METHOD AND DEVICES FOR ACCESS CONTROL

US 20150172320A1
Filed: 12/17/2013
Published: 06/18/2015
Est. Priority Date: 12/17/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method of controlling access to a stream of data, the method including the steps of:

storing a plurality of policies each defining access rights related to a user and having a filter associated with it;

continuously, for each new data element;

checking whether said data element can be accessed under each of said policies;

updating the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy; and

applying the updated filters to the incoming stream of data to generate a plurality of data stores, each based on one of said policies,receiving a query from a user relating to the data and returning the results of said query to the user based only on data in the respective data store such that the user is only able to access data permitted by the policy associated with the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method and system which provides access control and access control enforcement particularly in relation to business process data streams. Embodiments of the invention provide a method and a set of components (referred to as: Policy Administration Point, Policy Enforcement Point, Filter Updater, Log De-Multiplexer) for fast online filtering of process logs based on access rights. In one embodiment the method comprises a series of steps to (i) encode each user'"'"'s access rights to the process log in a machine readable format (ii) use such encoding together with incoming process events to compute a custom online filter to be applied to the process log as it is being recorded (iii) execute logical log de-multiplexing, enabling each user to query, inspect and monitor a separate event flow. In specific embodiments, the four components are virtual devices, respectively in charge of policy encoding (Policy Administration Point), policy evaluation and enforcement (Policy Enforcement Point), computation of an online filter with enforcement of log integrity constraints (Filter Updater), and generation of virtual event flows and support for policy changes and rights'"'"' revocations (Log De-Multiplexer).

38 Citations

View as Search Results

24 Claims

1. A method of controlling access to a stream of data, the method including the steps of:
- storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
  
  continuously, for each new data element;
  
  checking whether said data element can be accessed under each of said policies;
  
  updating the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy; and
  
  applying the updated filters to the incoming stream of data to generate a plurality of data stores, each based on one of said policies,receiving a query from a user relating to the data and returning the results of said query to the user based only on data in the respective data store such that the user is only able to access data permitted by the policy associated with the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1 wherein the step of updating the filter includes adding or removing one or more selectors from the filter, said selectors eliminating data to which access is not permitted by the associated policy from the output of the filter.
  - 3. A method according to claim 2 wherein the step of updating the filter includes adding one or more selectors to the filter if the new data element is disallowed by the associated policy, and leaving the filter unchanged if the new data element is allowed by the associated policy.
  - 4. A method according to claim 2 wherein the step of updating the filter includes removing one or more selectors from the filter if the new data element is allowed by the associated policy, and leaving the filter unchanged if the new data element is disallowed by the associated policy.
  - 5. A method according to claim 1, wherein the user is a software entity.
  - 6. A method according to claim 1, wherein the access rights are expressed as an extension to the XACML language.

7. A method of controlling access to data, the method including the steps of:
- storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
  
  continuously, for each new data element;
  
  checking whether said data element can be accessed under each of said policies; and
  
  updating the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
  
  receiving a query from a user relating to the data;
  
  revising said query by incorporating the updated filter for said user; and
  
  returning the results of said revised query to the user such that the user is only able to access data permitted by the policy associated with the user.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. A method according to claim 7 wherein the step of updating the filter includes adding or removing one or more selectors from the filter, said selectors eliminating data to which access is not permitted by the associated policy from the output of the filter.
  - 9. A method according to claim 8 wherein the step of updating the filter includes adding one or more selectors to the filter if the new data element is disallowed by the associated policy, and leaving the filter unchanged if the new data element is allowed by the associated policy.
  - 10. A method according to claim 8 wherein the step of updating the filter includes removing one or more selectors from the filter if the new data element is allowed by the associated policy, and leaving the filter unchanged if new data element is disallowed by the associated policy.
  - 11. A method according to claim 7, wherein the user is a software entity.
  - 12. A method according to claim 7, wherein the access rights are expressed as an extension to the XACML language.

13. An access control system controlling access to a stream of data, the system including:
- a database storing a plurality of policies each defining access rights related to a user and having a filter associated with it; and
  
  a processor, wherein the processor is arranged to run the following components;
  
  a filter updater which, continuously for each new data element;
  
  checks whether said data element can be accessed under each of said policies; and
  
  updates the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
  
  a log demultiplexer which applies the updated filters to the incoming stream of data to generate a plurality of data stores, each based on one of said policies,and wherein the processor is further arranged to receive a query from a user relating to the data and to return the results of said query to the user based only on data in the respective data store such that the user is only able to access data permitted by the policy associated with the user.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. An access control system according to claim 13 wherein the filter updater adds or removes one or more selectors from the filter, said selectors eliminating data to which access is not permitted by the associated policy from the output of the filter.
  - 15. An access control system according to claim 14 wherein the filter updater adds one or more selectors to the filter if the new data element is disallowed by the associated policy, and leaves the filter unchanged if the new data element is allowed by the associated policy.
  - 16. An access control system according to claim 14 wherein the filter updater removes one or more selectors from the filter if the new data element is allowed by the associated policy, and leaving the filter unchanged if the new data element is disallowed by the associated policy.
  - 17. An access control system according to claim 13, further including the user which is a software entity.
  - 18. An access control system according to claim 13, wherein the access rights are expressed as an extension to the XACML language.

19. An access control system controlling access to data, the system including:
- a database storing a plurality of policies each defining access rights related to a user and having a filter associated with it;
  
  a processor, wherein the processor is arranged to run a filter updater which, continuously for each new data element;
  
  checks whether said data element can be accessed under each of said policies; and
  
  updates the filter associated with each policy to either permit or prevent access to said data element in accordance with said policy;
  
  wherein the processor is further arranged to;
  
  receive a query from a user relating to the data;
  
  run a log demultiplexer which revises said query by incorporating the updated filter for said user; and
  
  return the results of said revised query to the user such that the user is only able to access data permitted by the policy associated with the user.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. An access control system according to claim 19 wherein the filter updater adds or removes one or more selectors from the filter, said selectors eliminating data to which access is not permitted by the associated policy from the output of the filter.
  - 21. An access control system according to claim 20 wherein the filter updater adds one or more selectors to the filter if the new data element is disallowed by the associated policy, and leaves the filter unchanged if the new data element is allowed by the associated policy.
  - 22. An access control system according to claim 20 wherein the filter updater removes one or more selectors from the filter if the new data element is allowed by the associated policy, and leaving the filter unchanged if the new data element is disallowed by the associated policy.
  - 23. An access control system according to claim 19, further including the user which is a software entity.
  - 24. An access control system according to claim 19, wherein the access rights are expressed as an extension to the XACML language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC), Emirates Telecommunications Corporation, Khalifa University Of Science, Technology & Research
Original Assignee
British Telecommunications PLC (BT Group PLC), Emirates Telecommunications Corporation, Khalifa University of Science and Technology
Inventors
Colombo, Maurizio, Leida, Marcello, Damiani, Ernesto

Application Number

US14/109,016
Publication Number

US 20150172320A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 63/20 for managing network securi...

METHOD AND DEVICES FOR ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICES FOR ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links