Method and system for providing path-level access control for structured documents stored in a database
Abstract
An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes, is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules, generating a path for each node of the plurality of nodes in the document, and generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
37 Claims
1. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document; and
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
11. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, instructions for:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document; and
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
21. A system for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising:
a database management system in a computer system;
an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules; and
an Access Control mechanism in the database management system for generating a path for each node of the plurality of nodes in the document, and for generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the database management system utilizes the corresponding value expression during access control evaluation to determine whether a user is allowed to access a node in the structured document.
30. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document;
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node; and
(d) storing each path and the corresponding value expression in a table;
wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
33. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, the programming instructions for:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document;
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the value expression is an executable statement indicating who is granted or denied access to the corresponding path associated with the node; and
(d) storing each path and the corresponding value expression in a table;
wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
36. A method for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, comprising the steps of:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document;
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the generating step comprising;
(c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
(c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
(c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path; and
(d) storing each path and the corresponding value expression in a table;
wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
37. A computer readable medium containing programming instructions for providing path-level access control to a structured document in a collection stored in a database, wherein the structured document comprises a plurality of nodes, the programming instructions for:
a) providing an access control policy for the collection, wherein the access control policy comprises a plurality of access control rules;
b) generating a path for each node of the plurality of nodes in the document;
c) generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules, wherein the generating step comprising;
(c1) normalizing each of the access control rules into a format comprising a head, a path and a condition, wherein the condition indicates who is granted or denied access to the path and under what circumstances;
(c2) propagating each of the plurality of access control rules through each path such that access to each path is defined by at least one access control rule; and
(c3) transforming each of the at least one access control rules affecting each path into a statement indicating who is granted and denied access to the path; and
(d) storing each path and the corresponding value expression in a table;
wherein the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
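
An added illustration of steps (a) through (d) of claims 36 and 37, followed by the access control evaluation; it is not code from the patent. The sample document, the group names, the JSON form of the value expression, propagation from a path to its descendants, deny-overrides-grant and default deny are all assumptions made for the example.

```python
import json
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample document and policy (assumptions, not taken from the patent).
DOC = "<patient><name>A</name><record><diagnosis>x</diagnosis><billing>y</billing></record></patient>"
# (a)/(c1): rules already normalized to (head, path, condition); the condition is a group name.
RULES = [
    ("grant", "/patient", "staff"),
    ("deny", "/patient/record/diagnosis", "clerk"),
    ("grant", "/patient/record/diagnosis", "doctor"),
]

def node_paths(xml_text):
    """Step (b): generate one absolute path per element node."""
    paths = []
    def walk(elem, prefix):
        path = f"{prefix}/{elem.tag}"
        paths.append(path)
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return paths

def value_expression(path, rules):
    """Steps (c2)+(c3): propagate rules from the path and its ancestors, then
    fold them into one statement listing who is granted and who is denied."""
    grant, deny = set(), set()
    for head, rule_path, group in rules:
        if path == rule_path or path.startswith(rule_path + "/"):
            (grant if head == "grant" else deny).add(group)
    return json.dumps({"grant": sorted(grant), "deny": sorted(deny)})

def build_table(xml_text, rules):
    """Step (d): store each distinct path with its value expression."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (path TEXT PRIMARY KEY, expr TEXT NOT NULL)")
    rows = [(p, value_expression(p, rules)) for p in dict.fromkeys(node_paths(xml_text))]
    db.executemany("INSERT INTO acl VALUES (?, ?)", rows)
    return db

def allowed(db, path, groups):
    """Evaluation: look up the stored expression; deny wins, unknown path is denied."""
    row = db.execute("SELECT expr FROM acl WHERE path = ?", (path,)).fetchone()
    if row is None:
        return False
    expr = json.loads(row[0])
    return bool(set(expr["grant"]) & groups) and not (set(expr["deny"]) & groups)
```

Because the expressions are computed once when the table is built, the access check is a single keyed lookup per node, with no rule matching at query time.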
Specification