WO2015150797A1 - Distributed database access control method and system - Google Patents

Distributed database access control method and system Download PDF

Info

Publication number
WO2015150797A1
WO2015150797A1 PCT/GB2015/051004 GB2015051004W WO2015150797A1 WO 2015150797 A1 WO2015150797 A1 WO 2015150797A1 GB 2015051004 W GB2015051004 W GB 2015051004W WO 2015150797 A1 WO2015150797 A1 WO 2015150797A1
Authority
WO
WIPO (PCT)
Prior art keywords
principal
entity
database
authorities
authority
Prior art date
Application number
PCT/GB2015/051004
Other languages
French (fr)
Inventor
Matthew SEABORN
Original Assignee
Perform Media Services Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Perform Media Services Ltd filed Critical Perform Media Services Ltd
Publication of WO2015150797A1 publication Critical patent/WO2015150797A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • the present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to distributed database access control.
  • a method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising:
  • An authority mechanism may be generated within the distributed system and transmitted to the multiple locations for use in determining operational access.
  • the authority mechanism may be an authority map.
  • a key to the authority map may be comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity.
  • the key may map to a list of authorities relevant to the entity ordered by precedent.
  • the multiple locations may include the client device.
  • An authority may be granted or denied when allocated to a principal.
  • authorities may be allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups may be allocated to the principal.
  • authorities may be ranked higher in precedence dependent on the increased specificity of identification of the entity.
  • the principal may be a user.
  • a distributed system for access control of a database by a principal comprising:
  • Figure 1 shows a block diagram illustrating a system in accordance with an embodiment of the invention
  • Figure 2 shows a block diagram illustrating a database for use with an embodiment of the invention
  • Figure 3 shows a flow diagram illustrating a method in accordance with an embodiment of the invention
  • Figure 4 shows a sequence diagram illustrating a method in accordance with an embodiment of the invention
  • Figure 5a shows a table illustrating keys for an authority map generated in accordance with an embodiment of the invention
  • Figure 5b shows a table illustrating an authority table for an authority map generated in accordance with an embodiment of the invention.
  • the present invention provides a distributed database access control method and system.
  • FIG. 1 a system 100 in accordance with an embodiment of the invention is shown.
  • the system 100 may comprise a database 101 , a server 102, and one or more clients 103, 104, and 105.
  • the server 102 may comprise a memory 106 and a processor 107.
  • the clients 103, 104, and 105 may be user devices or automated devices.
  • the clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals.
  • a principal is an actor, which may be a user or an automated process.
  • the server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
  • a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems.
  • the server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or Wide Area Network (WAN), or a combination of interconnected networks such the Internet.
  • a communications network 108 such as a local-area network (LAN) or Wide Area Network (WAN), or a combination of interconnected networks such the Internet.
  • the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
  • the database 101 will be described with reference to Figure 2.
  • the database 101 may comprise a plurality of entities 200, 201 , and 202.
  • Each entity 200, 201 , 202 may comprise one or more properties 203, 204, and 205.
  • One of the properties 204 may identify the type of entity.
  • One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101 .
  • One or more of the entities 200 may be associated 206 with one or more other entities 202.
  • the database 101 may be a relational database such as an SQL database.
  • Figure 2 illustrates a logical representation of a database.
  • the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses.
  • a method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
  • one or more authorities may be allocated for the entities within the database to a plurality of principals.
  • An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity.
  • the authority may define different types of operations on the entity. For example, the authority may relate to access to create, read, update and/or delete the entity. Operations may be defined by the authority in relation to specific properties of the entity.
  • the authorities may be granted or denied when allocated to a principal.
  • the authorities may be allocated directly to the principal, or the authorities may be allocated indirectly to the principal. In the case of the latter, the authorities may be allocated to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted or denied an authority or is associated with a group to which an authority is granted or denied, then the principal may inherit the grant or denial of that authority.
  • a determination for permission to perform an operation on an entity within a database for a principal may be based, at least in part, upon the authorities which have been allocated to the principal and which relate to the entity.
  • the determination may be made at multiple locations within the system. For example, it may be made at the client, at the server, and/or at the database.
  • the determination for permission may be driven in response to a request for that operation by the principal.
  • the request may be generated at a client and transmitted to the server.
  • An authority mechanism may be generated within the system. In one embodiment, the mechanism is generated at the server. The mechanism may be transmitted to multiple locations for use in determining whether the principal has permission to perform an operation.
  • the authority mechanism may comprise an authority map (a key-value mapping container) where the key is formed of, at least, the entity type and the operation.
  • the key may also include a group identifier.
  • the key may be hashed.
  • the key may correspond to rows comprising, at least, the following fields: an entity identifier, whether the authority is granted or denied, and the precedence of the authority.
  • the precedence of the authority may be defined by a numeric value.
  • the numeric value for the precedence may be calculated by the following method:
  • Entity identifier entity identifier
  • property associated entity identifier
  • associated entity type entity identifier
  • the process of determining permission may use the key within the authority map to locate the rows relevant to the entity and operation within the authority map. For example, the operation type and the entity type from the request are hashed together to generate the key, and this key is used as the index to the authority map.
  • the authority of the highest precedence from these rows is extracted and if the authority is granted determines that the principal has permission to perform the operation on the entity and if the authority is denied determines that the principal does not have permission to perform the operation on the entity.
  • FIG. 4 A sequence diagram illustrating one implementation of the method above will be described in reference to Figure 4.
  • the client 400, server 401 and database 402 are shown.
  • the principal 403 may make a request 404 for an operation on an entity at the client.
  • the client may determine 405 whether permission for this operation is possible at the client using, for example, the authority mechanism.
  • the request is transmitted 406 to the server 401 .
  • the server 401 may also determine 407 permission for the operation using, for example, the authority mechanism. If the request is possible, the request is transmitted 408 to the database 402 to be applied. In applying the operation, the database 402 may determine 409 whether the request is possible.
  • Authority 1 Update entity of type Article and ID 1
  • Row 501 shows key JsdfE which is a hash of the operation type "Update” and the entity type "Article”.
  • Row 502 shows key FFEel which is a hash of the operation type "Delete” and the entity type "Article”.
  • Row 503 shows key HdsW which is a hash of the operation type "Update” and the entity type "Category”.
  • the mapped table is shown in Figure 5b.
  • Row 504 corresponds to authority 1 .
  • Row 505 corresponds to authority 2.
  • Row 506 corresponds to authority 3.
  • Row 507 corresponds to authority 4.
  • Row 508 corresponds to authority 5.
  • Row 509 corresponds to authority 6.
  • Row 510 corresponds to authority 7.
  • a potential advantage of some embodiments of the present invention is that distributed access control at multiple locations permits rich client-side functionality and reduces latency in data delivery by shifting processing overhead to the client while maintaining data security.

Abstract

The present invention relates to a method of managing access to a database within a distributed system comprising a client device, a server, and the database. The method includes allocating authorities for access to entities within the database to a plurality of principals and determining operational access to an entity within the database for a principal based upon precedence of the authorities allocated to the principal and relevant to the entity. The operational access is determined at multiple locations within the distributed system.

Description

Distributed Database Access Control Method and System Field of Invention The present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to distributed database access control.
Background
Existing technologies for managing access control to databases derive from the terminal-server model of computing architecture where the server manages all processing and the terminal merely acts a conduit between the user and the server.
Consequently, these technologies control security access at the server or database-side, but this introduces inefficiencies in processing and limits functionality at the client-side. It is an object of the present invention to provide a database access control method and system which overcomes the disadvantages of the prior art, or at least provides a useful alternative.
Summary of Invention
According to a first aspect of the invention there is provided a method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising:
a) allocating authorities for access to entities within the database to a plurality of principals; and b) determining operational access to an entity within the database for a principal based upon precedence of the authorities allocated to the principal and relevant to the entity;
wherein the operational access is determined at multiple locations within the distributed system.
An authority mechanism may be generated within the distributed system and transmitted to the multiple locations for use in determining operational access. The authority mechanism may be an authority map. A key to the authority map may be comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity. The key may map to a list of authorities relevant to the entity ordered by precedent.
The multiple locations may include the client device.
An authority may be granted or denied when allocated to a principal.
Authorities may be allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups may be allocated to the principal.
Authorities denied to the principal and relevant to the entity may take precedence over otherwise identical authorities granted to the principal.
Authorities allocated directly to the principal may take precedence over authorities allocated to groups associated with the principal.
Authorities may be ranked higher in precedence dependent on the increased specificity of identification of the entity.
The principal may be a user. According to a further aspect of the invention there is provided a distributed system for access control of a database by a principal, comprising:
a client device;
a server; and
a database;
wherein the distributed system is configured to perform the method of the first aspect. Other aspects of the invention are described within the claims. Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1 : shows a block diagram illustrating a system in accordance with an embodiment of the invention; Figure 2: shows a block diagram illustrating a database for use with an embodiment of the invention;
Figure 3: shows a flow diagram illustrating a method in accordance with an embodiment of the invention;
Figure 4: shows a sequence diagram illustrating a method in accordance with an embodiment of the invention;
Figure 5a: shows a table illustrating keys for an authority map generated in accordance with an embodiment of the invention; and Figure 5b: shows a table illustrating an authority table for an authority map generated in accordance with an embodiment of the invention.
Detailed Description of Preferred Embodiments
The present invention provides a distributed database access control method and system.
In Figure 1 , a system 100 in accordance with an embodiment of the invention is shown.
The system 100 may comprise a database 101 , a server 102, and one or more clients 103, 104, and 105. The server 102 may comprise a memory 106 and a processor 107.
The clients 103, 104, and 105 may be user devices or automated devices. The clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals. A principal is an actor, which may be a user or an automated process.
The server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
It will be appreciated that a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems.
The server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or Wide Area Network (WAN), or a combination of interconnected networks such the Internet. In one embodiment, the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
The database 101 will be described with reference to Figure 2.
The database 101 may comprise a plurality of entities 200, 201 , and 202. Each entity 200, 201 , 202 may comprise one or more properties 203, 204, and 205. One of the properties 204 may identify the type of entity. One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101 .
One or more of the entities 200 may be associated 206 with one or more other entities 202.
The database 101 may be a relational database such as an SQL database.
It will be appreciated that Figure 2 illustrates a logical representation of a database. Physically, the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses. A method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
In step 301 , one or more authorities may be allocated for the entities within the database to a plurality of principals. An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity. The authority may define different types of operations on the entity. For example, the authority may relate to access to create, read, update and/or delete the entity. Operations may be defined by the authority in relation to specific properties of the entity. The authorities may be granted or denied when allocated to a principal. The authorities may be allocated directly to the principal, or the authorities may be allocated indirectly to the principal. In the case of the latter, the authorities may be allocated to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted or denied an authority or is associated with a group to which an authority is granted or denied, then the principal may inherit the grant or denial of that authority.
In step 302, a determination for permission to perform an operation on an entity within a database for a principal may be based, at least in part, upon the authorities which have been allocated to the principal and which relate to the entity.
The determination may be made at multiple locations within the system. For example, it may be made at the client, at the server, and/or at the database.
The determination for permission may be driven in response to a request for that operation by the principal. The request may be generated at a client and transmitted to the server. An authority mechanism may be generated within the system. In one embodiment, the mechanism is generated at the server. The mechanism may be transmitted to multiple locations for use in determining whether the principal has permission to perform an operation. The authority mechanism may comprise an authority map (a key-value mapping container) where the key is formed of, at least, the entity type and the operation. The key may also include a group identifier. The key may be hashed. The key may correspond to rows comprising, at least, the following fields: an entity identifier, whether the authority is granted or denied, and the precedence of the authority. The precedence of the authority may be defined by a numeric value.
The numeric value for the precedence may be calculated by the following method:
a) If the authority directly identifies the entity, set the numeric precedence value to 0
b) Otherwise, if the authority identifies the entity indirectly by identifying an associated entity, set the numeric precedence to 10
c) Otherwise, if the authority identifies the entity indirectly by identifying the type of an associated entity, set the numeric precedence to 20
d) Otherwise, set the numeric precedence to 30
e) If the authority was obtained by direct allocation to the principal, add 0 to the numeric precedence value
f) Otherwise, if the authority was obtained indirectly by the principal by allocation to a group to which the principal is a member, add 100 to the numeric precedence value
In alternative embodiments, the authority map includes one or more of the following additional fields: property (identifying the property within the entity to which the operation relates), associated entity identifier, and associated entity type.
Data may not be required for the following fields: entity identifier, property, associated entity identifier, and associated entity type.
The process of determining permission may use the key within the authority map to locate the rows relevant to the entity and operation within the authority map. For example, the operation type and the entity type from the request are hashed together to generate the key, and this key is used as the index to the authority map. The authority of the highest precedence from these rows is extracted and if the authority is granted determines that the principal has permission to perform the operation on the entity and if the authority is denied determines that the principal does not have permission to perform the operation on the entity.
A sequence diagram illustrating one implementation of the method above will be described in reference to Figure 4. The client 400, server 401 and database 402 are shown.
The principal 403 may make a request 404 for an operation on an entity at the client. The client may determine 405 whether permission for this operation is possible at the client using, for example, the authority mechanism.
If the request is possible, the request is transmitted 406 to the server 401 . The server 401 may also determine 407 permission for the operation using, for example, the authority mechanism. If the request is possible, the request is transmitted 408 to the database 402 to be applied. In applying the operation, the database 402 may determine 409 whether the request is possible.
Pseudo-code outlining an algorithm for determining permission is detailed below:
isPermitted(securedEntity, operationType, property)
OrderedList orderedAut orities
= aut orityMap. getByKey( securedEntity. type, operationType, securedEntity. owningOrganisation) ;
For Each auth in orderedAuthorities If operationType. scope = 'Property' if (auth. property is not wildcard And auth. property
!= property)
Continue
If auth. securedEntity is defined
If auth. securedEntity = securedEntity Return auth.whetherGranted
Else
Continue
Else If auth. associatedSecuredEntity is defined If
securedEntity. isAssociatedTo(auth. associatedSecuredEntity)
Return auth.whetherGranted
Else
Continue
Else If auth. associatedSecuredEntityType is defined If
securedEntity. isAssociatedToType( auth. associatedSecuredEntityType)
Return auth.whetherGranted
Else
Continue
Else
Return auth.whetherGranted Return denied An example of an authority map generated in accordance with an embodiment of the invention is shown at Figures 5a and 5b.
A principal is granted directly the following authorities:
Authority 1 : Update entity of type Article and ID 1
Authority 2: Delete entity of type Article and ID 1
And denied the following authorities:
Authority 3: Update entities of type Article associated with entity ID 1 of type Category
Authority 4: Delete entities of type Article
The principal is a member of a group - Group A - which has been granted the following authorities:
Authority 5: Update entities of type Article
Authority 6: Delete entities of type Article associated with entity ID 1 of type Category
And denied the following authorities:
Authority 7: Update entity of type Category
Keys for the authority map are shown in a table in Figure 5a.
Row 501 shows key JsdfE which is a hash of the operation type "Update" and the entity type "Article".
Row 502 shows key FFEel which is a hash of the operation type "Delete" and the entity type "Article". Row 503 shows key HdsW which is a hash of the operation type "Update" and the entity type "Category". The mapped table is shown in Figure 5b. Row 504 corresponds to authority 1 . Row 505 corresponds to authority 2. Row 506 corresponds to authority 3. Row 507 corresponds to authority 4.
Row 508 corresponds to authority 5.
Row 509 corresponds to authority 6. Row 510 corresponds to authority 7.
A potential advantage of some embodiments of the present invention is that distributed access control at multiple locations permits rich client-side functionality and reduces latency in data delivery by shifting processing overhead to the client while maintaining data security.
While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept.

Claims

Claims
1 . A method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising:
a) allocating authorities for access to entities within the database to a plurality of principals; and
b) determining operational access to an entity within the database for a principal based upon precedence of the authorities allocated to the principal and relevant to the entity; wherein the operational access is determined at multiple locations within the distributed system.
2. A method as claimed in claim 1 , wherein an authority mechanism is generated within the distributed system and transmitted to the multiple locations for use in determining operational access.
3. A method as claimed in claim 2, wherein the authority mechanism is an authority map.
4. A method as claimed in claim 3, wherein a key to the authority map is comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity.
5. A method as claimed in claim 4, wherein the key maps to a list of authorities relevant to the entity ordered by precedent.
6. A method as claimed in any one of the preceding claims, wherein the multiple locations include the client device.
7. A method as claimed in any one of the preceding claims, wherein an authority is granted or denied when allocated to a principal.
8. A method as claimed in any one of the preceding claims, wherein authorities are allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups are allocated to the principal.
9. A method as claimed in any one of the preceding claims when dependent on claim 7, wherein authorities denied to the principal and relevant to the entity take precedence over otherwise identical authorities granted to the principal.
10. A method as claimed in any one of the preceding claims, wherein authorities allocated directly to the principal take precedence over authorities allocated to groups associated with the principal.
1 1 . A method as claimed in any one of the preceding claims, wherein authorities are ranked higher in precedence dependent on the increased specificity of identification of the entity.
12. A method as claimed in any one of the preceding claims, wherein the principal is a user.
13. A distributed system for access control of a database by a principal, comprising:
a client device;
a server; and
a database;
wherein the distributed system is configured to perform any one of the methods of claims 1 to 12.
14. A client device configured for use within the distributed system of claim
15. A method or system for access control of a database as herein described with reference to the Figures.
PCT/GB2015/051004 2014-03-31 2015-03-31 Distributed database access control method and system WO2015150797A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1405802.8A GB2526056A (en) 2014-03-31 2014-03-31 Distributed database access control method and system
GB1405802.8 2014-03-31

Publications (1)

Publication Number Publication Date
WO2015150797A1 true WO2015150797A1 (en) 2015-10-08

Family

ID=50737771

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2015/051004 WO2015150797A1 (en) 2014-03-31 2015-03-31 Distributed database access control method and system

Country Status (2)

Country Link
GB (1) GB2526056A (en)
WO (1) WO2015150797A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110296523A1 (en) * 2010-05-26 2011-12-01 Microsoft Corporation Access control management mapping resource/action pairs to principals
US20140090085A1 (en) * 2012-09-26 2014-03-27 Protegrity Corporation Database access control

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110296523A1 (en) * 2010-05-26 2011-12-01 Microsoft Corporation Access control management mapping resource/action pairs to principals
US20140090085A1 (en) * 2012-09-26 2014-03-27 Protegrity Corporation Database access control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NUNO SANTOS ET AL: "Security in distributed metadata catalogues", CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE, vol. 20, no. 17, 10 December 2008 (2008-12-10), pages 1995 - 2007, XP055008668, ISSN: 1532-0626, DOI: 10.1002/cpe.1299 *

Also Published As

Publication number Publication date
GB201405802D0 (en) 2014-05-14
GB2526056A (en) 2015-11-18

Similar Documents

Publication Publication Date Title
US11128465B2 (en) Zero-knowledge identity verification in a distributed computing system
US11082226B2 (en) Zero-knowledge identity verification in a distributed computing system
US11126743B2 (en) Sensitive data service access
CN108259422B (en) Multi-tenant access control method and device
US11886547B2 (en) Systems and methods for entitlement management
US11093638B2 (en) Distributed management of user privacy information
EP3561636B1 (en) Record level data security
US10439992B2 (en) System for accessing data
US20160098573A1 (en) Securing a Distributed File System
US20070174271A1 (en) Database system with second preprocessor and method for accessing a database
WO2015150802A1 (en) Distributed database access control method and system
CA3177369C (en) Method and system for a data custodian implemented as an entity-centric, resource-oriented database within a shared cloud platform
EP3479274B1 (en) Sensitive data service storage
US20070244896A1 (en) System and method for authenticating remote users
WO2015150792A1 (en) An improved database access control method and system
Singh et al. Aggregating privatized medical data for secure querying applications
CN108141462B (en) Method and system for database query
WO2015150797A1 (en) Distributed database access control method and system
CN109818907A (en) One kind being based on UCON model user anonymity access method and system
WO2015150788A1 (en) Improved access control mechanism for databases
US10708253B2 (en) Identity information including a schemaless portion
CN106878256B (en) Information processing apparatus, approval system, and information processing method
CN116401706A (en) File processing method and device based on block chain
KR20140077132A (en) Method, system, and device for digital content transmission
Youn et al. Bucket Index Ordering Problem in Range Queries

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15721293

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase

Ref document number: 15721293

Country of ref document: EP

Kind code of ref document: A1