Method and system for utilizing a cache for path-level access control to structured documents stored in a database

US 8,250,093 B2
Filed: 08/25/2003
Issued: 08/21/2012
Est. Priority Date: 08/25/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the method comprising the steps of:

(a) storing an access control statement in a cache entry for a path associated with a node of the plurality of nodes;

(b) receiving a query, wherein the query comprises a request to access the node;

(c) checking the cache entry for the path associated with the node; and

(d) granting or denying access to the node based on the access control statement in the cache entry for the path associated with the node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved method and system for performing path-level access control evaluation for a structured document in a collection, where the structured document includes a plurality of nodes and each of the nodes is described by a path, is disclosed. The method comprises providing a cache for temporarily storing a cache entry for a path associated with a node of the plurality of nodes, receiving a query that includes a request to access the node, checking the cache entry for the path associated with the node, and determining whether to grant access to the node based on the cache entry.

Citations

31 Claims

1. A method for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the method comprising the steps of:
- (a) storing an access control statement in a cache entry for a path associated with a node of the plurality of nodes;
  
  (b) receiving a query, wherein the query comprises a request to access the node;
  
  (c) checking the cache entry for the path associated with the node; and
  
  (d) granting or denying access to the node based on the access control statement in the cache entry for the path associated with the node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the access control statement is one of a grant statement, a deny statement, an unknown statement, and a data-dependent statement.
  - 3. The method of claim 2, wherein step (d) further comprises:
    - (d1) granting access to the node responsive to the access control statement being a grant statement.
  - 4. The method of claim 2, wherein step (d) further comprises:
    - (d1) denying access to the node responsive to the access control statement being a deny statement.
  - 5. The method of claim 2, wherein step (d) further comprises:
    - (d1) evaluating an access control policy affecting the path in response to the access control statement being an unknown statement;
      
      (d2) granting access responsive to a result of the evaluation granting access; and
      
      (d3) denying access responsive to the result of the evaluation denying access.
  - 6. The method of claim 5, further comprising:
    - (e) determining whether the access control policy affecting the path is data-dependent;
      
      (f) changing the access control statement in the cache entry from the unknown statement to a grant statement or a deny statement based on the evaluation in response to the access control policy being data-independent; and
      
      (g) changing the access control statement in the cache entry from the unknown statement to a data-dependent statement if in response to the access control policy being data-dependent.
  - 7. The method of claim 2, wherein step (d) further comprises:
    - (d1) evaluating an access control policy affecting the path in response to the access control statement being a data-dependent statement;
      
      (d2) granting access responsive to a result of the evaluation granting access; and
      
      (d3) denying access responsive to the result of the evaluation denying access.
  - 8. The method of claim 1, further comprising:
    - (e) repeating steps (c) and (d) for a next node in the plurality of nodes.
  - 9. The method of claim 5, wherein evaluating step (d1) further comprises:
    - (d1i) evaluating a value expression for the path associated with the node, wherein the value expression is an executable statement based on the access control policy affecting the path and indicates who has access to the node.
  - 10. The method of claim 1, wherein steps (c) and (d) are performed during run-time.

11. A computer readable medium containing a computer program for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the computer program comprising programming instructions for:
- (a) storing an access control statement in a cache entry for a path associated with a node of the plurality of nodes;
  
  (b) receiving a query, wherein the query comprises a request to access the node;
  
  (c) checking the cache entry for the path associated with the node; and
  
  (d) granting or denying access to the node based on the access control statement in the cache entry for the path associated with the node.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer readable medium of claim 11, wherein the access control statement is one of a grant statement, a deny statement, an unknown statement, and a data-dependent statement.
  - 13. The computer readable medium of claim 12, wherein instruction (d) further comprises:
    - (d1) granting access to the node responsive to the access control statement being a grant statement.
  - 14. The computer readable medium of claim 12, wherein instruction (d) further comprises:
    - (d1) denying access to the node responsive to the access control statement being a deny statement.
  - 15. The computer readable medium of claim 12, wherein instruction (d) further comprises:
    - (d1) evaluating an access control policy affecting the path in response to the access control statement being an unknown statement;
      
      (d2) granting access responsive to a result of the evaluation granting access; and
      
      (d3) denying access responsive to the result of the evaluation denying access.
  - 16. The computer readable medium of claim 15, wherein the computer program further comprises programming instructions for:
    - (e) determining whether the access control policy affecting the path is data-dependent;
      
      (f) changing the access control statement in the cache entry from the unknown statement to a grant statement or a deny statement based on the evaluation in response to the access control policy being data-independent; and
      
      (g) changing the access control statement in the cache entry from the unknown statement to a data-dependent statement in response to the access control policy being data-dependent.
  - 17. The computer readable medium of claim 12, wherein instruction (d) further comprises:
    - (d1) evaluating an access control policy affecting the path in response to the access control statement being a data-dependent statement;
      
      (d2) granting access responsive to a result of the evaluation granting access; and
      
      (d3) denying access if responsive to the result of the evaluation denying access.
  - 18. The computer readable medium of claim 11, wherein the computer program further comprises programming instructions for:
    - (e) repeating instructions (c) and (d) for a next node in the plurality of nodes.
  - 19. The computer readable medium of claim 15, wherein evaluating instruction (d1) further comprises:
    - (d1i) evaluating a value expression for the path associated with the node, wherein the value expression is an executable statement based on the access control policy affecting the path and indicates who has access to the node.
  - 20. The computer readable medium of claim 11, wherein instructions (c) and (d) are performed during run-time.

21. A method for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the method comprising the steps of:
- (a) storing an access control statement in a cache entry for a path associated with a node of the plurality of nodes, wherein the access control statement is one of a grant statement, a deny statement, an unknown statement, and a data-dependent statement;
  
  (b) receiving a query, wherein the query comprises a request to access the node;
  
  (c) checking the cache entry for the path associated with the node;
  
  (d) granting access to the node responsive to the access control statement being a grant statement;
  
  (e) denying access to the node responsive to the access control statement being a deny statement; and
  
  (f) evaluating a value expression for the path associated with the node to produce a result in response to the access control statement being an unknown statement or a data-dependent statement,wherein the value expression is an executable statement based on an access control policy affecting the path and indicates who has access to the node.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising:
    - (g) granting or denying access to the node based on the result of the evaluation;
      
      (h) changing the access control statement in the cache entry from the unknown statement to a grant statement or a deny statement based on the result of the evaluation in response to the access control policy being data-independent; and
      
      (i) changing the access control statement in the cache entry from the unknown statement to a data-dependent statement in responsive to the access control policy being data-dependent.
  - 23. The method of claim 22, further comprising:
    - (j) repeating steps (c) through (i) for a next node in the plurality of nodes.

24. A computer readable medium containing a computer program for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the computer program comprising programming instructions for:
- (a) storing an access control statement in a cache entry for a path associated with a node of the plurality of nodes, wherein the access control statement is one of a grant statement, a deny statement, an unknown statement, and a data-dependent statement;
  
  (b) receiving a query, wherein the query comprises a request to access the node;
  
  (c) checking the cache entry for the path associated with the node;
  
  (d) granting access to the node responsive to the access control statement being a grant statement;
  
  (e) denying access to the node responsive to the access control statement being a deny statement; and
  
  (f) evaluating a value expression for the path associated with the node to produce a result in response to the access control statement being an unknown statement or a data-dependent statement,wherein the value expression is an executable statement based on an access control policy affecting the path and indicates who has access to the node.
- View Dependent Claims (25, 26)
- - 25. The computer readable medium of claim 24, wherein the computer program further comprises programming instructions for:
    - (g) granting or denying access to the node based on the result of the evaluation;
      
      (h) changing the access control statement in the cache entry from the unknown statement to a grant statement or a deny statement based on the result of the evaluation in response to the access control policy being data-independent; and
      
      (i) changing the access control statement in the cache entry from the unknown statement to a data-dependent statement in response to the access control policy being data-dependent.
  - 26. The computer readable medium of claim 25, wherein the computer program further comprises programming instructions for:
    - (j) repeating instructions (c) through (i) for a next node in the plurality of nodes.

27. A system for performing path-level access control evaluation for a structured document, wherein the structured document comprises a plurality of nodes and each of the plurality of nodes is described by a path, the system comprising:
- a database management system operable to receive a query, wherein the query comprises a request to access a node of the plurality of nodes; and
  
  a cache coupled to the database management system, the cache being operable to store an access control statement in a cache entry for a path associated with the node,wherein the database management system is further operable to check the cache entry for the path associated with the node and to grant or deny access to the node based on the access control statement in the cache entry for the path associated with the node.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The system of claim 27, wherein the access control statement is one of a grant statement, a deny statement, an unknown statement, and a data-dependent statement.
  - 29. The system of claim 28, further comprising:
    - an access control mechanism coupled to the database management system, the access control mechanism being operable to determine access control to the node responsive to the access control statement being an unknown statement or a data-dependent statement.
  - 30. The system of claim 29, wherein the access control mechanism is further operable to generate a value expression for the path associated with the node based on an access control policy affecting the path, and wherein the database management system is further operable to evaluate the value expression for the path to determine whether to grant or deny access to the node.
  - 31. The system of claim 30, wherein the database management system is further operable to change the access control statement in the cache entry from the unknown statement to a grant statement or a deny statement based on a result of the evaluation of the value expression if responsive to the value expression for the path being data-independent and to change the access control statement in the cache entry from the unknown statement to a data-dependent statement responsive to the value expression for the path being data-dependent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Van der Linden, Robbert C.
Primary Examiner(s)
Radtke, Mark A

Application Number

US10/648,499
Publication Number

US 20050050010A1
Time in Patent Office

3,284 Days
Field of Search

707/781
US Class Current

707/781
CPC Class Codes

G06F 16/284 Relational databases

Method and system for utilizing a cache for path-level access control to structured documents stored in a database

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for utilizing a cache for path-level access control to structured documents stored in a database

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links