Method and system for providing path-level access control for structured documents stored in a database

US 20050076030A1
Filed: 08/29/2003
Published: 04/07/2005
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:

a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;

b) generating a path for each node of the plurality of nodes in the document; and

c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules, generating a path for each node of the plurality of nodes in the document, and generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

146 Citations

View as Search Results

37 Claims

1. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document; and
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 17)
- - 2. The method of claim 1, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node.
  - 3. The method of claim 1 further comprising:
    - (d) storing each path and the corresponding value expression in a table.
  - 4. The method of claim 3 further comprising:
    - (e) compiling each value expression prior to storing step (d).
  - 5. The method of claim 4 further comprising:
    - (f) receiving a query from a user, wherein the query requests access to a node in the document;
      
      (g) executing the query;
      
      (h) evaluating the value expression corresponding to the path associated with the requested node;
      
      (i) displaying data associated with the requested node if the value expression grants access to the user; and
      
      (j) hiding data associated with the requested node if the value expression denies access to the user.
  - 6. The method of claim 5, wherein the evaluating step (h) is performed during a run time.
  - 7. The method of claim 1, wherein generating step (c) further comprises:
    - (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
      
      (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
      
      (c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path.
  - 8. The method of claim 3, further comprising:
    - (e) replacing the value expression for a path associated with a node with a reference notation if the value expression is identical to that for a path associated with the node'"'"'s parent, thereby eliminating repeated value expressions in the table.
  - 9. The method of claim 1, wherein the providing step (a) comprises:
    - (a1) writing the plurality of access control rules; and
      
      (a2) validating the plurality of access control rules such that the resulting rules are syntactically and logically valid.
  - 10. The method of claim 1, wherein the structured document is written in Extensible Markup Language.
  - 17. The computer readable medium of claim 1, wherein generating instruction (c) further comprises:
    - (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path;
      
      (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
      
      (c3) transforming each of the at least one access control rules associated with each path into a statement indicating who is granted and denied access to the path.

11. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, instructions for:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document; and
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
- View Dependent Claims (12, 13, 14, 15, 16, 18, 19, 20)
- - 12. The computer readable medium of claim 11, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node.
  - 13. The computer readable medium of claim 11 further comprising:
    - (d) storing each path and the corresponding value expression in a table.
  - 14. The computer readable medium of claim 13 further comprising:
    - (e) compiling each value expression prior to storing instruction (d).
  - 15. The computer readable medium of claim 14 further comprising:
    - (f) receiving a query from a user, wherein the query requests access to a node in the document;
      
      (g) executing the query;
      
      (h) evaluating the value expression corresponding to the path associated with the requested node;
      
      (i) displaying data associated with the requested node if the value expression grants access to the user; and
      
      (j) hiding data associated with the requested node if the value expression denies access to the user.
  - 16. The computer readable medium of claim 15, wherein the evaluating instruction (h) is performed during a run time.
  - 18. The computer readable medium of claim 13, further comprising:
    - (e) replacing the value expression for a path associated with a node with a reference notation if the value expression is identical to that for a path associated with the node'"'"'s parent, thereby eliminating repeated value expressions in the table.
  - 19. The computer readable medium of claim 11, wherein the providing instruction (a) comprises:
    - (a1) writing the plurality of access control rules; and
      
      (a2) validating the plurality of access control rules such that the resulting rules are syntactically and logically valid.
  - 20. The computer readable medium of claim 11, wherein the structured document is written in Extensible Markup Language.

21. A system for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising:
- a database management system in a computer system;
  
  an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules; and
  
  an Access Control mechanism in the database management system for generating a path for each node of the plurality of nodes in the document, and for generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the database management system utilizes the corresponding value expression during access control evaluation to determine whether a user is allowed to access a node in the structured document.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node.
  - 23. The system of claim 21 wherein the Access Control mechanism is configured to store each path and the corresponding value expression in a table.
  - 24. The system of claim 23 further comprising a compiler for compiling each value expression prior to storing in the table.
  - 25. The system of claim 24 wherein the database management system is configured to receive a query from a user, wherein the query requests access to a node in the document, to execute the query, to evaluate the value expression corresponding to the path associated with the requested node, to display data associated with the requested node if the value expression grants access to the user, and to hide data associated with the requested node if the value expression denies access to the user.
  - 26. The system of claim 25, wherein access control evaluation is performed during a run time.
  - 27. The system of claim 21, wherein the access control mechanism comprises:
    - a translator for normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path, and for propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
      
      a value expression generator for transforming each of the at least one access control rules associated with each path into a statement indicating who is granted and denied access to the path.
  - 28. The system of claim 21, wherein the access control rules are syntactically and logically valid.
  - 29. The system of claim 21, wherein the structured document is written in Extensible Markup Language.

30. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document;
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node; and
  
  (d) storing each path and the corresponding value expression in a table;
  
  wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30 further comprising:
    - (e) receiving a query from a user, wherein the query requests access to a node in the document;
      
      (f) executing the query;
      
      (g) evaluating the value expression corresponding to the path associated with the requested node during a run time;
      
      (h) displaying data associated with the requested node if the value expression grants access to the user; and
      
      (i) hiding data associated with the requested node if the value expression denies access to the user.
  - 32. The method of claim 30, wherein generating step (c) further comprises:
    - (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
      
      (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
      
      (c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path.

33. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, the programming instructions for:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document;
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node; and
  
  (d) storing each path and the corresponding value expression in a table;
  
  wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
- View Dependent Claims (34, 35)
- - 34. The computer readable medium of claim 33 further comprising:
    - (e) receiving a query from a user, wherein the query requests access to a node in the document;
      
      (f) executing the query;
      
      (g) evaluating the value expression corresponding to the path associated with the requested node during a run time;
      
      (h) displaying data associated with the requested node if the value expression grants access to the user; and
      
      (i) hiding data associated with the requested node if the value expression denies access to the user.
  - 35. The computer readable medium of claim 33, wherein generating instruction (c) further comprises:
    - (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
      
      (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
      
      (c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path.

36. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document;
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the generating step comprising;
  
  (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
  
  (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
  
  (c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path; and
  
  (d) storing each path and the corresponding value expression in a table;
  
  wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

37. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, the programming instructions for:
- a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
  
  b) generating a path for each node of the plurality of nodes in the document;
  
  c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the generating step comprising;
  
  (c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
  
  (c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
  
  (c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path; and
  
  (d) storing each path and the corresponding value expression in a table;
  
  wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Seki, Naishin, Tozawa, Akihiko, Hada, Satoshi, Van der Linden, Robbert C., Kudo, Michiharu

Granted Patent

US 8,775,468 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/284   Relational databases

G06F 16/8373   Query execution

G06F 16/86   Mapping to a database

G06F 16/972   Access to data in other rep...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Method and system for providing path-level access control for structured documents stored in a database

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing path-level access control for structured documents stored in a database

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links