Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values

US 10,645,090 B2
Filed: 02/09/2018
Issued: 05/05/2020
Est. Priority Date: 10/08/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

a relational database server to store a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes,wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables,wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row,wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries,wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server,wherein the attribute value is one of a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity;

an administrator system comprising a memory and a processor, said memory to store instructions and said processor to execute said instructions stored in said memory to cause said administrator system to perform the operations of;

receive data indicating said plurality of hierarchies of hierarchically organized domains;

display on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;

enable an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies; and

enable said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value; and

a server system operable to;

receive a user request requesting access to objects stored in said relational database server from said user entity;

determine that a first object stored in said relational database server is required for processing said user request;

check whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and

enforce said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An aspect of the present disclosure facilitates controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values. In one embodiment, in response to receiving data indicating specific hierarchies of the hierarchically organized domains, the corresponding fixed number of values of the corresponding domains in each hierarchy is displayed. Accordingly, a user is enabled to select a desired set of values from the corresponding fixed number of values of the corresponding domains, and to specify a security rule for a combination of the selected set of values and a user entity. The security rule is thereafter enforced when objects having attributes matching the selected set of values are accessed by the user entity.

Citations

15 Claims

1. A computing system comprising:
- a relational database server to store a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes,wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables,wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row,wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries,wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server,wherein the attribute value is one of a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity;
  
  an administrator system comprising a memory and a processor, said memory to store instructions and said processor to execute said instructions stored in said memory to cause said administrator system to perform the operations of;
  
  receive data indicating said plurality of hierarchies of hierarchically organized domains;
  
  display on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
  
  enable an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies; and
  
  enable said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value; and
  
  a server system operable to;
  
  receive a user request requesting access to objects stored in said relational database server from said user entity;
  
  determine that a first object stored in said relational database server is required for processing said user request;
  
  check whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
  
  enforce said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computing system of claim 1,wherein access to said first object is performed using a first SQL query,wherein to perform said determine, said check and said enforce, said server system appends a condition to a WHERE clause of said first SQL query, said condition designed to check whether the values stored in said first attribute and said second attribute of said first object respectively matches said first value and said second value.
  - 3. The computing system of claim 2, wherein said server system is a financial application server executing a financial application, wherein said plurality of objects are application objects defined by said financial application and stored in said relational database server.
  - 4. The computing system of claim 1, wherein said server system is further operable to:
    - receive a second user request requesting access to objects stored in said relational database server from said user entity;
      
      determine that a second object stored in said relational database server is required for processing said second user request;
      
      check whether said second object has stored in said relational database server a third attribute value and a fourth attribute value respectively matching said first value and said second value specified in said first security rule; and
      
      enforce said first security rule to permit or deny access to said second object as specified in said first security rule in further processing of said second user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
  - 5. The computing system of claim 4, wherein each domain of said hierarchically organized domains contains a corresponding fixed number of values.

6. A method of controlling access to objects from an administrator system, said method comprising:
- receiving data indicating a plurality of hierarchies from a relational database server,wherein said relational database server stores a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes,wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables,wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row,wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries,wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server,wherein the attribute value is one a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity, said plurality of hierarchies being contained in said hierarchically organized domains;
  
  displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
  
  enabling an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies;
  
  enabling said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value,wherein a server system, in response to said administrator having specified said first security rule, upon receipt of a user request requesting access to objects stored in said relational database server from said user entity, is operable to perform the actions of;
  
  determining that a first object stored in said relational database server is required for processing said user request;
  
  checking whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
  
  enforcing said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6,wherein access to said first object is performed using a first SQL query,wherein to perform said determining, said checking, and said enforcing, said server system appends a condition to a WHERE clause of said first SQL query, said condition designed to check whether the values stored in said first attribute and said second attribute of said first object respectively matches said first value and said second value.
  - 8. The method of claim 7, wherein said server system is a financial application server executing a financial application, wherein said plurality of objects are application objects defined by said financial application and stored in said relational database server.
  - 9. The method of claim 6, wherein said server system upon receipt of a second user request requesting access to objects stored in said relational database server from said user entity, performs the actions of:
    - determining that a second object stored in said relational database server is required for processing said second user request;
      
      checking whether said second object has stored in said relational database server a third attribute value and a fourth attribute value respectively matching said first value and said second value specified in said first security rule; and
      
      enforcing said first security rule to permit or deny access to said second object as specified in said first security rule in further processing of said second user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
  - 10. The method of claim 9, wherein each domain of said hierarchically organized domains contains a corresponding fixed number of values.

11. A non-transitory machine readable medium storing one or more sequences of instructions for enabling a system to control access to objects, wherein execution of said one or more instructions by one or more processors contained in said system enables said system to perform the actions of:
- receiving data indicating a plurality of hierarchies from a relational database server,wherein said relational database server stores a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes,wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables,wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row,wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries,wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server,wherein the value is one a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity, said plurality of hierarchies being contained in said hierarchically organized domains;
  
  displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
  
  enabling an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies;
  
  enabling said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value,wherein a server system, in response to said administrator having specified said first security rule, upon receipt of a user request requesting access to objects stored in said relational database server from said user entity, is operable to perform the actions of;
  
  determining that a first object stored in said relational database server is required for processing said user request;
  
  checking whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
  
  enforcing said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory machine readable medium of claim 11,wherein access to said first object is performed using a first SQL query,wherein to perform said determining, said checking, and said enforcing, said server system appends a condition to a WHERE clause of said first SQL query, said condition designed to check whether the values stored in said first attribute and said second attribute of said first object respectively matches said first value and said second value.
  - 13. The non-transitory machine readable medium of claim 12, wherein said server system is a financial application server executing a financial application, wherein said plurality of objects are application objects defined by said financial application and stored in said relational database server.
  - 14. The non-transitory machine readable medium of claim 11, wherein said server system upon receipt of a second user request requesting access to objects stored in said relational database server from said user entity, performs the actions of:
    - determining that a second object stored in said relational database server is required for processing said second user request;
      
      checking whether said second object has stored in said relational database server a third attribute value and a fourth attribute value respectively matching said first value and said second value specified in said first security rule; and
      
      enforcing said first security rule to permit or deny access to said second object as specified in said first security rule in further processing of said second user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
  - 15. The non-transitory machine readable medium of claim 14, wherein each domain of said hierarchically organized domains contains a corresponding fixed number of values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle Financial Services Software Limited (Oracle Corporation)
Original Assignee
Oracle Financial Services Software Limited (Oracle Corporation)
Inventors
Vadapandeshwara, Rajaram Narasimha, Srinivasa, Bhargava, Nagulakonda, Gangadhar
Primary Examiner(s)
Chiang, Jason

Application Number

US15/892,436
Publication Number

US 20180167398A1
Time in Patent Office

816 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links