US20050223006A1 - Method and device for controlling the access to knowledge networks - Google Patents
- Publication number
- US20050223006A1
- Authority
- US
- United States
- Prior art keywords
- rights
- owner
- user
- tree
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9027—Trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- The invention relates essentially to a method for deriving user rights in a semantic network.
- Semantic networks are being used in increasing numbers for linking information items with one another and finding them again at a later time. These forms of networks with their algorithms are also referred to as knowledge networks or ontologies, whereby information objects are connected with one another by edges which exhibit specific semantics.
- The problem of the invention is to provide an efficient and flexibly configurable access control which is technically and ergonomically integrated, and which takes account of the complexity of knowledge networks.
- The users are represented in the same semantic network as the information objects. Access rights are derived from the semantic relations between users and information objects.
- This solution has the advantage that no further metadata is required, such as is the case, for example, with relational databases. Rather, existing algorithms and inference rules can be used in order to derive user rights. In addition to this, the same efficient memory system can be used for contents and access information.
- A further technical advantage lies in the fact that no adaptation of the code for the representation of the access information is required. The users and their relations to the information objects are part of the knowledge network as a whole.
- The rights system of the present invention makes the decision on access entitlements on the basis of information from the knowledge network.
- These user nodes are placed in a relationship with the nodes in the knowledge network which serve as starting points for the access rights of the member users.
- Roles are likewise defined in the knowledge network and simplify the configuration of the rights system. Depending on the role of a person, it is therefore possible for different rights to be defined for entire groups.
- A right r: <o, t, op> consists of the three components user, target, and operation.
- The user of a right can carry out the operation specified (operation) on the target of the right (target). If a part of the right is not defined, the right is deemed to apply to all the objects of the knowledge network which come into question for this part.
- The components can contain sets. As a result of this, it is possible for groups of users of a right to be defined.
- Rights are preferably formulated positively. This means that a negative response is given when a right is examined if no positive answer is found.
- In enquiries to the rights system, attestations for the user, the target, and the knowledge network object respectively are transferred.
- The rights system seeks a positive response in the rights definitions.
- It is possible for a negation to be presented to a right.
- The rights of a knowledge network are defined in a rights tree.
- This rights tree consists of folders which are arranged and structured in tree fashion. The root, and therefore the highest folder of this space, is preferably anchored in the central part of the knowledge network, the “root”.
- The root is the organizational root of the knowledge network. If no rights tree exists in this preferred embodiment, or if this space consists solely of a root folder, then all operations are allowed for all users on all knowledge network objects.
- Rights are defined and allocated in sub-folders of the root folder of the rights tree.
- A right is divided in each case into a folder with its components, which are likewise arranged in folders.
- The folders, with their user and operations components, form filters of a right, while the folder for the target can contain a search query.
- The folders of a right do not stand next to each other in the rights tree, but form a part tree of the rights tree as a whole. If rights have the same components, e.g. the same operations, then the same folders can be used for them, i.e. the same components.
- The other components of these rights are then subdivided into other sub-folders.
- The components of a right are in each case the elements of a folder. They are defined, or arranged in their folders, in different ways, as explained hereinafter.
- The definition of op in the rights system is preferably effected by enumerating the permitted operations (in the preferred implementation “Read”, “Modify”, “Generate” and “Delete”), which form the elements of an operations folder.
- The number of owners (o) of a right is represented by the number of elements of the owner folder.
- Individual elements (instances) of a term of the knowledge network come into question as owners, where that term was indicated as the owner term in the configuration of the rights system.
- The owners of a right can be a subset of these individual elements.
- The selection of the owners can preferably be effected in three different ways during the processing of the user/owner folder: firstly by explicit indication, secondly by the accessibility of the owner by and from a knowledge network object, and thirdly by the determination of the role which an owner has adopted.
- The owner or owners of a rights part tree are input explicitly, e.g. by means of an editor. In this situation, individual elements (instances) of the owner term are determined.
- The owner term Person has the individual elements Miller and Meier.
- A further object in the knowledge network may be “Mill”. If, to indicate an owner, only the beginning of the name, “Mi”, is entered, the system will then find, as a possible object, only the individual element Miller, and will transfer this as the owner into the folder. The object Mill will not be found, because it is not an individual element of an owner term.
- The owner is in this case derived from a relationship which pertains between a knowledge network object and the user.
- The knowledge network object and the relationship are then explicitly indicated in an editor (see above also).
- The rights part tree accordingly applies to all user objects which can reach the knowledge network object via this relationship.
- The owner object from which the relationship is pursued is not determined until the time of the assessment of the rights tree, and not as early as the rights tree definition.
- The content of the owner folder is defined by means of a role. This role is explicitly indicated when the folder is processed.
- The elements of the owner/user folder are calculated at the rights examination.
- The number of targets of a rights part tree can either be indicated explicitly or calculated by means of a search query.
- Any knowledge network object can be dragged into any folder by drag and drop, but preferably not into a search folder of the rights tree.
- A knowledge network object is the target of a right.
- A search query is set up in a search folder.
- The search query is carried out at the examination of the rights, and the knowledge network objects found at this juncture represent the targets of the rights part tree.
- The folders of a part tree are checked recursively.
- The folders for operations and owners behave like filters.
- The sub-folders of these folders are checked if the operation or owner to be examined fulfils the filter criterion. If this is the case, then either the sub-folders will be checked or, if there are none available, a positive response will be returned.
- A check is carried out in a search folder as to whether the target of the query is an element of the set that is calculated when the search query indicated in the folder is performed. If that is the case, then the answer to the examination is positive.
- FIG. 1 An extract from a knowledge network with the user/owner nodes “Ms. Miller”, responsible for the knowledge network object “Reiber Street Residential Building”;
- FIG. 2 Rights in tree form with operations folders and user/owner folders
- FIG. 3 Rights part tree with negative filter.
- FIG. 1 shows a section from a knowledge network, in which the project structure of a construction company is stored. Accordingly, “Ms. Miller” is responsible for the project of the “Reiber Street Residential Building”, in the role of “Building Manager”.
- The rights system can now be configured in such a way, for example, that Ms. Miller receives writing rights to the building sections relating to the “Reiber Street Residential Building” construction project. Construction sections from other construction projects (e.g. “Landburg Street Car Park”), for which Ms. Miller is not responsible, cannot be edited by her. New construction sections, such as in the sector of “Reiber Street External Installations”, automatically fall into the access area of Ms. Miller.
- The components of a right are defined in folders which form a part tree in the rights tree (see FIG. 2).
- In the leaves of the rights tree, it is mostly the target objects of the rights which are defined.
- The possible operations and the users are filtered out in the folders between the leaves and the root. Accordingly, the topmost part tree in FIG. 2 shows that the operations Modify and Read can be carried out by all users who hold the role of Project Manager on all objects which can be calculated from the search query in the “Projects” folder.
- A part tree of the rights tree does not need to define explicitly all three components of a right.
- The second part tree in FIG. 2 contains two levels, since there is no indication of the operations. Accordingly, the right defined in this part tree signifies that the user, “Mr. Schuckmann”, may carry out all operations on the calculated objects in the “Road Construction Projects” sub-folder.
- The third part tree in FIG. 2 shows that any user can carry out the “Create” operation on any objects of the knowledge network.
- FIG. 3 shows the definition of a prohibition with the aid of a negative filter in the rights part tree, which is set in front of the folder which is to be negated. All the elements contained in this folder form exceptions for which the rights part tree does not apply.
- The unfolded rights part tree in FIG. 2 indicates that everything can be read by all users except the elements in the search folder “Group Companies”.
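The rights examination described above (recursive folder check, operation and owner filters, search folders evaluated at check time, the negative filter of FIG. 3, and the negative answer when no positive one is found) can be sketched as follows. This is an added example, not code from the patent; the helper names, the relation names `responsible for`, `section of` and `belongs to`, and the sample network are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Folder:
    """One folder of the rights tree; `match` is its filter or search query."""
    match: Callable[[set, str, str, str], bool]
    children: List["Folder"] = field(default_factory=list)
    negated: bool = False  # negative filter set in front of the folder (FIG. 3)

def ops(names, *children):
    # Operations folder: enumerates the permitted operations.
    return Folder(lambda net, user, target, op: op in names, list(children))

def owners_via(relation, obj, *children):
    # Owner derived from a relationship to a knowledge network object;
    # resolved when the right is examined, not when the tree is defined.
    return Folder(lambda net, user, target, op: (user, relation, obj) in net,
                  list(children))

def search(query, negated=False):
    # Search folder: the query runs at examination time and yields the targets.
    return Folder(lambda net, user, target, op: target in query(net), [], negated)

def check(folder, net, user, target, op):
    hit = folder.match(net, user, target, op)
    if folder.negated:
        hit = not hit              # elements of a negated folder are exceptions
    if not hit:
        return False
    if not folder.children:
        return True                # filter fulfilled and no sub-folders: positive
    return any(check(c, net, user, target, op) for c in folder.children)

def allowed(rights_tree, net, user, target, op):
    if not rights_tree:            # only a root folder: everything is allowed
        return True
    # Rights are positive: no positive answer in any part tree means "no".
    return any(check(f, net, user, target, op) for f in rights_tree)

def linked_to(relation, obj):
    # Hypothetical search query: all nodes with an edge `relation` to `obj`.
    return lambda net: {s for (s, rel, o) in net if rel == relation and o == obj}

# Constructed sample network as (subject, relation, object) edges.
PROJECT = "Reiber Street Residential Building"
NET = {
    ("Ms. Miller", "responsible for", PROJECT),
    ("Reiber Street Shell", "section of", PROJECT),
    ("Landburg Street Foundations", "section of", "Landburg Street Car Park"),
    ("Group Ledger", "belongs to", "Group Companies"),
}

# Sub-folders of the root folder: one part tree per right.
TREE = [
    # Whoever is responsible for the project may modify/read its sections.
    ops({"Modify", "Read"},
        owners_via("responsible for", PROJECT,
                   search(linked_to("section of", PROJECT)))),
    # Any user may read everything except the "Group Companies" elements.
    ops({"Read"},
        search(linked_to("belongs to", "Group Companies"), negated=True)),
]
```

In this sketch a negated folder only excludes targets within its own part tree; a positive answer reached through another part tree still grants access, because the text defines no precedence between part trees.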
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/136,058 US9870431B2 (en) | 2002-04-26 | 2008-06-10 | Method and device for controlling the access to knowledge networks |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10218905.6A DE10218905B4 (de) | 2002-04-26 | 2002-04-26 | Verfahren und Datenstruktur zur Zugriffssteuerung in Wissensnetzen |
DE10218905.6 | 2002-04-26 | ||
PCT/EP2003/004373 WO2003092198A2 (de) | 2002-04-26 | 2003-04-28 | Verfahren und vorrichtung zur zugriffssteuerung in wissensnetzen |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/136,058 Continuation-In-Part US9870431B2 (en) | 2002-04-26 | 2008-06-10 | Method and device for controlling the access to knowledge networks |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050223006A1 (en) | 2005-10-06 |
Family
ID=29224827
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/512,778 Abandoned US20050223006A1 (en) | 2002-04-26 | 2003-04-28 | Method and device for controlling the access to knowledge networks |
US12/136,058 Active 2025-11-17 US9870431B2 (en) | 2002-04-26 | 2008-06-10 | Method and device for controlling the access to knowledge networks |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/136,058 Active 2025-11-17 US9870431B2 (en) | 2002-04-26 | 2008-06-10 | Method and device for controlling the access to knowledge networks |
Country Status (6)
Country | Link |
---|---|
US (2) | US20050223006A1 (de) |
EP (1) | EP1502211B1 (de) |
AT (1) | ATE521943T1 (de) |
AU (1) | AU2003233076A1 (de) |
DE (1) | DE10218905B4 (de) |
WO (1) | WO2003092198A2 (de) |
-
2002
- 2002-04-26 DE DE10218905.6A patent/DE10218905B4/de not_active Expired - Lifetime
-
2003
- 2003-04-28 AT AT03727375T patent/ATE521943T1/de active
- 2003-04-28 AU AU2003233076A patent/AU2003233076A1/en not_active Abandoned
- 2003-04-28 WO PCT/EP2003/004373 patent/WO2003092198A2/de not_active Application Discontinuation
- 2003-04-28 EP EP03727375A patent/EP1502211B1/de not_active Expired - Lifetime
- 2003-04-28 US US10/512,778 patent/US20050223006A1/en not_active Abandoned
-
2008
- 2008-06-10 US US12/136,058 patent/US9870431B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
AU2003233076A1 (en) | 2003-11-10 |
WO2003092198A3 (de) | 2004-06-17 |
DE10218905A1 (de) | 2003-11-13 |
ATE521943T1 (de) | 2011-09-15 |
AU2003233076A8 (en) | 2003-11-10 |
EP1502211A2 (de) | 2005-02-02 |
DE10218905B4 (de) | 2016-03-17 |
WO2003092198A2 (de) | 2003-11-06 |
US20080275879A1 (en) | 2008-11-06 |
US9870431B2 (en) | 2018-01-16 |
EP1502211B1 (de) | 2011-08-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: INTELLIGENT VIEWS GMBH, GERMANY. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAMMEN, CLARA;SCHUMMER, JAN;SCHUCKMANN, CHRISTIAN;AND OTHERS;REEL/FRAME:016629/0336;SIGNING DATES FROM 20041018 TO 20041025 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |