Providing path-level access control for structured documents stored in a database
Abstract
An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes, is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules; generating a path for each node of the plurality of nodes in the document; and generating, for each path associated with a node, a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
Claims (20)
1. A method, comprising:
   providing an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
   generating a path for each of a plurality of nodes in the structured document;
   transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises:
      normalizing the plurality of access control rules into a format;
      converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
      propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
      combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affect a particular generated path; and
      generating the executable value expression for each generated path using the combined modified normalized access control rules;
   populating a condition table for the converting; and
   optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.
   Dependent claims: 2-10.
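As an added illustration that is not part of the patent text, the following Python models the pipeline claim 1 describes: paths are generated for every node, rules are normalized, propagated to each path they affect, combined into one value expression per path, and repeated expressions are eliminated through a condition table that evaluation then consults. The sample document, the role-set conditions, the propagation of a rule to descendant paths and the deny-overrides combination are all assumptions of this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample document and policy (assumptions for this example, not from the patent).
DOC = "<record><name>Ann</name><salary>90000</salary><review><score>4</score><notes>ok</notes></review></record>"
# (path, effect, roles): a rule applies to its own path and to every descendant path.
RULES = [
    ("/record", "grant", {"hr", "manager", "employee"}),
    ("/record/salary", "deny", {"employee"}),
    ("/record/review", "deny", {"employee"}),
    ("/record/review/notes", "deny", {"manager"}),
]

def generate_paths(xml_text):
    """Generate the path of every node in the document, in document order."""
    paths = []
    def walk(node, prefix):
        path = f"{prefix}/{node.tag}"
        paths.append(path)
        for child in node:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return paths

def normalize(rules):
    """Normalize: one (path, effect) entry, with the role sets of duplicate rules merged."""
    normalized = {}
    for path, effect, roles in rules:
        normalized[(path, effect)] = normalized.get((path, effect), frozenset()) | frozenset(roles)
    return normalized

def compile_policy(xml_text, rules):
    """Propagate rules to each path, combine those affecting the same path (deny
    overrides grant) and store each distinct expression once in a condition table."""
    normalized = normalize(rules)
    condition_table, expr_ids, path_expr = {}, {}, {}
    for path in generate_paths(xml_text):
        granted, denied = set(), set()
        for (rule_path, effect), roles in normalized.items():
            if path == rule_path or path.startswith(rule_path + "/"):  # propagation
                (granted if effect == "grant" else denied).update(roles)
        allowed = frozenset(granted - denied)  # combination: deny overrides grant
        if allowed not in expr_ids:  # optimization: eliminate repeated expressions
            expr_ids[allowed] = len(condition_table)
            condition_table[expr_ids[allowed]] = allowed
        path_expr[path] = expr_ids[allowed]  # the path's executable value expression
    return condition_table, path_expr

def is_allowed(compiled, path, role):
    """Access control evaluation: test the user's role against the path's expression."""
    condition_table, path_expr = compiled
    return role in condition_table[path_expr[path]]
```

With the sample policy, six node paths collapse to three distinct expressions in the condition table, and a lookup per path decides access for a role.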
11. A computer program product, the computer program product comprising a computer readable hardware storage device having program instructions embodied therewith, the program instructions executable by a processor for:
   providing an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
   generating a path for each of a plurality of nodes in the structured document;
   transforming the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises:
      normalizing the plurality of access control rules into a format;
      converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
      propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
      combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affect a particular generated path; and
      generating the executable value expression for each generated path using the combined modified normalized access control rules;
   populating a condition table for the converting; and
   optimizing the plurality of modified normalized access control rules by eliminating repeated value expressions.
   Dependent claims: 12-16.
17. A system, comprising:
   a relational database management system (RDBMS) implemented on a computer, wherein the RDBMS comprises an access control policy for a structured document, wherein the structured document comprises a plurality of nodes and the access control policy comprises a plurality of access control rules; and
   an access control mechanism configured to:
      provide an access control policy for a structured document, wherein the access control policy comprises a plurality of access control rules;
      generate a path for each of a plurality of nodes in the structured document;
      transform the plurality of access control rules into an executable value expression for each generated path by using a condition that indicates who is granted and/or denied access to each generated path, wherein transforming further comprises:
         normalizing the plurality of access control rules into a format;
         converting the plurality of normalized access control rules into a plurality of modified normalized access control rules;
         propagating the plurality of modified normalized access control rules for each generated path to identify at least one generated path that is affected by at least one of the plurality of modified normalized access control rules;
         combining at least two modified normalized access control rules of the plurality of modified normalized access control rules, if the at least two modified normalized access control rules affect a particular generated path; and
         generating the executable value expression for each generated path using the combined modified normalized access control rules;
      populate a condition table for the converting; and
      optimize the plurality of modified normalized access control rules by eliminating repeated value expressions.
   Dependent claims: 18-20.
Specification