System and method for implementing domain based access control on queries of a self-describing data system
First Claim
1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:
- obtaining a query definition specifying a requested item of data in the self-describing data structure;
determining one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition;
for each respective domain of the one or more domains associated with the requested item;
determining one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain;
determining a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and
generating, by a processing device, an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, the generating comprising;
determining a first state of the requested item, the first state associated with a subdomain item state;
determining a second state of a root item of the respective domain, the second state associated with a root item state; and
identifying the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
5 Assignments
0 Petitions
Accused Products
Abstract
A method for implementing access controls for items of data belonging to a self-describing data structure including obtaining a query definition specifying a requested item of data in the self-describing data structure, determining domains associated with the requested item, the domains including a set of items within the self-describing data structure on an execution path of a query executed according to the query definition. For each respective domain associated with the requested item, the method includes determining subdomains associated with the requested item, determining a role of the user for the respective domain, the role is associated with a set of access permissions to items of data within the domain, and generating an output corresponding to whether access to the requested item is granted based on a policy for each of the subdomains associated with the requested item and the role of the user for the domain.
24 Citations
17 Claims
-
1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:
-
obtaining a query definition specifying a requested item of data in the self-describing data structure; determining one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item; determining one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determining a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generating, by a processing device, an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, the generating comprising; determining a first state of the requested item, the first state associated with a subdomain item state; determining a second state of a root item of the respective domain, the second state associated with a root item state; and identifying the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause one or more processing devices to:
-
obtain a query definition specifying a requested item of data in a self-describing data structure; determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item; determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to; determine a first state of the requested item, the first state associated with a subdomain item state; determine a second state of a root item of the respective domain, the second state associated with a root item state; and identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user. - View Dependent Claims (11, 12, 13, 14)
-
-
15. A system, comprising:
-
a memory device storing instructions; and a processing device operatively coupled to the memory device, the processing device to execute the instructions to; obtain a query definition specifying a requested item of data in a self-describing data structure; determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition; for each respective domain of the one or more domains associated with the requested item; determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain; determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to; determine a first state of the requested item, the first state associated with a subdomain item state; determine a second state of a root item of the respective domain, the second state associated with a root item state; and identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user. - View Dependent Claims (16, 17)
-
Specification