US20050223006A1 - Method and device for controlling the access to knowledge networks - Google Patents

Publication number
US20050223006A1
Authority
US
United States
Prior art keywords
rights
owner
user
tree
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/512,778
Other languages
English (en)
Inventor
Clara Hammen
Jan Schummer
Christian Schuckmann
Elke Siemon
Patrick Closhen
Ralf Rath
Hans Scholz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intelligent Views GmbH
Original Assignee
Intelligent Views GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intelligent Views GmbH
Assigned to INTELLIGENT VIEWS GMBH reassignment INTELLIGENT VIEWS GMBH ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RATH, RALF, SIEMON, ELKE, CLOSHEN, PATRICK, HAMMEN, CLARA, SCHOLZ, HANS, SCHUCKMANN, CHRISTIAN, SCHUMMER, JAN
Publication of US20050223006A1
Priority to US12/136,058 (US9870431B2)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G06F16/9027 Trees
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • The invention relates essentially to a method for deriving user rights in a semantic network.
  • Semantic networks are increasingly used to link information items with one another and to find them again later. These networks, together with their algorithms, are also referred to as knowledge networks or ontologies; in them, information objects are connected with one another by edges that carry specific semantics.
  • The problem addressed by the invention is to provide efficient and flexibly configurable access control that is technically and ergonomically integrated and that takes account of the complexity of knowledge networks.
  • The users are represented in the same semantic network as the information objects. Access rights are derived from the semantic relations between users and information objects.
  • This solution has the advantage that no further metadata is required, as is the case, for example, with relational databases. Rather, existing algorithms and inference rules can be used to derive user rights. In addition, the same efficient storage system can be used for content and access information.
  • A further technical advantage is that the code does not need to be adapted to represent the access information. The users and their relations to the information objects are part of the knowledge network as a whole.
  • The rights system of the present invention decides on access entitlements on the basis of information from the knowledge network.
  • These user nodes are placed in a relationship with the nodes in the knowledge network which serve as starting points for the access rights of the member users.
  • Roles are likewise defined in the knowledge network and simplify the configuration of the rights system. Depending on the role of a person, different rights can therefore be defined for entire groups.
  • A right r: <o, t, op> consists of the three components user, target, and operation.
  • The user of a right can carry out the specified operation on the target of the right. If a part of the right is not defined, the right is deemed to apply to all objects of the knowledge network that come into question for this part.
  • The components can contain sets. This makes it possible to define groups of users of a right.
  • Rights are preferably formulated positively. This means that the examination of a right returns a negative response if no positive answer is found.
  • In enquiries to the rights system, attestations for the user, the target, and the knowledge network object respectively are transferred.
  • The rights system seeks a positive response in the rights definitions.
  • It is possible for a negation to be applied to a right.
  • The rights of a knowledge network are defined in a rights tree.
  • This rights tree consists of folders which are arranged and structured as a tree. The root, and therefore the highest folder of this space, is preferably anchored in the central part of the knowledge network, the “root”.
  • The root is the organizational root of the knowledge network. If no rights tree exists in this preferred embodiment, or if this space consists solely of a root folder, then all operations are allowed for all users on all knowledge network objects.
  • Rights are defined and allocated in sub-folders of the root folder of the rights tree.
  • A right is in each case divided into a folder with its components, which are likewise arranged in folders.
  • The folders with the user and operation components form filters of a right, while the folder for the target can contain a search query.
  • The folders of a right do not stand next to each other in the rights tree, but form a part tree of the rights tree as a whole. If rights have the same components, e.g. the same operations, then the same folders can be used for them.
  • The other components of these rights are then subdivided into other sub-folders.
  • The components of a right are in each case the elements of a folder. They are defined, or arranged in their folders, in different ways, as explained hereinafter.
  • The operation (op) is preferably specified in the rights system by enumerating the permitted operations (in the preferred implementation “Read”, “Modify”, “Generate” and “Delete”), which form the elements of an operations folder.
  • The set of owners (o) of a right is represented by the set of elements of the owner folder.
  • The candidates are the individual elements (instances) of a term of the knowledge network that was indicated as the owner term in the configuration of the rights system.
  • The set of owners of a right can be a subset of these individual elements.
  • The owners can preferably be selected in three different ways when the user/owner folder is processed: firstly by explicit indication, secondly by the reachability of the owner from a knowledge network object, and thirdly by determination of the role which an owner has adopted.
  • The owner or owners of a rights part tree are input explicitly, e.g. by means of an editor. In this situation, individual elements (instances) of the owner term are determined.
  • The owner term Person has the individual elements Miller and Meier.
  • A further object in the knowledge network may be “Mill”. If, for the indication of an owner, only the beginning of the name, “Mi”, is entered, the system will find only the individual element Miller as a possible object and will transfer this as the owner into the folder. The object Mill will not be found, because it is not an individual element of an owner term.
  • The owner is in this case derived from a relationship which exists between a knowledge network object and the user.
  • The knowledge network object and the relationship are then explicitly indicated in an editor (see above also).
  • The rights part tree accordingly applies to all user objects which can reach the knowledge network object via this relationship.
  • The owner object from which the relationship is pursued is not determined until the rights tree is assessed, and not as early as the rights tree definition.
  • The content of the owner folder is defined by means of a role. This role is explicitly indicated when the folder is processed.
  • The elements of the owner/user folder are calculated at the rights examination.
  • The set of targets of a rights part tree can either be indicated explicitly or calculated by means of a search query.
  • Any knowledge network object can be dragged and dropped into any folder, but preferably not into a search folder of the rights tree.
  • A knowledge network object is the target of a right.
  • A search query is set up in a search folder.
  • The search query is carried out at the examination of the rights, and the knowledge network objects found at that point represent the targets of the rights part tree.
  • The folders of a part tree are checked recursively.
  • The folders for operations and owners behave like filters.
  • The sub-folders of these folders are checked if the operation or owner to be examined fulfils the filter criterion. If this is the case, then either the sub-folders will be checked or, if there are none available, a positive response will be returned.
  • In a search folder, a check is carried out as to whether the target of the query is an element of the set which is calculated when the search query indicated in the folder is performed. If that is the case, then the answer to the examination is positive.
  • FIG. 1: An extract from a knowledge network with the user/owner node “Ms. Miller”, responsible for the knowledge network object “Reiber Street Residential Building”.
  • FIG. 2: Rights in tree form with operations folders and user/owner folders.
  • FIG. 3: Rights part tree with negative filter.
  • FIG. 1 shows a section from a knowledge network in which the project structure of a construction company is stored. Accordingly, “Ms. Miller” is responsible for the project of the “Reiber Street Residential Building”, in the role of “Building Manager”.
  • The rights system can now be configured in such a way, for example, that Ms. Miller receives writing rights to the building sections relating to the “Reiber Street Residential Building” construction project. Construction sections from other construction projects (e.g. “Landburg Street Car Park”), for which Ms. Miller is not responsible, cannot be processed by her. New construction sections, such as in the sector of “Reiber Street External Installations”, automatically fall into the access area of Ms. Miller.
  • The components of a right are defined in folders which form a part tree in the rights tree (see FIG. 2).
  • In the leaves of the rights tree, it is mostly the target objects of the rights which are defined.
  • The possible operations and the users are filtered out in the folders between the leaves and the root. Accordingly, the topmost part tree in FIG. 2 shows that the operations Modify and Read can be carried out by all users who hold the role of Project Manager on all objects which can be calculated from the search query in the “Projects” folder.
  • A part tree of the rights tree does not need to define explicitly all three components of a right.
  • The second part tree in FIG. 2 contains two levels, since there is no indication of the operations. Accordingly, the right defined in this part tree signifies that the user, “Mr. Schuckmann”, may carry out all operations on the calculated objects in the “Road Construction Projects” sub-folder.
  • The third part tree in FIG. 2 shows that any user can carry out the “Create” operation on any objects of the knowledge network.
  • FIG. 3 shows the definition of a prohibition with the aid of a negative filter in the rights part tree, which is set in front of the folder which is to be negated. All the elements contained in this folder form exceptions for which the rights part tree does not apply.
  • The unfolded rights part tree in FIG. 2 indicates that everything can be read by all users except the elements in the search folder “Group Companies”.
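The folder checks described above (operation and owner filters, search folders evaluated at check time, a negative filter, positive-only rights) as an added sketch; it is not code from the patent or from the applicant. The triple representation, the relation names (`has_role`, `responsible_for`, `part_of`, `is_a`) and the nodes "Section A", "Deck 1", "Holding Ltd" and "Mr. Meier" are constructed assumptions.

```python
# Added illustration: a rights tree evaluated over a knowledge network that is
# stored as (subject, relation, object) triples. Users are nodes in the same network.

class Folder:
    """Plain folder (e.g. the root): no filter of its own."""
    def __init__(self, *children, negated=False):
        self.children = list(children)
        self.negated = negated      # negative filter set in front of the folder
    def accepts(self, net, user, target, op):
        return True

class Operations(Folder):
    """Filter on the requested operation."""
    def __init__(self, ops, *children, **kw):
        super().__init__(*children, **kw)
        self.ops = set(ops)
    def accepts(self, net, user, target, op):
        return op in self.ops

class Owners(Folder):
    """Filter on the user: explicit, by role, or by a relation to a network object."""
    def __init__(self, *children, users=(), role=None, reaches=None, **kw):
        super().__init__(*children, **kw)
        self.users, self.role, self.reaches = set(users), role, reaches
    def accepts(self, net, user, target, op):
        if user in self.users:
            return True
        if self.role is not None and (user, "has_role", self.role) in net:
            return True
        if self.reaches is not None:        # resolved at check time, not at definition
            relation, obj = self.reaches
            return (user, relation, obj) in net
        return False

class Search(Folder):
    """Target folder: the query runs when the right is examined."""
    def __init__(self, query, **kw):
        super().__init__(**kw)
        self.query = query
    def accepts(self, net, user, target, op):
        return target in self.query(net)

def check(folder, net, user, target, op):
    """Recursive check: a filter must pass before its sub-folders are examined."""
    ok = folder.accepts(net, user, target, op)
    if folder.negated:
        ok = not ok
    if not ok:
        return False
    if not folder.children:                 # nothing below: positive response
        return True
    return any(check(c, net, user, target, op) for c in folder.children)

def allowed(rights_root, net, user, target, op):
    # No rights tree, or only a root folder: everything is allowed.
    # Otherwise the answer is negative unless some part tree answers positively.
    return rights_root is None or check(rights_root, net, user, target, op)

def linked(relation, obj):
    """Search query (assumed form): all nodes linked to obj by relation."""
    return lambda net: {s for s, r, o in net if r == relation and o == obj}

REIBER = "Reiber Street Residential Building"
NET = {  # constructed sample network
    ("Ms. Miller", "responsible_for", REIBER),
    ("Ms. Miller", "has_role", "Building Manager"),
    ("Section A", "part_of", REIBER),
    ("Deck 1", "part_of", "Landburg Street Car Park"),
    ("Mr. Meier", "has_role", "Project Manager"),
    ("Holding Ltd", "is_a", "Group Company"),
}
RIGHTS = Folder(
    Operations({"Modify"},
               Owners(Search(linked("part_of", REIBER)),
                      reaches=("responsible_for", REIBER))),
    Operations({"Read"}, Search(linked("is_a", "Group Company"), negated=True)),
)
```

In this sketch a negative filter only removes targets from its own part tree; a sibling part tree that grants the same operation on the same target still produces a positive answer, so exceptions have to be reviewed against the whole tree.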
US10/512,778 2002-04-26 2003-04-28 Method and device for controlling the access to knowledge networks Abandoned US20050223006A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/136,058 US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10218905.6A DE10218905B4 (de) 2002-04-26 2002-04-26 Verfahren und Datenstruktur zur Zugriffssteuerung in Wissensnetzen
DE10218905.6 2002-04-26
PCT/EP2003/004373 WO2003092198A2 (de) 2002-04-26 2003-04-28 Verfahren und vorrichtung zur zugriffssteuerung in wissensnetzen

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/136,058 Continuation-In-Part US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Publications (1)

Publication Number Publication Date
US20050223006A1 (en) 2005-10-06

Family

ID=29224827

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/512,778 Abandoned US20050223006A1 (en) 2002-04-26 2003-04-28 Method and device for controlling the access to knowledge networks
US12/136,058 Active 2025-11-17 US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Family Applications After (1)

Application Number Title Priority Date Filing Date
US12/136,058 Active 2025-11-17 US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Country Status (6)

Country Link
US (2) US20050223006A1 (de)
EP (1) EP1502211B1 (de)
AT (1) ATE521943T1 (de)
AU (1) AU2003233076A1 (de)
DE (1) DE10218905B4 (de)
WO (1) WO2003092198A2 (de)

Also Published As

Publication number Publication date
AU2003233076A1 (en) 2003-11-10
WO2003092198A3 (de) 2004-06-17
DE10218905A1 (de) 2003-11-13
ATE521943T1 (de) 2011-09-15
AU2003233076A8 (en) 2003-11-10
EP1502211A2 (de) 2005-02-02
DE10218905B4 (de) 2016-03-17
WO2003092198A2 (de) 2003-11-06
US20080275879A1 (en) 2008-11-06
US9870431B2 (en) 2018-01-16
EP1502211B1 (de) 2011-08-24

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTELLIGENT VIEWS GMBH, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAMMEN, CLARA;SCHUMMER, JAN;SCHUCKMANN, CHRISTIAN;AND OTHERS;REEL/FRAME:016629/0336;SIGNING DATES FROM 20041018 TO 20041025

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION