The invention relates to computing systems, and more particularly to a method and mechanism for implementing fine-grained access control for data stored in a computer system. For many reasons, it is often desirable to limit the type and/or quantity of data that are made available to users of a computer system. For example, a very common reason for creating an access control policy is to enforce the security of data in the computer system.
In a database context, one approach for implementing access control is to utilize database views. A view is a custom presentation of data from one or more data sources. A view can be implemented as a stored query. A stored-query view does not normally contain or store data—it derives its data from the data sources upon which it is based by executing the stored query. In a relational database, the data source is referred to as a base table, which can itself be a view. A materialized view stores the results of the stored query into a separate schema object.
A database view provides access control by restricting a user's access to a predetermined set of data from a data source. An example of this type of access control is shown in FIG. 1. FIG. 1 includes a database table (sales table 100) containing a set of sales data for a hypothetical company. Each entry in sales table 100 includes an employee number for a sales employee (in the empno column 102), a department number for that employee (in the deptno column 104), and a sales amount for that employee (in the sales column 106).
Consider if it is desired to restrict access to the data in sales table 100 such that each employee can only view data from his or her own department. Thus, employees from department number “1” can only access entries in sales table 100 in which the value in the deptno column 104 is “1” (i.e., entries 108 and 110). Similarly, employees from department number “2” can only access entries in sales table 100 in which the value in the deptno column 104 is “2” (i.e., entries 112 and 114).
This type of access control is implemented by creating a first view 120 for all entries in sales table 100 (the base table) having a value of “1” in the deptno column 104, e.g., by using stored query 130. A second view 122 is created for all entries in sales table 100 having a value of “2” in the deptno column 104, e.g., by using stored query 132. All employees from department number “1” would be given the appropriate authorizations to access view 120, while all employees from department number “2” would be given appropriate authorizations to access view 122. Employees from department number “1” are not allowed to access either the base sales table 100 or view 122. Employees from department number “2” are not allowed access to either the base sales table 100 or view 120. In this manner, data access for each user is limited to a subset of the underlying sales table 100, in which the subset is embodied as an accessible view.
In a similar manner, a view can be used to restrict a user's access to only his or her own data. Consider if it is desired to restrict the employee having employee number “3” to accessing only the entries in sales table 100 corresponding to that employee number (i.e., entry 112). This type of access control is implemented by creating view 124 for all entries in sales table 100 having a value of “3” in the empno column 102, e.g., by using stored query 134. The particular employee having an employee number “3” would be given the appropriate authorization to access view 124, but may be blocked from accessing the base sales table 100 or the other views 120 and 122.
Several drawbacks exist when using views to implement access control. For example, a large number of views may need to be created for each installation to enforce the intended access policies for that computer system. The overhead from maintaining a large number of views is significant—the server may need to maintain a large number of view objects and their dependencies in the system metadata. Moreover, when the definition of a view changes, dependent stored objects may need to be updated or recompiled. In addition, at runtime, a large amount of resources may need to be devoted to the corresponding metadata caches for the views.
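As an added illustration that is not part of the patent text, the following Python script uses an in-memory SQLite database to reproduce the view-based scheme of FIG. 1: a sales table with constructed values (the sales amounts and the fourth employee are invented), one view per department in the pattern of stored queries 130 and 132, one view per employee in the pattern of stored query 134, and a count of the view objects the server must track, which grows with the number of departments and employees. The table, view and column names are assumptions chosen for this example.

```python
import sqlite3

# Constructed sample data modelled on FIG. 1 (sales amounts are invented):
# entries 108/110 are department 1, entries 112/114 are department 2,
# and entry 112 is the row for employee number 3.
SALES_ROWS = [
    (1, 1, 1000),  # entry 108
    (2, 1, 1500),  # entry 110
    (3, 2, 2000),  # entry 112
    (4, 2, 2500),  # entry 114
]

def build_db():
    """Create the base table sales(empno, deptno, sales) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (empno INTEGER, deptno INTEGER, sales INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES_ROWS)
    return conn

def create_department_views(conn):
    """One view per department (pattern of stored queries 130 and 132).
    SQLite forbids bound parameters inside CREATE VIEW, so the predicate
    literal is built from an int() read back from the table itself."""
    depts = [int(r[0]) for r in conn.execute(
        "SELECT DISTINCT deptno FROM sales ORDER BY deptno")]
    for d in depts:
        conn.execute(f"CREATE VIEW sales_dept_{d} AS "
                     f"SELECT empno, deptno, sales FROM sales WHERE deptno = {d}")
    return [f"sales_dept_{d}" for d in depts]

def create_employee_views(conn):
    """One view per employee (pattern of stored query 134 / view 124)."""
    emps = [int(r[0]) for r in conn.execute(
        "SELECT DISTINCT empno FROM sales ORDER BY empno")]
    for e in emps:
        conn.execute(f"CREATE VIEW sales_emp_{e} AS "
                     f"SELECT empno, deptno, sales FROM sales WHERE empno = {e}")
    return [f"sales_emp_{e}" for e in emps]

def rows_visible_through(conn, view_name):
    """Rows a principal granted access to only this view can read."""
    return conn.execute(
        f"SELECT empno, deptno, sales FROM {view_name} ORDER BY empno").fetchall()

def view_object_count(conn):
    """Number of view objects the server must keep in its metadata."""
    return conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'view'").fetchone()[0]
```

With two departments and four employees the scheme already needs six view objects; a real installation multiplies this by every distinct access policy the system must enforce.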
The present invention is directed to an improved method and system for implementing access control in a computer system. In accordance with one embodiment of the invention, synonyms associated with shareable security policies and policy functions are employed to encapsulate data from underlying data sources. By controlling access and contents of synonyms and their underlying security policies, fine-grained access control can be implemented for system data sources. Further details of aspects, objects, and advantages of the invention are described below in the detailed description, drawings, and claims.