System and method for implementing domain based access control on queries of a self-describing data system
Abstract
A method for implementing access controls for items of data belonging to a self-describing data structure including obtaining a query definition specifying a requested item of data in the self-describing data structure, determining domains associated with the requested item, the domains including a set of items within the self-describing data structure on an execution path of a query executed according to the query definition. For each respective domain associated with the requested item, the method includes determining subdomains associated with the requested item, determining a role of the user for the respective domain, the role is associated with a set of access permissions to items of data within the domain, and generating an output corresponding to whether access to the requested item is granted based on a policy for each of the subdomains associated with the requested item and the role of the user for the domain.
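The decision flow in the abstract and claim 1, as an illustrative sketch added here (not code from the patent or from any product). The item, user, domain, and role names are constructed, and the rule that one permitting subdomain policy is sufficient is an assumption drawn from the wording of claim 1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Subdomain = Tuple[str, str]  # (domain, subdomain)

# Constructed sample data (hypothetical names, not from the patent).
MEMBERSHIP = {  # item -> every (domain, subdomain) it belongs to
    "part-42": [("engineering", "released-designs"),
                ("supplier-portal", "shared-parts")],
}
ROLES = {  # user -> role held in each domain
    "alice": {"engineering": "guest", "supplier-portal": "buyer"},
    "bob": {"engineering": "guest"},
}
POLICY = {  # (domain, subdomain) -> roles the subdomain policy lets read
    ("engineering", "released-designs"): {"engineer"},
    ("supplier-portal", "shared-parts"): {"buyer"},
}

@dataclass(frozen=True)
class Decision:
    granted: bool
    queried: Subdomain                    # subdomain named by the query
    granting: Optional[Subdomain] = None  # subdomain whose policy allowed it

def decide(user: str, item: str, queried: Subdomain) -> Decision:
    """Evaluate the user's per-domain role against each subdomain policy."""
    memberships = MEMBERSHIP.get(item, [])
    if queried not in memberships:
        # Fail closed: the query names a subdomain the item is not in.
        return Decision(False, queried)
    # Check the queried subdomain first, then the item's other subdomains.
    for sub in [queried] + [m for m in memberships if m != queried]:
        role = ROLES.get(user, {}).get(sub[0])  # the role is per domain
        if role is not None and role in POLICY.get(sub, set()):
            # Record which subdomain granted, so an audit log can show
            # that access came from a different domain than the query.
            return Decision(True, queried, sub)
    return Decision(False, queried)

if __name__ == "__main__":
    print(decide("alice", "part-42", ("engineering", "released-designs")))
    print(decide("bob", "part-42", ("engineering", "released-designs")))
```

Keeping the granting subdomain in the decision lets a reviewer see when access reached through one domain was authorized by a role held in another.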
20 Claims
1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:
- obtaining a query definition specifying a requested item of data in the self-describing data structure;
- determining one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
- determining a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
- determining a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
- determining that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
- generating an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause one or more processing devices to:
- obtain a query definition specifying a requested item of data in a self-describing data structure;
- determine one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
- determine a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
- determine a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
- determine that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
- generate an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system, comprising:
- a memory device storing instructions; and
- a processing device operatively coupled to the memory device, the processing device to execute the instructions to;
  - obtain a query definition specifying a requested item of data in a self-describing data structure;
  - determine one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
  - determine a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
  - determine a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
  - determine that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
  - generate an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
Dependent claims: 18, 19, 20
Specification