Abstract: One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with the user. Next, the system checks if a session-level cache exists for a set of Access Control Entries (ACEs) which is associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated one or more roles and the ACL. The system subsequently updates the session level cache with the updated set of ACEs and updated one or more roles.

Abstract: One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with the user. Next, the system checks if a session-level cache exists for a set of Access Control Entries (ACEs) which is associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated one or more roles and the ACL. The system subsequently updates the session level cache with the updated set of ACEs and updated one or more roles.

Abstract: A method and system for managing access information for users and other entities in a distributed computing system is disclosed. An aspect is directed to sharing schemas across multiple users. This can be accomplished by mapping multiple global users to the same local schema. Any users mapped to that local schema would, upon logging in, receive the set of privileges associated with the global user and the local schema. In this manner, separate schemas would not need to be defined for each global user.

Abstract: A mechanism is described for determining whether a password may be used in a system that determines access privileges based on passwords. A computer system, such as a database system, receives user supplied routines that are each associated with a group of users. A proposed password (e.g. string) is received that is associated with a particular user that belongs to particular group. The user supplied routine associated with the group is used to determine whether the proposed password may be used as a password.

Abstract: A method for providing security and password mechanisms in a data base system. The method limits access to the database to clients who transmit a valid password and user ID combination. Furthermore, the method requires that passwords are changed periodically. The method ensures that passwords meet certain criteria. Finally, the method provides a script which can be used to extend the security and password mechanisms.