Abstract: User security through a middle tier access application is enhanced using a token. In a method, a user authentication request to access a database is received from an end client. The user is authenticated. An identity assertion token is obtained after authenticating the user. The identity assertion token includes a personal identifier. A database request is received from the end client and the database request is sent to the database with the identity assertion token. A reply is received from the database in response to the database request if the personal identifier corresponds to a record stored at the database. The reply received from the database is sent to the end client.

Abstract: One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) from modifying the configuration of the database object, without restricting the user from accessing the database object itself. The security officer is a trusted user that is responsible for maintaining the stability of the database configuration, such that a configuration lock activated by the security officer preserves the database configuration by overriding the privileges assigned to a database administrator.

Abstract: One embodiment of the present invention provides a system that differentiates service provided to a database user based on a security profile of the user. During operation, the system receives a sequence of commands from a user at a database system. The system then uses the sequence of commands to determine a security profile which indicates whether the user is behaving suspiciously. Next the system associates a resource consumer group with the user based on the security profile. Finally, the system differentiates service provided to the user based on the resource consumer group.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.

Abstract: One embodiment of the present invention provides a database system that facilitates modifying a row in a database table to include meta-data about operations performed on the row. During operation, the database system receives a definition for an extensible row descriptor, the extensible row descriptor indicating meta-data associated with operations performed on a row in a database table. The system then receives a condition for updating the extensible row descriptor. The system determines that executing a command satisfies the condition for updating the extensible row descriptor, and updates the extensible row descriptor.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.

Abstract: One embodiment of the present invention provides a system that differentiates service provided to a database user based on a security profile of the user. During operation, the system receives a sequence of commands from a user at a database system. The system then uses the sequence of commands to determine a security profile which indicates whether the user is behaving suspiciously. Next the system associates a resource consumer group with the user based on the security profile. Finally, the system differentiates service provided to the user based on the resource consumer group.

Abstract: One embodiment of the present invention provides a system that facilitates performing multi-stage table updates. During operation, the system receives a query at a query processor, wherein executing the query causes an update to an entire table in a database. Next, the system estimates an amount of transaction log space required to execute the query. If the amount of transaction log space is greater than a pre-determined threshold, the system splits the query into a set of sub-queries, wherein an amount of transaction log space required by each sub-query in the set of sub-queries is less than the pre-determined threshold. For each sub-query in the set of sub-queries, the system executes the sub-query, and performs a mini-commit operation for the sub-query, wherein updates which comprise the mini-commit operation are not exposed to a user. Finally, when mini-commit operations have been performed for all of the sub-queries, the system performs a commit operation for the query.

Abstract: An auditing system receives a set of audit rules from a database administrator, which define a search criteria used to identify a database object that is desired to be audited. The auditing system uses the audit rules to search through a database to identify a corresponding set of database objects that satisfy at least one of the set of audit rules. Then, the system generates audit commands that configure a database management system to audit the identified set of database objects.

Abstract: One embodiment of the present invention provides a system that differentiates service provided to a database user based on a security profile of the user. During operation, the system receives a sequence of commands from a user at a database system. The system then uses the sequence of commands to determine a security profile which indicates whether the user is behaving suspiciously. Next the system associates a resource consumer group with the user based on the security profile. Finally, the system differentiates service provided to the user based on the resource consumer group.

Abstract: One embodiment of the present invention provides a database system that facilitates modifying a row in a database table to include meta-data about operations performed on the row. During operation, the database system receives a definition for an extensible row descriptor, the extensible row descriptor indicating meta-data associated with operations performed on a row in a database table. The system then receives a condition for updating the extensible row descriptor. The system determines that executing a command satisfies the condition for updating the extensible row descriptor, and updates the extensible row descriptor.

Abstract: A method, mechanism, and computer program product for managing, referencing, and accessing centrally managed information are disclosed. Transparency is provided to the centrally managed data by introducing a mapping system between locally expected data and the central data repository. This allows, for example, local relational database systems to transparently access information from a central LDAP directory.

Abstract: One embodiment of the present invention provides a database system that facilitates modifying a row in a database table to include meta-data about operations performed on the row. During operation, the database receives a command to perform an operation on a row in a table of the database. The database then determines if executing the command necessitates updating an extensible row descriptor for the row, wherein the extensible row descriptor is a field in the row that contains meta-data about operations performed on the row. If so, the database updates the extensible row descriptor in a manner defined by an update rule for the extensible row descriptor.

Abstract: One embodiment of the present invention provides a system for performing selective encryption/decryption in a data storage system. During operation, the system receives a data block from a storage medium at an input/output layer, wherein the input/output layer serves as an interface between the storage medium and a buffer cache. Next, the system determines whether the data block is an encrypted data block. If not, the system stores the data block in the buffer cache. Otherwise, if the data block is an encrypted data block, the system retrieves a storage-key, wherein the storage-key is associated with a subset of storage, which is associated with the encrypted data block. Using the storage-key, the system then decrypts the encrypted data block to produce a decrypted data block. Finally, the system stores the decrypted data block in the buffer cache, wherein the data block remains encrypted in the storage medium.

Abstract: Sending control information that is associated with a statement that controls how the statement is processed is disclosed. The information is available to the server even after the window session is closed. The information may be contained in a tag appended to the statement. In an embodiment, the information may be viewed by an administrator. The information may determine aspects of how the statement is executed that is not controlled by the execution engine. For example, the information may relate to security access, priority, quality of service, scheduling, and or use supplied routines.

Abstract: Various techniques are described for processing externally encrypted data by database management system. Specifically, techniques are described for incorporating encrypted data stored in a first database that was encrypted by a first database management system into a second database where the encrypted data is accessed by a second database management system. When accessing externally encrypted data incorporated into the second database, the second database management system can decrypt portions of the data as needed. Because of the manner of incorporation of externally encrypted data into the second database, specifically because the externally encrypted data need not be decrypted before being incorporated into the second database, the computational overhead and security concerns associated with conventional approaches for migrating encrypted data from one database management system to another are avoided.

Abstract: Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device request the resource from the location identified in the response.