US 12,143,398 B1
Cloud-based mainframe service
Didier Germain Durand, Jougne (FR); and Ilia Gilderman, Bellevue, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Dec. 3, 2021, as Appl. No. 17/457,630.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/107 (2013.01)
20 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
provisioning a kernel of an operating system (OS) with an authorization interceptor that uses a first set of security policies stored in a policy database to determine whether to grant or deny access to resources managed by the operating system;
launching a mainframe application on the operating system;
submitting, by the mainframe application, a first request to access a first resource managed by the operating system;
obtaining, at the kernel, a system call indicating that the mainframe application requested access to the first resource managed by the operating system;
determining, by the authorization interceptor, within the kernel of the OS, and based on the system call, a first request context;
performing, by the authorization interceptor, within the kernel of the OS, a first policy evaluation to determine whether to grant access to the first resource based on the first set of security policies and the first request context, wherein the first policy evaluation overrides a first security model of the operating system implemented using OS permissions;
submitting, by the mainframe application, a second request to perform an activity on a second resource managed by a database management system (DBMS), wherein the DBMS comprises a DBMS hook;
determining, at the DBMS hook of the database management system and based on the second request, a second request context;
determining, by the DBMS hook of the database management system, a second set of security policies stored in the policy database that control access to resources of the database management system;
performing, by the DBMS hook of the database management system, a second policy evaluation to determine whether to grant access to the second resource based on the second set of security policies and the second request context, wherein the second policy evaluation overrides a second security model implemented by the DBMS using database-level grants and revokes; and
responsive to the second policy evaluation indicating to grant the access to the second resource, performing, by the database management system, the activity on the second resource managed by the database management system.
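As an added illustration, not code from the patent or from Amazon, the following Python model traces the flow claim 1 describes: a kernel-side authorization interceptor and a DBMS hook both derive a request context and consult one shared policy database, and the policy decision overrides the native OS permission bits or database grants. The policy schema, the application identity PAYROLL, the file paths, table names and the deny-overrides / default-deny combining rule are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    domain: str    # "os" (kernel interceptor) or "dbms" (DBMS hook)
    subject: str   # identity of the mainframe application or job
    resource: str  # file path or table name; "*" matches any resource
    action: str    # syscall or SQL verb, e.g. "read", "select", "update"
    effect: str    # "allow" or "deny"

# Constructed policy database shared by both enforcement points (an assumption;
# the patent only says the policies are stored in a policy database).
POLICY_DB = [
    Policy("os",   "PAYROLL", "/data/payroll.dat", "read",   "allow"),
    Policy("os",   "PAYROLL", "/etc/shadow",       "read",   "deny"),
    Policy("dbms", "PAYROLL", "EMPLOYEE",          "select", "allow"),
    Policy("dbms", "PAYROLL", "SALARY",            "update", "deny"),
]

def evaluate(domain, ctx):
    """Policy evaluation: explicit deny wins, otherwise allow if any rule
    matches, otherwise default deny. Returns (decision, matched_policy)."""
    matches = [p for p in POLICY_DB
               if p.domain == domain and p.subject == ctx["subject"]
               and p.resource in (ctx["resource"], "*")
               and p.action == ctx["action"]]
    denies = [p for p in matches if p.effect == "deny"]
    if denies:
        return "deny", denies[0]
    allows = [p for p in matches if p.effect == "allow"]
    if allows:
        return "allow", allows[0]
    return "deny", None  # no matching policy: fail closed

def kernel_interceptor(syscall, subject, path, os_perms_allow):
    """Models the claimed in-kernel hook: build the request context from the
    system call, decide from the policy DB, and report whether that decision
    overrode what the OS permission model (os_perms_allow) would have done."""
    ctx = {"subject": subject, "resource": path, "action": syscall}
    decision, _ = evaluate("os", ctx)
    native = "allow" if os_perms_allow else "deny"
    return decision, decision != native

def dbms_hook(statement, subject, table, grant_allows):
    """Models the claimed DBMS hook: the SQL verb becomes the action, the
    table (assumed already resolved by the DBMS) becomes the resource, and
    the policy decision overrides the database's own grants/revokes."""
    ctx = {"subject": subject, "resource": table,
           "action": statement.split()[0].lower()}
    decision, _ = evaluate("dbms", ctx)
    native = "allow" if grant_allows else "deny"
    return decision, decision != native
```

Because the shared database is the single deciding authority, a rule missing from it denies the request even when the OS or DBMS would have permitted it, which is the behaviour to verify first when testing such an interceptor.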