System and method for implementing domain based access control on queries of a self-describing data system

US 10,572,678 B2
Filed: 07/15/2019
Issued: 02/25/2020
Est. Priority Date: 04/30/2018
Status: Active Grant

First Claim

Patent Images

1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:

obtaining a query definition specifying a requested item of data in the self-describing data structure;

determining one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;

determining a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;

determining a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;

determining that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and

generating an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing access controls for items of data belonging to a self-describing data structure including obtaining a query definition specifying a requested item of data in the self-describing data structure, determining domains associated with the requested item, the domains including a set of items within the self-describing data structure on an execution path of a query executed according to the query definition. For each respective domain associated with the requested item, the method includes determining subdomains associated with the requested item, determining a role of the user for the respective domain, the role is associated with a set of access permissions to items of data within the domain, and generating an output corresponding to whether access to the requested item is granted based on a policy for each of the subdomains associated with the requested item and the role of the user for the domain.

29 Citations

20 Claims

1. A method for implementing access controls for items of data belonging to a self-describing data structure, the method comprising:
- obtaining a query definition specifying a requested item of data in the self-describing data structure;
  
  determining one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
  
  determining a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
  
  determining a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
  
  determining that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
  
  generating an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising maintaining a mapping of the one or more domains including one or more subdomains and the set of items in the one or more subdomains.
  - 3. The method of claim 2, further comprising updating the mapping when data included in the set of items is modified.
  - 4. The method of claim 1, wherein determining that the user has access to the requested item in the second subdomain of the second domain based on the policy for the second subdomain of the second domain and the second role of the user further comprises:
    - determining a state of the requested item; and
      
      determining the user has access to the requested item using a rule data structure based on at least the state of the requested item and the second role of the user.
  - 5. The method of claim 4, wherein the rule data structure is a lookup table.
  - 6. The method of claim 1, wherein the output comprises different access rights that are granted for different roles of the user based on a state of the requested item, a state of a root item in the second subdomain of the second domain, or some combination thereof.
  - 7. The method of claim 6, wherein the access rights comprise get, update, and delete.
  - 8. The method of claim 1, wherein the access controls are implemented by a query engine in a system for performing recursive searches in the self-describing data structure.

9. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause one or more processing devices to:
- obtain a query definition specifying a requested item of data in a self-describing data structure;
  
  determine one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
  
  determine a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
  
  determine a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
  
  determine that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
  
  generate an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium of claim 9, wherein the one or more processing devices are further to execute the instructions to maintain a mapping of the one or more domains including one or more subdomains and the set of items in the one or more subdomains.
  - 11. The computer-readable medium of claim 10, wherein the one or more processing devices are further to execute the instructions to update the mapping when data included in the set of items is modified.
  - 12. The computer-readable medium of claim 9, wherein determining that the user has access to the requested item in the second subdomain of the second domain based on the policy for the second subdomain of the second domain and the second role of the user further comprises:
    - determining a state of the requested item; and
      
      determining the user has access to the requested item using a rule data structure based on at least the state of the requested item and the second role of the user.
  - 13. The computer-readable medium of claim 12, wherein the rule data structure is a lookup table.
  - 14. The computer-readable medium of claim 9, wherein the output comprises different access rights that are granted for different roles of the user based on a state of the requested item, a state of a root item in the second subdomain of the second domain, or some combination thereof.
  - 15. The computer-readable medium of claim 14, wherein the access rights comprise get, update, and delete.
  - 16. The computer-readable medium of claim 9, wherein the access controls are implemented by a query engine in a system for performing recursive searches in the self-describing data structure.

17. A system, comprising:
- a memory device storing instructions; and
  
  a processing device operatively coupled to the memory device, the processing device to execute the instructions to;
  
  obtain a query definition specifying a requested item of data in a self-describing data structure;
  
  determine one or more domains associated with the requested item, wherein the one or more domains comprise a set of items within the self-describing data structure on an execution path of a query executed according to the query definition, the requested item is included in a first subdomain of a first domain and a second subdomain of a second domain, and the query definition specifies accessing the requested item in the first subdomain of the first domain;
  
  determine a first role of the user for the first domain, wherein the first role is associated with a set of access permissions to items of data within the first domain;
  
  determine a second role of the user for the second domain, wherein the second role is associated with a set of access permissions to items of data within the second domain;
  
  determine that the user has access to the requested item in the second subdomain of the second domain based on a policy for the second subdomain of the second domain and the second role of the user; and
  
  generate an output to indicate that access to the user to the requested item is granted in the first subdomain of the first domain based on determining that the user has access to the requested item in the second subdomain of the second domain.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the processing device is further to execute the instructions to maintain a mapping of the one or more domains including one or more subdomains and the set of items in the one or more subdomains.
  - 19. The system of claim 17, wherein the processing device is further to execute the instructions to update the mapping when data included in the set of items is modified.
  - 20. The system of claim 17, wherein determining that the user has access to the requested item in the second subdomain of the second domain based on the policy for the second subdomain of the second domain and the second role of the user further comprises:
    - determining a state of the requested item; and
      
      determining the user has access to the requested item using a rule data structure based on at least the state of the requested item and the second role of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aras Corporation
Original Assignee
Aras Corporation
Inventors
Levit, Boris, Murashko, Sergey, Shapavalau, Valentsin, Samsonau, Andrei, Rasin, Gregory, Knourenko, Andrey
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/511,852
Publication Number

US 20190340382A1
Time in Patent Office

225 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2423   Interactive query statement...

G06F 16/2448   for particular applications...

G06F 16/24566   Recursive queries

G06F 16/252   between a Database Manageme...

G06F 21/6227   where protection concerns t...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

System and method for implementing domain based access control on queries of a self-describing data system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing domain based access control on queries of a self-describing data system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links