Patents by Inventor Vikram Pesati
Vikram Pesati has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 9886590
  Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.
  Type: Grant
  Filed: July 23, 2009
  Date of Patent: February 6, 2018
  Assignee: Oracle International Corporation
  Inventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
- Patent number: 9495394
  Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
  Type: Grant
  Filed: August 29, 2013
  Date of Patent: November 15, 2016
  Assignee: Oracle International Corporation
  Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
- Patent number: 9477671
  Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.
  Type: Grant
  Filed: May 27, 2009
  Date of Patent: October 25, 2016
  Assignee: Oracle International Corporation
  Inventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
- Patent number: 9471801
  Abstract: Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.
  Type: Grant
  Filed: November 29, 2007
  Date of Patent: October 18, 2016
  Assignee: Oracle International Corporation
  Inventors: Sam Idicula, Thomas Keefe, Mohammed Irfan Rafiq, Tanvir Ahmed, Vikram Pesati, Nipun Agarwal
- Patent number: 9043309
  Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.
  Type: Grant
  Filed: June 5, 2012
  Date of Patent: May 26, 2015
  Assignee: Oracle International Corporation
  Inventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
- Patent number: 8732847
  Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one or more access control entries defines whether one or more subjects have been granted or denied zero, one, or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.
  Type: Grant
  Filed: August 31, 2009
  Date of Patent: May 20, 2014
  Assignee: Oracle International Corporation
  Inventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
- Publication number: 20140006344
  Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
  Type: Application
  Filed: August 29, 2013
  Publication date: January 2, 2014
  Applicant: Oracle International Corporation
  Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
- Publication number: 20130325841
  Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.
  Type: Application
  Filed: June 5, 2012
  Publication date: December 5, 2013
  Inventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
- Patent number: 8549038
  Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
  Type: Grant
  Filed: June 15, 2009
  Date of Patent: October 1, 2013
  Assignee: Oracle International Corporation
  Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
- Patent number: 8095557
  Abstract: A method and storage media for performing access resolution using ACL types is provided. Under an AND semantic, an intersection set formed from the types of multiple ACLs protecting a resource may be utilized to efficiently determine whether a request for a privilege to access the resource is granted or denied. If the privilege is not a member of the intersection set, the privilege cannot be granted. A union set may be used for an OR semantic. A global ACL type may represent all privileges system-wide or application-wide. A global ACL may represent a system-wide or application-wide access policy. A conjunction of a global ACL and a regular ACL may be stored in a cache. The union set, intersection set, or access resolution may also be cached for subsequent request processing.
  Type: Grant
  Filed: April 30, 2009
  Date of Patent: January 10, 2012
  Assignee: Oracle International Corporation
  Inventors: Tanvir Ahmed, Thomas Keefee, Vikram Pesati, Eric Sedlar
- Publication number: 20110055918
  Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one or more access control entries defines whether one or more subjects have been granted or denied zero, one, or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.
  Type: Application
  Filed: August 31, 2009
  Publication date: March 3, 2011
  Applicant: Oracle International Corporation
  Inventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
- Publication number: 20110023082
  Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.
  Type: Application
  Filed: July 23, 2009
  Publication date: January 27, 2011
  Inventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
- Publication number: 20100306268
  Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.
  Type: Application
  Filed: May 27, 2009
  Publication date: December 2, 2010
  Inventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
- Publication number: 20100281060
  Abstract: A method and storage media for performing access resolution using ACL types is provided. Under an AND semantic, an intersection set formed from the types of multiple ACLs protecting a resource may be utilized to efficiently determine whether a request for a privilege to access the resource is granted or denied. If the privilege is not a member of the intersection set, the privilege cannot be granted. A union set may be used for an OR semantic. A global ACL type may represent all privileges system-wide or application-wide. A global ACL may represent a system-wide or application-wide access policy. A conjunction of a global ACL and a regular ACL may be stored in a cache. The union set, intersection set, or access resolution may also be cached for subsequent request processing.
  Type: Application
  Filed: April 30, 2009
  Publication date: November 4, 2010
  Applicant: Oracle International Corporation
  Inventors: Tanvir Ahmed, Thomas Keefee, Vikram Pesati, Eric Sedlar
- Publication number: 20090144804
  Abstract: Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.
  Type: Application
  Filed: November 29, 2007
  Publication date: June 4, 2009
  Applicant: Oracle International Corporation
  Inventors: Sam Idicula, Thomas Keefe, Mohammed Irfan Rafiq, Tanvir Ahmed, Vikram Pesati, Nipun Agarwal
- Publication number: 20060085837
  Abstract: One embodiment of the present invention provides a system that facilitates managing security policies for databases in a distributed system. During operation, the system creates multiple label security policies. The system stores these security policies in a directory and automatically propagates them from the directory to each database within the distributed system. In doing so, the system allows for applying policies to individual tables and schema in any database in the distributed system. The system facilitates centralized administration of security policies and removes the need for replicating policies, since the policy information is available in the directory.
  Type: Application
  Filed: October 14, 2004
  Publication date: April 20, 2006
  Inventors: Vikram Pesati, Srividya Tata, Shiu Wong
- Publication number: 20050289342
  Abstract: Regulating access to data in a database comprises binding data sensitivity labels to database table columns so that security policies can be applied at the column level rather than at the row level, without requiring creation of separate tables for the labeled columns and without associated join operations. In various embodiments, in response to a request for access to data in a particular column of a database table, column relevant data sensitivity labels and a user sensitivity permission are used to determine whether the requesting user is granted access to data in the labeled column. If the requesting user's sensitivity permission meets or exceeds the sensitivity of the requested data, then return of the data is allowed. The data sensitivity labels and the user sensitivity permission information may be managed in a central resource for access by multiple entities, such as multiple database servers.
  Type: Application
  Filed: June 28, 2004
  Publication date: December 29, 2005
  Applicant: Oracle International Corporation
  Inventors: Paul Needham, Vikram Pesati