WO2015150788A1 - Improved access control mechanism for databases - Google Patents


Info

Publication number
WO2015150788A1
Authority
WO
WIPO (PCT)
Prior art keywords
authorities
principal
granted
entity
denied
Application number
PCT/GB2015/050994
Other languages
French (fr)
Inventor
Matthew SEABORN
Original Assignee
Perform Media Services Ltd
Application filed by Perform Media Services Ltd
Published as WO2015150788A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database


Abstract

The present invention relates to a method for access control of a database by a principal, comprising: granting authorities for entities within the database to the principal; denying authorities for entities within the database to the principal; and determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity. A system for access control is also disclosed.

Description

Improved access control mechanism for databases
Field of Invention
The present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to controlling access to entities within a database for multiple principals.
Background
Security mechanisms for databases are common. These mechanisms operate by determining whether an actor has permission to perform an operation on an entity by determining if the operation belongs to the actor's role. For example, in a content management system (CMS), when attempting to make changes to an article, most CMSes will require the user to be in the "Role" of editor. Users who are editors are therefore able to change articles and users who are not cannot. Unfortunately, these existing mechanisms do not provide much scope for complexity in defining access control for actors to entities within the database. For example, if multiple organisations require access to the database then it may be a requirement to prohibit users of one organisation from accessing content of another organisation, to share access between the users of the organisations for certain content, or for an umbrella organisation's users to have access to content of a subsidiary organisation.
It is an object of the present invention to provide an improved access control mechanism which overcomes the disadvantages of the prior art, or at least provides a useful alternative.
Summary of Invention
According to a first aspect of the invention there is provided a method for access control of a database by a principal, comprising:
a) granting authorities for entities within the database to the principal;
b) denying authorities for entities within the database to the principal; and
c) determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity.
At least some of the authorities may be granted or denied to a plurality of groups. The principal may be allocated to one or more of the plurality of groups such that authorities granted or denied to the one or more groups are granted or denied to the principal.
The authorities may define permission for one or more operations in relation to the entity. The operations may include Create, Read, Update and Delete. The operations may include custom-defined operations. One or more authorities may be granted or denied for entities by type.
One or more authorities may be granted or denied for specific entities.
One or more authorities may be granted or denied for specific entities and all entities associated with that specific entity.
Where multiple authorities are granted and denied to the principal and relevant to the entity, the authorities may be ordered by a precedence method with the highest ranked authority taking precedence. Authorities denied to the principal and relevant to the entity may take precedence over the grant of authorities. The precedence method may rank authorities granted or denied directly to the principal over authorities granted to groups associated with the principal. The precedence method may rank, at least some, of the grant or denial of authorities by specificity of identification of the entity.
The principal may be a user.
At least some of the authorities may relate to one or more properties of the entity.
According to a further aspect of the invention there is provided a system for access control of a database by a principal, comprising:
a processor; and
a memory; wherein the system is configured to perform the method of the first aspect.
According to a further aspect of the invention there is provided a content management system, comprising:
a database;
a server; and
an application program interface configured to receive requests from clients for access to entities within the database on behalf of principals; wherein the system is configured to perform the method of the first aspect.
Other aspects of the invention are described within the claims.
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1: shows a block diagram illustrating a system in accordance with an embodiment of the invention;
Figure 2: shows a block diagram illustrating a database for use with an embodiment of the invention;
Figure 3: shows a flow diagram illustrating a method in accordance with an embodiment of the invention;
Figure 4: shows a flow diagram illustrating an exemplary precedence method in accordance with an embodiment of the invention;
Figure 5: shows a table illustrating an example of ranking of the grant and denial of authorities in accordance with an embodiment of the invention; and
Figure 6: shows a block diagram illustrating a system in accordance with an embodiment of the invention.
Detailed Description of Preferred Embodiments
The present invention provides an improved database access control method and system.
In Figure 1, a system 100 in accordance with an embodiment of the invention is shown.
The system 100 may comprise a database 101, a server 102, and one or more clients 103, 104, and 105. The server 102 may comprise a memory 106 and a processor 107.
The clients 103, 104, and 105 may be user devices or automated devices. The clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals. A principal is an actor, which may be a user or an automated process. The server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
It will be appreciated that a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems.
The server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or wide-area network (WAN), or a combination of interconnected networks such as the Internet.
In one embodiment, the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
The database 101 will be described with reference to Figure 2.
The database 101 may comprise a plurality of entities 200, 201, and 202. Each entity 200, 201, 202 may comprise one or more properties 203, 204, and 205. One of the properties 204 may identify the type of entity. One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101. One or more of the entities 200 may be associated 206 with one or more other entities 202.
It will be appreciated that Figure 2 illustrates a logical representation of a database. Physically, the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses.
A method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
In step 301, one or more authorities may be granted for the entities within the database to a principal. An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity. The authority may define different types of operations permissible on the entity. For example, the authority may grant access to create, read, update and/or delete the entity. Other operations can be envisaged; for example, within a content management system "publish" may be an operation. Operations may be defined by the authority in relation to specific properties of the entity.
The authorities may be granted directly to the principal, or the authorities may be granted indirectly to the principal. In the case of the latter, the authorities may be granted to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted an authority or is associated with a group to which an authority is granted, then the principal may inherit the grant of authority.
In step 302, one or more authorities may be denied for the entities within the database in the same way as the authorities may be granted. In step 303, a determination for permission to perform an operation on an entity within a database for a principal may be based, at least in part, upon the authorities which have been granted and denied to the principal and which relate to the entity. The determination may occur at the server. The determination may be based upon a precedence method. The precedence method may rank the grant and denial of authorities based upon the directness of the grant or denial of the authority to the principal and the specificity of identification of the entity. Where an authority has been both granted and denied at the same level of directness and/or specificity, the denial of authority is given precedence.
The determination for permission may be ascertained in response to a request for that operation by the principal. The request may be generated at a client and transmitted to the server.
An exemplary precedence method will be described with reference to Figure 4.
The grant or denial of authorities are ranked from highest to lowest based first upon the following order:
1) The authority was directly granted or denied to the principal.
2) The authority was indirectly granted or denied to the principal via the principal's membership of a group.
Within the above ranking the grant or denial of authorities is ranked from highest to lowest based upon the following specificity of entity identification by the authority:
1) Entities that are specifically identified (i.e. by unique identifier; the unique identifier may be comprised of an entity type and an identifier which is unique for that type).
2) Entities that are associated with another specifically identified entity.
3) Entities that are associated with another entity identified by type.
4) Entities that are identified by type.
Within the above ranking, the denial of authorities is ranked above the grant of authorities.
An example will now be described with reference to Figure 5. A principal is directly granted the following authorities:
- Update entity of type Article and ID 1
and directly denied the following authorities:
- Update entities of type Article associated with entity ID 1 of type Category
The principal is a member of a group, Group A, which has been granted the following authorities:
- Update entities of type Article
and denied the following authorities:
- Update entity of type Article and ID 1
A request is made by the principal to update entity Article ID 1 which is associated with entity ID 1 of type Category. The authorities are ranked as shown in table 500.
As the principal is a member of Group A, the principal is granted the authority 501 to update any articles. However, this authority 501 is outranked by both the more specific denial of authority 502 to update article ID 1 by Group A and the direct denial of authority 503 to the principal of updates to any articles associated with category ID 1. Ultimately, the highest ranking is the direct grant of authority 504 to the principal to update article ID 1 because it is more direct than the denial of authority 502 and more specific than the denial of authority 503.
Therefore, this principal is able to update entity Article ID 1.
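The precedence method of Figure 4 and the Figure 5 example, written out as an added Python example (not code from the patent or from Perform Media Services). The class and function names, the numeric rank values, inheritance through a group's `parents`, and the default-deny outcome when no authority is relevant are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Specificity of entity identification, highest rank first (Figure 4).
SPECIFIC_ENTITY = 1        # identified by type + unique id
ASSOC_SPECIFIC_ENTITY = 2  # associated with a specifically identified entity
ASSOC_ENTITY_TYPE = 3      # associated with an entity identified by type
ENTITY_TYPE = 4            # identified by type only
DIRECT, VIA_GROUP = 1, 2   # directness of the grant or denial to the principal
DENY, GRANT = 0, 1         # at equal directness and specificity, denial wins
# A rank is the tuple (directness, specificity, effect); the lowest tuple outranks.

@dataclass(frozen=True)
class Entity:
    entity_type: str
    entity_id: str
    associated: FrozenSet[Tuple[str, str]] = frozenset()  # (type, id) of associated entities

@dataclass(frozen=True)
class Authority:
    operation: str                    # e.g. "update", or a custom operation such as "publish"
    effect: int                       # GRANT or DENY
    entity_type: str
    entity_id: Optional[str] = None   # set: a specific entity of entity_type
    assoc_type: Optional[str] = None  # set: entities associated with an entity of this type
    assoc_id: Optional[str] = None    # set with assoc_type: that associated entity is specific

    def specificity(self) -> int:
        if self.entity_id is not None:
            return SPECIFIC_ENTITY
        if self.assoc_type is None:
            return ENTITY_TYPE
        return ASSOC_SPECIFIC_ENTITY if self.assoc_id is not None else ASSOC_ENTITY_TYPE

    def matches(self, operation: str, entity: Entity) -> bool:
        """True if this authority is relevant to the requested operation on the entity."""
        if self.operation != operation or self.entity_type != entity.entity_type:
            return False
        if self.entity_id is not None and self.entity_id != entity.entity_id:
            return False
        if self.assoc_type is None:
            return True
        return any(t == self.assoc_type and self.assoc_id in (None, i)
                   for t, i in entity.associated)

@dataclass
class Group:
    authorities: List[Authority] = field(default_factory=list)
    parents: List[str] = field(default_factory=list)  # groups this group is associated with

@dataclass
class Principal:
    name: str
    authorities: List[Authority] = field(default_factory=list)  # granted/denied directly
    groups: List[str] = field(default_factory=list)

def effective_groups(principal: Principal, registry: Dict[str, Group]) -> List[str]:
    """Groups the principal is allocated to, plus groups those groups are associated with."""
    seen: List[str] = []
    todo = list(principal.groups)
    while todo:
        name = todo.pop()
        if name in seen or name not in registry:
            continue
        seen.append(name)
        todo.extend(registry[name].parents)  # inherit through group association
    return seen

def rank_authorities(principal, registry, operation, entity):
    """Relevant authorities as (rank, authority) pairs, highest-ranked first."""
    ranked = [((DIRECT, a.specificity(), a.effect), a)
              for a in principal.authorities if a.matches(operation, entity)]
    for g in effective_groups(principal, registry):
        ranked += [((VIA_GROUP, a.specificity(), a.effect), a)
                   for a in registry[g].authorities if a.matches(operation, entity)]
    return sorted(ranked, key=lambda pair: pair[0])

def is_permitted(principal, registry, operation, entity) -> bool:
    """Default deny (an assumption): with no relevant authority the request is refused."""
    ranked = rank_authorities(principal, registry, operation, entity)
    return bool(ranked) and ranked[0][1].effect == GRANT

# Figure 5 worked example, constructed here from the patent's description.
GROUPS = {"Group A": Group(authorities=[
    Authority("update", GRANT, "Article"),                 # 501: update any Article
    Authority("update", DENY, "Article", entity_id="1"),   # 502: deny Article ID 1
])}
PRINCIPAL = Principal("editor", groups=["Group A"], authorities=[
    Authority("update", DENY, "Article", assoc_type="Category", assoc_id="1"),  # 503
    Authority("update", GRANT, "Article", entity_id="1"),                       # 504
])
ARTICLE_1 = Entity("Article", "1", frozenset({("Category", "1")}))
```

Ranking the four authorities for an update of Article ID 1 yields 504, 503, 502, 501 in that order, so the request is permitted; a second article in Category ID 1 is refused because the direct denial 503 outranks Group A's type-level grant 501.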
An exemplary implementation of the invention will now be described with reference to Figure 6.
A database 600 is shown. The database is configured for storing entities. A server 601 is shown. The server is configured for allocating authorities to entities within the database to principals and for determining access to the entities for principals based upon requests from client devices.
The database 600 and server 601 may together form a content management system.
A plurality of client devices 602 and 603 are shown.
The database 600, server 601, and/or client devices 602 and 603 may be interconnected via a communications network or networks.
The server 601 comprises an application program interface (API) 604. The API 604 provides functions that can be called by the clients 602 and 603. The functions may include access requests to entities within the database 600 on behalf of principals. The requests may trigger changes to the entities stored in the database 600, changes to processing or management of the entities, or may involve the retrieval of data within the entity for transmission back to the client device 602 or 603.
The clients 602 and 603 may include an access module 605. This module 605 may be implemented in software or hardware. For example, the access module 605 may be defined within code, such as JavaScript, embedded within a web-page obtained, for example, from the server 601; the access module 605 may be compiled code executing on the client 602 or 603; or the access module 605 may be a customised chip for a server apparatus (which may be client device 602 or 603). The access module 605 may be configured for interacting with the application program interface (API) 604 to provide access to entities within the database 600 on behalf of a principal at the client 602 or 603.
A potential advantage of some embodiments of the present invention is that complex authorities can be defined for access to a database. The advantage of providing for complex authorities is that fine-grained and coarse-grained access control can be defined. Furthermore, due to the interaction between grant and denial of authorities, the system provides both a simplified method of defining this access control and a computationally efficient method of managing this access control.
While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept.

Claims

1. A method for access control of a database by a principal, comprising:
a) granting authorities for entities within the database to the principal;
b) denying authorities for entities within the database to the principal; and
c) determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity.
2. A method as claimed in claim 1, wherein at least some of the authorities are granted or denied to a plurality of groups.
3. A method as claimed in claim 2, wherein the principal is allocated to one or more of the plurality of groups such that authorities granted or denied to the one or more groups are granted or denied to the principal.
4. A method as claimed in any one of the preceding claims, wherein the authorities define permission for one or more operations in relation to the entity.
5. A method as claimed in claim 4, wherein the operations include Create, Read, Update and Delete.
6. A method as claimed in any one of claims 4 to 5, wherein the operations include custom-defined operations.
7. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for entities by type.
8. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for specific entities.
9. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for specific entities and all entities associated with that specific entity.
10. A method as claimed in any one of the preceding claims, wherein, where multiple authorities are granted and denied to the principal and relevant to the entity, the authorities are ordered by a precedence method and the highest ranked authority takes precedence.
11. A method as claimed in claim 10, wherein authorities denied to the principal and relevant to the entity take precedence over the grant of authorities.
12. A method as claimed in any one of claims 10 to 11, wherein the precedence method ranks authorities granted or denied directly to the principal over authorities granted to groups associated with the principal.
13. A method as claimed in any one of claims 10 to 12, wherein the precedence method ranks, at least some, of the grant or denial of authorities by specificity of identification of the entity.
14. A method as claimed in any one of the preceding claims, wherein the principal is a user.
15. A method as claimed in any one of the preceding claims, wherein at least some of the authorities relate to one or more properties of the entity.
16. A system for access control of a database by a principal, comprising:
a processor; and
a memory; wherein the system is configured to perform the method of any one of claims 1 to 15.
17. A content management system, comprising:
a database;
a server; and
an application program interface configured to receive requests from clients for access to entities within the database on behalf of principals; wherein the system is configured to perform the method of any one of claims 1 to 15.
18. A content management system as claimed in claim 17, further comprising a plurality of clients, each client comprising an access module for interacting with the application program interface.
19. An application program interface configured for use with the content management system of claim 17.
20. A client configured for use with the content management system of claim 18.
21. A method or system as herein described with reference to the Figures.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1405799.6 2014-03-31
GB1405799.6A GB2526054A (en) 2014-03-31 2014-03-31 Improved access control mechanism for databases

Publications (1)

Publication Number Publication Date
WO2015150788A1 true WO2015150788A1 (en) 2015-10-08

Family

ID=50737768

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2015/050994 WO2015150788A1 (en) 2014-03-31 2015-03-31 Improved access control mechanism for databases

Country Status (2)

Country Link
GB (1) GB2526054A (en)
WO (1) WO2015150788A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113742667A (en) * 2021-08-06 2021-12-03 杭州群核信息技术有限公司 Account information processing method and device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110296523A1 (en) * 2010-05-26 2011-12-01 Microsoft Corporation Access control management mapping resource/action pairs to principals
US20140090085A1 (en) * 2012-09-26 2014-03-27 Protegrity Corporation Database access control


Also Published As

Publication number Publication date
GB201405799D0 (en) 2014-05-14
GB2526054A (en) 2015-11-18


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15721292; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase (Ref document number: 15721292; Country of ref document: EP; Kind code of ref document: A1)