T 0963/09 (Selective auditing/ORACLE) 05-06-2014
Selectively auditing accesses to rows within a relational database at a database server
Remittal to the department of first instance without substantive examination - (no)
Inventive step - main request (yes)
I. The applicant (appellant) lodged an appeal against the decision of the Examining Division refusing European patent application No. 01908864.0.
II. In the contested decision, reference was made to the following documents:
D1: EP-A-0 723 238, published on 24 July 1996; and
D2: "Informix Guide to SQL: Tutorial", Informix Extended Parallel Server, Version 8.3 - Informix Dynamic Server 2000, Version 9.2, Chapter 11: "Creating and Using Triggers", December 1999.
The Examining Division decided that the independent claims of both the main request and the auxiliary request lacked an inventive step in view of a combination of documents D1 and D2. Under the heading "Obiter Dictum", it suggested an alternative argumentation of lack of inventive step based on document D2 alone.
III. With the statement of grounds of appeal, the appellant maintained its main request and filed a new auxiliary request.
IV. In a communication accompanying a summons to oral proceedings, the Board introduced the following document into the proceedings:
D3: "Oracle8i Concepts, Release 8.1.5", pages 6-7, 6-8, 29-9, 29-10 and 31-1 to 31-12, February 1999, retrieved from the Internet: http://docs.oracle.com/cd/F49540_01/DOC/server.815/a67781.pdf.
The Board expressed as its preliminary opinion that the subject-matter of claim 1 of the main request lacked an inventive step in view of document D3 and raised objections under Articles 123(2), 84 and 83 EPC against the auxiliary request.
V. With a letter dated 5 May 2014, the appellant filed new first and second auxiliary requests and maintained its previous auxiliary request as a third auxiliary request.
VI. Oral proceedings took place on 5 June 2014. At the start of the oral proceedings, the appellant requested that there be no discussion on the merits and that the case be remitted to the Examining Division for further prosecution. After deliberation, the Board announced that there would first be a substantive discussion of the main request. During the further course of the oral proceedings, the appellant replaced its main request with an amended main request filed at 15.00 hrs. At the end of the oral proceedings, the chairman announced the decision of the Board.
VII. The appellant requested that the decision under appeal be set aside and that the case be remitted to the department of first instance for grant of a patent on the basis of the main request filed at 15.00 hrs, or alternatively on the basis of one of the first and second auxiliary requests filed with letter of 5 May 2014, or on the basis of the third auxiliary request filed as auxiliary request with the statement of grounds of appeal. Furthermore, as a procedural request, the appellant requested that the application be remitted to the Examining Division for further prosecution should the Board be minded not to allow the application.
VIII. Claim 1 of the main request reads as follows:
"A method for selectively auditing accesses to a relational database system (109), comprising:
receiving a query (123) from a client (102) at a database server (110) that processes queries for the relational database system, wherein the relational database system comprises a plurality of relational tables (113), and each of the relational tables includes an auditing flag (206) to indicate whether auditing is enabled for the relational table;
determining whether auditing is enabled by checking all of the tables referenced by the query to see if an auditing flag is set for the tables, and if so, modifying the query prior to processing the query by inserting monitoring logic into the query for causing an audit record to be created and recorded for rows that satisfy an auditing condition;
processing the query at the database server to produce a query result, wherein processing the query causes an audit record to be created only for rows in the relational tables that satisfy the query conditions and are accessed by the query and that satisfy the auditing condition;
recording the audit record in an audit record store (118); and
returning the query result (124) to the client."
Claims 2 to 5 are dependent on claim 1.
Claim 6 of the main request reads as follows:
"A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform all the steps of the method of any preceding claim."
Claim 7 of the main request reads as follows:
"A database server for selectively auditing accesses to a relational database system (109), the database server comprising:
means for receiving a query (123) from a client (102) at the database server (110) that processes queries for the relational database system, wherein the relational database system comprises a plurality of relational tables (113), and each of the relational tables includes an auditing flag (206) to indicate whether auditing is enabled for the relational table;
means for determining whether auditing is enabled by checking all of the tables referenced by the query to see if an auditing flag is set for the tables, and if so, modifying the query prior to processing the query by inserting monitoring logic into the query for causing an audit record to be created and recorded for rows that satisfy an auditing condition;
means for processing the query at the database server to produce a query result, wherein processing the query causes an audit record to be created only for rows in the relational tables that satisfy the query conditions and are accessed by the query and that satisfy the auditing condition;
means for recording the audit record in an audit record store (118); and
means for returning the query result (124) to the client."
Claims 8 to 11 are dependent on claim 7.
The remaining application documents according to the main request are as follows:
- Description: pages 1, 2, 2a, 3 to 9 filed at the oral proceedings;
- Figures: sheets 1/3 to 3/3 of the application as published.
The text of the auxiliary requests is not relevant to the outcome of the present appeal.
1. The appeal complies with the provisions referred to in Rule 101 EPC and is therefore admissible.
2. Request for immediate remittal to the department of first instance
2.1 With the letter dated 5 May 2014, the appellant requested that the application be remitted to the Examining Division should the Board be minded not to allow the application. At the start of the oral proceedings, the appellant reformulated this request to the effect that there be no discussion on the merits and that the case be immediately remitted to the Examining Division for further prosecution.
Referring to decision G 10/93 (OJ EPO 1995, 172), the appellant submitted that while it was true that in ex parte appeal proceedings a board of appeal had the power to raise new objections and even to introduce new documents, this power was not without limitations. G 10/93 required a board to decide after due assessment of the particular circumstances whether it would rule on the case itself or whether it would remit the matter for further prosecution to the examining division (Article 111(1), second sentence, EPC). The relevant circumstances included in particular what stance the appellant was taking with regard to the "loss of instance".
In the present case, the Board appeared to have dispensed with this assessment when it issued its summons accompanied by a communication that not only introduced a new document, but also raised many new and detailed objections. The appellant drew particular attention to the prejudicial effect that such a communication would have on the Examining Division in case of a remittal.
2.2 At the oral proceedings, after an interruption for deliberation, the Board announced that it would not immediately accede to the appellant's request for remittal and then opened the discussion on the main request. By not allowing an immediate remittal the Board implicitly at least partially refused the appellant's procedural request. The Board considers it appropriate to give reasons for this decision.
2.3 It is undisputed that in G 10/93 the Enlarged Board of Appeal decided that a board of appeal in ex parte appeal proceedings had the power to raise new objections and to introduce new documents (reasons 3). The Enlarged Board went on to state that this did not mean that boards of appeal carried out a full examination of the application as to patentability requirements. If however there was reason to believe that a condition for patentability might not have been satisfied, the board either incorporated it into the appeal proceedings or ensured by way of referral to the examining division that it was included when examination was resumed (reasons 4).
In other words, if a board of appeal has reason to believe that an objection exists that has not been previously considered by the examining division, the board may not close its eyes. It must either incorporate the objection into the appeal proceedings or instruct the examining division to examine it.
2.4 The question that the appellant raises is whether a board of appeal may raise a (detailed) objection before inviting the appellant to comment on whether it should be given the right to have the objection examined by two instances. The appellant's concern is mainly that, if a board of appeal has formulated a detailed objection and eventually remits the case for further prosecution without deciding on the objection, the examining division may feel bound by the objection.
2.5 Although the Board to some extent understands the appellant's concern, it considers that a board of appeal has the right to raise such objections without first consulting the appellant.
Firstly, it is clear that an objection raised by a board in the form of a non-binding preliminary opinion does not in any way bind that board and hence also does not bind an examining division to which the case is later remitted. An examining division may be expected to be aware of this and to be capable of making up its mind on the objection independently of the board.
Secondly, if the case is eventually remitted to the examining division with the instruction to examine the new objection, it may in any event be necessary to include with the instruction an indication of the relevant grounds, facts and evidence to be considered.
Thirdly, where a board of appeal is in principle willing to decide on a new objection itself, e.g. because no further investigation appears to be necessary, it is only fair for the board to fully disclose its concerns to the appellant in order to give it the best possible opportunity to either convince the board that the case should be remitted or argue against the new objection.
2.6 From the above considerations it follows that the Board was free to raise an inventive step objection based on a newly introduced document (albeit a document representative of the prior art acknowledged in the application) and to discuss this objection at the oral proceedings even after the appellant had requested remittal to the Examining Division. This left open the possibility for the Board to decide, after due assessment of the particular circumstances, whether to rule on the case itself or to remit the matter for further prosecution.
3. The invention
3.1 The invention aims to enable selective auditing of accesses to tables of a relational database system, said system comprising a database server and a client. This is achieved by including in each table an "auditing flag" indicating whether auditing is enabled for that table. Upon receipt of a database query from the client, the database server checks the auditing flags of the tables accessed by the query to see for which tables the access should be audited. If auditing is enabled, the database server modifies the query by inserting into the query "monitoring logic" which causes audit records to be created "for rows in relational tables that are accessed by the query and that satisfy an auditing condition". The modified query is then processed and the query result is returned to the client. The selectivity of the auditing resides in the use of the auditing condition.
3.2 Two examples given in the application of auditing in accordance with the invention are:
- the creation of an audit record for any row of a database table satisfying either the auditing condition "salary > 1,000,000" or the auditing condition "title = 'CEO'" (page 5, line 31, to page 6, line 5); and
- the creation of an audit record for any row of a database table that is returned by a query and which satisfies the auditing condition "DEPT = 'SALES'" (page 7, lines 22 to 27, and page 8, lines 28 to 30).
3.3 According to the background section of the application, conventional database systems typically provide a general auditing facility that records an audit trail containing general information about the user and the query issued. These auditing facilities record information only as to which tables are accessed, not whether certain records inside a given table are accessed. This table-level auditing tends to generate a large number of false audit records, because many accesses to a given table do not touch sensitive data.
The background section further points out that in certain distributed database architectures, auditing is implemented in applications located on application servers rather than at the database server, which may render it almost impossible to ensure that each application is configured to perform the auditing properly.
4. Clarity - Article 84 EPC
4.1 The implementation of auditing of a query by modifying the query by inserting monitoring logic into the query is discussed on page 6 of the description of the application as filed. Two embodiments are presented. According to the first embodiment on page 6, lines 19 to 21, the query is modified by inserting statements into the query to make the query call a function that creates and records auditing records if a row in a table satisfies the auditing conditions. According to the second embodiment discussed on page 6, lines 22 to 26, modifying the query involves creating two separate queries. A first query additionally includes restrictions based on the auditing conditions and is used to produce the audit records. The second query is unmodified from the initial query and is used to produce the query result.
4.2 At the oral proceedings, the Board mentioned that it appeared unclear whether claim 1 of the then main request was intended to cover both embodiments or only the first embodiment.
Since claim 1 has now been amended to express that processing the (modified) query causes audit records to be created, and since passages related to the second embodiment have been deleted from the description, the Board's concern no longer applies.
4.3 Amended claim 1 now also clearly expresses, in accordance with the description on page 8, lines 28 to 30, that the audit records being created are audit records for those rows that both satisfy the query conditions and satisfy the auditing condition.
4.4 Furthermore, the dependent claims of the main request have been made consistent with the independent claims, and the description has been adapted.
4.5 The main request hence meets the requirements of Article 84 EPC.
5. Added subject-matter - Article 123(2) EPC
Independent claim 1 of the main request corresponds to a combination of claims 1 and 2 as originally filed with amendments based on Figure 1 and on page 5, lines 27 and 28, page 6, lines 12 to 21, and page 8, lines 28 to 30, of the originally filed description. Dependent claims 2 to 5 are based on originally filed dependent claims 3 to 5 and 10, respectively.
Corresponding computer-readable storage medium claim 6 and apparatus claims 7 to 11 similarly have a basis in the application as filed.
The Board is therefore satisfied that the main request complies with Article 123(2) EPC.
6. Sufficiency of disclosure - Article 83 EPC
6.1 In the communication accompanying the summons to oral proceedings, the Board raised an objection under Article 83 EPC in respect of features of claim 1 of the then auxiliary request which were taken from the description on page 7, line 10, to page 8, line 32.
6.2 This passage of the description illustrates by means of an example how monitoring logic is to be inserted into a query. First, the query is rewritten to include a case statement which causes an auditing function to be called if the auditing condition is satisfied. Buffers are then allocated, after which the case statement is removed from the query. After an optimisation step and generation of a query plan for the query, an execution plan for the case statement is generated.
6.3 The Board still has difficulty in completely understanding this passage, in particular in respect of what role the allocated buffers play and how and why the case statement is removed from the rewritten query. However, these concerns do not affect the claims of the main request. Since a person skilled in the field of relational databases is well aware of how a relational database system processes queries by generating a query plan and an execution plan, the Board does not doubt that the application discloses the claimed invention in a manner sufficiently clear and complete for it to be carried out by the skilled person. The main request hence complies with Article 83 EPC.
7. Inventive step - Article 56 EPC
7.1 According to the decision under appeal, the subject-matter of claim 1 of the then main request lacked an inventive step over a combination of documents D1 and D2. Under the heading "Obiter Dictum", the decision furthermore outlined an inventive step reasoning based on document D2 alone.
7.2 Document D1, abstract, discloses auditing of database table record events as part of a method of allowing the structure of a database table to be altered while the database table remains available for execution of transactions. In a first phase, records of a table partition or the entire table are accessed using read-only access while the structure of the database table is altered. In a second phase, the audit trail is used to clean up the data structures created during the first phase. In a third phase, audit trail entries created after the second phase are used to make final changes to the data structures.
In the statement of grounds of appeal, the appellant submitted inter alia that document D1 did not disclose selective auditing and that the skilled person would not modify the system of document D1 to select certain queries for auditing, as this would undermine its operation. In particular, if only selected (rather than all) queries were saved to the audit trail of document D1, the data clean-up of the second phase might not be reliable, and this could then compromise the logical integrity of the database.
For the reasons given by the appellant, the Board agrees that document D1 does not disclose selective auditing and that introducing selective auditing into the system of document D1 would go against its technical teaching. Document D1 is therefore not a suitable starting point for the assessment of inventive step.
7.3 Document D2 discloses the implementation of application-specific auditing by creating a select trigger on a table to insert an audit record into an audit table each time a user queries the table (page 11-13, "Using Select Triggers").
The decision under appeal appears to combine the section "Using Select Triggers" on page 11-13 with the section "Using the WHEN Condition" on page 11-10 to conclude that document D2 discloses the use of select triggers to create and record audit records for accessed rows that satisfy an auditing condition. However, the passage "Using Select Triggers" on page 11-13 only mentions the creation of audit records as one possible use of "select triggers". The skilled person reading document D2 might understand that such select triggers may be combined with a "WHEN condition", but this combination is not disclosed.
The Board does not consider document D2 to be particularly close to the invention. It discloses auditing, but not selective auditing. The Examining Division appears to have considered it important that a form of selective auditing may be implemented in the system of document D2 using select triggers, but - apart from this not being disclosed - this implementation of selective auditing is not the implementation claimed or disclosed in the present application.
The Board is therefore of the view that document D2 is not a more promising starting point for the assessment of inventive step than the conventional database auditing facilities discussed in the background section of the application.
7.4 In order to back up the prior art acknowledged in the background section of the present application, the Board has introduced document D3 into the proceedings.
Document D3, pages 6-7 and 6-8, discloses a distributed database architecture comprising clients, application servers and database servers. The application servers serve as an interface between the client and one or more database servers. An application server assumes the identity of the client when it is performing operations on the database server for that client. A database server provides the data requested by an application server on behalf of a client.
Document D3, page 6-8, discloses that the Oracle database server can audit operations performed by the application server on behalf of individual clients as well as operations performed by the application server on its own behalf.
The types of auditing supported by the Oracle database are listed on page 31-2. Schema object auditing, further explained on pages 31-8 and 31-9, makes it possible to enable auditing of select statements on a particular table using an "AUDIT SELECT ON" statement.
7.5 The Board considers document D3 to represent a suitable starting point for the invention. It discloses a database system comprising a database server and clients. The database server audits select statements on tables for which auditing has been enabled. The example on page 31-8 discloses a plurality of relational tables ("emp" and "dept"). The subject-matter of claim 1 differs from the auditing method of document D3 in that:
- each of the relational tables includes an auditing flag to indicate whether auditing is enabled for the table;
- upon receipt of a query, it is determined whether auditing is enabled by checking all of the tables referenced by the query to see if an auditing flag is set for the tables;
- if auditing is enabled, the query is modified prior to being processed by inserting monitoring logic into the query for causing an audit record to be created and recorded for rows that satisfy an auditing condition;
- processing the query causes an audit record to be created only for rows in the relational tables that satisfy the query conditions and are accessed by the query and that satisfy the auditing condition.
7.6 In the communication accompanying the summons, the Board observed that auditing of database accesses, while in itself a technical operation, in the context of the present invention appeared not to serve any specific technical purpose going beyond the act of auditing. Similarly, the motivation for making auditing selective, i.e. limiting auditing of database accesses to accesses of rows satisfying a particular auditing condition, appeared to be non-technical.
The Board need not decide whether it maintains this view, as it finds, as explained below, that the claimed implementation of selective auditing involves an inventive step.
7.7 According to claim 1, selective auditing is implemented essentially by the insertion into the query of monitoring logic that, upon processing of the query, causes an audit record to be created only for rows satisfying the auditing condition. In the communication accompanying the summons, the Board noted in respect of the corresponding feature of claim 1 of the then main request that auditing of a select statement caused the addition of audit records to an audit table, i.e. a further database action. It expressed the view that it was an obvious possibility to perform such database actions using a suitable database query either as part of the user's query or as a separate query. This effectively resulted in the auditing being performed by "inserting monitoring logic into the query". Reference was made to page 6, lines 16 to 26, of the description.
7.8 At the oral proceedings, the appellant explained that the claimed invention allowed row-based selective auditing to be performed based on an auditing condition that referred to fields that were not included in the query result returned to the client.
Taking the first example given in point 3.2 above, if the query takes the form of a select statement that selects the "salary" column and, for example, a column specifying the name of the employee, but does not select the "title" column, then auditing based on the condition "title = 'CEO'" is not possible by first executing the query and then filtering the query result to determine the rows that additionally satisfy the auditing condition.
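The mechanism of points 3.1 and 7.8, as an added sketch that is not taken from the application or the decision: the server checks a per-table auditing flag, inserts a CASE expression that calls an audit function, and strips the extra column before returning the result. Assumptions: SQLite through Python's `sqlite3`, a hypothetical `audit_policy` catalogue table and `audit_row` function, constructed sample rows, and single-table SELECTs only.

```python
import sqlite3

def make_db():
    """Build a constructed sample database; returns (connection, audit store)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE emp  (name TEXT, salary INTEGER, title TEXT, dept TEXT);
        CREATE TABLE dept (dname TEXT, city TEXT);
        -- hypothetical catalogue holding the per-table auditing flag and condition
        CREATE TABLE audit_policy (table_name TEXT PRIMARY KEY,
                                   flag INTEGER, condition TEXT);
    """)
    conn.executemany("INSERT INTO emp VALUES (?,?,?,?)", [
        ("Alice", 2_000_000, "CEO",      "EXEC"),
        ("Bob",      90_000, "Engineer", "ENG"),
        ("Carol", 1_500_000, "Trader",   "SALES"),
        ("Dave",     60_000, "Clerk",    "SALES"),
        ("Erin",    500_000, "CEO",      "SUBSIDIARY"),
    ])
    conn.executemany("INSERT INTO dept VALUES (?,?)",
                     [("SALES", "London"), ("ENG", "Munich")])
    conn.executemany("INSERT INTO audit_policy VALUES (?,?,?)", [
        ("emp",  1, "salary > 1000000 OR title = 'CEO'"),
        ("dept", 0, None),
    ])
    store = []  # stands in for the audit record store

    def audit_row(user, table, rowid):
        store.append((user, table, rowid))
        return 1

    # Registered as non-deterministic (the default), so it runs once per row.
    conn.create_function("audit_row", 3, audit_row)
    return conn, store

def rewrite(conn, user, columns, table, where):
    """Return (sql, params, audited) for SELECT columns FROM table WHERE where."""
    if not all(ident.isidentifier() for ident in (table, *columns)):
        raise ValueError("unexpected identifier")
    col_list = ", ".join(columns)
    policy = conn.execute(
        "SELECT flag, condition FROM audit_policy WHERE table_name = ?",
        (table,)).fetchone()
    if not policy or not policy[0]:
        # Flag not set: the query is processed unmodified.
        return f"SELECT {col_list} FROM {table} WHERE {where}", (), False
    # Monitoring logic goes in the select list, so it is evaluated only for
    # rows that already satisfy the query's own WHERE clause. CASE calls
    # audit_row only when the auditing condition holds, and that condition
    # can read columns the client never selected.
    sql = (f"SELECT {col_list}, "
           f"CASE WHEN ({policy[1]}) THEN audit_row(?, ?, rowid) END "
           f"FROM {table} WHERE {where}")
    return sql, (user, table), True

def run_query(conn, user, columns, table, where):
    """Process the (possibly rewritten) query and return only what was asked for."""
    sql, params, audited = rewrite(conn, user, columns, table, where)
    rows = conn.execute(sql, params).fetchall()
    # Drop the monitoring column so the client sees the original result shape.
    return [r[:-1] for r in rows] if audited else rows

if __name__ == "__main__":
    conn, store = make_db()
    print(run_query(conn, "app_user", ["name", "salary"], "emp", "salary > 80000"))
    print(store)
```

Erin's row is audited solely because of `title = 'CEO'`, a column absent from the returned rows, which is the case a post-execution filter on the query result cannot cover.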
7.9 In view of this explanation the Board accepts that the claimed solution to the problem of implementing selective auditing cannot be regarded, without documentary evidence, as a mere obvious possibility. Since, moreover, none of the documents on file disclose the insertion of monitoring logic into a query, the Board concludes that the subject-matter of claim 1 and that of corresponding independent claims 6 and 7 involves an inventive step. By virtue of their dependency on the independent claims, the subject-matter of the dependent claims involves an inventive step as well.
7.10 The main request hence complies with Articles 52(1) and 56 EPC.
8. Since the main request complies with the provisions of the EPC, the appeal is to be allowed.
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the department of first instance with the order to grant a patent on the basis of:
- Claims: claims 1 to 11 according to the main request filed at the oral proceedings at 15.00 hrs;
- Description: pages 1, 2, 2a, 3 to 9 filed at the oral proceedings;
- Figures: sheets 1/3 to 3/3 of the application as published.