Access controls through node-based effective policy identifiers

US 10,432,469 B2
Filed: 06/14/2018
Issued: 10/01/2019
Est. Priority Date: 06/29/2017
Status: Active Grant

First Claim

Patent Images

1. A data processing method comprising:

receiving an update to a first node that changes a policy of the first node, the first node initially comprising an effective policy identifier mapped to the policy of the first node and an identifier of a second node that is a parent node of the first node;

in response to receiving the update, generating a new effective policy identifier for the changed policy of the first node and the identifier of the second node;

invalidating data associating user identifiers with effective policy identifiers corresponding to nodes that are descendant nodes of the first node.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for implementing a node-based access control system are described herein. In an embodiment, a server computer stores a node based policy system wherein each node identifies a resource and a policy for the resource. The server computer identifies a policy for a first node and an identifier of a second node wherein the second node is a parent node to the first node. The server computer maps an effective policy identifier to the policy for the first node and the identifier of the second node. The server computer stores data associating the effective policy identifier with the first node. The server computer identifies a policy for a third node and an identifier of the second node, wherein the second node is a parent node to the third node and wherein the policy for the third node is equivalent to the policy for the first node. The server computer then stores data associating the effective policy identifier with the third node.

101 Citations

18 Claims

1. A data processing method comprising:
- receiving an update to a first node that changes a policy of the first node, the first node initially comprising an effective policy identifier mapped to the policy of the first node and an identifier of a second node that is a parent node of the first node;
  
  in response to receiving the update, generating a new effective policy identifier for the changed policy of the first node and the identifier of the second node;
  
  invalidating data associating user identifiers with effective policy identifiers corresponding to nodes that are descendant nodes of the first node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - identifying a policy for a third node and an identifier of the second node, wherein the second node is a parent node to the third node and wherein the policy for the third node is equivalent to the policy for the first node;
      
      in response to the second node being a parent node to the third node and the policy for the third node being equivalent to the policy for the first node, storing data associating the effective policy identifier with the third node.
  - 3. The method of claim 1, further comprising:
    - storing data associating one or more user identifiers with the effective policy identifier;
      
      receiving a request for a particular resource identified by the first node from a client computing device, wherein the request includes a particular user identifier;
      
      determining that the one or more user identifiers include the particular user identifier;
      
      in response to determining, responding to the request for the particular resource with the particular resource.
  - 4. The method of claim 1, further comprising:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the particular node and an identifier of a fourth node, wherein the fourth node is a parent node of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 5. The method of claim 1, further comprising:
    - identifying a policy for a third node;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the fourth node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the third node and an identifier of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 6. The method of claim 1, further comprising:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a first particular node is identified with a non-null policy;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the first particular node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a second particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the first particular node and an identifier of the second particular node;
      
      storing data associating the second effective policy identifier with the fourth node.

7. A system comprising:
- one or more processors;
  
  one or more storage media;
  
  one or more instructions stored in the storage media which, when executed by the one or more processors, cause performance of;
  
  receiving an update to a first node that changes a policy of the first node, the first node initially comprising an effective policy identifier mapped to the policy of the first node and an identifier of a second node that is a parent node of the first node;
  
  in response to receiving the update, generating a new effective policy identifier for the changed policy of the first node and the identifier of the second node;
  
  invalidating data associating user identifiers with effective policy identifiers corresponding to nodes that are descendant nodes of the first node.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a policy for a third node and an identifier of the second node, wherein the second node is a parent node to the third node and wherein the policy for the third node is equivalent to the policy for the first node;
      
      in response to the second node being a parent node to the third node and the policy for the third node being equivalent to the policy for the first node, storing data associating the effective policy identifier with the third node.
  - 9. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - storing data associating one or more user identifiers with the effective policy identifier;
      
      receiving a request for a particular resource identified by the first node from a client computing device, wherein the request includes a particular user identifier;
      
      determining that the one or more user identifiers include the particular user identifier;
      
      in response to determining, responding to the request for the particular resource with the particular resource.
  - 10. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the particular node and an identifier of a fourth node, wherein the fourth node is a parent node of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 11. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a policy for a third node;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the fourth node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the third node and an identifier of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 12. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a first particular node is identified with a non-null policy;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the first particular node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a second particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the first particular node and an identifier of the second particular node;
      
      storing data associating the second effective policy identifier with the fourth node.

13. One or more non-transitory computer-readable media storing instructions which, when executed by one or more processors, cause performance of:
- receiving an update to a first node that changes a policy of the first node, the first node initially comprising an effective policy identifier mapped to the policy of the first node and an identifier of a second node that is a parent node of the first node;
  
  in response to receiving the update, generating a new effective policy identifier for the changed policy of the first node and the identifier of the second node;
  
  invalidating data associating user identifiers with effective policy identifiers corresponding to nodes that are descendant nodes of the first node.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a policy for a third node and an identifier of the second node, wherein the second node is a parent node to the third node and wherein the policy for the third node is equivalent to the policy for the first node;
      
      in response to the second node being a parent node to the third node and the policy for the third node being equivalent to the policy for the first node, storing data associating the effective policy identifier with the third node.
  - 15. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - storing data associating one or more user identifiers with the effective policy identifier;
      
      receiving a request for a particular resource identified by the first node from a client computing device, wherein the request includes a particular user identifier;
      
      determining that the one or more user identifiers include the particular user identifier;
      
      in response to determining, responding to the request for the particular resource with the particular resource.
  - 16. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the particular node and an identifier of a fourth node, wherein the fourth node is a parent node of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 17. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a policy for a third node;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the fourth node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the third node and an identifier of the particular node;
      
      storing data associating the second effective policy identifier with the third node.
  - 18. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a null policy for a third node;
      
      in response to identifying the null policy for the third node, traversing through one or more parent nodes of the third node until a first particular node is identified with a non-null policy;
      
      identifying a null policy for a fourth node, wherein the fourth node is a parent of the first particular node;
      
      in response to identifying the null policy for the fourth node, traversing through one or more parent nodes of the fourth node until a second particular node is identified with a non-null policy;
      
      mapping a second effective policy identifier to the policy for the first particular node and an identifier of the second particular node;
      
      storing data associating the second effective policy identifier with the fourth node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Rickards, Neil, Baker, James, Gelmi, Marco, Balan, Radu-Cosmin, Sguera, Savino
Primary Examiner(s)
Algibhah, Hamza N

Application Number

US16/009,120
Publication Number

US 20190007271A1
Time in Patent Office

474 Days
Field of Search

709225
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 65/65   Network streaming protocols...

H04L 67/10   in which an application is ...

Access controls through node-based effective policy identifiers

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Access controls through node-based effective policy identifiers

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links