Database fine-grained access control employing hierarchical item level entitlement
Abstract
A database query is received (300), a user associated with the query is determined, and an entitlement entry associated with the user is obtained (302). The entitlement entry is created by applying an entitlement rule associated with the user to a chasing rule, and may be obtained from an entitlement detail table populated by an entitlement engine. The entitlement rule may define a row in a table to which the user has access and the operations the user may perform on data in that row, e.g. select, update, delete, insert. The chasing rule may define a hierarchy of tables, including a user-accessible table, and the order in which the hierarchy is traversed. An entitlement predicate for a data view query is determined (304) using the entitlement entry; the data view query includes the entitlement predicate and is associated with the received query. The data view query is executed (306), and the data, which the user is entitled to view, is presented (308, 310). The data may itself be entitled by association with an entry in an entitleable table.
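The flow in the abstract, as an added sketch in Python with SQLite; it is not code from the patent. The schema (a `dept` to `project` hierarchy), the users, the comma-separated `ops` column and all function names are constructed assumptions used only to show an entitlement engine expanding row-level rules down a chasing rule and the resulting predicate being attached to the data view query.

```python
import sqlite3

# Constructed schema and sample rows: the abstract names no tables or users.
SCHEMA = """
CREATE TABLE dept(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE project(id INTEGER PRIMARY KEY, dept_id INTEGER, title TEXT);
CREATE TABLE entitlement_rule(user TEXT, tbl TEXT, row_id INTEGER, ops TEXT);
CREATE TABLE entitlement_detail(user TEXT, tbl TEXT, row_id INTEGER, ops TEXT);
INSERT INTO dept VALUES (1,'Research'),(2,'Sales');
INSERT INTO project VALUES (10,1,'Alpha'),(11,1,'Beta'),(20,2,'Gamma');
INSERT INTO entitlement_rule VALUES
  ('alice','dept',1,'select,update'),('bob','project',20,'select');
"""
# Chasing rule (assumed shape): ordered hops of (parent table, child table, child FK).
CHASING_RULE = [("dept", "project", "dept_id")]


def run_entitlement_engine(db):
    """Populate entitlement_detail by applying each entitlement rule to the chasing rule."""
    db.execute("DELETE FROM entitlement_detail")
    db.execute("INSERT INTO entitlement_detail SELECT * FROM entitlement_rule")
    for parent, child, fk in CHASING_RULE:  # traverse the hierarchy in rule order
        # Table and column names here come from the constant above, not from input.
        db.execute(
            f"INSERT INTO entitlement_detail "
            f"SELECT e.user, ?, c.id, e.ops FROM entitlement_detail e "
            f"JOIN {child} c ON c.{fk} = e.row_id WHERE e.tbl = ?",
            (child, parent))


def entitled_query(db, user, table, op="select"):
    """Run the data view query: the base query plus the entitlement predicate."""
    if table not in {"dept", "project"}:  # identifiers are allow-listed
        raise ValueError("unknown table")
    predicate = ("id IN (SELECT row_id FROM entitlement_detail "
                 "WHERE user = ? AND tbl = ? AND ',' || ops || ',' LIKE ?)")
    sql = f"SELECT * FROM {table} WHERE {predicate} ORDER BY id"
    return db.execute(sql, (user, table, f"%,{op},%")).fetchall()


def demo():
    """Build the in-memory database and run the engine once."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    run_entitlement_engine(db)
    return db
```

Because the predicate reads only the precomputed detail table, the hierarchy is walked when the engine runs, not on every query; a user with no entry gets an empty result.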