Information sharing system and method with requester dependent sharing and security rules
First Claim
1. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:
- a port for receiving queries requesting information from the database;
means for accessing a set of rules, including query pre-processing rules and query results post-processing rules;
each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
a query pre-processing module for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
0 Assignments
0 Petitions
Accused Products
Abstract
A security mediator system is used in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints. A rules database stores rules, including query pre-processing rules and query results post-processing rules. The rules database includes data for specifying, for each of a plurality of specified groups of users, which of the rules in the rules database are applicable to queries received from users in each of the groups. A query pre-processing module applies to each received query all pre-processing rules in the rules database applicable to the query in accordance with the identified user who submitted the query. If any applicable rule is not passed, the query is blocked; otherwise execution of the query is enabled. A database access module executing each enabled query to produce a corresponding result. A post-processing module applies to the results all post-processing rules in the rules database applicable to the executed query. If any applicable rule is not passed, transmission of the results is blocked; otherwise transmission of the results to the identified user is enabled. A security officer module processes blocked queries and blocked results, enabling a security officer to review blocked queries and blocked results, and to either confirm the blocking determination or override it.
317 Citations
15 Claims
-
1. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:
-
a port for receiving queries requesting information from the database;
means for accessing a set of rules, including query pre-processing rules and query results post-processing rules;
each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
a query pre-processing module for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words. - View Dependent Claims (2, 3, 4)
each query is submitted by an identified user of the computer system; the set of rules includes user data for specifying, for each of a plurality of specified groups of users, which of the rules are applicable to queries received from users in each of the groups of users;
the query pre-processing module applies to each received query all pre-processing rules applicable to the query in accordance with the identified user who submitted the query; and
the post-processing module applies to the result produced for each executed query all post-processing rules applicable to the result in accordance with the identified user who submitted the corresponding query.
-
-
3. The security system of claim 2, further including:
a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
-
4. The security system of claim 1, further including:
a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
-
5. A method of constraining access to information in a database in accordance with pre-defined constraints, comprising the steps of:
-
receiving queries requesting information from the database;
accessing a rules database that stores a set of rules, including query pre-processing rules and query results post-processing rules;
each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
pre-processing each received query by applying all pre-processing rules in the rules database applicable to the query, blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
post-processing the result produced for each executed query by applying all post-processing rules in the rules database applicable to the result, blocking transmission of the result if any of the post-processing rules applied to the result are not passed, and otherwise enabling transmission of the result;
wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing step blocks transmission of the result if the result includes any words not in the predefined dictionary of words. - View Dependent Claims (6, 7, 8)
each query is submitted by an identified user; the rules database includes user data for specifying, for each of a plurality of specified groups of users, which of the rules in the rules database are applicable to queries received from users in each of the groups of users;
the pre-processing step includes applying to each received query all pre-processing rules in the rules database applicable to the query in accordance with the identified user who submitted the query; and
the post-processing step includes applying to the result produced for each executed query all post-processing rules in the rules database applicable to the result in accordance with the identified user who submitted the corresponding query.
-
-
7. The method of claim 6, further including:
processing at least a subset of blocked queries and blocked results by passing them to a security monitor for review, and receiving from the security monitor a signal that confirms the blocking determination or overrides it, in accordance with instructions received from an authorized security officer.
-
8. The method of claim 5, further including:
processing at least a subset of blocked queries and blocked results by passing them to a security monitor for review, and receiving from the security monitor a signal that confirms the blocking determination or overrides it, in accordance with instructions received from an authorized security officer.
-
9. A computer program product for applying security constraints to database access requests and replies, the computer product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism, comprising:
-
instructions for storing a set of rules, including query pre-processing rules and query results post-processing rules;
each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
a query pre-processing module for receiving queries requesting information from a database and for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-rocessing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words. - View Dependent Claims (10, 11, 12)
each query is submitted by an identified user; the set of rules includes user data for specifying, for each of a plurality of specified groups of users, which of the rules are applicable to queries received from users in each of the groups of users;
the query pre-processing module applies to each received query all pre-processing rules applicable to the query in accordance with the identified user who submitted the query; and
the post-processing module applies to the result produced for each executed query all post-processing rules applicable to the result in accordance with the identified user who submitted the corresponding query.
-
-
11. The computer program product of claim 10, further including:
a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
-
12. The computer program product of claim 9, further including:
a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
-
13. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:
-
a port for receiving queries requesting information from the database;
means for accessing a set of rules, including query results post-processing rules;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
a database access mechanism for extracting information from a database as specified in a query to produce a corresponding result having one or more words; and
a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
-
-
14. A method of constraining access to information in a database in accordance with pre-defined constraints, comprising the steps of:
-
receiving queries requesting information from the database;
executing a received query so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
comparing every word of the result with a predefined dictionary of words, and blocking transmission of the result if the result includes any words not in the predefined dictionary of words; and
post-processing the result produced for each executed query by applying a set of post-processing rules to the result, blocking transmission of the result if any of the post-processing rules applied to the result are not passed, and otherwise enabling transmission of the result;
the postprocessing step including accessing a rules database that stores a set of rules, including query results post-processing rules;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable.
-
-
15. A computer program product for applying security constraints to database access requests and replies, the computer product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism, comprising:
-
instructions for storing a set of rules, including query results post-processing rules;
each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
a database access mechanism for extracting information from a database as specified in a query to produce a corresponding result having one or more words; and
a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
-
Specification