Synchronization of access permissions in a database network

US 7,769,715 B2
Filed: 03/17/2006
Issued: 08/03/2010
Est. Priority Date: 03/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for synchronizing access permissions across at least two disparate database systems, the method comprising:

queuing, into a work order queue, a plurality of work orders, each work order within the plurality of work orders comprising respective pre-defined synchronization rules and a respective sequence of a respective set of records stored in a source database system and a destination database system to be used for synchronizing access permissions between the source database system and the destination database system, wherein the source database system and the destination database system have distinct access control mechanisms associated therewith;

receiving, with a selected processing engine within a set of processing engines, a current work order from the work order queue, wherein the set of processing engines is separate from the source database system and the destination database system;

fetching, by the selected processing engine from the source database system in response to receiving the current work order and based upon the current work order, a current set of records, the current set of records being specified by the current work order and the current set of records having access permission rules assigned to the current set of records in the source database system, wherein the access permission rules are to be mapped to privileges to be assigned to records in the destination database system;

fetching, concurrently with the fetching by the selected processing engine, the current work order by a second processing engine, the second processing engine being different than the selected processing engine, wherein the selected processing engine and the second processing engine are each on a different processing node in a network and the selected processing engine and the second processing engine are selected in response to one of the processing nodes in the network having insufficient resources;

creating, with the selected processing engine in response to the fetching, a destination rule to be applied to the destination database system by mapping the access permission rules assigned to the current set of records in the source database system to the destination rule based upon at least one processing rule associated with the current set of records, the at least one processing rule defining a respective conversion mapping for access permission rules of the source database system to respective analogous access permission rules on the destination database system; and

applying, with the selected processing engine, the destination rule to at least one record in the destination database system, thereby altering an access control mechanism associated with the at least one record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product is disclosed for synchronizing access permissions across at least two disparate database systems. A source database system is coupled to a destination database system, using an asynchronous parallel processing system with a set of processing engines whereby each of the processing engines has independent access, separate from each other processing engines, to both the source database and the destination database. A set of self-contained synchronization rules for synchronizing access permissions from the source database system to the destination database system is distributed to execute on the set of processing engines, wherein each of the self-contained synchronization rules are XML formatted data to define a conversion mapping for access permissions from the source database system to analogous access permissions on a destination database and each of the self-contained synchronization rules are able to execute on a processing engine independently.

Citations

17 Claims

1. A method for synchronizing access permissions across at least two disparate database systems, the method comprising:
- queuing, into a work order queue, a plurality of work orders, each work order within the plurality of work orders comprising respective pre-defined synchronization rules and a respective sequence of a respective set of records stored in a source database system and a destination database system to be used for synchronizing access permissions between the source database system and the destination database system, wherein the source database system and the destination database system have distinct access control mechanisms associated therewith;
  
  receiving, with a selected processing engine within a set of processing engines, a current work order from the work order queue, wherein the set of processing engines is separate from the source database system and the destination database system;
  
  fetching, by the selected processing engine from the source database system in response to receiving the current work order and based upon the current work order, a current set of records, the current set of records being specified by the current work order and the current set of records having access permission rules assigned to the current set of records in the source database system, wherein the access permission rules are to be mapped to privileges to be assigned to records in the destination database system;
  
  fetching, concurrently with the fetching by the selected processing engine, the current work order by a second processing engine, the second processing engine being different than the selected processing engine, wherein the selected processing engine and the second processing engine are each on a different processing node in a network and the selected processing engine and the second processing engine are selected in response to one of the processing nodes in the network having insufficient resources;
  
  creating, with the selected processing engine in response to the fetching, a destination rule to be applied to the destination database system by mapping the access permission rules assigned to the current set of records in the source database system to the destination rule based upon at least one processing rule associated with the current set of records, the at least one processing rule defining a respective conversion mapping for access permission rules of the source database system to respective analogous access permission rules on the destination database system; and
  
  applying, with the selected processing engine, the destination rule to at least one record in the destination database system, thereby altering an access control mechanism associated with the at least one record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, the method further comprising:
    - receiving, prior to receiving the current work order, at least one event from the source database system;
      
      queuing along with the plurality of work orders, in response to receiving the at least one event, an event work order corresponding to the at least one event; and
      
      determining, based at least in part on the event received from the source database system, the selected processing engine in the set of processing engines that is to receive the current work order.
  - 3. The method according to claim 2, wherein the event is at least one of:
    - a user deactivation;
      
      a user activation;
      
      a user group deactivation;
      
      a user group activation;
      
      a modified security descriptor;
      
      a modified security level; and
      
      a modified custodian.
  - 4. The method according to claim 2, the method further comprising:
    - defining a predefined schedule specifying scheduled access control synchronization between the source database system and the destination database system, wherein the predefined schedule specifies a plurality of work orders to be received by at least one processing engines within the set of processing engines and is managed by a scheduler and work order dispatcher as part of an asynchronous parallel processing system for scheduling the set of processing engines, andwherein the receiving the plurality of work orders is also performed in response to an occurrence of the scheduled access control synchronization.
  - 5. The method according to claim 4, wherein the predefined schedule is based on errors received while previously applying at least one processing rule to at least one record in the at least one destination database system.
  - 6. The method according to claim 4, wherein a number of processing engines within the at least one processing engine is determined based upon an amount of database records in the source database to be synchronized.
  - 7. The method according to claim 1, whereinthe source database system is a records management system;
    - andthe destination database system is a content management system.
  - 8. The method of claim 1, wherein the destination rule is created based upon combining the permissions associated with the current set of records with processing rules defined by XML formatted data.

9. A synchronization system for synchronizing access permissions across at least two disparate database systems, the synchronization system comprising:
- a source database system having a first set of records with an access control mechanism for each record;
  
  a destination database system communicatively coupled to the source database system, the destination database system having a second set of records with an access control mechanism for each record that differs from the control mechanism of the first set of records;
  
  an asynchronous parallel processing system with a set of processing engines, the asynchronous parallel processing system adapted to;
  
  queuing, into a work order queue, a plurality of work orders, each work order within the plurality of work orders comprising respective pre-defined synchronization rules and a respective sequence of a respective set of records stored in a source database system and a destination database system to be used for synchronizing access permissions between the source database system and the destination database system;
  
  receiving, with a selected processing engine within the set of processing engines, a current work order from the work order queue, wherein the set of processing engines is separate from the source database system and the destination database system;
  
  fetching, by the selected processing engine from the source database system in response to receiving the current work order and based upon the current work order, a current set of records, the current set of records being specified by the current work order and the current set of records having access permission rules assigned to the current set of records in the source database system, wherein the access permission rules are to be mapped to privileges to be assigned to records in the destination database system;
  
  fetching, concurrently with the fetching by the selected processing engine, the current work order by a second processing engine, the second processing engine being different than the selected processing engine, wherein the selected processing engine and the second processing engine are each on a different processing node in a network and the selected processing engine and the second processing engine are selected in response to one of the processing nodes in the network having insufficient resources;
  
  creating, with the selected processing engine in response to the fetching, a destination rule to be applied to the destination database system by mapping the access permission rules assigned to the current set of records in the source database system to the destination rule based upon at least one processing rule associated with the current set of records, the at least one processing rule defining a respective conversion mapping for access permission rules of the source database system to respective analogous access permission rules on the destination database system; and
  
  applying, with the selected processing engine, the self-contained processing rule to at least one record in the destination database system, thereby altering the access control mechanism associated with the record.
- View Dependent Claims (10)
- - 10. The synchronization system according to claim 9, further comprising:
    - an event processor adapted to receive, prior to receiving the current work order, at least one event from the source database system, andwherein the asynchronous parallel processing system is further adapted to;
      
      queuing along with the plurality of work orders, in response to receiving the at least one event, an event work order corresponding to the at least one event; and
      
      determining, based at least in part on the event received from the source database system, the selected processing engine in the set of processing engines that is to receive the current work order.

11. A computer program product for synchronizing access permissions across at least two disparate database systems, the computer program product comprising:
- a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  queuing, into a work order queue, a plurality of work orders, each work order within the plurality of work orders comprising respective pre-defined synchronization rules and a respective sequence of a respective set of records stored in a source database system and a destination database system to be used for synchronizing access permissions between the source database system and the destination database system, wherein the source database system and the destination database system have distinct access control mechanisms associated therewith;
  
  receiving, with a selected processing engine within a set of processing engines, a current work order from the work order queue, wherein the set of processing engines is separate from the source database system and the destination database system;
  
  fetching, by the selected processing engine from the source database system in response to receiving the current work order and based upon the current work order, a current set of records, the current set of records being specified by the current work order and the current set of records having access permission rules assigned to the current set of records in the source database system, wherein the access permission rules are to be mapped to privileges to be assigned to records in the destination database system;
  
  fetching, concurrently with the fetching by the selected processing engine, the current work order by a second processing engine, the second processing engine being different than the selected processing engine, wherein the selected processing engine and the second processing engine are each on a different processing node in a network and the selected processing engine and the second processing engine are selected in response to one of the processing nodes in the network having insufficient resources;
  
  creating, with the selected processing engine in response to the fetching, a destination rule to be applied to the destination database system by mapping the access permission rules assigned to the current set of records in the source database system to the destination rule based upon at least one processing rule associated with the current set of records, the at least one processing rule defining a respective conversion mapping for access permission rules of the source database system to respective analogous access permission rules on the destination database system; and
  
  applying, with the selected processing engine, the destination rule to at least one record in the destination database system, thereby altering an access control mechanism associated with the at least one record.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer program product according to claim 11, the computer program product further comprising instructions for:
    - receiving, prior to receiving the current work order, at least one event from the source database system;
      
      queuing along with the plurality of work orders, in response to receiving the at least one event, an event work order corresponding to the at least one event; and
      
      determining, based at least in part on the event received from the source database system, the selected processing engine in the set of processing engines that is to receive the current work order.
  - 13. The computer program product according to claim 12, wherein the event is at least one of:
    - a user deactivation;
      
      a user activation;
      
      a user group deactivation;
      
      a user group activation;
      
      a modified security descriptor;
      
      a modified security level; and
      
      a modified custodian.
  - 14. The computer program product according to claim 12, the computer program product further comprising instructions for:
    - defining a predefined schedule specifying scheduled access control synchronization between the source database system and the destination database system, wherein the predefined schedule specifies a plurality of work orders to be received by at least one processing engines within the set of processing engines and is managed by a scheduler and work order dispatcher as part of an asynchronous parallel processing system for scheduling the set of processing engines, andwherein the receiving the plurality of work orders is also performed in response to an occurrence of the scheduled access control synchronization.
  - 15. The computer program product according to claim 14, wherein the predefined schedule is based on errors received while previously applying at least one processing rule to at least one record in the destination database system.
  - 16. The computer program product according to claim 11, wherein a number of processing engines within the at least one processing engine is determined based upon an amount of database records in the source database to be synchronized.
  - 17. The computer program product according to claim 11, wherein the destination rule is created based upon combining the permissions associated with the current set of records with processing rules defined by XML formatted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Carberry, Martin Doston, Miranda-Portillo, Juan B.
Primary Examiner(s)
Mofiz; Apu M
Assistant Examiner(s)
GIRMA, ANTENEH B

Application Number

US11/378,842
Publication Number

US 20070220062A1
Time in Patent Office

1,600 Days
Field of Search

707/1, 707/3, 707/8, 707/104.1, 707/200, 707/201, 713/201, 713/202, 709/229
US Class Current

707/618
CPC Class Codes

G06F 16/273   Asynchronous replication or...

G06F 21/6227   where protection concerns t...

G06F 21/6236   between heterogeneous systems

Synchronization of access permissions in a database network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Synchronization of access permissions in a database network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links