
Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values

  • US 9,935,964 B2
  • Filed: 02/23/2015
  • Issued: 04/03/2018
  • Est. Priority Date: 10/08/2014
  • Status: Active Grant
First Claim

1. A method of controlling access to objects, said method comprising:

  • receiving data indicating a plurality of hierarchies of hierarchically organized domains, with each domain containing a corresponding fixed number of values, said plurality of hierarchies including a first hierarchy and a second hierarchy, said first hierarchy and said second hierarchy respectively specifying a first plurality of values and a second plurality of values which can be stored for attributes of said objects, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries;

    displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities, wherein said first plurality of values and said second plurality of values are displayed on said display unit at said first time instance;

    enabling a user to specify a first combination and a second combination, said first combination comprising a user entity from said plurality of user entities, and a first set of values from the displayed values of the corresponding domains, wherein said first set of values includes a first value from said first plurality of values of said first hierarchy and a second value from said second plurality of values of said second hierarchy, wherein said second combination comprises said user entity and a second set of values from the displayed values, said second set of values containing said first value and a third value from said second plurality of values of said second hierarchy, wherein said user selects a third set of values from said first hierarchy, said third set of values comprising a fifth value of a first domain in said first hierarchy and a descendant flag, wherein said first domain is at a higher level in said first hierarchy, wherein said fifth value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy, wherein said descendant flag indicates whether or not to include the sub-domains under said fifth value in said selection, wherein said selection includes the values of said first domain and the sub-domains under said fifth value in said third set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise;

    enabling said user to specify a first security rule and a second security rule, said first security rule being for said first combination of said user entity and said first set of values including said first value and said second value, said second security rule being for said second combination of said user entity and said second set of values including said first value and said third value; and

    enforcing said first security rule and said second security rule, wherein said first security rule is enforced when an object having attributes matching said first set of values, including a first attribute of the object matching said first value and a second attribute of the object matching said second value, is accessed by said user entity, wherein said second security rule is enforced when another object having attributes matching said second set of values, including a third attribute of the another object matching said first value and a fourth attribute of the another object matching said third value, is accessed by said user entity, wherein said user specifies both of said first security rule and said second security rule based on the values of the corresponding domains displayed on said display unit at said first time instance, wherein access to a first object by said user entity is performed using a first SQL query, wherein said enforcing of said first security rule when said first object is accessed by said user entity comprises:

    appending a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said first object match said first set of values.
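The claim's mechanism, as an added illustration that is not the patent's own code: two hierarchies of fixed-value domains, a descendant flag that expands a higher-level value to the sub-domain values beneath it, security rules keyed on (user entity, set of values), and enforcement by appending a parameterised condition to the WHERE clause of the user's SQL query. The hierarchy contents, table layout, user names and rules are constructed sample data; the column per hierarchy holds the single value an object is tagged with.

```python
import sqlite3
# Constructed sample (not from the patent): two hierarchies, each a list of domains
# with a fixed value set, plus parent links from a sub-domain value to its ancestor.
HIERARCHIES = {
    "geo": {"domains": [{"NA", "EU"}, {"US", "CA", "DE", "FR"}],
            "parent": {"US": "NA", "CA": "NA", "DE": "EU", "FR": "EU"}},
    "product": {"domains": [{"HW", "SW"}], "parent": {}},
}

def select_values(hier, value, descendants):
    """User selection: `value`, plus every sub-domain value beneath it if the flag is set."""
    parent = HIERARCHIES[hier]["parent"]
    selected, frontier = {value}, {value}
    while descendants and frontier:
        frontier = {v for v, p in parent.items() if p in frontier}
        selected |= frontier
    return selected

def rule_condition(rule):
    """One rule {hierarchy: values} -> parameterised predicate; column names are trusted."""
    parts, params = [], []
    for hier, values in rule.items():
        vals = sorted(values)
        parts.append(f"{hier} IN ({','.join('?' * len(vals))})")
        params += vals
    return " AND ".join(parts), params

def enforce(query, user, rules):
    """Append the user's access condition to the WHERE clause (the claim's enforcing step)."""
    conds, params = [], []
    for rule_user, rule in rules:
        if rule_user == user:
            cond, p = rule_condition(rule)
            conds.append(f"({cond})")
            params += p
    joiner = " AND " if " where " in query.lower() else " WHERE "
    return query + joiner + "(" + (" OR ".join(conds) or "0") + ")", params  # no rule: deny

def accessible_ids(user, rules):
    """Run the enforced query against an in-memory table of constructed sample objects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects(id INTEGER, geo TEXT, product TEXT)")
    db.executemany("INSERT INTO objects VALUES (?,?,?)",
                   [(1, "NA", "HW"), (2, "US", "SW"), (3, "CA", "HW"), (4, "DE", "SW")])
    sql, params = enforce("SELECT id FROM objects", user, rules)
    return sorted(r[0] for r in db.execute(sql, params))
# Two rules for the same user entity that share the geography value but differ in product.
RULES = [("alice", {"geo": select_values("geo", "NA", True), "product": {"HW"}}),
         ("alice", {"geo": select_values("geo", "NA", True), "product": {"SW"}}),
         ("bob", {"geo": select_values("geo", "NA", False), "product": {"HW"}})]
```

Only the domain values are bound as query parameters; the column names come from the hierarchy definition, so the appended condition cannot be shaped by the requesting user.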
