Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values
First Claim
1. A computing system comprising:
- a relational database server to store a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes, wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables, wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row, wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries, wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server, wherein the attribute value is one of a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity;
an administrator system comprising a memory and a processor, said memory to store instructions and said processor to execute said instructions stored in said memory to cause said administrator system to perform the operations of:
receive data indicating said plurality of hierarchies of hierarchically organized domains;
display on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
enable an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies; and
enable said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value; and
a server system operable to:
receive a user request requesting access to objects stored in said relational database server from said user entity;
determine that a first object stored in said relational database server is required for processing said user request;
check whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
enforce said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
Abstract
An aspect of the present disclosure facilitates controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values. In one embodiment, in response to receiving data indicating specific hierarchies of the hierarchically organized domains, the corresponding fixed number of values of the corresponding domains in each hierarchy is displayed. Accordingly, a user is enabled to select a desired set of values from the corresponding fixed number of values of the corresponding domains, and to specify a security rule for a combination of the selected set of values and a user entity. The security rule is thereafter enforced when objects having attributes matching the selected set of values are accessed by the user entity.
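The mechanism the abstract and claim 1 describe (objects stored as rows of a relational table, attribute values drawn from fixed hierarchical domains, an administrator rule for the combination of a user entity plus one value from each of two hierarchies, enforced only when the object's stored attribute values match the rule), as an added Python/sqlite3 example that is not part of the patent. The hierarchies, table and column names, sample rows, and the default-deny and deny-wins choices are assumptions.

```python
import sqlite3

# Constructed sample hierarchies: each domain holds a fixed set of values.
HIERARCHIES = {
    "region":  {"country": {"US", "IN"}, "state": {"CA", "NY", "KA"}},
    "product": {"category": {"Hardware", "Software"}, "line": {"Laptop", "DBMS"}},
}

def domain_values(hierarchy):
    """Every value an administrator may pick from within one hierarchy."""
    return set().union(*HIERARCHIES[hierarchy].values())

def setup_db():
    """Objects as rows, attributes as columns (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT, product TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "CA", "Laptop"), (2, "KA", "DBMS"), (3, "NY", "Laptop")])
    db.execute("CREATE TABLE rules (user_entity TEXT, region TEXT, product TEXT, permit INTEGER)")
    return db

def add_rule(db, user_entity, region, product, permit):
    """Administrator step: store a permit/deny rule for (user entity, region value, product value).
    Values outside the fixed domains are rejected (assumption: the UI only offers domain values)."""
    if region not in domain_values("region") or product not in domain_values("product"):
        return False
    db.execute("INSERT INTO rules VALUES (?, ?, ?, ?)", (user_entity, region, product, int(permit)))
    return True

def check_access(db, user_entity, object_id):
    """Server step: read the object's attribute values and look for a rule matching both of them.
    Returns True/False when a rule matches; None when no rule applies (the rule is not enforced)."""
    row = db.execute("SELECT region, product FROM orders WHERE id = ?", (object_id,)).fetchone()
    if row is None:
        return None
    hit = db.execute(
        "SELECT permit FROM rules WHERE user_entity = ? AND region = ? AND product = ? "
        "ORDER BY permit LIMIT 1",  # assumption: if both a permit and a deny rule match, deny wins
        (user_entity, row[0], row[1])).fetchone()
    return None if hit is None else bool(hit[0])

def fetch_allowed(db, user_entity, object_id):
    """Enforcement: return the row only when a matching rule permits it (assumption: default deny)."""
    if check_access(db, user_entity, object_id) is not True:
        return None
    return db.execute("SELECT id, region, product FROM orders WHERE id = ?", (object_id,)).fetchone()
```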
15 Claims
1. A computing system comprising: (claim 1 as set out under First Claim above; dependent claims 2, 3, 4, 5)
6. A method of controlling access to objects from an administrator system, said method comprising:
- receiving data indicating a plurality of hierarchies from a relational database server, wherein said relational database server stores a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes, wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables, wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row, wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries, wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server, wherein the attribute value is one of a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity, said plurality of hierarchies being contained in said hierarchically organized domains;
displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
enabling an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies;
enabling said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value, wherein a server system, in response to said administrator having specified said first security rule, upon receipt of a user request requesting access to objects stored in said relational database server from said user entity, is operable to perform the actions of:
determining that a first object stored in said relational database server is required for processing said user request;
checking whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
enforcing said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
Dependent claims: 7, 8, 9, 10.
-
11. A non-transitory machine readable medium storing one or more sequences of instructions for enabling a system to control access to objects, wherein execution of said one or more instructions by one or more processors contained in said system enables said system to perform the actions of:
- receiving data indicating a plurality of hierarchies from a relational database server, wherein said relational database server stores a plurality of objects representing digital entities of interest on a non-volatile storage, each object having corresponding attributes, wherein each object of said plurality of objects is represented in a corresponding set of tables in said relational database server, wherein the attributes of each object are represented as respective columns of the corresponding set of tables, wherein instances of each object are stored as respective rows of the corresponding set of tables, with the value of the attributes of the object being stored in the respective column of the row, wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries, wherein each attribute is stored with a corresponding attribute value in the respective column in said relational database server, wherein the value is one of a plurality of values organized as hierarchically organized domains, with the set value of each attribute expressing the corresponding characteristic of the corresponding entity, said plurality of hierarchies being contained in said hierarchically organized domains;
displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities;
enabling an administrator to specify a first combination comprising a user entity from said plurality of user entities, a first value from a first plurality of values of a first hierarchy and a second value from a second plurality of values of a second hierarchy, said first hierarchy and said second hierarchy being contained in said plurality of hierarchies;
enabling said administrator to specify a first security rule permitting or denying access for said first combination of said user entity, said first value and said second value, wherein a server system, in response to said administrator having specified said first security rule, upon receipt of a user request requesting access to objects stored in said relational database server from said user entity, is operable to perform the actions of:
determining that a first object stored in said relational database server is required for processing said user request;
checking whether said first object has stored in said relational database server a first attribute value and a second attribute value respectively matching said first value and said second value specified in said first security rule; and
enforcing said first security rule to permit or deny access to said first object as specified in said first security rule in further processing of said user request if said match is present and not enforce said first security rule otherwise, as a response to said administrator having specified said first security rule for said first combination.
Dependent claims: 12, 13, 14, 15.
Specification