WO2015150788A1 - Improved access control mechanism for databases - Google Patents
- Publication number: WO2015150788A1 (PCT/GB2015/050994)
- Authority: WO (WIPO PCT)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The present invention relates to a method for access control of a database by a principal, comprising: granting authorities for entities within the database to the principal; denying authorities for entities within the database to the principal; and determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity. A system for access control is also disclosed.
Description
Improved access control mechanism for databases
Field of Invention
The present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to controlling access to entities within a database for multiple principals.
Background
Security mechanisms for databases are common. These mechanisms operate by determining whether an actor has permission to perform an operation on an entity by determining if the operation belongs to the actor's role. For example, in a content management system (CMS), when attempting to make changes to an article, most CMSes will require the user to be in the "Role" of editor. Users who are editors are therefore able to change articles and users who are not cannot. Unfortunately, these existing mechanisms do not provide much scope for complexity in defining access control for actors to entities within the database. For example, if multiple organisations require access to the database then it may be a requirement to prohibit users of one organisation from accessing content of another organisation, to share access between the users of the organisations for certain content, or for an umbrella organisation's users to have access to content of a subsidiary organisation.
It is an object of the present invention to provide an improved access control mechanism which overcomes the disadvantages of the prior art, or at least provides a useful alternative.
Summary of Invention
According to a first aspect of the invention there is provided a method for access control of a database by a principal, comprising:
a) granting authorities for entities within the database to the principal;
b) denying authorities for entities within the database to the principal; and
c) determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity.
At least some of the authorities may be granted or denied to a plurality of groups. The principal may be allocated to one or more of the plurality of groups such that authorities granted or denied to the one or more groups are granted or denied to the principal.
The authorities may define permission for one or more operations in relation to the entity. The operations may include Create, Read, Update and Delete. The operations may include custom-defined operations. One or more authorities may be granted or denied for entities by type.
One or more authorities may be granted or denied for specific entities.
One or more authorities may be granted or denied for specific entities and all entities associated with that specific entity.
Where multiple authorities are granted and denied to the principal and relevant to the entity, the authorities may be ordered by a precedence method with the highest ranked authority taking precedence. Authorities denied to the principal and relevant to the entity may take precedence over the grant of authorities. The precedence method may rank authorities granted or denied directly to the principal over authorities granted to groups associated with the principal. The precedence method may rank, at least some, of the grant or denial of authorities by specificity of identification of the entity.
The principal may be a user.
At least some of the authorities may relate to one or more properties of the entity.
According to a further aspect of the invention there is provided a system for access control of a database by a principal, comprising:
a processor; and
a memory; wherein the system is configured to perform the method of the first aspect.
According to a further aspect of the invention there is provided a content management system, comprising:
a database;
a server; and
an application program interface configured to receive requests from clients for access to entities within the database on behalf of principals; wherein the system is configured to perform the method of the first aspect.
Other aspects of the invention are described within the claims.
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1: shows a block diagram illustrating a system in accordance with an embodiment of the invention;
Figure 2: shows a block diagram illustrating a database for use with an embodiment of the invention;
Figure 3: shows a flow diagram illustrating a method in accordance with an embodiment of the invention;
Figure 4: shows a flow diagram illustrating an exemplary precedence method in accordance with an embodiment of the invention;
Figure 5: shows a table illustrating an example of ranking of the grant and denial of authorities in accordance with an embodiment of the invention; and
Figure 6: shows a block diagram illustrating a system in accordance with an embodiment of the invention.
Detailed Description of Preferred Embodiments
The present invention provides an improved database access control method and system.
In Figure 1, a system 100 in accordance with an embodiment of the invention is shown.
The system 100 may comprise a database 101, a server 102, and one or more clients 103, 104, and 105. The server 102 may comprise a memory 106 and a processor 107.
The clients 103, 104, and 105 may be user devices or automated devices. The clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals. A principal is an actor, which may be a user or an automated process.
The server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
It will be appreciated that a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems.
The server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or wide-area network (WAN), or a combination of interconnected networks such as the Internet.
In one embodiment, the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
The database 101 will be described with reference to Figure 2.
The database 101 may comprise a plurality of entities 200, 201, and 202. Each entity 200, 201, 202 may comprise one or more properties 203, 204, and 205. One of the properties 204 may identify the type of entity. One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101. One or more of the entities 200 may be associated 206 with one or more other entities 202.
It will be appreciated that Figure 2 illustrates a logical representation of a database. Physically, the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses.
A method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
In step 301, one or more authorities may be granted for the entities within the database to a principal. An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity. The authority may define different types of operations permissible on the entity. For example, the authority may grant access to create, read, update and/or delete the entity. Other operations can be envisaged; for example, within a content management system "publish" may be an operation. Operations may be defined by the authority in relation to specific properties of the entity. The authorities may be granted directly to the principal, or the authorities may be granted indirectly to the principal. In the case of the latter, the authorities may be granted to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted an authority or is associated with a group to which an authority is granted, then the principal may inherit the grant of authority.
In step 302, one or more authorities may be denied for the entities within the database in the same way as the authorities may be granted.
In step 303, a determination for permission to perform an operation on an entity within a database for a principal may be based, at least in part, upon the authorities which have been granted and denied to the principal and which relate to the entity. The determination may occur at the server. The determination may be based upon a precedence method. The precedence method may rank the grant and denial of authorities based upon the directness of the grant or denial of the authority to the principal and the specificity of identification of the entity. Where an authority has been both granted and denied at the same level of directness and/or specificity, the denial of authority is given precedence.
The determination for permission may be ascertained in response to a request for that operation by the principal. The request may be generated at a client and transmitted to the server.
An exemplary precedence method will be described with reference to Figure 4.
The grant or denial of authorities are ranked from highest to lowest based first upon the following order:
1) The authority was directly granted or denied to the principal.
2) The authority was indirectly granted or denied to the principal via the principal's membership of a group.
Within the above ranking the grant or denial of authorities is ranked from highest to lowest based upon the following specificity of entity identification by the authority:
1) Entities that are specifically identified (i.e. by unique identifier; the unique identifier may be comprised of an entity type and an identifier which is unique for that type).
2) Entities that are associated with another specifically identified entity.
3) Entities that are associated with another entity identified by type.
4) Entities that are identified by type.
Within the above ranking, the denial of authorities is ranked above the grant of authorities.
An example will now be described with reference to Figure 5.
A principal is granted directly the following authorities:
Update entity of type Article and ID 1
And denied the following authorities:
Update entities of type Article associated with entity ID 1 of type Category
The principal is a member of a group - Group A - which has been granted the following authorities:
Update entities of type Article
And denied the following authorities:
Update entity of type Article and ID 1
A request is made by the principal to update entity Article ID 1 which is associated with entity ID 1 of type Category. The authorities are ranked as shown in table 500.
As the principal is a member of Group A, the principal is granted the authority 501 to update any articles. However, this authority 501 is outranked by both the more specific denial of authority 502 to update article ID 1 by Group A and the direct denial of authority 503 to the principal of updates to any articles associated with category ID 1. Ultimately, the highest ranking is the direct grant of authority 504 to the principal to update article ID 1 because it is more direct than the denial of authority 502 and more specific than the denial of authority 503.
Therefore, this principal is able to update entity Article ID 1.
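The exemplary precedence method of Figure 4 and the Figure 5 scenario, as an added reference model that is not part of the patent. Authorities are ranked by a tuple (directness, specificity, deny-before-grant) and the smallest tuple wins; the names Authority, Principal, Group, ranked_authorities and is_permitted, and the default-deny when no authority is relevant, are assumptions of this example rather than anything the patent specifies.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the patent): a reference model of the exemplary
# precedence method. Rank tuples sort ascending, so the smallest tuple is
# the highest-ranking authority.

# Specificity levels, in the order the patent ranks them (1 = most specific).
SPECIFIC_ENTITY = 1        # identified by (type, id)
ASSOC_WITH_SPECIFIC = 2    # associated with a specifically identified entity
ASSOC_WITH_TYPE = 3        # associated with an entity identified only by type
BY_TYPE = 4                # identified by type only


@dataclass(frozen=True)
class Entity:
    type: str
    id: int
    associations: tuple = ()   # other Entity objects this one is associated with


@dataclass(frozen=True)
class Authority:
    operation: str                   # e.g. "update", or a custom one like "publish"
    grant: bool                      # True = grant, False = deny
    entity_type: str                 # every authority names at least the type
    entity_id: Optional[int] = None  # set -> specifically identified entity
    assoc_type: Optional[str] = None # set -> identified via association
    assoc_id: Optional[int] = None   # set with assoc_type -> specific association

    def specificity(self) -> int:
        if self.entity_id is not None:
            return SPECIFIC_ENTITY
        if self.assoc_type is not None and self.assoc_id is not None:
            return ASSOC_WITH_SPECIFIC
        if self.assoc_type is not None:
            return ASSOC_WITH_TYPE
        return BY_TYPE

    def matches(self, entity: Entity) -> bool:
        """True if this authority is relevant to the given entity."""
        if entity.type != self.entity_type:
            return False
        if self.entity_id is not None:
            return entity.id == self.entity_id
        if self.assoc_type is not None:
            return any(
                other.type == self.assoc_type
                and (self.assoc_id is None or other.id == self.assoc_id)
                for other in entity.associations
            )
        return True


@dataclass
class Group:
    name: str
    authorities: list = field(default_factory=list)


@dataclass
class Principal:
    name: str
    authorities: list = field(default_factory=list)   # direct grants/denials
    groups: list = field(default_factory=list)        # indirect, via membership


def rank_key(direct: bool, auth: Authority) -> tuple:
    # Order of the exemplary method: directness, then specificity, then deny before grant.
    return (0 if direct else 1, auth.specificity(), 0 if not auth.grant else 1)


def ranked_authorities(principal: Principal, operation: str, entity: Entity) -> list:
    """All (direct, authority) pairs relevant to (operation, entity), highest-ranked first."""
    candidates = [(True, a) for a in principal.authorities]
    for group in principal.groups:
        candidates += [(False, a) for a in group.authorities]
    relevant = [(d, a) for d, a in candidates
                if a.operation == operation and a.matches(entity)]
    return sorted(relevant, key=lambda pair: rank_key(*pair))


def is_permitted(principal: Principal, operation: str, entity: Entity) -> bool:
    ranked = ranked_authorities(principal, operation, entity)
    if not ranked:
        return False   # assumption: no relevant authority means the operation is denied
    _, winner = ranked[0]
    return winner.grant


# The Figure 5 scenario, reconstructed from the text (501-504 are the table's authorities).
GROUP_A = Group("Group A", [
    Authority("update", True, "Article"),                  # 501: update any article
    Authority("update", False, "Article", entity_id=1),    # 502: deny update of Article 1
])
PRINCIPAL = Principal("principal", [
    Authority("update", True, "Article", entity_id=1),     # 504: direct grant on Article 1
    Authority("update", False, "Article",
              assoc_type="Category", assoc_id=1),          # 503: deny for articles in Category 1
], groups=[GROUP_A])

CATEGORY_1 = Entity("Category", 1)
ARTICLE_1 = Entity("Article", 1, associations=(CATEGORY_1,))
ARTICLE_2 = Entity("Article", 2, associations=(CATEGORY_1,))   # constructed extra case

if __name__ == "__main__":
    for direct, a in ranked_authorities(PRINCIPAL, "update", ARTICLE_1):
        print("direct" if direct else "group ", "GRANT" if a.grant else "DENY ", a)
    print("update Article 1:", is_permitted(PRINCIPAL, "update", ARTICLE_1))   # True
    print("update Article 2:", is_permitted(PRINCIPAL, "update", ARTICLE_2))   # False
```

The constructed Article 2 case shows the direct denial 503 winning over the group grant 501 once the direct grant 504 no longer applies.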
An exemplary implementation of the invention will now be described with reference to Figure 6.
A database 600 is shown. The database is configured for storing entities.
A server 601 is shown. The server is configured for allocating authorities to entities within the database to principals and for determining access to the entities for principals based upon requests from client devices.
The database 600 and server 601 may together form a content management system.
A plurality of client devices 602 and 603 are shown.
The database 600, server 601, and/or client devices 602 and 603 may be interconnected via a communications network or networks.
The server 601 comprises an application program interface (API) 604. The API 604 provides functions that can be called by the clients 602 and 603. The functions may include access requests to entities within the database 600 on behalf of principals. The requests may trigger changes to the entities stored in the database 600, changes to processing or management of the entities, or may involve the retrieval of data within the entity for transmission back to the client device 602 or 603.
The clients 602 and 603 may include an access module 605. This module 605 may be implemented in software or hardware. For example, the access module 605 may be defined within code, such as JavaScript, embedded within a web page obtained, for example, from the server 601; the access module 605 may be compiled code executing on the client 602 or 603; or the access module 605 may be a customised chip for a server apparatus (which may be client device 602 or 603). The access module 605 may be configured for interacting with the application program interface (API) 604 to provide access to entities within the database 600 on behalf of a principal at the client 602 or 603.
A potential advantage of some embodiments of the present invention is that complex authorities can be defined for access to a database. The advantage of providing for complex authorities is that fine-grained and coarse-grained access control can be defined. Furthermore, due to the interaction between grant and denial of authorities, the system provides both a simplified method of defining this access control and a computationally efficient method of managing this access control.
While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept.
Claims
1. A method for access control of a database by a principal, comprising:
a) granting authorities for entities within the database to the principal;
b) denying authorities for entities within the database to the principal; and
c) determining operational access to an entity for the principal based upon the interaction of authorities granted and denied to the principal and relevant to the entity.
2. A method as claimed in claim 1, wherein at least some of the authorities are granted or denied to a plurality of groups.
3. A method as claimed in claim 2, wherein the principal is allocated to one or more of the plurality of groups such that authorities granted or denied to the one or more groups are granted or denied to the principal.
4. A method as claimed in any one of the preceding claims, wherein the authorities define permission for one or more operations in relation to the entity.
5. A method as claimed in claim 4, wherein the operations include Create, Read, Update and Delete.
6. A method as claimed in any one of claims 4 to 5, wherein the operations include custom-defined operations.
7. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for entities by type.
8. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for specific entities.
9. A method as claimed in any one of the preceding claims, wherein one or more authorities are granted or denied for specific entities and all entities associated with that specific entity.
10. A method as claimed in any one of the preceding claims, wherein, where multiple authorities are granted and denied to the principal and relevant to the entity, the authorities are ordered by a precedence method and the highest ranked authority takes precedence.
11. A method as claimed in claim 10, wherein authorities denied to the principal and relevant to the entity take precedence over the grant of authorities.
12. A method as claimed in any one of claims 10 to 11, wherein the precedence method ranks authorities granted or denied directly to the principal over authorities granted to groups associated with the principal.
13. A method as claimed in any one of claims 10 to 12, wherein the precedence method ranks, at least some, of the grant or denial of authorities by specificity of identification of the entity.
14. A method as claimed in any one of the preceding claims, wherein the principal is a user.
15. A method as claimed in any one of the preceding claims, wherein at least some of the authorities relate to one or more properties of the entity.
16. A system for access control of a database by a principal, comprising:
a processor; and
a memory; wherein the system is configured to perform the method of any one of claims 1 to 15.
17. A content management system, comprising:
a database;
a server; and
an application program interface configured to receive requests from clients for access to entities within the database on behalf of principals; wherein the system is configured to perform the method of any one of claims 1 to 15.
18. A content management system as claimed in claim 17, further comprising a plurality of clients, each client comprising an access module for interacting with the application program interface.
19. An application program interface configured for use with the content management system of claim 17.
20. A client configured for use with the content management system of claim 18.
21. A method or system as herein described with reference to the Figures.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
GB1405799.6A GB2526054A (en) | 2014-03-31 | 2014-03-31 | Improved access control mechanism for databases
Publications (1)
Publication Number | Publication Date
---|---
WO2015150788A1 (en) | 2015-10-08
Family
Family ID: 50737768
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/GB2015/050994 WO2015150788A1 (en) | Improved access control mechanism for databases | 2014-03-31 | 2015-03-31
Country Status (2)
Country | Link |
---|---|
GB (1) | GB2526054A (en) |
WO (1) | WO2015150788A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113742667A (en) * | 2021-08-06 | 2021-12-03 | 杭州群核信息技术有限公司 | Account information processing method and device, storage medium and electronic equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110296523A1 (en) * | 2010-05-26 | 2011-12-01 | Microsoft Corporation | Access control management mapping resource/action pairs to principals |
US20140090085A1 (en) * | 2012-09-26 | 2014-03-27 | Protegrity Corporation | Database access control |
Events
- 2014-03-31: GB GB1405799.6A (patent/GB2526054A/en), not active, Withdrawn
- 2015-03-31: WO PCT/GB2015/050994 (patent/WO2015150788A1/en), active, Application Filing
Also Published As
Publication number | Publication date |
---|---|
GB201405799D0 (en) | 2014-05-14 |
GB2526054A (en) | 2015-11-18 |
Similar Documents
Publication | Title |
---|---|
US11803651B2 (en) | Dynamically generated smart contracts |
US20200153870A1 (en) | Dynamic authorization in a multi-tenancy environment via tenant policy profiles |
US7478094B2 (en) | High run-time performance method for setting ACL rule for content management security |
CN102567454B (en) | Realize the method and system of the granularity self contained navigation of data in cloud computing environment |
US8458337B2 (en) | Methods and apparatus for scoped role-based access control |
US8191115B2 (en) | Method and apparatus for extensible security authorization grouping |
US8122484B2 (en) | Access control policy conversion |
US8850041B2 (en) | Role based delegated administration model |
US8250628B2 (en) | Dynamic augmentation, reduction, and/or replacement of security information by evaluating logical expressions |
US9860252B2 (en) | System and method for maintenance of transitive closure of a graph and user authentication |
US20070283443A1 (en) | Translating role-based access control policy to resource authorization policy |
US7596562B2 (en) | System and method for managing access control list of computer systems |
US10372483B2 (en) | Mapping tenat groups to identity management classes |
US20160098573A1 (en) | Securing a Distributed File System |
EP2659412B1 (en) | A system and method for using partial evaluation for efficient remote attribute retrieval |
US8180894B2 (en) | System and method for policy-based registration of client devices |
US20060156021A1 (en) | Method and apparatus for providing permission information in a security authorization mechanism |
CN111464487B (en) | Access control method, device and system |
US20060156020A1 (en) | Method and apparatus for centralized security authorization mechanism |
US9323751B2 (en) | Controlling access to documents by parties |
JP2013114475A (en) | Information management system and information management method |
WO2015150792A1 (en) | An improved database access control method and system |
WO2015150802A1 (en) | Distributed database access control method and system |
US10491635B2 (en) | Access policies based on HDFS extended attributes |
US20080201761A1 (en) | Dynamically Associating Attribute Values with Objects |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15721292; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 15721292; Country of ref document: EP; Kind code of ref document: A1 |