WO2011097670A1 - Database access licence management - Google Patents


Info

Publication number: WO2011097670A1
Authority: WO, WIPO (PCT)
Prior art keywords: database, user, procedure, licence, access
Application number: PCT/AU2011/000127
Other languages: French (fr)
Inventors: Todd Meynink, Mark Joseph Ledwich
Original Assignee: Zap Holdings Limited
Priority claimed from AU2010900507A
Application filed by Zap Holdings Limited
Publication of WO2011097670A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor, of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/217 Database tuning
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/283 Multi-dimensional databases or data warehouses, e.g. MOLAP or ROLAP

Abstract

A computer executable method of managing access to an OLAP cube in which the database management system is modified by one or more of: Incorporating a licence check procedure as a stored procedure in the database; Using a connection event to trigger a licence verification of the user; Using connection strings to bind access to the database to a particular application; Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.

Description

DATABASE ACCESS LICENCE MANAGEMENT
This invention relates to Database Management Systems (DBMS) to provide the necessary scaffolding to license access to the database itself.
Background to the invention
Often significant IP is invested in the creation of databases that facilitate report writing relevant to a business. This is particularly acute in the case of OLAP databases, where knowledge of the business and the reporting requirements is essential to an effective reporting system.
Most database vendors do not provide a way for 3rd parties to capture the value they create with the design and knowledge that goes into producing these databases and the reports they build on top of them.
USA patent 6506786 discloses a method of controlling access where a service monitors the Analysis Services for connections and, if a licence limit is reached, the database is taken offline.
USA patent application 6904523 discloses the use of a licensing attribute certificate in enforcing access to a computer resource.
USA patent application 20090287704 discloses a security system for a data cube that operates on a per user basis at the cell level and includes in addition to dimension level tables cell security tables that include a cell permission and a cell qualifier table.
It is an object of this invention to provide a means of controlling access to databases and verifying a user's licence status.
Brief description of the invention
The present invention presents a range of mechanisms for providing the ability for database creators to license access to these valuable databases they have created on a per user basis (typically referred to as client access licensing or CAL licensing) even though there is no explicit mechanism for doing so in the database management system (DBMS).
A database management system (DBMS), sometimes just called a database manager, is a program that lets one or more computer users create and access data in a database. The DBMS manages user requests (and requests from other programs) so that users and other programs are free from having to understand where the data is physically located on storage media and, in a multi-user system, who else may also be accessing the data. In handling user requests, the DBMS ensures the integrity of the data (that is, making sure it continues to be accessible and is consistently organized as intended) and security (making sure only those with access privileges can access the data).
To this end the present invention provides a method of managing access to a database in which the database management system is modified by one or more of:
a) Incorporating a licence check procedure as a stored procedure in the database
b) Using a connection event to trigger a licence verification of the user
c) Using connection strings to bind access to the database to a particular application
d) Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.
This invention utilizes one or more of the following aspects of a database management system, the preferred system being the Microsoft SQL Server DBMS and an OLAP cube database, to effect licensing.
Stored Procedures
Most database systems allow you to create custom queries that can be parameterized and saved for later use, called stored procedures. These procedures can then be called from other queries. Rather than performing standard query operations, the invention uses a custom stored procedure to perform license checks.
Connection Events
SQL Server 2008 allows you to trigger custom behaviours in response to new connections being established. The invention can respond to these events by performing a license check and refusing the connection by throwing an exception if the license check does not pass.
Connection Strings
In some instances it might be desirable to bind access to the database to a particular application. Tokens can be inserted into the connection string by the application which can then be checked by another method inside the DBMS.
Cell Calculations
Normally used to modify numerical results from a database query, the invention creates a "root" cell calculation that applies to all cells (data) in a cube. Rather than performing an arithmetical operation, the cell calculation calls out to a custom stored procedure to perform a license check. If the check succeeds, it returns the cell values unchanged. If it fails, it returns an error message, rather than the data itself.
Detailed description of the invention
In this invention the method performs a license check by hooking into connection request events and calling a custom stored procedure. If the check fails, the connection is refused.
This procedure is illustrated in Figure 1.
The license itself is stored in an encrypted annotation in the database.
Detailed Example
The preferred embodiment is described with reference to the Microsoft SQL Server 2008 DBMS.
The Cube Wizard tool which creates the OLAP databases inserts special codes and structures necessary to perform the licensing checks. These include:
Component | Where Deployed | Purpose
Restriction information | In the cube | License restrictions to enforce
AS Assembly | An assembly on the Analysis Services Server | Performs license checks and creates calculations for the MDX script to use
A .NET assembly which contains special stored procedures is registered with the Analysis Services server; it uses the Personalization Extensions feature of SQL2008 to handle log in and log out events. A stored procedure in the assembly reads the encrypted license information from the cube and verifies that all the specified restrictions are complied with. These restriction types typically include:
Restriction | Enforcement
Number of concurrent sessions per user (used to stop a single user being used on behalf of many users) | A count is kept against each user, which is incremented when they log in and decremented when they log out. This is
Restricting Cube Access and Communicating With Users and through Generated Results
One of the key innovations of the present invention is the manner in which it utilizes existing mechanisms of the underlying databases themselves or their host DBMS in order to restrict access or communicate with the end user, regardless of the reporting application they are using.
Calculated Members
If there are any license errors, a calculated member with the error message is created just for this user. As a result, that user's view of the data, in whatever application they are using, displays the message, without affecting other users. So rather than seeing the data they were expecting, each table cell entry will contain the desired message from the licensing system.
On the other hand, if the license check was successful, then a special success calculated member is created for that user.
Cell Calculations
The SQL Server OLAP cube is created with a special script that applies to all cells (elements of data returned). Through this hook, we can perform the license checks and modify the results returned to the user. It references the calculated members just created by our stored procedure above in the following logic:
IF success calculation exists THEN
    display data
ELSE IF error calculation exists THEN
    display error calculation
ELSE
    display licensing installation error
END IF
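The connection-event check, the per-user concurrent-session counter and the cell-calculation decision described above, modelled in Python as an added example (not the patent's .NET assembly or any Zap Holdings code). It assumes the licence annotation is a JSON document; this example authenticates it with an HMAC tag rather than encrypting it, so an altered restriction is detected when the procedure reads it, and it treats expiry and a per-user session limit as the only restrictions.

```python
"""Model of the licence check: a connection event calls the licence
procedure, a per-user session counter enforces concurrency, and the root
cell calculation decides what each user sees. Added example, not the
patent's assembly. The annotation format and the HMAC tag are assumptions."""
import hashlib
import hmac
import json
from datetime import date

LICENCE_KEY = b"constructed-example-key"   # would live only inside the assembly
INSTALL_ERROR = "Licensing components are not installed on this server"


def make_annotation(restrictions: dict) -> str:
    """Serialise the restrictions and append an HMAC tag (constructed licence)."""
    body = json.dumps(restrictions, sort_keys=True)
    tag = hmac.new(LICENCE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def read_licence(annotation: str) -> dict:
    """Return the restrictions, or raise if the annotation has been altered."""
    body, _, tag = annotation.rpartition("|")
    expected = hmac.new(LICENCE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("licence annotation has been altered")
    return json.loads(body)


class LicenceServer:
    """Stand-in for the assembly that handles log-in/log-out events and
    creates, per user, either a success member or an error member."""

    def __init__(self, annotation: str, today: date):
        self.annotation = annotation
        self.today = today
        self.sessions: dict[str, int] = {}  # concurrent sessions per user
        self.members: dict[str, str] = {}   # user -> "success" or "error:<msg>"

    def on_login(self, user: str) -> bool:
        """Connection event. Returns False where the real hook would throw
        an exception to refuse the connection."""
        try:
            lic = read_licence(self.annotation)
            if date.fromisoformat(lic["expires"]) < self.today:
                raise ValueError("licence expired on " + lic["expires"])
        except (ValueError, KeyError) as exc:
            # Licence-level failure: this user's cells will show the message.
            self.members[user] = "error:" + str(exc)
            return False
        if self.sessions.get(user, 0) >= lic["max_sessions_per_user"]:
            return False  # over the limit; existing sessions are left untouched
        self.sessions[user] = self.sessions.get(user, 0) + 1
        self.members[user] = "success"
        return True

    def on_logout(self, user: str) -> None:
        """Log-out event: decrement the user's concurrent session count."""
        if self.sessions.get(user, 0) > 0:
            self.sessions[user] -= 1

    def cell_value(self, user: str, value):
        """Root cell calculation: IF success member THEN data, ELSE IF error
        member THEN its message, ELSE the licensing installation error."""
        member = self.members.get(user)
        if member == "success":
            return value
        if member is not None and member.startswith("error:"):
            return member[len("error:"):]
        return INSTALL_ERROR
```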
Counter-Hack
For a licensing system to be effective, it is important that it not be trivial to circumvent. The special scripts and modifications made by the OLAP database generation tool could be manually removed at a later date provided the person trying to circumvent the system knew what to look for.
The cube has a hidden MDX script which will generate an error if the required stored procedures are not installed on the server.
If these mechanisms are removed, the data will quickly become stale again, and it will be necessary to run the Cube creation Wizard again. This process ensures all licensing components exist on every run. Therefore the circumvention process would need to be repeated every time this occurs, which is usually at least daily. The labour involved here acts as an obvious deterrent to unauthorised access.
Another method is illustrated in Figure 2.
Not all DBMSs provide a hook for connection events. In these cases (e.g. Microsoft SQL Server 2005), another approach is required.
A third approach restricts access to the database indirectly by restricting access to the database to a specific application, and the licensing of that application in turn decides which users can access the database. It uses both the connection strings used to connect to the cubes, and cell calculations used inside the cube.
From the above, those skilled in the art will realise that this invention provides a unique way of allowing a third party created cube or database to be licensed without having to alter the application that runs the query. Those skilled in the art will also realise that this invention may be implemented in embodiments other than those described.

Claims

1. A computer executable method of managing access to a database in which the database management system is modified by one or more of:
a) Incorporating a licence check procedure as a stored procedure in the database
b) Using a connection event to trigger a licence verification of the user
c) Using connection strings to bind access to the database to a particular application
d) Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.
2. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database and a connection event triggers the database to run the stored procedure to verify the user.
3. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database and modifies a cell calculation to trigger a stored procedure and the application that is used to request data includes a routine that verifies that the user is licensed and generates a token which is incorporated into the connection string and when the request is made the cell calculation verifies the token in the connection string.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2010900507 2010-02-09
AU2010900507A AU2010900507A0 (en) 2010-02-09 Database Access Licence Management

Publications (1)

Publication Number Publication Date
WO2011097670A1 true WO2011097670A1 (en) 2011-08-18

Family

ID=44367051

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2011/000127 WO2011097670A1 (en) 2010-02-09 2011-02-08 Database access licence management

Country Status (1)

Country Link
WO (1) WO2011097670A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010011253A1 (en) * 1998-08-04 2001-08-02 Christopher D. Coley Automated system for management of licensed software
US20050086213A1 (en) * 2003-10-16 2005-04-21 Fuji Xerox Co., Ltd. Server apparatus, information providing method and program product therefor
US6898707B1 (en) * 1999-11-30 2005-05-24 Accela, Inc. Integrating a digital signature service into a database
US20060064387A1 (en) * 2004-09-22 2006-03-23 Siemens Information And Communication Networks, Inc. Systems and methods for software licensing
US20060224522A1 (en) * 2005-04-01 2006-10-05 Schlumberger Technology Corporation Method and system for database licensing
CA2674332A1 (en) * 2008-08-01 2010-02-01 Simba Technologies Inc. Method and system for using queries for multidimensional databases with databases of other types

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110740122A (en) * 2019-09-11 2020-01-31 苏宁云计算有限公司 method and device for improving data warehouse security
CN110740122B (en) * 2019-09-11 2022-06-07 苏宁云计算有限公司 Method and device for improving safety of data warehouse

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11741745

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11741745

Country of ref document: EP

Kind code of ref document: A1