METHOD AND DEVICES FOR ACCESS CONTROL
Abstract
The invention relates to a method and system which provides access control and access control enforcement particularly in relation to business process data streams. Embodiments of the invention provide a method and a set of components (referred to as: Policy Administration Point, Policy Enforcement Point, Filter Updater, Log De-Multiplexer) for fast online filtering of process logs based on access rights. In one embodiment the method comprises a series of steps to (i) encode each user's access rights to the process log in a machine readable format (ii) use such encoding together with incoming process events to compute a custom online filter to be applied to the process log as it is being recorded (iii) execute logical log de-multiplexing, enabling each user to query, inspect and monitor a separate event flow. In specific embodiments, the four components are virtual devices, respectively in charge of policy encoding (Policy Administration Point), policy evaluation and enforcement (Policy Enforcement Point), computation of an online filter with enforcement of log integrity constraints (Filter Updater), and generation of virtual event flows and support for policy changes and rights' revocations (Log De-Multiplexer).
24 Claims
1. A method of controlling access to a stream of data, the method including the steps of:
storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
continuously, for each new data element;
checking whether said data element can be accessed under each of said policies;
updating the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy; and
applying the updated filters to the incoming stream of data to generate a plurality of data stores, each based on one of said policies,
receiving a query from a user relating to the data and returning the results of said query to the user based only on data in the respective data store such that the user is only able to access data permitted by the policy associated with the user.

7. A method of controlling access to data, the method including the steps of:
storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
continuously, for each new data element;
checking whether said data element can be accessed under each of said policies; and
updating the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
receiving a query from a user relating to the data;
revising said query by incorporating the updated filter for said user; and
returning the results of said revised query to the user such that the user is only able to access data permitted by the policy associated with the user.

13. An access control system controlling access to a stream of data, the system including:
a database storing a plurality of policies each defining access rights related to a user and having a filter associated with it; and
a processor, wherein the processor is arranged to run the following components;
a filter updater which, continuously for each new data element;
checks whether said data element can be accessed under each of said policies; and
updates the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
a log demultiplexer which applies the updated filters to the incoming stream of data to generate a plurality of data stores, each based on one of said policies, and
wherein the processor is further arranged to receive a query from a user relating to the data and to return the results of said query to the user based only on data in the respective data store such that the user is only able to access data permitted by the policy associated with the user.

19. An access control system controlling access to data, the system including:
a database storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
a processor, wherein the processor is arranged to run a filter updater which, continuously for each new data element;
checks whether said data element can be accessed under each of said policies; and
updates the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
wherein the processor is further arranged to;
receive a query from a user relating to the data;
run a log demultiplexer which revises said query by incorporating the updated filter for said user; and
return the results of said revised query to the user such that the user is only able to access data permitted by the policy associated with the user.

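The two enforcement variants in the independent claims (per-policy data stores in claims 1 and 13, query revision in claims 7 and 19) can be compared side by side in a short sketch. This is an added example, not code from the patent or its applicant; the class and function names, the event fields, the sample policies and the revocation behaviour are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Policy:
    user: str
    rule: Callable[[dict], bool]                   # encoded access rights
    filter_ids: set = field(default_factory=set)   # the policy's filter: permitted event ids

class AccessController:
    def __init__(self, policies):
        self.policies = {p.user: p for p in policies}
        self.log = []                                  # full incoming stream
        self.stores = {p.user: [] for p in policies}   # one data store per policy

    def ingest(self, event):  # filter updater + de-multiplexer, once per new event
        self.log.append(event)
        for p in self.policies.values():
            if p.rule(event):                      # permitted under this policy
                p.filter_ids.add(event["id"])
                self.stores[p.user].append(event)
            # otherwise the id stays out of the filter: access prevented

    def query_store(self, user, predicate):  # answer from the user's own store only
        return [e["id"] for e in self.stores.get(user, []) if predicate(e)]

    def query_rewritten(self, user, predicate):  # conjoin filter with the user's query
        allowed = self.policies[user].filter_ids if user in self.policies else set()
        # filter is tested first, so the predicate never runs on a hidden event
        return [e["id"] for e in self.log if e["id"] in allowed and predicate(e)]

    def revoke(self, user):  # assumed revocation semantics: deny future and past events
        p = self.policies[user]
        p.rule = lambda e: False
        p.filter_ids.clear()
        self.stores[user].clear()

# Constructed sample events and policies (not from the patent).
EVENTS = [
    {"id": 1, "case": "A", "activity": "order", "dept": "sales"},
    {"id": 2, "case": "A", "activity": "invoice", "dept": "finance"},
    {"id": 3, "case": "B", "activity": "order", "dept": "sales"},
]

def demo():
    ac = AccessController([Policy("alice", lambda e: e["dept"] == "sales"),
                           Policy("bob", lambda e: e["case"] == "A")])
    for ev in EVENTS:
        ac.ingest(ev)
    return ac
```

Both query paths return the same event ids for a given user; the store variant trades storage for query speed, while the rewritten-query variant keeps a single log and relies on the filter being applied on every query.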
Specification