Data resource control through a control policy defining an authorized context for utilization of a protected data resource
First Claim
1. A computer-implemented method for controlling a data resource of a datastore, using a computer processor and a computer readable physical memory, comprising:
- traversing a referent attribute of a first node of a non-hierarchical data structure referencing a security node,wherein the security node comprises a protected resource of the security node that is at least one of a protected primitive and a protected referent referring to a second node of the non-hierarchical data structure;
receiving an authorization request from a device for utilization of the protected resource of the security node, the authorization request comprising a state dataset comprising one or more state attributes each having a state value associated with a state of the device at generation of the authorization request;
referencing a control policy that defines an authorized context in which the device is authorized to utilize the protected resource of the security node, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset,wherein the control dataset comprising one or more control attributes each having a control value range, the control value range of each of the one or more control attributes usable as inputs to the control algorithm;
selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request;
extracting the control algorithm of the control policy from the security node, the control algorithm comprising one or more conditionals each comparing a first input that is a context value with a second input that is any one of a different context value and a control value range of the control dataset,wherein the context value is at least one of the state value of one or more of the state attributes and an external value associated with a source other than the authorization request of the device, andwherein the one or more conditionals of the control algorithm are expressed in a Turing complete language, the Turing complete language comprising an if operation, a then operation, and an else operation;
retrieving each of the context value specified in the control algorithm from at least one of the state dataset and the external dataset;
determining that the context dataset conforms with the authorized context by evaluating each of one or more conditionals of the control algorithm; and
authorizing utilization of the protected resource of the security node by the device when it is determined that the context dataset conforms to the authorized context defined by the control policy.
2 Assignments
0 Petitions
Accused Products
Abstract
Disclosed is a method, a device, and/or a system of a data resource control data structure. In one embodiment, a computer-implemented method includes receiving an authorization request from a device to utilize a protected resource within a datastore. A control policy that defines an authorized context in which the device is authorized to utilize the protected resource is extracted from a security node of a non-hierarchical data structure. The control policy includes a control algorithm and optionally a control dataset. Context values specified in the control algorithm are retrieved to form a context dataset. Utilization of the protected resource is authorized when it is determined by the control algorithm that the context dataset conforms to the authorized context. The security node may organize data into a domain structure that includes a unique identifier, an identity element, a content element, and a context element.
-
Citations
19 Claims
-
1. A computer-implemented method for controlling a data resource of a datastore, using a computer processor and a computer readable physical memory, comprising:
-
traversing a referent attribute of a first node of a non-hierarchical data structure referencing a security node, wherein the security node comprises a protected resource of the security node that is at least one of a protected primitive and a protected referent referring to a second node of the non-hierarchical data structure; receiving an authorization request from a device for utilization of the protected resource of the security node, the authorization request comprising a state dataset comprising one or more state attributes each having a state value associated with a state of the device at generation of the authorization request; referencing a control policy that defines an authorized context in which the device is authorized to utilize the protected resource of the security node, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset, wherein the control dataset comprising one or more control attributes each having a control value range, the control value range of each of the one or more control attributes usable as inputs to the control algorithm; selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request; extracting the control algorithm of the control policy from the security node, the control algorithm comprising one or more conditionals each comparing a first input that is a context value with a second input that is any one of a different context value and a control value range of the control dataset, wherein the context value is at least one of the state value of one or more of the state attributes and an external value associated with a source other than the authorization request of the device, and wherein the one or more conditionals of the control algorithm are expressed in a Turing complete language, the Turing complete language comprising an if operation, a then operation, and an else operation; retrieving each of the context value specified in the control algorithm from at least one of the state dataset and the external dataset; determining that the context dataset conforms with the authorized context by evaluating each of one or more conditionals of the control algorithm; and authorizing utilization of the protected resource of the security node by the device when it is determined that the context dataset conforms to the authorized context defined by the control policy. - View Dependent Claims (2, 3, 4)
-
-
5. A computer readable physical memory comprising:
-
a plurality of nodes of a non-hierarchical data structure, the non-hierarchical data structured defined by at least one of the plurality of nodes includes a non-hierarchical reference to another of the plurality of nodes, each node of the plurality of nodes defined by a node structure comprising; an identifier (ID) of a particular node whereby the particular node is referenced by at least one of the plurality of nodes; a referent attribute that references at least one other node of the plurality of nodes, a security node of the non-hierarchical data structure, the security node defined by the node structure and further comprising; a protected resource secured by a control policy establishing an authorized context for which utilization of the protected resource is authorized, the control policy for evaluation a context dataset associated with an authorization request of a device in relation to the authorized context defined by the control policy, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset, wherein the context dataset is at least one of a state dataset that comprises a state value for each of one or more state attributes associated with a state of the device at generation of the authorization request and an external dataset comprising an external value for each of one or more external attributes associated with a source other than the authorization request of the device; the control algorithm that is the first component of the control policy comprising one or more conditionals each comparing a first input that is any of the state value of one or more state attributes and the external value of one or more external attributes with a second input that any of a different state value of the one or more state attributes, a different external value of the one or more external attributes, and a control value range of the control dataset, and an identifier of the control algorithm that applies the control algorithm when a specific application program generates the authorization request. - View Dependent Claims (6, 7, 8, 9, 10, 11)
-
-
12. A system comprising:
-
a datastore comprising; a plurality of nodes of a non-hierarchical data structure, the non-hierarchical data structure defined by at least one of the plurality of nodes includes a non-hierarchical reference to another of the plurality of nodes, each node of the plurality defined by a node structure comprising; an identifier (ID) of a particular node whereby the particular node is referenced by at least one of the plurality of nodes, and a referent attribute that references at least one other node of the plurality of nodes, a security node of the non-hierarchical data structure, the security node defined by the node structure and further comprising; a protected resource secured by a control policy establishing an authorized context for which utilization of the protected resource is authorized, the control policy for evaluation of a context dataset associated with an authorization request of a device in relation to the authorized context defined by the control policy, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset, wherein the context dataset is at least one of a state dataset that comprises a state value for each of one or more state attributes associated with a state of the device at generation of the authorization request and an external dataset comprising an external value for each of one or more external attributes associated with a source other than the authorization request of the device, the control algorithm that is the first component of the control policy comprising one or more conditionals each comparing a first input that is any of the state value of one or more state attributes and the external value of one or more external attributes with a second input that is any of a different state value of the one or more state attributes, a different external value of the one or more external attributes, and a control value range of the control dataset, and a server comprising; a processor, a memory, and a computer readable physical memory comprising instructions to; receive the authorization request of the device; selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request; and evaluate the context dataset associated with the authorization request with the control algorithm to determine an authorization of the protected resource. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
-
Specification