SYSTEM AND METHOD FOR FAST PROBABILISTIC QUERYING ROLE-BASED ACCESS CONTROL SYSTEMS

US 20180060593A1
Filed: 09/01/2016
Published: 03/01/2018
Est. Priority Date: 09/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-based method, comprising the steps of:

extracting from a computer-based system, information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations;

creating one computer-based user bloom filter for each one of the users, wherein each user bloom filter correlates an associated one of the users to one or more of the profiles;

creating one computer-based profile bloom filter for each one of the profiles, wherein each profile bloom filter correlates an associated one of the profiles to one or more of the assigned authorizations; and

creating one action bloom filter for each of a plurality of possible end user queries, wherein each action bloom filter correlates an associated one of the possible end user queries to a set of users that are authorized to perform the action associated with the corresponding end user query.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes extracting from a computer-based system, (e.g., a role-based access control system) information identifying users and information identifying one or more profiles for each of the users, creating one computer-based user bloom filter for each one of the users, creating one computer-based profile bloom filter for each one of the profiles and creating one action bloom filter for each of a plurality of possible end user queries. Each profile corresponds to one or more assigned authorizations, each user bloom filter correlates an associated one of the users to one or more of the assigned profiles, each profile bloom filter correlates an associated one of the profiles to one or more of the assigned authorizations, and each action bloom filter correlates an associated one of the possible end user queries to a set of users that are authorized to perform the action associated with the corresponding end user query.

18 Citations

View as Search Results

24 Claims

1. A computer-based method, comprising the steps of:
- extracting from a computer-based system, information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations;
  
  creating one computer-based user bloom filter for each one of the users, wherein each user bloom filter correlates an associated one of the users to one or more of the profiles;
  
  creating one computer-based profile bloom filter for each one of the profiles, wherein each profile bloom filter correlates an associated one of the profiles to one or more of the assigned authorizations; and
  
  creating one action bloom filter for each of a plurality of possible end user queries, wherein each action bloom filter correlates an associated one of the possible end user queries to a set of users that are authorized to perform the action associated with the corresponding end user query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-based method of claim 1, further comprising:
    - identifying the set of users that are authorized to perform the action associated with the corresponding end user query by;
      
      using each profile bloom filter to identify, for each respective one of the possible end user queries, all of the profiles that have the authorizations required to perform an action associated with the corresponding end user query; and
      
      using the user bloom filter to identify, for each respective one of the identified profiles, all of the users that have the identified profile.
  - 3. The computer-based method of claim 1, wherein the user bloom filters, the profile bloom filters and the action bloom filters are created only once from information contained within and retrieved from the system as part of an initiation phase for a computer-based system that facilitates querying the system.
  - 4. The computer-based method of claim 1, further comprising:
    - monitoring the computer-based system for changes; and
      
      updating one or more of the user bloom filters, profile bloom filters, and/or action bloom filters according to one or more changes to the computer-based system.
  - 5. The computer-based method of claim 4, wherein monitoring the computer-based system for changes comprises monitoring a time-stamped change document associated with the computer-based system,wherein the time-stamped change document identifies one or more changes along with corresponding time information relating to the one or more changes.
  - 6. The method of claim 4, further comprising:
    - updating only one or more of the user bloom filters, profile bloom filters, or action bloom filters that would be affected by the one or more changes to the computer-based system.
  - 7. The method of claim 1, further comprising:
    - enabling an end user to query about the computer-based system from a computer-based end-user terminal.
  - 8. The method of claim 7, further comprising:
    - using a corresponding one or more of the user bloom filters, profile bloom filters, or action bloom filters to identify information responsive to the end-user query.
  - 9. The method of claim 8, further comprising:
    - presenting, at the computer-based end-user terminal, the information responsive to the end-user query.
  - 10. The method of claim 8, wherein using the corresponding one or more of the user bloom filters, profile bloom filters, or action bloom filters to identify information responsive to the end-user query produces a false-negative rate of zero, but a false-positive rate that is not zero, the method further comprising:
    - enabling the end-user to specify an acceptable non-zero false-positive rate, wherein a higher acceptable value for the non-zero false positive rate corresponds to a lower speed of operation and a lower acceptable value for the non-zero false positive rate corresponds to a higher speed of operation.
  - 11. The method of claim 1, further comprising:
    - identifying a segregation of duties (SoD) conflict among the plurality of users.
  - 12. The method of claim 11, wherein identifying a segregation of duties (SoD) conflict among the plurality of users comprises:
    - identifying a first bloom filter from among the user bloom filters, the profile bloom filters and the action bloom filters;
      
      identifying a second bloom filter from among the user bloom filters, the profile bloom filters and the action bloom filters; and
      
      identifying an intersection between the first bloom filter and the second bloom filter.
  - 13. The method of claim 12, wherein each of the first bloom filter and the second bloom filter is represented by a sequence of bits, and wherein identifying the intersection between the first bloom filter and the second bloom filter comprises:
    - applying a logical AND function to the sequence of bits associated with the first bloom filter and the second bloom filter.
  - 14. The method of claim 12, further comprising:
    - creating an intersection bloom filter based on the intersection between the first bloom filter and the second bloom filter.
  - 15. The method of claim 14, further comprising:
    - enabling an end-user to query for SoD conflicts from a computer-based end-user terminal; and
      
      using the intersection bloom filter, in response to the query, to identify any SoD conflicts.
  - 16. The method of claim 15, further comprising:
    - presenting, at the computer-based end-user terminal, information responsive to the query from the end-user.
  - 17. The method of claim 1, wherein the computer-based system is a role based access control (RBAC) system.

18. A computer-based method, comprising the steps of:
- initializing a query system for a computer-based, role-based access control (RBAC) system by;
  
  extracting from the RBAC system information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations; and
  
  creating a plurality of different types of computer-based bloom filters based on the extracted information; and
  
  monitoring the computer-based RBAC system for changes and updating one or more of the bloom filters according to one or more changes to the computer-based RBAC system.
- View Dependent Claims (19, 20)
- - 19. The computer-based method of claim 18, wherein the initializing step is performed only once for the RBAC system, whereas the monitoring step is performed on an on-going basis while the query system is in operation.
  - 20. The computer-based method of claim 18, further comprising:
    - enabling an end user to query about the computer-based, role-based access control (RBAC) system from a computer-based end-user terminal;
      
      using a corresponding one or more of the bloom filters to identify information responsive to the end-user query; and
      
      presenting the identified information at the computer-based end-user terminal.

21. A system comprising:
- a computer-based processor; and
  
  a computer-based memory that stores instructions executable by the processor to perform the steps comprising;
  
  extracting from a computer-based, role-based access control (RBAC) system information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations;
  
  creating one computer-based user bloom filter for each one of the users, wherein each user bloom filter correlates an associated one of the users to one or more of the assigned profiles;
  
  creating one computer-based profile bloom filter for each one of the profiles, wherein each profile bloom filter correlates an associated one of the profiles to one or more of the contained authorizations; and
  
  creating one action bloom filter for each of a plurality of possible end user queries, wherein each action bloom filter correlates an associated one of the possible end user queries to a set of users that are authorized to perform the action associated with the corresponding end user query.

22. A system comprising:
- a computer-based processor; and
  
  a computer-based memory that stores instructions executable by the processor to perform the steps comprising;
  
  initializing a query system for a computer-based, role-based access control (RBAC) system by;
  
  extracting from the RBAC system information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations; and
  
  creating a plurality of different types of computer-based bloom filters based on the extracted information; and
  
  monitoring the computer-based RBAC system for changes and updating one or more of the bloom filters according to one or more changes to the computer-based RBAC system.

23. A non-transitory, computer-readable medium that stores instructions executable by a processor to perform the steps comprising:
- extracting from a computer-based, role-based access control (RBAC) system information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations;
  
  creating one computer-based user bloom filter for each one of the users, wherein each user bloom filter correlates an associated one of the users to one or more of the assigned profiles;
  
  creating one computer-based profile bloom filter for each one of the profiles, wherein each profile bloom filter correlates an associated one of the profiles to one or more of the contained authorizations; and
  
  creating one action bloom filter for each of a plurality of possible end user queries, wherein each action bloom filter correlates an associated one of the possible end user queries to a set of users that are authorized to perform the action associated with the corresponding end user query.

24. A non-transitory, computer-readable medium that stores instructions executable by a processor to perform the steps comprising:
- initializing a query system for a computer-based, role-based access control (RBAC) system by;
  
  extracting from the RBAC system information identifying a plurality of users and information identifying one or more profiles for each respective one of the users, wherein each profile corresponds to one or more assigned authorizations; and
  
  creating a plurality of different types of computer-based bloom filters based on the extracted information; and
  
  monitoring the computer-based RBAC system for changes and updating one or more of the bloom filters according to one or more changes to the computer-based RBAC system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onapsis, Inc.
Original Assignee
Onapsis Incorporated
Inventors
Abraham, Sergio, Russ, Fernando

Granted Patent

US 10,242,206 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2255   Hash tables

G06F 16/9535   Search customisation based ...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

H04L 63/10   for controlling access to d...

H04W 12/088   using filters or firewalls

SYSTEM AND METHOD FOR FAST PROBABILISTIC QUERYING ROLE-BASED ACCESS CONTROL SYSTEMS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR FAST PROBABILISTIC QUERYING ROLE-BASED ACCESS CONTROL SYSTEMS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links