The present disclosure relates to methods, systems and computer programs for accessing data stored in a database system.
A database system is a software-based system that provides applications with access to data stored in the database system in a controlled and managed fashion. By allowing separate definition of the structure of the data, the database system frees the applications from many of the onerous details in the care and feeding of the data. A database system may be implanted in a centralized way or distributed among different computing and storage resources.
In the context of database systems, a data-element may be defined as a uniquely identifiable representation of a real-world entity by means of a collection of fields. Each field may have a name and a different type. Examples of data-elements are rows (in relational database systems), objects (in object-oriented database systems), nodes/edges (in graph database systems), etc.
Different kinds of database systems are known depending on their data model, i.e. how the data is structured in the database system. For instance, relational database systems store data in the format of tables where each table represents a type of data and each row represents a data-element.
Object oriented database systems store data in the format of objects comprising a set of fields and normally a set of methods. Graph database systems store data-elements based on nodes and edges. Document database systems store data in a semi-structured data format, such as XML or JSON. Key-value database systems store data in tables with two columns: the first column is the key of the object that will be used to find the object whenever needed and the second column is an array of bytes with the object itself.
Typical database systems may be configured to store data as well as relationship(s) between data-elements of the stored data. Some database systems support these relationships either because they are part of the data model (e.g. nodes linked to edges and edges to nodes in a graph database system) or because they are part of the database schema (i.e. a field in an object with a reference to another object). Typical database systems may comprise a controller configured to ensure integrity of the data stored in the database system. These main features (relationships and integrity) are discussed below.
Relationships between data-elements may be implemented in different ways depending on the type of database system. For instance, in a relational database system, two objects can be linked or interrelated by e.g. using a column in a table for storing a foreign key pointing to another data-element in the same or another table. Object oriented database systems may implement relationships by e.g. having a field in a class which is a reference to another object. In Graph database systems, intrinsic relationships may be implemented between nodes and edges and vice versa. Other ways of implementing relationships between data-elements are possible in database systems with functionalities aimed at that purpose.
Integrity refers to a condition of the data stored in the database system in which all the data (elements) in the database system are correct in the sense that a target state of the real world is represented by the stored data, and rules of mutual consistency are satisfied (e.g. referential integrity in relational database systems).
For example, in a relational database system, a table PERSON and a table CAR may be inter-related through a relationship indicating which cars are owned by which person. To this end, table CAR may comprise a column for storing identifiers of PERSON so that different cars may point to the same person. Besides, table PERSON may include a column for storing the number (or counter) of cars owned by the person.
Ensuring that all the identifiers of PERSON stored in table CAR are pointing to existing rows in table PERSONS implies that integrity of the data is guaranteed with respect to satisfaction of mutual consistency rules.
Keeping the counter (of cars) of a person consistent with the number of cars “pointing” to the person implies that integrity of the data is guaranteed with respect to a target state of the real world.
In order to ensure integrity, a controller of database system (or database controller) may permit defining database constraints which, in some examples, may be intrinsic to the data model of the database system. For instance, a foreign key constraint may be used to ensure that all the persons referenced in table CAR correspond to existing rows of table PERSON. This constraint will prevent deleting a person that is owner of a car.
A database controller may also permit defining triggers (by the database administrator) aimed at triggering some action when a data-element is inserted, removed or modified. A trigger may be used e.g. for updating the counter of cars of a person when a car is unlinked from the person (counter is decreased) or linked to the person (counter is increased).
Examples of typical database systems comprising the previously discussed main features (relationships and integrity) are relational database systems, object-oriented database systems, graph database systems, key-value database systems with mechanisms to enforce data integrity such as triggers (e.g. Cassandra), etc.
Examples of database systems lacking some of the previously discussed main features (relationships and integrity) are document database systems such as e.g. MongoDB (integrity is not enforced), schema-less database systems such as e.g. LevelDB (relationships are not defined), etc.
Nowadays, database systems are mainly aimed to share data among different members and/or departments within the same organization. Thus, the shared data is owned by the organization and a single database administrator (DBA) is in charge of deciding what can be accessed and by whom.
Database controllers provide mechanisms for controlling access by users to data stored in the database system. Current database systems allow users to control access to different schema elements (e.g. tables, columns, procedures . . . ), by defining privileges or permissions at the level of schema elements. Some database systems also provide functionalities for limiting which data is shown to which user (or group of users) through e.g. some kind of view mechanism based on filters (e.g. showing only those rows with a certain value in a given column).
These mechanisms based on privileges at the level of schema elements and/or views by filtering data operate under integrity constraints (defined by corresponding DBA) such that integrity of the data accessed with said mechanisms is ensured.
An object of the present disclosure is improving the methods, systems and computer programs for accessing data stored in a database system supporting relationships between data-elements and enforcement of data integrity.
In an aspect, a computer-implemented method is provided for accessing data stored in a database system comprising a controller configured in such a way that the data is stored with relationships between data-elements of the data, and with enforcement of integrity of the data. A first data-element and a second data-element of the data are stored in the database system with a relationship between the first data-element and the second data-element.
The first data-element is stored in the database system encapsulated by one or more first access-procedures so that the first data-element is accessible exclusively by calling the one or more first access-procedures.
The second data-element is stored in the database system encapsulated by one or more second access-procedures so that the second data-element is accessible exclusively by calling the one or more second access-procedures.
The database system further stores access authorization data indicating, at data-element level, whether access to second data-element is authorized to a first user identified in the database system through corresponding credentials that enable the first user to log in and operate in the database system.
The method comprises receiving, by the controller, a call by the first user to a first access-procedure of the one or more first access-procedures for attempting to access the first data-element, said first access-procedure of the one or more first access-procedures including a call to a second access-procedure of the one or more second access-procedures for attempting to access the second data-element based on the relationship between first and second data-elements.
The method further comprises performing, by the controller, the call to said first access-procedure of the one or more first access-procedures, and verifying, by the controller, whether the first user is authorized to access the second data-element according to the access authorization data.
The method yet further comprises performing, by the controller, the call to said second access-procedure of the one or more second access-procedures, and returning, by the controller, a result of the attempt to access the second data-element, including an indicator of whether the first user is authorized to access the second data-element.
In the case that first user is not authorized to access the second data-element, the returned indicator may indicate that the second data-element exists but is unknown to the first user due to non-permitted access. The returned indicator may be processed by first access-procedure (of the one or more first access-procedures) so as to produce a consistent result of the access to first and second data-elements.
The proposed method thus permits the first user to obtain a consistent result of the access to first and second data-elements (following the relationship between them) irrespective of whether a consistent or inconsistent view of first and second data-elements is provided to the first user according to access authorizations (at data-element level). A result, view, etc. of interrelated data-elements is consistent if integrity constraints are satisfied.
Indeed, access authorizations defined at data-element level may permit implementing powerful data view functionalities with small granularity (data-element level). However, in some cases, such powerful views may not be consistent when e.g. first and second data-elements are interrelated and access to second data-element is not allowed to first user.
In an example, first data-element may include data of person P1, second data-element may include data of car C2 whose color is Red, and a relationship between P1 and C2 may be defined indicating that P1 owns C2. If first user is allowed to access P1 but not C2, a view of which car is owned by person P1 would not be consistent (in a prior art database system) because C2 is not accessible by first user. That is, only the relationship part between P1 and C2 at the side of P1 (e.g. a reference to C2) is seen by the user, but C2 (i.e. the relationship part at the side of C2) is not seen by the user.
In another example, first data-element may include a number of cars NC owned by person P1, NC being equal to 1 because P1 only owns car C2. In this case, an inconsistent view of person P1 could also result (in a prior art database system) because NC=1 indicates that P1 owns one car but C2 is not accessible by first user.
These inconsistencies cannot be solved in prior art database systems based on e.g. integrity constraints or triggers.
Integrity constraints apply to the data stored in the database system as a whole and, from the point of view of the database system there is no lack of integrity because P1, C2 and proper link (relationship) between P1 and C2 exist.
Triggers are not useful in this case either, according to similar reasons. Moreover, triggers react to events such as addition, removal, or modification, since they are operations that may break the integrity of the data stored in the database system.
Triggers may have been used to correctly update the number of cars NC owned by P1 upon creation of car C2. However, triggers are useless to provide a consistent result of accessing P1 with one car (NC=1) since said car is not accessible by first user.
The returned indicator is very valuable in the sense that a consistent result of accessing the data may be provided to a user, even if the data is seen by the user as inconsistent depending on access authorizations attributed to the user. The returned indicator may comprise any data structure including e.g. a list of which accesses have been successfully performed and which accesses have not been successfully performed, as well as a reason of each unsuccessful access.
In an example, the returned indicator may represent that both P1 and C2 have been successfully accessed. The first access-procedure (of the one or more first access-procedures) may thus receive the returned indicator and produce, based on the returned indicator, a result comprising data reflecting that person P1 owns ONLY one car (NC=1) which is C2 and whose color is Red. This result does not only reflect that P1 owns C2, but it further indicates that C2 is the ONLY car owned by P1, since the returned indicator may represent that all cars interrelated with (owned by) P1 have been successfully accessed.
In another example, the returned indicator may represent that P1 has been successfully accessed but C2 has not successfully accessed because user is not allowed to perform such access. The first access-procedure (of the one or more first access-procedures) may therefore produce, based on the received indicator, a result comprising data reflecting that P1 owns ONLY one car (NC=1) which is ‘unknown’ and whose color is also ‘unknown’. Therefore, a consistent result may be produced even though a lack of integrity exists for first user in relationship between P1 and C2, since first user is not allowed to access C2.
Alternatively, the first access-procedure (of the one or more first access-procedures) may produce, based on the returned indicator, a result reflecting that P1 does not own any car according to the data that the first user can view according to authorizations (at data-element level) attributed to the user. This result may be implemented by making the field NC (number of cars) consistent with the cars that the user can view. In this particular case, NC may be forced to be zero in the result provided to the user. This result is consistent even though the data viewed by the user is not consistent (P1 has NC=1 but no car owned by P1 is viewed by the user).
The suggested method may permit very secure access to data-elements since only access procedures encapsulating data-elements are allowed for accessing data-elements. Hence, creators (or owners) of the access procedures may implement security functionalities therein, so that e.g. data stored in the database system may be shared by multiple users subjected to suitable access authorizations (at data-element level). This may be seen as a new paradigm in the sense that each creator/user may be responsible for maintaining its own (sub) schema (or model) in the database system in comparison to prior art database systems wherein a single DBA is typically in charge of maintaining the database system.
The access performed by the method may be read access or update access.
In some examples, the database system may be a relational database system. Hence, first data-element may be a first row of a relational table, second data-element may be a second row of a relational table, and the relationship between first and second data-elements may be a relational relationship such as e.g. a foreign key included in first row pointing to second row. Access-procedures may be stored procedures.
Alternatively, the database system may be an object-oriented database system. Hence, first data-element may be a first object of a class, second data-element may be a second object of a class, and the relationship between first and second data-elements may be an object-oriented relationship such as e.g. a reference included in first object pointing to second object. Access-procedures may be class-methods.
Further alternatively, the database system may be a graph database system.
Hence, first data-element may be a node and second data-element may be an edge, or first data-element may be an edge and second data-element may be a node. The relationship between first and second data-elements may be a graph relationship intrinsically defined between node and edge, or between edge and node. Access-procedures may be graph procedures.
Access authorization data at data-element level may be stored in the database system based on that a data-element either belongs or does not belong to a set of data-elements (or dataset), as described in detail in other parts of the disclosure. The database controller may thus verify whether first user is allowed to access second data-element by consulting access authorization data according to any of said approaches, i.e. with or without datasets.
Grouping data-elements into datasets may simplify management of access authorization permissions to users, and also may allow improving efficiency since access authorizations may not require to be checked for every single access to a data-element. Instead, once an access authorization has been checked, it may not be necessarily checked again until a data-element of another dataset is accessed.
Access authorization data at data-element level (with or without datasets) may comprise a start date and/or an end date of the authorization, so that the database controller may verify whether first user is allowed to access second data-element further considering whether current date is later than start date and/or earlier than end date of the authorization.
The database system may further comprise call authorization data at access-procedure level indicating which user is authorized to call which access-procedure. The database controller may thus verify whether first user is allowed to call second access-procedure (of the one or more second access-procedures) by consulting said call authorization data.
Call authorization data at access-procedure level may be stored in the database system based on that an access-procedure either belongs or does not belong to a set of access-procedures (or function-sets), as described in detail in other parts of the disclosure. The database controller may thus verify whether first user is allowed to call second access-procedure (of the one or more second access-procedures) by consulting call authorization data according to any of said approaches, i.e. with or without function-sets.
Function-sets provide the user with an abstraction for grouping a set of access-procedures with same call authorization data. It is worthy of mention that an access-procedure may belong to several function-sets.
Call authorization data at access-procedure level (with or without function-sets) may comprise a start date and/or an end date of the authorization, so that the database controller may verify whether first user is allowed to call second access-procedure (of the one or more second access-procedures) further considering whether current date is later than start date and/or earlier than end date.
A special functionality which may be called “impersonation” may be implemented by the method. In this case, the database controller may successfully call second procedure even though first user is not explicitly allowed to perform said call. In particular, the database controller may call (in representation of first user) second access-procedure (of the one or more second access-procedures) if first user is allowed to call first procedure (of the one or more first access-procedures) and the creator of said first procedure is allowed to call second access procedure (of the one or more second access-procedures).
In an example, first user may be authorized to call a first procedure created by a hospital database administrator (DBA), returning a total number of patients with a given disease. First procedure may call, for each patient, a second procedure (also created by DBA) that returns patient data (including disease) to first procedure, which performs the appropriate counting. First user may not be authorized to call second procedure, since it returns sensitive data of individual patients, but however may be able to call first procedure since it does not return any sensitive data to first user. This logic can be implemented with the “impersonation” functionality, based on that DBA is allowed to call second procedure.
In a further aspect, a database system is provided for accessing data stored in the database system, comprising a controller configured in such a way that the data is stored with relationships between data-elements of the data, and with enforcement of integrity of the data.
A first data-element and a second data-element of the data are stored in the database system with a relationship between the first data-element and the second data-element.
The first data-element is stored in the database system encapsulated by one or more first access-procedures so that the first data-element is accessible exclusively by calling the one or more first access-procedures.
The second data-element is stored in the database system encapsulated by one or more second access-procedures so that the second data-element is accessible exclusively by calling the one or more second access-procedures.
The database system further stores access authorization data indicating, at data-element level, whether access to second data-element is authorized to a first user identified in the database system through corresponding credentials that enable the first user to log in and operate in the database system.
The controller is further configured to perform a computer-implemented method for accessing data stored in the database system such as the ones described in other parts of the present disclosure.
In a still further aspect, a further database system is provided for accessing data stored in the database system, comprising a controller configured in such a way that the data is stored with relationships between data-elements of the data, and with enforcement of integrity of the data.
A first data-element and a second data-element of the data are stored in the database system with a relationship between the first data-element and the second data-element.
The first data-element is stored in the database system encapsulated by one or more first access-procedures so that the first data-element is accessible exclusively by calling the one or more first access-procedures.
The second data-element is stored in the database system encapsulated by one or more second access-procedures so that the second data-element is accessible exclusively by calling the one or more second access-procedures.
The database system further stores access authorization data indicating, at data-element level, whether access to second data-element is authorized to a first user identified in the database system through corresponding credentials that enable the first user to log in and operate in the database system.
The controller comprises a memory and a processor, embodying instructions stored in the memory and executable by the processor, the instructions comprising functionality to execute a computer-implemented method for accessing data stored in the database system such as the ones described in other parts of the present disclosure.
In a yet further aspect, a computer program product is provided comprising program instructions for causing a computing system to perform a computer-implemented method for accessing data stored in a database such as the ones described in other parts of the present disclosure.
The computing system executing these program instructions may be a part of the database system, i.e. a sub-system inside the database system configured to reproduce a computer-implemented method for accessing data such as the ones described in other parts of the disclosure, or may be the database system itself. For example, the computing system may be a controller included in the database system.
Any of the aforementioned computer program products may be embodied on a storage medium (for example, a CD-ROM, a DVD, a USB drive, on a computer memory or on a read-only memory) or carried on a carrier signal (for example, on an electrical or optical carrier signal).
Any of said computer programs may be in the form of source code, object code, a code intermediate source and object code such as in partially compiled form, or in any other form suitable for use in the implementation of the corresponding method. The carrier may be any entity or device capable of carrying the computer program.
For example, the carrier may comprise a storage medium, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example a hard disk. Further, the carrier may be a transmissible carrier such as an electrical or optical signal, which may be conveyed via electrical or optical cable or by radio or other means.
When any of the computer programs is embodied in a signal that may be conveyed directly by a cable or other device or means, the carrier may be constituted by such cable or other device or means.
Alternatively, the carrier may be an integrated circuit in which the computer program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant methods.
These and other advantages and features will become apparent in view of the detailed description and drawings.
Non-limiting examples of the present disclosure will be described in the following, with reference to the appended drawings, in which:
First data-element may be a first row 101 of a first relational table 102 (called Person in the figure) and second data-element may be a second row 103 of a second relational table 104 (called Car in the figure). The relationship between the first row 101 and the second row 103 may be a foreign key 105 included in the first row 101, the foreign key being a reference 105 to a unique key of the second row 103. In this case, the relationship is implemented as a many-to-one relationship between Person 102 and Car 104 (many people may own same car). In other examples, a many-to-many relationship may be defined between Person 102 and Car 104 through an intermediate relational table storing rows each including a unique key of Person 102 and a unique key of Car 104 (one person may own several cars, and one car may be owned by several people).
In the particular example shown, each row 101 of the table Person 102 may store data of a person, such as e.g. a unique identifier of the person (R_ID: Row ID), a foreign key or reference to a unique key identifying a car (ER_ID: External Row ID) of the table Car, and other data (Other). Each row 103 of the table Car 104 may store data of a car, such as e.g. a unique identifier of the car (R_ID: Row ID), a color of the car (Color) and other data (Other).
Only one row 101 is shown in table Person 102 corresponding to a person with identifier ‘perl’ who owns a car with identifier ‘car2’ whose data (e.g. Color=‘red’) is stored in row 103 of the table Car 104. Row 101 may contain other data ‘. . . ’ of the person, and row 103 may contain other data of the car
First rows 101 may be accessible exclusively by calling (i.e. encapsulated by) first stored procedures 106. That is, first rows 101 may not be accessed through another way different from calling first stored procedures 106.
Second rows 103 may be accessible exclusively by calling (i.e. encapsulated by) second stored procedures 107. That is, second rows 103 may not be accessed through another way different from calling second stored procedures 107.
The concept of stored procedure is well-known in the field of relational database systems. Exclusive access to rows of a table through a stored procedure may be implemented e.g. by revoking all privileges on the table and grating “execute” privilege to the stored procedure for accessing the table.
The database system 100 may further comprise access authorization data 109 indicating whether access to second row 103 is authorized to first user U1 identified in the database system through corresponding credentials enabling the user to log in and operate in the database system 100.
Credentials may be granted at the level of user or, alternatively, at the level of role. Different users may belong to the same role. In other implementations, both approaches (user and role level) may be combined for allowing (full or restricted) operation in the database system 100.
In this respect, database system 100 may comprise a table 110 (called User) containing the users (or roles) that are allowed to operate in the database system. This table User 110 may store rows each including a user ID (U_ID) and corresponding credentials of the user such as e.g. username (U_N) and password (Pwd).
The access authorization data may be stored according to different approaches as described below.
According to a first approach, tables 102, 104 that are exclusively accessible through stored procedures 106, 107 may include a column which may be a hidden column or at least modifiable only by a controller 115 of the database system 100. This (hidden) column may be used by the controller 115 to store the owner (who created the row) for each record/row.
Still in relation to first approach, a “granting” table may be used to store data indicating that a user/role is allowed to access a row/record ID (in any table accessible through stored procedures). In this “granting” table, only the owner of a row/record ID is allowed to add/delete/modify the data granting access to the row/record to other users.
In a second (alternative) approach, a column may be included in tables 102, 104 that are exclusively accessible through stored procedures 106, 107 based on same principles as described with respect to first approach. Furthermore, a “denying” table may be used to store data indicating that a user/role is denied to access a row/record ID (in any table accessible through stored procedures). In this “denying” table, only the owner of a row/record ID is allowed to add/delete/modify the data denying access to the row/record to other users.
In a third (alternative) approach, internal structures associated to the controller 115 (of the database system) may be used to store data indicating which row (accessible through stored procedures) has been created by which user/role, and which user/role has permitted access to which row granted by the creator of the row. Said internal data may be structured as hash tables, or b-trees, or lists, or the like. A mechanism may be provided for enabling the creators of rows to manipulate the authorization data in such a way that only the creator of a row is allowed to set/modify/remove authorization(s) of access to said row.
In particular, database system 100 may comprise a table called Access_auth 109 indicating whether a row (identified by R_ID) is accessible by one or more users included in a list of users ID (U_ID). This list may further comprise for each user a start date (S_D) and an end date (E_D) of the authorization granted to the user. A record (of example) is shown in table Access_auth 109 indicating that row 103 of table Car 104 (R_ID=‘car2’) is accessible by user U1 (U_ID=‘U1’) if current date is between start date ‘d1’ and end date ‘d2’. Another row (of example) is shown in table Access_auth 109 indicating that row 101 (R_ID=‘perl’) is accessible by user U1 if current date is between ‘d3’ and ‘d4’ and user U4 if current date is between ‘d5’ and ‘d6’.
In alternative examples, table Access_auth 109 may indicate whether a user (U_ID) has permitted access to one or more rows included in a list of rows (R_ID). This list may further comprise for each accessible row (R_ID) a start date (S_D) and an ending date (E_D) of the authorization.
Database system 100 may further comprise one or more tables 111 (called R_creator) indicating the user (U_ID) that has created a row (R_ID). In some examples, a single table R_creator 111 may be employed for all relational tables 102, 104 (accessible through stored procedures). In alternative examples, a table R_creator 111 for each relational table 102, 104 (accessible through stored procedures) may be considered.
In the particular case shown, row 101 of table Person 102 (R_ID='perl') has been created by user U4 (U_ID=‘U4’), and row 103 of table Car 104 (R_ID=‘car2’) has been created by user U2 (U_ID=‘U2’). Only the creator of a given row may be allowed to add/delete/modify data in table Access_auth 109 for granting access to the row to other users. In the particular example of
The database system may further comprise call authorization data indicating which users/roles are authorized to call which stored procedures for accessing corresponding rows. These authorizations for calling stored procedures may be implemented in the database system according to different proposals as described below.
According to a first proposal, if the controller 115 of the relational database system includes functionalities of controlling permissions for calling stored procedures depending on which user/role has performed the call, these functionalities may be used and/or customized for the aforementioned purpose.
Based on a second (alternative) proposal, an internal structure (table, list, etc.) may be used to store data indicating which users/roles are authorized to execute which stored procedures. This structure may further keep data on which users have created which stored procedures. A mechanism may also be provided for enabling the creators (owners) of stored procedures to manipulate this authorization data, in such a way that only the creator (owner) of a stored procedure is allowed to manipulate the authorization data regarding said stored procedure.
Still in relation to second proposal, a single internal structure may be used to store authorizations for all the stored procedures in the database system or, alternatively, an internal structure for each stored procedure may be employed. The internal structure(s) and mechanism(s) to store and manipulate this authorization data may be configured to provide delegation functionalities, so that an owner of a stored procedure may delegate to other users/roles the ownership of said stored procedure. This may be considered substantially equivalent to having several owners per stored procedure.
Based on a third (alternative) proposal, an internal structure (table, list, etc.) may be used to store data indicating which users/roles are denied to execute which stored procedures. Principles commented with respect to the aforementioned second proposal may be similarly applied in this case, but taking into account that permission is denied instead of granted.
In alternative examples, table Call_auth 112 may indicate whether a user (U_ID) is allowed to call one or more functions included in a list of functions (F_ID). This list may further comprise for each callable function (F_ID) a start date (S_D) and an ending date (E_D) of the authorization.
Database system 100 may further comprise a table 113 (called F_creator) indicating the user (U_ID) that has created an access procedure or function (F_ID). In the particular case shown, function F10 has been created by user U4 and function F20 has been created by user U3. Only the creator of a given function may be allowed to add/delete/modify data in table Call_auth 112 for permitting execution of the function to other users. In the particular example of the figure, the authorization to execute F10 granted to user U1 may have been necessarily added by user U4 (creator of F10). User U4 may therefore be the only user permitted to delete/modify and/or delegate such authorization.
Any of the stored procedures or functions F10-F13, F20-F22 defined in the database system 100 may be called by a user in different ways, such as e.g. from an application (executed by the user), from another stored procedure (in representation of the user), etc. In the particular example of
It is worthy of mention that database systems according to
Table Person 202 may be substantially equal to table Person 102 of
Table Car 204 may be similar to table Car 104 of
Table User 210 may be substantially equal to table User 110 of
Principles similar to those described with respect to table User 110 may thus be of application to table User 210.
Stored procedures 206 (encapsulating rows of table Person 202) and stored procedures 207 (encapsulating rows of table Car 204) may be substantially equal to stored procedures 106 and 107 of
Call 214 by user U1 to the function F10 and call 208 by function F10 to the function F20 may be substantially equal to calls 114 and 108 of
There is no table in
Table DS_creator 211 may be similar to table R_creator 111 of
Table Access_auth 209 may be similar to table Access_auth 109 of
There is no table in
Table FS_creator 213 may be similar to table F_creator 113 of
A user may create as many function-sets as desired either by selecting individual functions owned by the user, or by selecting a subset of functions included in one or more function-sets previously created by the user.
Table Call_auth 212 may be similar to table Call_auth 112 of
Any database system according to the present disclosure may represent authorizations at row/function level according to any of the approaches described in other parts of the disclosure. Access authorizations at row level and call authorizations at function level may be defined without belonging to a set of rows/functions (as depicted in
Alternatively, access authorizations at row level and call authorizations at function level may be defined belonging to a set of rows/functions (as depicted in
It is worthy of mention that database systems according to
Database system 300, as in the case of database system 100, may be configured to perform computer-implemented methods for accessing first data-element 301 interrelated with second data-element 303.
First data-element may be a first object 301 of a first class 302 (called Person in the figure) and second data-element may be a second object 303 of a second class 304 (called Car in the figure). The relationship between first objects 301 (of first class 302) and second objects 303 (of second class 304) may be a property/attribute/field in first objects 301 including a reference 305 to second objects 303 (e.g. car=“car2” in object 301). In this case, the relationship 305 is implemented as a many-to-one relationship between objects 301 of Person 302 and objects 303 of Car 304 (many people may own same car).
In other examples, a many-to-many relationship may be defined between Person 302 and Car 304 through an intermediate class (and corresponding objects) including one or more references to objects 301 of Person 302 and to objects 303 of Car 304 (one person may own several cars, and one car may be owned by several people). Such an intermediate class may be e.g. a list class, table class, set class, etc.
In the particular example shown, each object 301 of the class Person 302 may store data of a person, such as e.g. an identifier of the person, a name of the person, a reference to object 303 of the class Car 304, etc. Each object 303 of Car 304 may store data of a car, such as e.g. an identifier of the car, a color of the car, etc.
Only one object 301 is shown in class Person 302 corresponding to a person with identifier ‘perl’ who owns a car with identifier ‘car2’ whose data (e.g. Color=‘red’) is stored in object 303 of Car 304.
First objects 301 (of class Person 302) may be accessible exclusively by calling (i.e. encapsulated by) first methods 306 of class Person 302. That is, first objects 301 may not be accessed through another way different from calling first methods 306 of class Person 302.
Second objects 303 (of class Car 304) may be accessible exclusively by calling (i.e. encapsulated by) second methods 307 of class Car 304. That is, second objects 303 may not be accessed through another way different from calling second methods 307 of class Car 304.
In object-oriented approach, attributes (or fields) are defined as private, while access to a field (or attribute) is defined to be performed through a method in corresponding class. Hence, the aforementioned access to objects exclusively through methods may be implemented by specifying the required methods as public, so that fields of the object can be accessed only by calling corresponding public methods.
Table User 310 may be similar (or substantially equal) to table User 110 as described with respect to
Tables O_creator 311 and Access_auth 309 may be similar to tables R_creator 111 and Access_auth 109 as described with respect to
Tables F_creator 313 and Call_auth 312 may be similar to tables F_creator 113 and Access_auth 112 as described with respect to
Database system 300 is shown in
In some examples, any of the access and call authorization data along with user/role and credentials data may be stored in objects of corresponding classes instead of the tables described with reference to
Call 314 by user U1 to the method F10 and call 308 by method F10 to the method F20 may be similar to calls 114 and 108 of
It is worthy of mention that database systems according to
Database system 400 (similarly to database system 100) may be configured to perform computer-implemented methods for accessing first data-element interrelated with second data-element.
First data-element may be a node 401 (with label Person 402 in the figure) and second data-element may be an edge 405 (called HAS_CAR in the figure). In this case, the relationship between first data-element and second data-element may be defined by connection between node 401 and edge 405, wherein edge 405 starts at node 401.
First data-element may also be an edge 405 and second data-element may be a node 403 (with label Car 404 in the figure). In this case, the relationship between first data-element and second data-element may be defined by connection between edge 405 and node 403, wherein edge 405 ends at node 403.
In the particular example shown, node 401 with label Person 402 may store data of a person, such as e.g. an identifier of the person, name of the person, etc. Edge 405 may store data of an ownership by person 401 of car 403, such as e.g. an identifier of the ownership, name of the ownership, etc. Node 403 with label Car 404 may store data of a car, such as e.g. an identifier of the car, color of the car, etc.
Node 401 is shown with label Person 402 corresponding to a person with identifier ‘perl’, name ‘John’ and owning something, said “owning” relationship being implemented by connection with edge 405 starting at the node 401.
Node 403 is shown with label Car 404 corresponding to a car with identifier ‘car2’, color ‘red’ and owned by somebody, said “owned” relationship being implemented by connection with edge 405 ending at the node 403.
Edge 405 is shown corresponding to an ownership with identifier ‘link1’, name HAS CAR and date of purchase ‘I-1-2001’.
Nodes 401 (with label Person 402) may be accessible exclusively by calling (i.e. encapsulated by) corresponding procedures 406. That is, nodes 401 may not be accessed through another way different from calling said procedures 406.
Edges 405 may be accessible exclusively by calling (i.e. encapsulated by) corresponding procedures (not shown), so that edges 405 may not be accessed through another way different from calling said (not shown) procedures.
Nodes 403 (with label Car 404) may be accessible exclusively by calling (i.e. encapsulated by) corresponding procedures 407, such that nodes 403 may not be accessed through another way different from calling said procedures 407.
The concept of procedure is well-known in the field of graph database systems. Exclusive access to nodes/edges through procedures may be implemented e.g. by disallowing querying (nodes and edges stored in) the database system, and allowing access only through procedures. Such functionalities may be provided in a similar way as described in other parts of the description with respect to relational and object-oriented database systems.
Table User 410 may be similar (or substantially equal) to table User 110 as described with respect to
Tables NE_creator 411 and Access_auth 409 may be similar to tables R_creator 111 and Access_auth 109 as described with respect to
Tables F_creator 413 and Call_auth 412 may be similar to tables F_creator 113 and Access_auth 112 as described with respect to
Database system 400 is shown in
In some examples, any of the access and call authorization data along with user/role and credentials data may be stored in corresponding nodes/edges instead of the tables described with reference to
Call 414 by user U1 to procedure F10 and call 408 by procedure F10 to procedure F20 may be similar to calls 114 and 108 of
It is worthy of mention that database systems according to
The examples disclosed with reference to
The skilled person will appreciate that any other database system of said type (such as e.g. key-value database like Cassandra) includes database components similar to e.g. tables, rows and stored-procedures of relational database systems, classes, objects and methods of object oriented database systems, nodes, edges and procedures of graph database systems, etc. so that fundamentals similar to those described with respect to
Any of the database systems described in relation to
Any of the database systems described in relation to
Access methods according to present disclosure (e.g. according to
First and second data-elements may be e.g. first and second rows 101, 103 with relationship 105 between them in relational database system 100, or first and second objects 301, 303 with relationship 305 between them in object oriented database system 300, or a node 401 and an edge 405 with relationship between them in graph database system 400, etc.
Access methods may be started at initial block 500 when e.g. a request for attempting to access first data-element stored in the database system occurs. This request may include a call 114, 214, 314, 414, by first user U1, to first access procedure F10 for accessing first data-element. Said request may have been performed by first user U1 through suitable user interface comprised in the database system. Alternatively, said request may be a request to call the first access-procedure included in another access-procedure previously called by the controller 115, 217, 315, 415.
Said first access-procedure F10 may comprise a call to second access-procedure F20 for attempting to access the second data-element based on the relationship between first and second data-elements.
At block 501, call by first user U1 to first access-procedure F10 may be received by database controller. First access procedure may be a stored procedure F10 included in a plurality of stored procedures 106 encapsulating first row 101, or a method F10 included in a plurality of methods 306 encapsulating first object 301, or a procedure F10 included in a plurality of methods 406 encapsulating first node 401, etc.
At block 502, call to first access-procedure F10 may be performed by database controller in representation of first user U1. As commented before, first access-procedure F10 may comprise a call 108, 308, 408 to second access-procedure F20. For example, first access procedure F10 may be aimed at returning name of a person owning a car and color of the car. Function F10 may thus include a call to second access procedure F20 for obtaining data of the car following the relationship between Person and Car.
Second access procedure may be a stored procedure F20 included in a plurality of stored procedures 107 encapsulating second row 103, or a method F20 included in a plurality of methods 307 encapsulating second object 303, or a procedure included in a plurality of methods encapsulating edge 405, etc.
At block 503, database controller may verify whether first user is authorized to access second data-element. This verification may be performed with or without sets of data-elements. Hence, a table similar to Access_auth 109, 309, 409 (wherein access authorizations are defined without considering sets of data-elements) may be consulted. Alternatively, tables similar to Data_set 215 and Access_auth 209 (wherein access authorizations are defined based on datasets) may be consulted. This verification may further comprise checking whether current date is between start date (S_D) and end date (E_D) of corresponding authorization.
At block 504, call to second access-procedure F20 may be performed by database controller in representation of first user U1.
At block 505, database controller may return a result of the attempt to access the second data-element including an indicator of whether the first user is allowed to access the second data-element. Once said result has been returned, a transition to final block 506 may be performed so that execution of the method is ended.
A method according to
For instance, an initial procedure (for accessing initial data-element) may include a call to an intermediate procedure (for accessing intermediate data-element following a relationship between initial and intermediate data-element), and intermediate procedure may include a call to final procedure (for accessing final data-element following a relationship between intermediate and final data-element).
An initial verification of whether the user is allowed to access the initial data-element may be performed and, subsequently, first and second executions of the method according to
In first execution, initial data-element and initial procedure may be the first data-element and first procedure, respectively, and intermediate data-element and intermediate procedure may be the second data-element and second procedure, respectively. In this case, first execution of the method may have been triggered due to a call request from user.
In second execution, intermediate data-element and intermediate procedure may be the first data-element and first procedure, respectively, and final data-element and final procedure may be the second data-element and second procedure, respectively. In this case, second execution of the method may have been triggered due to a call request included in a procedure previously called by the controller.
Blocks 600, 601, 602, 604 and 606 may be substantially equal to blocks 500, 501, 502, 504 and 506 of
Block 603 may be similar to block 503 of
Block 605 may be similar to block 505 of
In some examples, “impersonation” functionality may be provided. This functionality may permit the first user to call the second access-procedure even though the user is not “directly” authorized to do that. In particular, database controller may successfully call second access-procedure (in representation of first user) if first user is authorized to call first access-procedure and the creator of first access-procedure is allowed to call the second access-procedure. Verifications needed for implementing said “impersonation” functionality may be performed by consulting authorization tables in a similar way as described in other parts of the disclosure.
A method according to
Although only a number of examples have been disclosed herein, other alternatives, modifications, uses and/or equivalents thereof are possible. Furthermore, all possible combinations of the described examples are also covered. Thus, the scope of the present disclosure should not be limited by particular examples, but should be determined only by a fair reading of the claims that follow.
This application, filed under 35 USC 371, is a U.S. National Stage Application of International Application No. PCT/EP2016/075420, filed Oct. 21, 2016, the disclosure of which is incorporated herein by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2016/075420 | 10/21/2016 | WO | 00 |