Access control for unprotected data storage system endpoints

US 9,690,792 B2
Filed: 08/26/2014
Issued: 06/27/2017
Est. Priority Date: 08/26/2014
Status: Active Grant

First Claim

Patent Images

1. An information processing system for providing access control to unprotected data storage system endpoints, the information processing system comprising:

a memory;

a processor communicatively coupled to the memory; and

an access control manager communicatively coupled to the memory and the processor, wherein the access control manager is configured to perform a method comprising;

receiving, from a computing device external to the information processing system, an authenticated query request comprising a query associated with an unprotected data storage system endpoint configured to execute queries anonymously, wherein the query is written in a Resource Description Framework (RDF) query language and requests one or more datasets stored in a relational data storage system;

identifying a user parameter within the query, wherein the user parameter uniquely identifies a user requesting the query;

automatically rewriting the query to include a set of access control list properties for one or more subject variables in the query, wherein each of the set of access control list properties configures the query to return data from the one or more datasets for which the user is authorized to access,wherein automatically rewriting the query comprisesobtaining the set of access control list properties from a mapping file, wherein the mapping file comprises a mapping of tables and columns of the one or more datasets to RDF Type and Property classes, respectively, wherein at least one RDF type class in the mapping is associated with at least one access list property of an access controlled table mapped to the RDF type class, wherein the at least one access list property indicates that the access controlled table is associated with an access control list in the relational data storage system, and wherein the access control list is mapped to a relational join query that resolves into identifying one or more users who are authorized to access data in the table via a project container associated with the table;

executing the query against the one or more datasets stored in the relational data storage system;

receiving, based on the executing, a set of query results comprising at least a portion of the one or more datasets, wherein the set of query results have been filtered based on the set of access control list properties and the user parameter bound to each of the set of access control list properties; and

transmitting the set of query results to the computing device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments provide access control to unprotected data storage system endpoints. In one embodiment, an authenticated query request is received. The request includes a query associated with an unprotected data storage system endpoint configured to execute queries anonymously. The query is written in a Resource Description Framework (RDF) query language and requests one or more datasets stored in a relational data storage system. A user parameter within the query is identified. The user parameter uniquely identifies a user requesting the query. The query is automatically rewritten to include a set of access control list properties for one or more subject variables in the query. Each of the set of access control list properties configures the query to return data from the one or more datasets for which the user is authorized to access.

89 Citations

View as Search Results

10 Claims

1. An information processing system for providing access control to unprotected data storage system endpoints, the information processing system comprising:
- a memory;
  
  a processor communicatively coupled to the memory; and
  
  an access control manager communicatively coupled to the memory and the processor, wherein the access control manager is configured to perform a method comprising;
  
  receiving, from a computing device external to the information processing system, an authenticated query request comprising a query associated with an unprotected data storage system endpoint configured to execute queries anonymously, wherein the query is written in a Resource Description Framework (RDF) query language and requests one or more datasets stored in a relational data storage system;
  
  identifying a user parameter within the query, wherein the user parameter uniquely identifies a user requesting the query;
  
  automatically rewriting the query to include a set of access control list properties for one or more subject variables in the query, wherein each of the set of access control list properties configures the query to return data from the one or more datasets for which the user is authorized to access,wherein automatically rewriting the query comprisesobtaining the set of access control list properties from a mapping file, wherein the mapping file comprises a mapping of tables and columns of the one or more datasets to RDF Type and Property classes, respectively, wherein at least one RDF type class in the mapping is associated with at least one access list property of an access controlled table mapped to the RDF type class, wherein the at least one access list property indicates that the access controlled table is associated with an access control list in the relational data storage system, and wherein the access control list is mapped to a relational join query that resolves into identifying one or more users who are authorized to access data in the table via a project container associated with the table;
  
  executing the query against the one or more datasets stored in the relational data storage system;
  
  receiving, based on the executing, a set of query results comprising at least a portion of the one or more datasets, wherein the set of query results have been filtered based on the set of access control list properties and the user parameter bound to each of the set of access control list properties; and
  
  transmitting the set of query results to the computing device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The information processing system of claim 1, wherein identifying the user parameter and automatically rewriting the query are based on:
    - identifying an information processing system from which the query request was received;
      
      comparing a unique identifier of the information processing system with a list of client authorized to connect to the unprotected data storage system endpoint; and
      
      determining, based on the comparing, that the information processing system is unprotected data storage system endpoint.
  - 3. The information processing system of claim 1, wherein the method further comprisesbinding each of the set of access control list properties to the user parameter.
  - 4. The information processing system of claim 1, wherein the query is a sub-query from a federated query.
  - 5. The information processing system of claim 1, wherein the method further comprises:
    - automatically modifying, prior to the identifying, the query to include the user parameter.

6. A computer program product for providing access control to unprotected data storage system endpoints, the computer program product comprising:
- a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  receiving, from a computing device external to an information processing system comprising the processing circuit, an authenticated query request comprising a query associated with an unprotected data storage system endpoint configured to execute queries anonymously, wherein the query is written in a Resource Description Framework (RDF) query language and requests one or more datasets stored in a relational data storage system;
  
  identifying a user parameter within the query, wherein the user parameter uniquely identifies a user requesting the query; and
  
  automatically rewriting the query to include a set of access control list properties for one or more subject variables in the query, wherein each of the set of access control list properties configures the query to return data from the one or more datasets for which the user is authorized to access,wherein automatically rewriting the query comprisesobtaining the set of access control list properties from a mapping file, wherein the mapping file comprises a mapping of tables and columns of the one or more datasets to RDF Type and Property classes, respectively, wherein at least one RDF type class in the mapping is associated with at least one access list property of an access controlled table mapped to the RDF type class, wherein the at least one access list property indicates that the access controlled table is associated with an access control list in the relational data storage system, and wherein the access control list is mapped to a relational join query that resolves into identifying one or more users who are authorized to access data in the table via a project container associated with the table;
  
  executing the query against the one or more datasets stored in the relational data storage system;
  
  receiving, based on the executing, a set of query results comprising at least a portion of the one or more datasets, wherein the set of query results have been filtered based on the set of access control list properties and the user parameter bound to each of the set of access control list properties; and
  
  transmitting the set of query results to the computing device.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6, wherein identifying the user parameter and automatically rewriting the query are based on:
    - identifying an information processing system from which the query request was received;
      
      comparing a unique identifier of the information processing system with a list of client authorized to connect to the unprotected data storage system endpoint; and
      
      determining, based on the comparing, that the information processing system is unprotected data storage system endpoint.
  - 8. The computer program product of claim 6, wherein automatically rewriting the query further comprises:
    - binding each of the set of access control list properties to the user parameter.
  - 9. The computer program product of claim 6, wherein the query is a sub-query from a federated query.
  - 10. The computer program product of claim 6, wherein the method further comprises:
    - automatically modifying, prior to the identifying, the query to include the user parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Edison Vault, LLC
Original Assignee
International Business Machines Corporation
Inventors
Bartlett, Nicholas Tyler, Ryman, Arthur Gary, Haumer, Peter
Primary Examiner(s)
Ly, Anh

Application Number

US14/468,415
Publication Number

US 20160063017A1
Time in Patent Office

1,036 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/148   File search processing

G06F 16/176   Support for shared access t...

G06F 16/245   Query processing

G06F 16/24534   Query rewriting; Transforma...

G06F 16/248   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

Access control for unprotected data storage system endpoints

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for unprotected data storage system endpoints

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links