ACCESS CONTROL FOR OBJECTS HAVING ATTRIBUTES DEFINED AGAINST HIERARCHICALLY ORGANIZED DOMAINS CONTAINING FIXED NUMBER OF VALUES

US 20160104004A1
Filed: 02/23/2015
Published: 04/14/2016
Est. Priority Date: 10/08/2014
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values, said method comprising:

receiving data indicating a plurality of hierarchies of said hierarchically organized domains;

displaying the values of the corresponding domains in each hierarchy of said plurality of hierarchies;

enabling a user to select a first set of values from the displayed values of the corresponding domains;

enabling said user to specify a security rule for a combination of said first set of values and a user entity; and

enforcing said security rule when objects having attributes matching said first set of values are accessed by said user entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An aspect of the present disclosure facilitates controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values. In one embodiment, in response to receiving data indicating specific hierarchies of the hierarchically organized domains, the corresponding fixed number of values of the corresponding domains in each hierarchy is displayed. Accordingly, a user is enabled to select a desired set of values from the corresponding fixed number of values of the corresponding domains, and to specify a security rule for a combination of the selected set of values and a user entity. The security rule is thereafter enforced when objects having attributes matching the selected set of values are accessed by the user entity.

22 Citations

View as Search Results

20 Claims

1. A method of controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values, said method comprising:
- receiving data indicating a plurality of hierarchies of said hierarchically organized domains;
  
  displaying the values of the corresponding domains in each hierarchy of said plurality of hierarchies;
  
  enabling a user to select a first set of values from the displayed values of the corresponding domains;
  
  enabling said user to specify a security rule for a combination of said first set of values and a user entity; and
  
  enforcing said security rule when objects having attributes matching said first set of values are accessed by said user entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said displaying displays a plurality of tuples along respective lines with each tuple containing an ordered sequence of elements,wherein each element is set to one of the values of a corresponding hierarchy of said plurality of hierarchies such that said plurality of tuples together represents a Cartesian product of values of all of said plurality of hierarchies,wherein said selection comprises indicating a first set of lines corresponding to a set of tuples of interest contained in said plurality of tuples,wherein said enforcing enforces said security rule against objects having attributes matching any of said set of tuples of interest.
  - 3. The method of claim 2, wherein said lines are displayed along a first dimension and a plurality of user entities including said user entity are displayed along a second dimension,wherein said selection comprises indicating for each user entity of said plurality of user entities, a corresponding set of lines of interest, wherein said first set of lines are indicated for said user entity,wherein said enforcing enforces said security rule when objects having attributes matching any of the tuples corresponding to said selected set of lines of interest are accessed by the corresponding user entity.
  - 4. The method of claim 3, further comprising:
    - displaying a data map representing said plurality of tuples, wherein the values of each hierarchy of said plurality of hierarchies is displayed along a corresponding dimension of said data map; and
      
      receiving from said user, a set of valid tuples contained in said plurality of tuples, each valid tuple representing a corresponding set of values that may be assigned to attributes of the objects,wherein said displaying displays only said set of valid tuples as said lines along said first dimension.
  - 5. The method of claim 1, wherein said plurality of hierarchies include a first hierarchy and a second hierarchy, said first hierarchy having a plurality of values as nodes, and said second hierarchy having a plurality of user entities as nodes,wherein said first set of values are selected by said user from said plurality of values, wherein said user also selects a set of user entities of said plurality of user entities,wherein said method further comprises:
    - in response to said selection of said first set of values and said set of user entities, displaying a plurality of tuples along respective lines with each tuple containing an ordered sequence of elements,wherein elements at a first position and a second position in said ordered sequence, are respectively set to one of said set of user entities, and one of said first set of values such that said plurality of tuples together represents a Cartesian product of said first set of values and said set of user entities,wherein said user specifies said security rule by selecting lines corresponding to a first set of tuples of said plurality of tuples, wherein each tuple of said first set of tuples has said user entity in said first position and one of said first set of values in said second position.
  - 6. The method of claim 5, wherein said selection comprises a first value of a first domain in said first hierarchy and a descendant flag, wherein said first domain is at a higher level in said first hierarchy, wherein said first value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy,wherein said descendant flag indicates whether or not to include the sub-domains under said first value in said selection,wherein said selection includes the values of said first domain and the sub-domains under said first value in said first set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise.
  - 7. The method of claim 6, wherein said security rule permits access to corresponding objects having attributes matching said first set of values, wherein access is denied to objects if not permitted access by any corresponding security rule.
  - 8. The method of claim 1, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries, wherein access to a first object by said user entity is performed using a first SQL query, wherein said enforcing comprises:
    - appending a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said object matches said first set of values.
  - 9. The method of claim 8, wherein said method is implemented in a financial application server, wherein said objects are application objects defined in a financial application executing in said financial application server.

10. A non-transitory machine readable medium storing one or more sequences of instructions for enabling a system to control access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values, wherein execution of said one or more instructions by one or more processors contained in said system enables said system to perform the actions of:
- receiving data indicating a plurality of hierarchies of said hierarchically organized domains;
  
  displaying the values of the corresponding domains in each hierarchy of said plurality of hierarchies;
  
  enabling a user to select a first set of values from the displayed values of the corresponding domains;
  
  enabling said user to specify a security rule for a combination of said first set of values and a user entity; and
  
  enforcing said security rule when objects having attributes matching said first set of values are accessed by said user entity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The non-transitory machine readable medium of claim 10, wherein said displaying displays a plurality of tuples along respective lines with each tuple containing an ordered sequence of elements,wherein each element is set to one of the values of a corresponding hierarchy of said plurality of hierarchies such that said plurality of tuples together represents a Cartesian product of values of all of said plurality of hierarchies,wherein said selection comprises indicating a first set of lines corresponding to a set of tuples of interest contained in said plurality of tuples,wherein said enforcing enforces said security rule against objects having attributes matching any of said set of tuples of interest.
  - 12. The non-transitory machine readable medium of claim 11, wherein said lines are displayed along a first dimension and a plurality of user entities including said user entity are displayed along a second dimension,wherein said selection comprises indicating for each user entity of said plurality of user entities, a corresponding set of lines of interest, wherein said first set of lines are indicated for said user entity,wherein said enforcing enforces said security rule when objects having attributes matching any of the tuples corresponding to said selected set of lines of interest are accessed by the corresponding user entity.
  - 13. The non-transitory machine readable medium of claim 12, further comprising one or more instructions for:
    - displaying a data map representing said plurality of tuples, wherein the values of each hierarchy of said plurality of hierarchies is displayed along a corresponding dimension of said data map; and
      
      receiving from said user, a set of valid tuples contained in said plurality of tuples, each valid tuple representing a corresponding set of values that may be assigned to attributes of the objects,wherein said displaying displays only said set of valid tuples as said lines along said first dimension.
  - 14. The non-transitory machine readable medium of claim 10, wherein said plurality of hierarchies include a first hierarchy and a second hierarchy, said first hierarchy having a plurality of values as nodes, and said second hierarchy having a plurality of user entities as nodes,wherein said first set of values are selected by said user from said plurality of values, wherein said user also selects a set of user entities of said plurality of user entities,wherein said method further comprises:
    - in response to said selection of said first set of values and said set of user entities, displaying a plurality of tuples along respective lines with each tuple containing an ordered sequence of elements,wherein elements at a first position and a second position in said ordered sequence, are respectively set to one of said set of user entities, and one of said first set of values such that said plurality of tuples together represents a Cartesian product of said first set of values and said set of user entities,wherein said user specifies said security rule by selecting lines corresponding to a first set of tuples of said plurality of tuples, wherein each tuple of said first set of tuples has said user entity in said first position and one of said first set of values in said second position.
  - 15. The non-transitory machine readable medium of claim 14, wherein said selection comprises a first value of a first domain and a descendant flag, wherein said first domain is at a higher level in a first hierarchy of said plurality of hierarchies, wherein said first value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy,wherein said descendant flag indicates whether or not to include the sub-domains under said first value in said selection,wherein said selection includes the values of said first domain and the sub-domains under said first value in said first set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise.
  - 16. The non-transitory machine readable medium of claim 15, wherein said security rule permits access to corresponding objects having attributes matching said first set of values, wherein access is denied to objects if not permitted access by any corresponding security rule.
  - 17. The non-transitory machine readable medium of claim 10, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries, wherein access to a first object by said user entity is performed using a first SQL query, wherein said enforcing comprises:
    - appending a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said object matches said first set of values.

18. A computing system comprising:
- a relational database server to store a plurality of objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values;
  
  an administrator system operable to;
  
  receive data indicating a plurality of hierarchies of said hierarchically organized domains;
  
  display the values of the corresponding domains in each hierarchy of said plurality of hierarchies;
  
  enable a user to select a first set of values from the displayed values of the corresponding domains; and
  
  enable said user to specify a security rule for a combination of said first set of values and a user entity; and
  
  a server system operable to;
  
  receive a user request from said user entity;
  
  determine that a first object having attributes matching said first set of values is to be accessed for processing said user request; and
  
  enforce said security rule as against said first object in processing said user request, as a response to said user having specified said security rule for said combination of said first set of values and said user entity.
- View Dependent Claims (19, 20)
- - 19. The computing system of claim 18, wherein said relational database server allows access to said plurality of objects using SQL (structured query language) queries,wherein said server system accesses said first object using a first SQL query,wherein to perform said determine and said enforce, said server system appends a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said first object matches said first set of values.
  - 20. The computing system of claim 19, wherein said server system is a financial application server, wherein said plurality of objects are application objects defined in a financial application executing in said financial application server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle Financial Services Software Limited (Oracle Corporation)
Original Assignee
Oracle Financial Services Software Limited (Oracle Corporation)
Inventors
Vadapandeshwara, Rajaram Narasimha, Nagulakonda, Gangadhar, Srinivasa, Bhargava

Granted Patent

US 9,935,964 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

ACCESS CONTROL FOR OBJECTS HAVING ATTRIBUTES DEFINED AGAINST HIERARCHICALLY ORGANIZED DOMAINS CONTAINING FIXED NUMBER OF VALUES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL FOR OBJECTS HAVING ATTRIBUTES DEFINED AGAINST HIERARCHICALLY ORGANIZED DOMAINS CONTAINING FIXED NUMBER OF VALUES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links