This disclosure details the algorithms and structures used to implement a role-based access control system to secure data stored in a relational data model or in one or more databases.
Generally, in the state of the art, relational database systems provide security only at the object/operation level. For example, it is possible to configure which users can read or modify a table, view or stored procedure. In more advanced database systems it is also possible to control row-level access by using views (which call role membership functions provided by the database system) together with a model that stores the association of data labels to roles; the view uses that association to filter the data it presents. Those mechanisms present the following problems:
(1) The user or group accessing the database needs to be configured in the database system.
(2) The database system must have physical access to the security store (e.g., LDAP) in order to resolve user group memberships and the state of the account (enabled/disabled).
(3) The identity of the user must be used with or upon connection to the database.
(4) Authentication of users on multi-layer systems requires delegation of credentials, which is not universally available.
(5) Authenticating every user in the database server prevents the usage of connection pools and therefore degrades performance.
(6) Forcing the database to resolve users, groups and role memberships degrades performance.
(7) Changes to the security roles require modification of database objects (e.g., views or stored procedures).
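The view-based row-level mechanism described above can be sketched as follows. This is an added example, not part of the disclosure: it assumes PostgreSQL (for `pg_has_role` and `security_barrier`), and every table, view, role and user name in it is constructed for illustration.

```sql
-- Constructed schema and roles; none of these names come from the disclosure.
CREATE ROLE finance_readers NOLOGIN;
CREATE ROLE hr_readers NOLOGIN;
-- Problem (1): the end user has to exist as a principal inside the DBMS.
CREATE ROLE alice LOGIN IN ROLE finance_readers;

CREATE TABLE documents (
    id    integer PRIMARY KEY,
    label text NOT NULL,       -- data label attached to each row
    body  text NOT NULL
);

-- Model storing the association of data labels to roles.
CREATE TABLE label_role (
    label     text NOT NULL,
    role_name text NOT NULL,   -- must name an existing database role,
                               -- otherwise pg_has_role raises an error
    PRIMARY KEY (label, role_name)
);

INSERT INTO documents VALUES
    (1, 'FINANCE', 'Q3 forecast'),
    (2, 'HR',      'Salary review');
INSERT INTO label_role VALUES
    ('FINANCE', 'finance_readers'),
    ('HR',      'hr_readers');

-- The view filters rows through the DBMS role membership function.
-- security_barrier keeps user-supplied predicates from being evaluated
-- before the row filter and leaking rows the filter would hide.
CREATE VIEW visible_documents WITH (security_barrier) AS
SELECT d.id, d.label, d.body
FROM documents d
WHERE EXISTS (
    SELECT 1
    FROM label_role lr
    WHERE lr.label = d.label
      -- Problems (3) and (5): current_user is meaningful only when each
      -- end user opens the connection under their own identity, so a
      -- shared pooled connection cannot be used.
      AND pg_has_role(current_user, lr.role_name::name, 'MEMBER')
);

-- Base tables stay inaccessible; only the filtered view is granted.
-- Problem (7): a new role means new DDL (CREATE ROLE, GRANT) here.
GRANT SELECT ON visible_documents TO finance_readers, hr_readers;
```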