Providing path-level access control for structured documents stored in a database

US 9,495,553 B2
Filed: 07/08/2014
Issued: 11/15/2016
Est. Priority Date: 08/29/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

providing an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;

generating a path for each of a plurality of nodes in the structured document;

transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises;

normalizing the plurality of access control rules into a format;

converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;

propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;

combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affects a particular generated path; and

generating the executable value expression for each generated path using the combined modified normalized access control rules;

populating a condition table for the converting; and

optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules, generating a path for each node of the plurality of nodes in the document, and generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.

Citations

20 Claims

1. A method, comprising:
- providing an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
  
  generating a path for each of a plurality of nodes in the structured document;
  
  transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises;
  
  normalizing the plurality of access control rules into a format;
  
  converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
  
  propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
  
  combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affects a particular generated path; and
  
  generating the executable value expression for each generated path using the combined modified normalized access control rules;
  
  populating a condition table for the converting; and
  
  optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - storing each generated path and corresponding executable value expression in a table.
  - 3. The method of claim 2, further comprising:
    - prior to the storing, compiling each executable value expression.
  - 4. The method of claim 3, wherein the compiling further comprises:
    - receiving a query, wherein the query requests access to one of the plurality of nodes in the structured document;
      
      executing the query;
      
      evaluating the executable value expression corresponding to the generated path associated with the requested node;
      
      displaying data associated with the requested node if the executable value expression grants access; and
      
      hiding data associated with the requested node if the executable value expression denies access.
  - 5. The method of claim 4, wherein the evaluating is performed during run time.
  - 6. The method of claim 1, wherein the format comprises a head, a path, and the condition.
  - 7. The method of claim 1, wherein the executable value expression is utilized during access control evaluation to determine whether a user is allowed to access at least one of the plurality of nodes in the structured document.
  - 8. The method of claim 1, wherein the optimizing further comprises:
    - replacing the executable value expression for a path associated with a node with a reference notation, if the executable value expression is identical to that for a path associated with the node'"'"'s parent, and the replacing thereby eliminating the repeated value expressions.
  - 9. The method of claim 1, wherein the providing further comprises:
    - writing the plurality of access control rules; and
      
      validating the plurality of access control rules such that the resulting rules are syntactically and logically valid.
  - 10. The method of claim 1, wherein the structured document is written in Extensible Markup Language (XML).

11. A computer program product, the computer program product comprising a computer readable hardware storage devices having program instructions embodied therewith, the program instructions executable by a processor for:
- providing an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
  
  generating a path for each of a plurality of nodes in the structured document;
  
  transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises;
  
  normalizing the plurality of access control rules into a format;
  
  converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
  
  propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
  
  combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affects a particular generated path; and
  
  generating the executable value expression for each generated path using the combined modified normalized access control rules;
  
  populating a condition table for the converting; and
  
  optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product of claim 11, wherein the access control mechanism is configured to store each generated path and corresponding executable value expression in a table.
  - 13. The computer program product of claim 12, wherein the RDBMS further comprises a compiler configured to compile each executable value expression prior to the storage.
  - 14. The computer program product of claim 13, wherein the compiler further receives a query, wherein the query requests access to one of the plurality of nodes in the structured document;
    - executes the query;
      
      evaluates the executable value expression corresponding to the generated path associated with the requested node;
      
      displays data associated with the requested node if the executable value expression grants access; and
      
      hides data associated with the requested node if the executable value expression denies access.
  - 15. The computer program product of claim 11, wherein access control evaluation is performed during run time.
  - 16. The computer program product of claim 11, wherein the structured document is written in Extensible Markup Language.

17. A system, comprising:
- a relational database management system (RDBMS) implemented on a computer, wherein the RDBMS comprises an access control policy for a structured document, wherein the structured document comprises a plurality of nodes and the access control policy comprises a plurality of access control rules; and
  
  an access control mechanism configured to;
  
  provide an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
  
  generating a path for each of a plurality of nodes in the structured document;
  
  transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises;
  
  normalizing the plurality of access control rules into a format;
  
  converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
  
  propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
  
  combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affects a particular generated path; and
  
  generating the executable value expression for each generated path using the combined modified normalized access control rules;
  
  populating a condition table for the converting; and
  
  optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, wherein the access control mechanism is configured to store each generated path and corresponding executable value expression in a table.
  - 19. The computer system of claim 17, wherein the RDBMS further comprises a compiler configured to compile each executable value expression prior to the storage.
  - 20. The computer system of claim 17, wherein the compiler further receives a query, wherein the query requests access to one of the plurality of nodes in the structured document;
    - executes the query;
      
      evaluates the executable value expression corresponding to the generated path associated with the requested node;
      
      displays data associated with the requested node if the executable value expression grants access; and
      
      hides data associated with the requested node if the executable value expression denies access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Seki, Naishin, Hada, Satoshi, Kudo, Michiharu, Tozawa, Akihiko, Van Der Linden, Robbert C.
Primary Examiner(s)
Gortayo, Dangelino

Application Number

US14/326,360
Publication Number

US 20140324834A1
Time in Patent Office

861 Days
Field of Search

707/783, 707/694, 707/754, 707/999.009
US Class Current

1/1
CPC Class Codes

G06F 16/284   Relational databases

G06F 16/8373   Query execution

G06F 16/86   Mapping to a database

G06F 16/972   Access to data in other rep...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Providing path-level access control for structured documents stored in a database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Providing path-level access control for structured documents stored in a database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links