Event-based database access execution

US 7,120,635 B2
Filed: 12/16/2002
Issued: 10/10/2006
Est. Priority Date: 12/16/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of executing event-based database access requests, said method comprising:

establishing an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in an access rights database;

receiving a database access request from a user;

determining whether said request includes an explicit authorization privilege;

inferring an authorization privilege if said explicit authorization privilege is absent;

inferring any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;

verifying an inferred authorization privilege; and

executing said access request,wherein said step of inferring an authorization privilege includes algorithmically mining occurrence patterns of access rights from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authorisation privilege for an access request is inferred when no explicit privilege exists. The inference can be performed by way of mining occurrence patterns or derived from user hierarchy, profile, click history, transaction history or role. For any access request, the respective explicit privilege or inferred privilege is verified by the database or security administrator before the access request is permitted. Conditions expressed in an access policy are evaluated on the occurrence of predefined events. The events extend beyond user access requests, and include external events, composite events and access of a referential type. The access policy is framed in ‘event, condition, access enforcement’ terminology. The access control rules can be parameterised and can be instantiated by data obtained from inference rules associated with the conditions of the policy. The conditions have an evaluation component and an inference component. The access privileges supported are: read, write and indirect read. An indirect read operation typically allows a user qualified access to one or more portions of a database, but not the entire database.

101 Citations

View as Search Results

21 Claims

1. A method of executing event-based database access requests, said method comprising:
- establishing an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in an access rights database;
  
  receiving a database access request from a user;
  
  determining whether said request includes an explicit authorization privilege;
  
  inferring an authorization privilege if said explicit authorization privilege is absent;
  
  inferring any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  verifying an inferred authorization privilege; and
  
  executing said access request,wherein said step of inferring an authorization privilege includes algorithmically mining occurrence patterns of access rights from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the step of inferring an authorization privilege includes a derivation from data associated with said user.
  - 3. The method of claim 2, wherein said data includes any of a place in a hierarchy, a profile, a click history, a transaction history, and a role.
  - 4. The method of claim 1, wherein said step of inferring an authorization privilege is performed within an access control policy comprising a set of events, and wherein each of said events comprises at least one condition evaluation and associated inference rules, and access enforcement actions.
  - 5. The method of claim 4, wherein said access enforcement actions are parameterized.

6. A method of executing event-based database access requests within an access control policy having a set of events, wherein each of said events comprises at least one condition evaluation and associated inference rules, and an access enforcement action, the method comprising:
- establishing said access control policy comprising said set of events, wherein each of said events is capable of leading to a change of access rights in an access rights database;
  
  receiving a database access request from a requesting user;
  
  assessing an applicable event;
  
  evaluating said condition evaluations against said request;
  
  determining whether said request includes an explicit authorization privilege;
  
  inferring an authorization privilege if said explicit authorization privilege is absent;
  
  inferring any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  verifying an inferred authorization privilege; and
  
  executing a relevant said enforcement action,wherein said step of inferring an authorization privilege includes algorithmically mining occurrence patterns of access rights from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein the step of inferring an authorization privilege includes a derivation from data associated with said requesting user.
  - 8. The method of claim 7, wherein said data includes any of a place in a hierarchy, a profile, a click history, a transaction history, a and role.

9. A database system having event-based access, the system comprising:
- a user input interface operable to receive user access requests;
  
  a database;
  
  an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in said access rights database;
  
  an algorithmic mechanism adapted to infer any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  a database administrator tat verifies an inferred authorization privilege; and
  
  a processor controlling execution of user access requests to said database, and wherein, in response to a said access request, said processor is operable to determine whether said request includes an explicit authorization privilege, infers an authorization privilege if said explicit authorization privilege is absent, and executes said access request,wherein said processor infers said authorization privilege by algorithmically mining occurrence patterns from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (10, 11, 12)
- - 10. The database system of claim 9, wherein the processor infers an authorization privilege derived from data associated with said requesting user.
  - 11. The database system of claim 10, wherein the processor operates on data including any of a place in a hierarchy, a profile, a click history, a transaction history, and a role.
  - 12. The database system of claim 9, further comprising a database administrator that verifies an inferred authorization privilege before said processor executes said access request.

13. A database system having event-based access within an access control policy having a set of events, said set of events comprising at least one condition evaluation and associated inference rules, and access enforcement actions said database system, comprising:
- a user input interface by which a requesting user access requests are received;
  
  a database;
  
  an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in said access rights database;
  
  an algorithmic mechanism adapted to infer any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  a database administrator that verifies an inferred authorization privilege; and
  
  a processor controlling execution of user access requests to said database, and wherein, in response to an access request, the processor assesses an applicable event, and for the applicable event, evaluates said condition evaluation against said request, determines whether said request includes an explicit authorization privilege, infers an authorization privilege if said explicit authorization privilege is absent, and executes a relevant said enforcement action,wherein said processor infers an authorization privilege by algorithmically mining occurrence patterns from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (14, 15)
- - 14. The database system of claim 13, wherein the processor infers an authorization privilege derived from data associated with said requesting user.
  - 15. The database system of claim 14, wherein the processor operates on data comprising any of a place in a hierarchy, a profile, a click history, a transaction history, and a role.

16. A program storage device comprising computer software recorded on said program storage device and able to be executed by a computer system capable of interpreting the computer software, for performing a method of event-based database requests, the method comprising:
- establishing an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in an access rights database;
  
  receiving a database access request from a user;
  
  determining whether said request includes an explicit authorization privilege,inferring an authorization privilege if said explicit authorization privilege is absent;
  
  inferring any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  verifying an inferred authorization privilege; and
  
  executing said access request,wherein said step of inferring an authorization privilege includes algorithmically mining occurrence patterns of access rights from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (17, 18)
- - 17. The program storage device of claim 16, wherein said step of inferring an authorization privilege comprises performing a derivation from data associated with said user.
  - 18. The program storage device of claim 17, wherein said data includes data comprises any of a place in a hierarchy, a profile, a click history, a transaction history, and a role.

19. A program storage device readable by machine, tangibly embodying a program of instructions executable by said machine to perform a method for executing event-based database access requests within an access control policy having a set of events, wherein said events comprises at least one condition evaluation and associated inference rules, and access enforcement actions, said method comprising:
- establishing an access control policy comprising a set of events, wherein each of said events is capable of leading to a change of access rights in an access rights database;
  
  receiving a database access request from a requesting user;
  
  assessing an applicable event, and for the applicable event, evaluating said condition evaluations against said request;
  
  determining whether said request includes an explicit authorization privilege;
  
  inferring an authorization if said explicit authorization privilege is absent;
  
  inferring any of association rules and inference rules from said access rights database representing patterns between different access rights granted in an organization;
  
  verifying an inferred authorization privilege; and
  
  executing a relevant said enforcement actions,wherein said step of inferring an authorization comprises performing an algorithmically mining of occurrence patterns from existing user records, andwherein if a similarity between two patterns is within a specified threshold, said mining suggesting or inferring access rights be granted to said user.
- View Dependent Claims (20, 21)
- - 20. The program storage device of claim 19, wherein in said method, said step of inferring an authorization privilege comprises performing a derivation from data associated with said requesting user.
  - 21. The program storage device of claim 20, wherein said requesting user data comprises any of a place in a hierarchy, a profile, a click history, a transaction history, and a role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Mohania, Mukesh Kumar, Bhide, Manish Anand
Primary Examiner(s)
Pham, Khanh B.

Application Number

US10/319,980
Publication Number

US 20040117371A1
Time in Patent Office

1,394 Days
Field of Search

707 1- 10, 707/101
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2216/03   Data mining

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2145   Inheriting rights or proper...

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99936   Pattern matching access

Y10S 707/99939   Privileged access

Y10S 707/99942   Manipulating data structure...

Event-based database access execution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Event-based database access execution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others