ENABLING GRANULAR DISCRETIONARY ACCESS CONTROL FOR DATA STORED IN A CLOUD COMPUTING ENVIRONMENT
Abstract
Enabling discretionary data access control in a cloud computing environment can begin with an access manager service obtaining a data request together with the response message that a data storage service generated for that request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request, and can determine an access response from them. Both the response message and the access response indicate whether access to the requested data artifact is allowed or denied. The access response can be compared to the response message: if the two do not match, the response message can be overridden to express the access response; if they match, the response message can be conveyed to the originating entity of the data request.
25 Claims
1-8. (canceled)
9. A system comprising:

a plurality of data artifacts representing electronic data files;

a cloud computing environment comprising a plurality of cloud service providers configured to operate in accordance with a cloud computing model;

a data storage cloud service configured to manage storage and access of the plurality of data artifacts within the cloud computing environment;

an access manager cloud service configured to provide discretionary access control to the plurality of data artifacts managed by the data storage cloud service, wherein said discretionary access control is performed in addition to access control operations executed by the data storage cloud service, and wherein the discretionary access control of the access manager cloud service is capable of countermanding access allowances and access denials made by the data storage cloud service.

Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer program product comprising a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:

computer usable program code configured to obtain a data request and a response message for the data request, wherein the response message is generated by a data storage service operating in a cloud computing environment in response to the data request, wherein said response message indicates at least one of an allowance and a denial of access to a data artifact stored by the data storage service;

computer usable program code configured to identify an existence of at least one of at least one owner-specified access rule and at least one owner-specified access exception applicable to the data request;

computer usable program code configured to determine an access response to the data request based upon the identified at least one owner-specified access rule and at least one owner-specified access exception, wherein said access response indicates at least one of the allowance and the denial of access to the data artifact requested in the data request, and wherein an owner-specified access rule defines at least one parameter value that restricts access to the data artifact, and wherein an owner-specified access exception defines conditions allowing access to the data artifact, wherein the access is denied by at least one of the data storage service and at least one owner-specified access rule;

computer usable program code configured to compare the determined access response to the response message;

computer usable program code configured to, if the determined access response does not match the response message, override the response message to express the determined access response; and

computer usable program code configured to, if the determined access response matches the response message, convey the response message to an originating entity of the data request.

Dependent claims: 17, 18, 19.
20-24. (canceled)
25. A computer program product comprising a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:

computer usable program code configured to receive of a data request by a data storage cloud service of a cloud storage system, wherein said data request requests access to a data artifact stored by the cloud storage system within a cloud computing environment;

computer usable program code configured to determine of a response to the data request by the data storage cloud service, wherein said determination indicates at least one of allowing access and denying access to the data artifact;

computer usable program code configured to detect of the data storage cloud service's receipt of the data request by an access manager cloud service;

computer usable program code configured to interrupt of the data storage cloud service's handling of the data request prior to an execution of the determined response by the access manager cloud service;

computer usable program code configured to obtain of a copy of the data request and the data storage cloud service's response by the access manager cloud service;

computer usable program code configured to evaluate of contents of the copy of the data request by the access manager cloud service with respect to discretionary access controls defined for the data artifact, wherein said discretionary access controls are configured by an entity associated with the data artifact;

computer usable program code configured to determine of response from said evaluation of the data request copy by the access manager cloud service, wherein said determination indicates at least one of allowing access and denying access to the data artifact;

computer usable program code configured to compare of the response determined by the data storage cloud service with the response internally determined by the access manager cloud service;

computer usable program code configured to, if said comparison indicates disagreement between the responses of the data storage cloud service and the access manager cloud service, override of the data storage cloud service's response by the access manager cloud service, wherein the response determined by the access manager cloud service is given precedence over the response determined by the data storage cloud service; and

computer usable program code configured to, if said comparison indicates agreement between the responses of the data storage cloud service and the access manager cloud service, release of the interruption to the data storage cloud service's handling of the data request by the access manager cloud service, wherein the data storage cloud service is allowed to complete fulfillment of the data request.
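As an added illustration of the two-stage check sketched in the abstract and laid out step by step in claim 25 (this is example code written for this page, not code from the patent or its assignee): a storage service answers from its own ACL, an access manager evaluates owner-specified rules (parameter values that restrict access) and exceptions (conditions that re-allow access the storage service or a rule denied), compares its answer with the storage response, and overrides only on disagreement. Every class name, field, the ACL and policy contents and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the two-stage check in the abstract and claim 25; every
# class, field and sample value is an assumption for this example, not patent text.

@dataclass(frozen=True)
class DataRequest:
    requester: str
    groups: frozenset   # group memberships supplied by the identity layer
    artifact_id: str
    action: str         # "read" or "write"
    hour: int           # local hour of the request, 0-23
    network: str        # "corp" or "public"

@dataclass(frozen=True)
class Response:
    allowed: bool
    source: str         # "storage" or "access_manager"
    reason: str

Predicate = Callable[[DataRequest], bool]

class StorageService:
    """Data storage cloud service: a coarse per-artifact, per-action group ACL."""
    def __init__(self, acl: Dict[str, Dict[str, frozenset]]):
        self.acl = acl

    def respond(self, req: DataRequest) -> Response:
        permitted = self.acl.get(req.artifact_id, {}).get(req.action, frozenset())
        if req.groups & permitted:
            return Response(True, "storage", "requester is in a permitted ACL group")
        return Response(False, "storage", "requester is in no permitted ACL group")

@dataclass
class OwnerPolicy:
    # A rule names a parameter value that restricts access: if its predicate
    # holds for the request, the rule denies.
    rules: List[Tuple[str, Predicate]] = field(default_factory=list)
    # An exception names conditions that allow access even though the storage
    # service or a rule denied it.
    exceptions: List[Tuple[str, Predicate]] = field(default_factory=list)

class AccessManager:
    """Access manager cloud service: applies owner-specified controls and may
    countermand the storage service's allowance or denial."""
    def __init__(self, policies: Dict[str, OwnerPolicy]):
        self.policies = policies  # keyed by artifact_id

    def access_response(self, req: DataRequest, storage: Response) -> Optional[Response]:
        """The manager's own decision, or None when no owner rule or exception
        applies (the storage response then stands)."""
        policy = self.policies.get(req.artifact_id)
        if policy is None:
            return None
        triggered = [name for name, pred in policy.rules if pred(req)]
        matching = [name for name, pred in policy.exceptions if pred(req)]
        denied_somewhere = bool(triggered) or not storage.allowed
        if denied_somewhere and matching:
            return Response(True, "access_manager", f"exception(s) {matching} allow access")
        if triggered:
            return Response(False, "access_manager", f"rule(s) {triggered} restrict access")
        return None

    def mediate(self, req: DataRequest, storage: Response) -> Response:
        """Compare both responses: the manager's wins on disagreement; on
        agreement (or no applicable controls) the storage response is conveyed."""
        own = self.access_response(req, storage)
        if own is None or own.allowed == storage.allowed:
            return storage
        return own

def build_demo() -> Tuple[StorageService, AccessManager]:
    """Constructed sample deployment: one artifact, one owner policy."""
    storage = StorageService({
        "doc-42": {"read": frozenset({"finance"}), "write": frozenset({"finance-leads"})},
    })
    manager = AccessManager({"doc-42": OwnerPolicy(
        rules=[
            ("business_hours_only", lambda r: not (9 <= r.hour < 18)),
            ("corp_network_only", lambda r: r.network != "corp"),
        ],
        exceptions=[
            ("auditors_may_read", lambda r: r.action == "read" and "auditors" in r.groups),
        ],
    )})
    return storage, manager

def decide(req: DataRequest) -> Response:
    """Run one request through both stages and return what the requester gets."""
    storage, manager = build_demo()
    return manager.mediate(req, storage.respond(req))

if __name__ == "__main__":
    for who, grp, hour in [("alice", "finance", 10), ("alice", "finance", 22),
                           ("bob", "auditors", 10), ("carol", "contractors", 10)]:
        r = decide(DataRequest(who, frozenset({grp}), "doc-42", "read", hour, "corp"))
        print(f"{who:6} h={hour:2} -> {'ALLOW' if r.allowed else 'DENY'} by {r.source}: {r.reason}")
```

The `None` return from `access_response` models the case where no owner control applies, so the manager simply releases the storage service's own handling. Note the two directions of countermanding in the sample: an after-hours request by an ACL member is allowed by storage but denied by the owner's rule, while an auditor outside the ACL is denied by storage but allowed by the owner's exception. When both stages deny, the storage denial is conveyed as-is because the responses agree; in a real deployment every override, in either direction, is the event worth logging, since that is exactly where the two services disagree.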
Specification