System and method for implementing domain based access control on queries of a self-describing data system

US 10,430,606 B1
Filed: 04/22/2019
Issued: 10/01/2019
Est. Priority Date: 04/30/2018
Status: Active Grant

First Claim

Patent Images

1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:

obtaining a query definition specifying a requested item of data in the self-describing data structure;

determining one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition;

for each respective domain of the one or more domains associated with the requested item;

determining one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain;

determining a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and

generating, by a processing device, an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, the generating comprising;

determining a first state of the requested item, the first state associated with a subdomain item state;

determining a second state of a root item of the respective domain, the second state associated with a root item state; and

identifying the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing access controls for items of data belonging to a self-describing data structure including obtaining a query definition specifying a requested item of data in the self-describing data structure, determining domains associated with the requested item, the domains including a set of items within the self-describing data structure on an execution path of a query executed according to the query definition. For each respective domain associated with the requested item, the method includes determining subdomains associated with the requested item, determining a role of the user for the respective domain, the role is associated with a set of access permissions to items of data within the domain, and generating an output corresponding to whether access to the requested item is granted based on a policy for each of the subdomains associated with the requested item and the role of the user for the domain.

24 Citations

View as Search Results

17 Claims

1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:
- obtaining a query definition specifying a requested item of data in the self-describing data structure;
  
  determining one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition;
  
  for each respective domain of the one or more domains associated with the requested item;
  
  determining one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain;
  
  determining a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and
  
  generating, by a processing device, an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, the generating comprising;
  
  determining a first state of the requested item, the first state associated with a subdomain item state;
  
  determining a second state of a root item of the respective domain, the second state associated with a root item state; and
  
  identifying the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising combining the output generated for each of the one or more domains to determine whether to grant access to the user to the requested item in the one or more subdomains located in the respective domain, wherein access is granted to the requested item if the output generated for any of the one or more domains indicates that access to the requested item is granted for the role of the user in any of the one or more subdomains.
  - 3. The method of claim 1, wherein the requested item is included in a first domain and a second domain, the query definition specifies accessing the requested item in the first domain, and the method further comprises:
    - determining that the user has access to the requested item in the second domain based on the policy for a second subdomain of the second domain and the role of the user; and
      
      generating the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
  - 4. The method of claim 1, further comprising maintaining a mapping of the one or more domains each including the one or more subdomains and the set of items in the one or more subdomains.
  - 5. The method of claim 4, further comprising updating the mapping when data included in the set of items is modified.
  - 6. The method of claim 1, wherein the rule data structure is a lookup table.
  - 7. The method of claim 1, wherein the output comprises different access rights that are granted for different roles of the user based on the first state of the requested item, the second state of the root item, or some combination thereof.
  - 8. The method of claim 7, wherein the access rights comprise get, update, and delete.
  - 9. The method of claim 1, wherein the access controls are implemented by a query engine in a system for performing recursive searches in the self-describing data structure.

10. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause one or more processing devices to:
- obtain a query definition specifying a requested item of data in a self-describing data structure;
  
  determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition;
  
  for each respective domain of the one or more domains associated with the requested item;
  
  determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain;
  
  determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and
  
  generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to;
  
  determine a first state of the requested item, the first state associated with a subdomain item state;
  
  determine a second state of a root item of the respective domain, the second state associated with a root item state; and
  
  identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-readable medium of claim 10, wherein the one or more processing devices are further to:
    - combine the output generated for each of the one or more domains to determine whether to grant access to the user to the requested item in the one or more subdomains located in the respective domain, wherein access is granted to the requested item if the output generated for any of the one or more domains indicates that access to the requested item is granted for the role of the user in any of the one or more subdomains.
  - 12. The computer-readable medium of claim 10, wherein the requested item is included in a first domain and a second domain, the query definition specifies accessing the requested item in the first domain, and the one or more processing devices are further to:
    - determine that the user has access to the requested item in the second domain based on the policy for a second subdomain of the second domain and the role of the user; and
      
      generate the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
  - 13. The computer-readable medium of claim 10, wherein the one or more processing devices are further to maintain, in memory, a mapping of the one or more domains each including one or more subdomains and the set of items the one or more subdomains.
  - 14. The computer-readable medium of claim 13, wherein the one or more processing devices are further to update the mapping when data included in the set of items is modified.

15. A system, comprising:
- a memory device storing instructions; and
  
  a processing device operatively coupled to the memory device, the processing device to execute the instructions to;
  
  obtain a query definition specifying a requested item of data in a self-describing data structure;
  
  determine one or more domains associated with the requested item, the one or more domains comprising a set of items within the self-describing data structure on an execution path of a query executed according to the query definition;
  
  for each respective domain of the one or more domains associated with the requested item;
  
  determine one or more subdomains associated with the requested item, wherein the one or more subdomains are located in the respective domain;
  
  determine a role of the user for the respective domain, wherein the role is associated with a set of access permissions to items of data within the domain; and
  
  generate an output corresponding to whether access to the requested item is granted based on a policy for each of the one or more subdomains associated with the requested item and the role of the user for the domain, wherein to generate the output, the processing device is further to;
  
  determine a first state of the requested item, the first state associated with a subdomain item state;
  
  determine a second state of a root item of the respective domain, the second state associated with a root item state; and
  
  identify the output in a rule data structure based on the first state of the requested item, the second state of the root item, and the role of the user.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the processing device is further to:
    - determine that the user does not have access to the requested item in a first domain based on the policy for a first subdomain of the first domain and the role of the user;
      
      determine that the user has access to the requested item in a second domain based on the policy for a second subdomain of the second domain and the role of the user; and
      
      generate the output to indicate that access to the user to the requested item is granted in the first domain based on determining that the user has access to the requested item in the second domain.
  - 17. The system of claim 15, wherein the one or more processing devices are further to maintain, in memory, a mapping of the one or more domains each including one or more subdomains and the set of items the one or more subdomains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aras Corporation
Original Assignee
Aras Corporation
Inventors
Levit, Boris, Murashko, Sergey, Shapavalau, Valentsin, Samsonau, Andrei, Rasin, Gregory, Knourenko, Andrey
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/390,985
Time in Patent Office

162 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2423   Interactive query statement...

G06F 16/2448   for particular applications...

G06F 16/24566   Recursive queries

G06F 16/252   between a Database Manageme...

G06F 21/6227   where protection concerns t...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

System and method for implementing domain based access control on queries of a self-describing data system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

System and method for implementing domain based access control on queries of a self-describing data system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others