1. Field of the Invention
Embodiments of the present invention relate to information processing and more specifically to monitoring access to a database.
2. Background of the Related Art
Databases are computerized information storage and retrieval systems. A relational database management system (RDBMS) is a computer database management system that uses relational techniques for storing and retrieving data. Relational databases are computerized information storage and retrieval systems in which data in the form of tables (formally denominated “relations”) are typically stored for use on disk drives or similar mass data stores. A “table” includes a set of rows (formally denominated “tuples” or “records”) spanning several columns (formally denominated “attributes”). Reference is made to C. J. Date, An Introduction to Database Systems, 6th edition, Addison-Wesley Publishing Co., Reading, Mass. (1994) for a comprehensive general treatment of the relational database art.
An RDBMS is structured to accept commands to store, retrieve and delete data using, for example, high-level query languages such as the Structured Query Language (SQL). The term “query” denominates a set of commands for retrieving data from a stored database. The SQL standard has been promulgated by the International Standards Association since 1986.
An important need for entities using databases is the ability to restrict access to confidential or private information. For example, a business may require such restriction as a matter of internally implemented business processes or to comply with government regulations. Typically, access to a database is secured by an authorization list. An authorization list contains those individuals who have access to the files or tables in the database. The granularity of the authorization list may be at the file or table level, or may be specific to columns of a table. The authorization list may further restrict what operations a user can perform on a table or a specific column in the table. For example, the user may be able to read or view the data, but not change or update the data.
Despite the conventional restriction methods being employed, there exists the possibility that the restricted information could be used improperly by individuals having authorization to access the information. Accordingly, simply securing the data may not provide sufficient control over the access to the data. This is especially true in large corporations or business entities having many divisions and many individuals requiring access to the corporate databases.
Therefore, what is needed is a mechanism to audit, or monitor, which individuals are accessing restricted data, and how often the accesses are occurring. In addition, it may be desirable to monitor trends, such as repeated accesses to a particular database.
In one embodiment, a data structure contained in a database comprises a data access trigger definition defined on a table, wherein the data access trigger definition is configured for execution upon detection of an access attempt by a data access entity of at least a portion of one record of the table.
In another embodiment, a method of monitoring access attempts to a table contained within a database is provided. The method comprises receiving, from an entity, a request to access at least a portion of a record of a table having at least one data access trigger defined thereon and executing the at least one data access trigger. The data access trigger is configured to perform a logging process, comprising writing access information to a log.
In another embodiment, a method of monitoring access attempts to a table contained within a database is provided. The method comprises receiving, from an entity, a request to access at least a portion of a record of a table having at least one data access trigger defined thereon and executing the at least one data access trigger. The data access trigger is configured to perform a logging process, comprising writing access information to a log and modifying the information being requested before returning the information to the entity.
In another embodiment, a signal bearing medium containing a program which, when executed by at least one processor, performs a method of monitoring access attempts to a table contained within a database is provided. The method comprises receiving, from an entity, a request to access at least a portion of a record of a table having at least one data access trigger defined thereon and executing the at least one data access trigger. The data access trigger is configured to perform a logging process, comprising writing access information to a log. In another embodiment, the information being requested is modified prior to being returned to the entity.