The present invention relates to methods and systems for establishing access control rules in managing access to information items stored in a relational database management system (RDBMS).
As set forth in related co-pending U.S. patent application Ser. No. (docket AM9-99-0210), information management systems (IMS) typically use a relational database management system (RDBMS) to manage data records. As an example, an IMS might manage document data, with the desire that some documents can be read by many users but only written to by a few. Many other high-level access rules can be enforced by the IMS. In any case, when a user wants to access the records of a document in the RDBMS, the user is routed through the IMS to first check for access control.
The documents themselves are broken down into records by the IMS and the records are stored in tabular form in the RDBMS, which can efficiently manage the records for querying using a language known as SQL. Only the IMS knows the high level access control rules with the high level rules being broken down by the IMS into low level rules for the RDBMS to enforce. An example of a low level rule is which users can perform which SQL operations against which data tables. Since the high level access control rules are for an entire document, low level access control rules are enforced table by table in the RDBMS, and are not enforced at any finer granularity (e.g., row by row). In any case, user applications must access the RDBMS indirectly, through the IMS, to ensure integrity and protection of data. The above-referenced application discloses an invention that essentially uses table view definitions in a novel way to enable users to access RDBMS directly without requiring modifications to the RDBMS, thereby enhancing performance, while at the same time maintaining high-level access control.
Of relevance to the present invention is ensuring effective access control for information items, with ease of administration and efficient access control checking. As recognized herein, access control rules for an item such as a document can be established simply by conceptually placing the item in a container, such as a folder, without requiring the editing of the items""s control rules, an otherwise tedious and risky operation for many users. This is accomplished by allowing items placed in a folder to inherit access control rules from the folder. The folder""s access control rules can be carefully defined by an administrator or security officer. When a folder is allowed to contain other folders (since folders themselves are also information items), the inheritance can propagate from one container to another. Unlike the case of a file in a directory of a file system, however, in which a single access path is normally provided to a file such that each directory in the path can restrict access to lower levels, the present invention recognizes that an item in a RDBMS can have multiple access paths, each of which may be controlled by separate protection rules, consequently requiring the novel invention provided herein.
The invention is a general purpose computer programmed according to the inventive steps herein. The invention can also be embodied as an article of manufacturexe2x80x94a machine componentxe2x80x94that is used by a digital processing apparatus and which tangibly embodies a program of instructions that are executable by the digital processing apparatus to undertake the present invention. This invention is realized in a critical machine component that causes a digital processing apparatus to perform the inventive method steps herein. The invention is also a computer-implemented method for undertaking the acts disclosed below.
Accordingly, a computer is programmed with instructions to selectively apply at least one container access control rule that is associated with a primary container to at least one item associated with both the primary container and with another container. The instructions embody method acts that include selecting whether to activate inheritance of the container access control rule, and then applying the container access control to the item only when inheritance is activated.
In a preferred embodiment, the method acts embodied by the instructions further include designating a container as the primary container for an item. Also, the method acts embodied by the instructions can include applying at least one item access control rule to the item, when inheritance is not activated. In a particularly preferred embodiment, the method acts embodied by the instructions include propagating the container access control rules through plural levels of containers.
In another aspect, a computer program product includes computer usable code means that are programmed with logic for establishing access control rules for an item in an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS. The program product includes computer readable code means for selecting a primary container for the item. Also, computer readable code means activate inheritance of access control from container to item, while computer readable code means are provided for applying container access control rules to the item when the application seeks to access the item.
In still another aspect, a computer-implemented method includes inserting at least one data item associated with item access control rules into at least one data container associated with container access control rules. Access control rules to apply to the item are then selected, and one of: the item access control rules, and the container access control rules, are applied to the item based on the selecting act.