WO2024072452A1 - User credential parameter space partitioning in a rule based access control system - Google Patents


Info

Publication number
WO2024072452A1
Authority
WO
WIPO (PCT)
Prior art keywords
product data
users
session parameters
parameters
access privileges
Application number
PCT/US2022/077249
Other languages
French (fr)
Inventor
Reiner K. KAISER
Original Assignee
Siemens Industry Software Inc.
Application filed by Siemens Industry Software Inc.
Priority to PCT/US2022/077249
Publication of WO2024072452A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • This application is generally related to access control management and, more specifically, to rule-based access control management with parameter space partitioning.
  • PDM product data management
  • SQL Structured Query Language
  • Many of these product data management systems also include access management systems to grant and restrict user access to the product data stored in the relational databases.
  • the access management systems typically utilize an authentication process in which users log into the product data management systems, for example, through a credential challenge process, and then selectively grant or restrict user access to product data based on the characteristics of the user, such as groups, roles, project, or the like associated with the user.
  • Some access management systems can utilize a complex rule-based access management scheme that processes hierarchical rule trees against session parameters corresponding to the user characteristics to selectively grant users privileges associated with corresponding instances of product data stored in the product data management systems.
  • the hierarchical rule trees can include a set of rules arranged in a hierarchical format, with each of the rules having a corresponding access control list (ACL) identifying users or types of users that can be granted access to the product data associated with the hierarchical rule tree.
  • ACL access control list
  • the access management system can process the hierarchical rule trees by determining which rules to evaluate based on rule applicability to the use case or instance data and then process the corresponding access control list to evaluate the rules against the session parameters of the user to determine whether to selectively grant access privileges for the user to the instance of product data.
  • some access management systems can generate expressions from the hierarchical rule trees, which can correspond to a function that receives the session parameters of users as input and identifies access privileges to associated product data.
  • the access management system can determine access privileges to product data by evaluating the expression using the session parameters as input rather than processing the hierarchical rule tree corresponding to the product data. While evaluating the expressions can allow the access management system to selectively grant the user access privileges to the instance of product data, changes in user characteristics or in the rule trees can often render the expressions stale.
  • Some product data management systems can include diagnostic systems to test the hierarchical rule trees and the corresponding expressions to validate the accuracy with which the access management systems grant access privileges to authorized users. Given the complexity of the session parameters, the hierarchical rule trees, and the access control lists, and the number of instances of product data stored in the product data management system, exhaustive testing by the diagnostic systems is often impractical, leaving the diagnostic systems to perform non-exhaustive testing of the hierarchical rule trees and the corresponding expressions.
  • This application discloses a computing system to process rules defining access privileges for product data of an organization stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data.
  • the computing system can identify session parameters for a plurality of users.
  • the session parameters can correspond to user characteristics in the organization.
  • the computing system can correlate the accessor parameters for the product data to the session parameters for the plurality of users, which can partition a parameter space of the session parameters for the plurality of the users.
  • the computing system can selectively evaluate the access privileges to the product data for at least one of the users by selecting one of the users in each partition, evaluating the access privileges to the product data using the session parameters of the selected users, and skipping evaluation of the access privileges to the product data using the session parameters of non-selected users. Embodiments will be described below in greater detail.
  • Figure 1 illustrates an example distributed database system to implement a product data management environment according to various embodiments.
  • Figures 2 and 3 illustrate an example of a computer system of the type that may be used to implement various embodiments of the distributed database system.
  • Figure 4 illustrates an example of a rule-based access management diagnostic system to perform validation of an access management system in a product data management system according to various embodiments.
  • Figure 5 illustrates an example flowchart for implementing rule-based access management diagnostics according to various embodiments.
  • Figures 6A-6C illustrate an example of parameter space partitioning using a hierarchical rule tree having rules that reference access control lists according to various embodiments.
  • FIG. 1 illustrates an example distributed database system 100 to implement a product data management environment according to various embodiments of the invention.
  • the distributed database system 100 includes a server-side, for example, a product data management system 110, and a client-side, for example, a client system 120, which can communicate with each other over a network 130.
  • the server-side can include the server system 111 to implement the product data management environment for the client-side of the distributed database system 100.
  • the server system 111 can include multiple servers 112-1 to 112-N or other processing devices capable of implementing the product data management environment for the client system 120.
  • the servers 112-1 to 112-N can access a memory system 113, for example, including one or more relational databases, storing product data.
  • the client-side, for example, a client system 120, can include multiple client devices 122-1 to 122-M, such as computers, laptops, workstations, tablets, handsets, or other processing devices, which can communicate with the server system 111 directly or through a network 130.
  • the network 130 can include one or more packet-switched networks, one or more circuit-switched networks, a combination of both, or the like, which can exchange communication between the server-side and the client-side over wired, wireless, cellular, or any other transmission medium.
  • the client devices 122-1 to 122-M can request access to the product data management system 110 directly or over the network 130.
  • At least one of the servers 112-1 to 112-N in the product data management system 110 can implement an access management system 114 to authenticate credentials associated with users of the client devices 122-1 to 122-M and to selectively grant access privileges to product data stored in the memory system 130.
  • the access management system 114 can utilize the credentials associated with users of the client devices 122-1 to 122-M to determine a set of session parameters corresponding to the user, such as a user parameter that identifies the user, at least one group parameter that correlates the user to one or more groups of users, at least one role parameter that correlates the user to one or more roles held by users, at least one project parameter that correlates the user to one or more projects in the organization, or the like.
  • the access management system 114 can implement a complex rule-based access management scheme, for example, that processes hierarchical rule trees against the session parameters, to selectively grant users access privileges associated with corresponding instances of product data in the memory system 130.
  • the hierarchical rule trees can include a set of rules arranged in a hierarchical format. Each of the rules can have a corresponding access control list (ACL), which can include a list of users or types of users that can be granted access to the product data associated with the hierarchical rule tree.
  • the access management system 114 can generate expressions from the hierarchical rule trees, which can correspond to a function that uses the session parameters to identify access privileges to associated product data. For example, the access management system 114 can utilize the session parameters determined from the user credentials to determine access privileges to product data by evaluating the expression using the session parameters as input rather than processing the hierarchical rule tree corresponding to the product data.
  • Figures 2 and 3 illustrate an example of a computer system that may implement various embodiments of the distributed database system.
  • Figure 2 shows an illustrative example of a computing device 201, such as a programmable computer.
  • the computing device 201 includes a computing unit 203 with a processing unit 205 and a system memory 207.
  • the processing unit 205 may be any type of programmable electronic device for executing software instructions, but will conventionally be a microprocessor.
  • the system memory 207 may include both a read-only memory (ROM) 209 and a random access memory (RAM) 211.
  • ROM read-only memory
  • RAM random access memory
  • both the read-only memory (ROM) 209 and the random access memory (RAM) 211 may store software instructions for execution by the processing unit 205.
  • the processing unit 205 and the system memory 207 are connected, either directly or indirectly, through a bus 213 or alternate communication structure, to one or more peripheral devices 215-223.
  • the processing unit 205 or the system memory 207 may be directly or indirectly connected to one or more additional memory storage devices, such as a hard disk drive 217, which can be magnetic and/or removable, a removable optical disk drive 219, and/or a flash memory card.
  • the processing unit 205 and the system memory 207 also may be directly or indirectly connected to one or more input devices 221 and one or more output devices 223.
  • the input devices 221 may include, for example, a keyboard, a pointing device (such as a mouse, touchpad, stylus, trackball, or joystick), a scanner, a camera, and a microphone.
  • the output devices 223 may include, for example, a monitor display, a printer and speakers.
  • one or more of the peripheral devices 215-223 may be internally housed with the computing unit 203. Alternately, one or more of the peripheral devices 215-223 may be external to the housing for the computing unit 203 and connected to the bus 213 through, for example, a Universal Serial Bus (USB) connection.
  • USB Universal Serial Bus
  • the computing unit 203 may be directly or indirectly connected to a network interface 215 for communicating with other devices making up a network.
  • the network interface 215 can translate data and control signals from the computing unit 203 into network messages according to one or more communication protocols, such as the transmission control protocol (TCP) and the Internet protocol (IP).
  • TCP transmission control protocol
  • IP Internet protocol
  • the network interface 215 may employ any suitable connection agent (or combination of agents) for connecting to a network, including, for example, a wireless transceiver, a modem, or an Ethernet connection.
  • the computing device 201 is illustrated as an example only, and is not intended to be limiting. Various embodiments may be implemented using one or more computing devices that include the components of the computing device 201 illustrated in Figure 2, which include only a subset of the components illustrated in Figure 2, or which include an alternate combination of components, including components that are not shown in Figure 2. For example, various embodiments may be implemented using a multi-processor computer, a plurality of single and/or multiprocessor computers arranged into a network, or some combination of both.
  • the processor unit 205 can have more than one processor core.
  • Figure 3 illustrates an example of a multi-core processor unit 205 that may be employed with various embodiments.
  • the processor unit 205 includes a plurality of processor cores 301A and 301B.
  • Each processor core 301A and 301B includes a computing engine 303A and 303B, respectively, and a memory cache 305A and 305B, respectively.
  • a computing engine 303A and 303B can include logic devices for performing various computing functions, such as fetching software instructions and then performing the actions specified in the fetched instructions.
  • Each computing engine 303A and 303B may then use its corresponding memory cache 305A and 305B, respectively, to quickly store and retrieve data and/or instructions for execution.
  • Each processor core 301A and 301B is connected to an interconnect 307.
  • the particular construction of the interconnect 307 may vary depending upon the architecture of the processor unit 205. With some processor cores 301A and 301B, such as the Cell microprocessor created by Sony Corporation, Toshiba Corporation and IBM Corporation, the interconnect 307 may be implemented as an interconnect bus. With other processor units 301A and 301B, however, such as the Opteron™ and Athlon™ dual-core processors available from Advanced Micro Devices of Sunnyvale, California, the interconnect 307 may be implemented as a system request interface device. In any case, the processor cores 301A and 301B communicate through the interconnect 307 with an input/output interface 309 and a memory controller 310.
  • the input/output interface 309 provides a communication interface to the bus 213.
  • the memory controller 310 controls the exchange of information to the system memory 207.
  • the processor unit 205 may include additional components, such as a high-level cache memory shared by the processor cores 301A and 301B. It also should be appreciated that the description of the computer network illustrated in Figure 2 and Figure 3 is provided as an example only, and is not intended to suggest any limitation as to the scope of use or functionality of alternate embodiments.
  • Figure 4 illustrates an example of a rule-based access management diagnostic system 410 to perform validation of an access management system 402 in a product data management (PDM) system 400 according to various embodiments.
  • Figure 5 illustrates an example flowchart for implementing rule-based access management diagnostics according to various embodiments.
  • the product data management system 400 can manage product data 401 stored in a memory system 404.
  • the product data 401 managed by the product data management system 400 can correspond to design data for a product, verification results for the design data, a bill of materials (BOM) for the product, organization data, or the like.
  • BOM bill of materials
  • the product data management system 400 can correspond to a relational database management system (RDBMS) and the memory system 404 can utilize a relational database to store the product data 401 based on a relational model, for example, using a Structured Query Language (SQL) for querying and maintaining the relational database.
  • the memory system 404 utilizing the relational database can utilize the relational model to organize data into tables having a row-column format, with each row having a key or an identifier.
  • the columns of the tables can store data corresponding to the identifier and, in some embodiments, can include identifiers corresponding to one or more of the other tables.
  • the relational database can link rows of one table to rows of the other tables, allowing the relational database to nest stored data based on the relational model.
  • the product data management system 400 can include an access management system 402 to manage access to the product data 401 stored in the memory system 404 by the product data management system 400. Similar to the access management system 114 described above with reference to Figure 1, the access management system 402 can authenticate users of the product data management system 400, for example, by performing a credential challenge.
  • the access management system 402 can utilize a rule-based access management scheme to selectively grant users access privileges associated with corresponding instances of the product data 401 in the memory system 404.
  • the access management system 402 can utilize the complex rule-based access management scheme by processing hierarchical rule trees against session parameters of the authenticated users.
  • the hierarchical rule trees can include a set of rules 405 arranged in a hierarchical format. Each of the rules 405 can have a corresponding access control list (ACL), which can include a list of users or types of users that can be granted access to the product data associated with the hierarchical rule tree.
  • a rule-based access management diagnostic system 410 can be utilized to categorize, test, validate, or the like, the rule-based access management scheme utilized by the access management system 402.
  • the rule-based access management diagnostic system 410 can receive an organization structure file 403 from the product data management system 400, which can include a listing of users and their associated characteristics within the organization employing the product data management system 400.
  • the organization structure file 403 can identify the users, groups the users belong to within the organization, roles the users have in the organization, projects associated with the users, or the like.
  • the rule-based access management diagnostic system 410 can include a session identification system 412 that, in a block 501 of Figure 5, can identify session parameters for a plurality of users of a product data management system 400.
  • the session identification system 412 can parse the organization structure file 403 to identify the users of the product data management system 400 and their corresponding user characteristics.
  • the session identification system 412, for each user, can determine a set of session parameters corresponding to the user characteristics from the organization structure file 403.
  • the session parameters can include at least one of a user parameter that identifies a user, a group parameter that correlates the user to the plurality of the users, a role parameter that correlates the user to a role in the organization, or a project parameter that correlates the user to a project in the organization.
  • the rule-based access management diagnostic system 410 also can receive the rules 405 and associated access control lists from the product data management system 400.
  • the product data management system 400 can provide the rule-based access management diagnostic system 410 with the hierarchical rule trees that include the rules 405 arranged in a hierarchical format along with the access control lists referenced by the rules 405.
  • the rule-based access management diagnostic system 410 can include a rule processing system 414 that, in a block 501 of Figure 5, can process the rules 405 defining access privileges for the product data 401 stored in a product data management system 405.
  • the rule processing system 414 can traverse hierarchical rule trees having the rules 405 to determine which of the rules 405 catch the session parameters of at least one user and, for the rules 405 that catch, identify one or more access control lists referenced within the rules 405.
  • the rule processing system 414, in a block 502 of Figure 5, can determine accessor parameters capable of satisfying the rules 405 for accessing the product data 401 based on the processing of the rules 405.
  • the rule processing system 414 can analyze the access control lists corresponding to the rules that catch to identify which characteristics of users or user parameters can be granted access privileges to the instances of the product data 401 based on the contents of the access control lists.
  • the rule processing system 414 can set the accessor parameters for each instance of the product data 401 based on the identification.
  • the rule processing system 414 can generate a string of accessor parameter identifiers, such as a read expression, that can be utilized to determine which sets of session parameters can access the product data 401.
  • An example hierarchical rule tree, access control lists, and identifying accessor parameters will be described below with reference to Figures 6A and 6B.
  • Figures 6A and 6B illustrate an example hierarchical rule tree 600 having rules 601-606 that reference access control lists 610 according to various embodiments.
  • the hierarchical rule tree 600 can have a plurality of rules 601-606 arranged in a hierarchical format.
  • a graphical representation of the hierarchical rule tree 600 can include multiple nodes or vertices representing the rules 601-606, which can be coupled using paths or lines to describe the respective dependencies between the rules 601-606.
  • the hierarchical rule tree 600 also can be described in a table format with each row corresponding to a different rule 601-606 in the hierarchical rule tree 600 and the order and indentation of the row corresponding to the respective dependencies between the rules 601-606.
  • Each of the rules 601-606 in the hierarchical rule tree 600 can include a condition and a reference to an access control list.
  • session parameters of users can be compared to the conditions in the rules 601-606 to determine which of the rules 601-606 catch or have their condition satisfied by the session parameters.
  • the access control lists 610 referenced in the caught rules can be accessed and evaluated to determine access privileges to product data for the user with the session parameters.
  • the rule 601 can reference an item access control list 611.
  • the rule 602 can reference a classification access control list 612.
  • the rule 603 can reference a project access control list 613.
  • the access control lists 610 can each include a parameter list and corresponding access privileges that apply to session parameters matching to the corresponding entry in the parameter list.
  • the item access control list 611 can have a parameter list including an owning group having a corresponding grant access privilege and no permission group having a corresponding deny access privilege.
  • the classification access control list 612 can have a parameter list including an owning user having a corresponding grant access privilege and world having a corresponding deny access privilege.
  • the project access control list 613 can have a parameter list including a project team (PRJ1) having a corresponding grant access privilege, a role in project team having a corresponding grant access privilege, and world having a corresponding deny access privilege.
  • the rule-based access management diagnostic system 410 can include a parameter space partitioning system 416 that, in a block 504 of Figure 5, can correlate the accessor parameters for the product data 401 to the session parameters for the plurality of users.
  • the parameter space partitioning system 416 can perform a string comparison function that compares different portions of the session parameters to the accessor parameters to identify subsets of the session parameters that match the accessor parameters for an instance of the product data.
  • the parameter space partitioning system 416, in a block 505 of Figure 5, can partition a parameter space of the session parameters for the plurality of the users based on the correlation.
  • the parameter space can correspond to the different subsets of the session parameters across the different users in the organization capable of being granted access privileges to an instance of the product data 401.
  • the parameter space partitioning system 416 can divide the parameter space by identifying the different subsets of the session parameters held by one or more users that are capable of being granted access privileges to an instance of the product data 401.
  • the parameter space partitioning system 416 can generate a table including entries, each identifying one of the subsets of the session parameters and a corresponding instance of the product data 401 accessible using the identified subset.
  • the parameter space partitioning system 416 can selectively populate the table with non-redundant new entries. Embodiments of partitioning of the parameter space will be described below with reference to Figure 6C.
  • Figure 6C illustrates an example of parameter space partitioning using a hierarchical rule tree 600 having rules 601-606 that reference access control lists 610 according to various embodiments.
  • the parameter space 620 for an instance of product data can include three primary subsets of session parameters, owning group 621 from item access control list 611 of Figure 6B, owning user 622 from classification access control list 612 of Figure 6B, and project team 623 from the project access control list 613 of Figure 6B.
  • the intersections 624-627 of the primary subsets of the session parameters can correspond to other subsets of session parameters within the parameter space 620.
  • intersection 624 can correspond to a combination of owning group 621 and owning user 622.
  • intersection 625 can correspond to a combination of owning user 622 and project team 623.
  • intersection 626 can correspond to a combination of owning group 621 and project team 623.
  • intersection 627 can correspond to a combination of owning group 621, owning user 622, and project team 623.
  • Each of the subsets of the session parameters 621-627 can have a same access control behavior and can be correlated to the session parameters of one or more users of a product data management system.
  • the rule-based access management diagnostic system 410 can include a rule evaluation system 418 that, in a block 506 of Figure 5, can select at least one user associated with each partition of the parameter space and, in a block 507 of Figure 5, can evaluate the access privileges to the product data 401 using the session parameters of the selected users.
  • the rule evaluation system 418 can perform the user selection and the access privilege evaluation by processing the entries in the table generated by the parameter space partitioning system 416.
  • the access privilege evaluation can correspond to processing the hierarchical rule tree associated with the subsets of the session parameters of the selected user or the table entry to validate the accuracy of the hierarchical rule trees, any access expressions generated from the hierarchical rule trees, the operation of the logic tree evaluator within the access management system 402, or the like.
  • the rule evaluation system 418, in a block 508 of Figure 5, can skip evaluation of the access privileges to the product data using the session parameters of non-selected users.
  • the parameter space partitioning system 416 can populate the table with unique and non-redundant entries, which can consolidate the users having the same subset of session parameters correlated to accessor parameters.
  • the consolidation of the users through the population of the table can allow the rule evaluation system 418 to evaluate access privileges of one of the consolidated users and avoid having to evaluate the other users having been consolidated through the table entry.
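As an added example (not code from the patent or from Siemens), the following Python models the rule tree and ACLs of Figures 6A and 6B, the partitioning of the parameter space into the regions of Figure 6C, and the select-one-user-per-partition evaluation of blocks 506-508 described above. It also adds an exhaustive cross-check that every skipped user decides the same way as its partition's representative, which is the property the skipping relies on. The rule conditions, the evaluation semantics, the organization's users and the product-data instance are all assumptions made for the example.

```python
# Added example, not code from the patent or Siemens: a toy of the diagnostic described
# above. Rule tree, ACLs, users and the instance are constructed; evaluation semantics assumed.
from collections import namedtuple
from typing import Dict, FrozenSet, List

# Roles are "<project>:<role>" strings; a rule's condition is a "key=value" test on the instance.
User = namedtuple("User", "name groups roles projects")
Rule = namedtuple("Rule", "condition acl children", defaults=[()])

# Access control lists modelled on ACLs 611-613 of Figure 6B, entries in list order.
ACLS = {
    "item": [("owning_group", "grant"), ("no_permission", "deny")],
    "classification": [("owning_user", "grant"), ("world", "deny")],
    "project": [("project_team", "grant"), ("role_in_project_team", "grant"), ("world", "deny")],
}
# Hierarchical rule tree: a root item rule with two dependent rules.
TREE = Rule("class=Item", "item", (Rule("classified=yes", "classification"),
                                   Rule("project=PRJ1", "project")))
# Constructed instance of product data.
ITEM = {"class": "Item", "classified": "yes", "project": "PRJ1",
        "owning_user": "alice", "owning_group": "cad"}

def caught_rules(rule: Rule, item: dict, out: List[Rule]) -> List[Rule]:
    """Depth first: a rule catches when its key=value test holds on the instance,
    and a child rule is only reached through a parent that catches."""
    key, _, value = rule.condition.partition("=")
    if item.get(key) == value:
        out.append(rule)
        for child in rule.children:
            caught_rules(child, item, out)
    return out

def session_parameters(user: User, item: dict) -> FrozenSet[str]:
    """The user's session parameters, expressed in the ACLs' parameter vocabulary."""
    held = {
        "owning_user": user.name == item["owning_user"],
        "owning_group": item["owning_group"] in user.groups,
        "no_permission": "no_permission" in user.groups,
        "project_team": item["project"] in user.projects,
        "role_in_project_team": any(r.startswith(item["project"] + ":") for r in user.roles),
    }
    return frozenset(["world"] + [p for p, yes in held.items() if yes])

def acl_parameters(tree: Rule, item: dict) -> Dict[str, str]:
    """Parameter -> privilege over the ACLs of every rule that catches (first entry wins)."""
    params: Dict[str, str] = {}
    for rule in caught_rules(tree, item, []):
        for param, privilege in ACLS[rule.acl]:
            params.setdefault(param, privilege)
    return params

def read_expression(tree: Rule, item: dict) -> str:
    """Accessor parameters (those that can be granted access) as a read expression."""
    return " OR ".join(sorted(p for p, priv in acl_parameters(tree, item).items() if priv == "grant"))

def evaluate(tree: Rule, user: User, item: dict) -> str:
    """The access decision under validation (assumed semantics): an explicit deny
    wins, then any grant; the ACLs' 'world' deny entries act as the default."""
    sess = session_parameters(user, item)
    decisions = [priv for rule in caught_rules(tree, item, [])
                 for param, priv in ACLS[rule.acl] if param in sess and param != "world"]
    if "deny" in decisions:
        return "deny"
    return "grant" if "grant" in decisions else "deny"

def partition_key(tree: Rule, user: User, item: dict) -> FrozenSet[str]:
    """Subset of ACL parameters the user holds (regions 621-627 of Figure 6C). Deny
    parameters stay in the key so a denied user is never merged with a granted one."""
    return session_parameters(user, item) & (frozenset(acl_parameters(tree, item)) - {"world"})

def partition_users(tree: Rule, users: List[User], item: dict) -> Dict[FrozenSet[str], User]:
    """Table of non-redundant entries: one representative user per partition."""
    table: Dict[FrozenSet[str], User] = {}
    for user in users:
        table.setdefault(partition_key(tree, user, item), user)
    return table

def run_diagnostic(tree: Rule, users: List[User], item: dict):
    """Evaluate one user per partition and report whose evaluation was skipped."""
    evaluated = {rep.name: evaluate(tree, rep, item)
                 for rep in partition_users(tree, users, item).values()}
    return evaluated, [u.name for u in users if u.name not in evaluated]

def partition_is_sound(tree: Rule, users: List[User], item: dict) -> bool:
    """Exhaustive cross-check: each user must decide like its partition's representative."""
    table = partition_users(tree, users, item)
    return all(evaluate(tree, u, item) == evaluate(tree, table[partition_key(tree, u, item)], item)
               for u in users)

# Constructed organization; erin shares bob's partition and is skipped.
USERS = [
    User("alice", frozenset({"cad"}), frozenset(), frozenset({"PRJ1"})),
    User("bob", frozenset({"cad"}), frozenset(), frozenset()),
    User("carol", frozenset(), frozenset(), frozenset({"PRJ1"})),
    User("dave", frozenset(), frozenset({"PRJ1:reviewer"}), frozenset()),
    User("erin", frozenset({"cad"}), frozenset(), frozenset()),
    User("frank", frozenset({"cad", "no_permission"}), frozenset(), frozenset()),
    User("grace", frozenset(), frozenset(), frozenset()),
]
```

Keying the partitions on the grant parameters alone would put frank (denied through the no permission group) in bob's partition, so the key keeps deny parameters as well.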
  • the system and apparatus described above may use dedicated processor systems, micro controllers, programmable logic devices, microprocessors, or any combination thereof, to perform some or all of the operations described herein.
  • the processing device may execute instructions or "code" stored in memory.
  • the memory may store data as well.
  • the processing device may include, but may not be limited to, an analog processor, a digital processor, a microprocessor, a multi-core processor, a processor array, a network processor, or the like.
  • the processing device may be part of an integrated control system or system manager, or may be provided as a portable electronic device configured to interface with a networked system either locally or remotely via wireless transmission.
  • the processor memory may be integrated together with the processing device, for example RAM or FLASH memory disposed within an integrated circuit microprocessor or the like.
  • the memory may comprise an independent device, such as an external disk drive, a storage array, a portable FLASH key fob, or the like.
  • the memory and processing device may be operatively coupled together, or in communication with each other, for example by an I/O port, a network connection, or the like, and the processing device may read a file stored on the memory.
  • Associated memory may be "read only" by design (ROM) by virtue of permission settings, or not.
  • Other examples of memory may include, but may not be limited to, WORM, EPROM, EEPROM, FLASH, or the like, which may be implemented in solid state semiconductor devices.
  • Other memories may comprise moving parts, such as a known rotating disk drive. All such memories may be "machine- readable” and may be readable by a processing device.
  • Operating instructions or commands may be implemented or embodied in tangible forms of stored computer software (also known as "computer program" or "code").
  • Programs, or code, may be stored in a digital memory and may be read by the processing device.
  • "Computer-readable storage medium" (or alternatively, "machine-readable storage medium") may include all of the foregoing types of memory, as well as new technologies of the future, as long as the memory may be capable of storing digital information in the nature of a computer program or other data, at least temporarily, and as long as the stored information may be "read" by an appropriate processing device.
  • the term "computer-readable" may not be limited to the historical usage of "computer" to imply a complete mainframe, mini-computer, desktop or even laptop computer.
  • "computer-readable" may comprise a storage medium that may be readable by a processor, a processing device, or any computing system.
  • Such media may be any available media that may be locally and/or remotely accessible by a computer or a processor, and may include volatile and non-volatile media, and removable and non-removable media, or any combination thereof.
  • a program stored in a computer-readable storage medium may comprise a computer program product.
  • a storage medium may be used as a convenient means to store or transport a computer program.
  • the operations may be described as various interconnected or coupled functional blocks or diagrams. However, there may be cases where these functional blocks or diagrams may be equivalently aggregated into a single logic device, program or operation with unclear boundaries.

Abstract

This application discloses a computing system to process rules defining access privileges for product data stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data. The computing system can identify session parameters corresponding to user characteristics in an organization for a plurality of users, and correlate the accessor parameters for the product data to the session parameters for the users, which can partition a parameter space of the session parameters for the plurality of the users. The computing system can selectively evaluate the access privileges to the product data for at least one of the users by selecting one of the users in each partition, evaluating the access privileges to the product data using the session parameters of the selected users, and skipping evaluation of the access privileges to the product data using the session parameters of non-selected users.

Description

USER CREDENTIAL PARAMETER SPACE PARTITIONING IN A RULE BASED ACCESS CONTROL SYSTEM
TECHNICAL FIELD
[0001] This application is generally related to access control management and, more specifically, to rule-based access control management with parameter space partitioning.
BACKGROUND
[0002] Many product data management (PDM) systems utilize relational databases to store product data, for example, based on a relational model using a Structured Query Language (SQL) for querying and maintaining the relational databases. Many of these product data management systems also include access management systems to grant and restrict user access to the product data stored in the relational databases. The access management systems typically utilize an authentication process in which users log into the product data management systems, for example, through a credential challenge process, and then selectively grant or restrict user access to product data based on the characteristics of the user, such as groups, roles, project, or the like associated with the user.
[0003] Some access management systems can utilize a complex rule-based access management scheme that processes hierarchical rule trees against session parameters corresponding to the user characteristics to selectively grant users privileges associated with corresponding instances of product data stored in the product data management systems. The hierarchical rule trees can include a set of rules arranged in a hierarchical format, with each of the rules having a corresponding access control list (ACL) identifying users or types of users that can be granted access to the product data associated with the hierarchical rule tree. For example, when a user requests access to an instance of product data stored in the product data management system, the access management system can process the hierarchical rule trees by determining which rules to evaluate based on rule applicability to the use case or instance data and then process the corresponding access control list to evaluate the rules against the session parameters of the user to determine whether to selectively grant access privileges for the user to the instance of product data.
[0004] Since processing hierarchical rule trees dynamically can be a time-consuming and resource-intensive process, some access management systems can generate expressions from the hierarchical rule trees, which can correspond to a function that receives the session parameters of users as input and identifies access privileges to associated product data. The access management system can determine access privileges to product data by evaluating the expression using the session parameters as input rather than processing the hierarchical rule tree corresponding to the product data. While evaluating the expressions can allow the access management system to selectively grant the user access privileges to the instance of product data, changes in user characteristics or in the rule trees can often render the expressions stale.
[0005] Some product data management systems can include diagnostic systems to test the hierarchical rule trees and the corresponding expressions to validate that the access management systems accurately grant access privileges to authorized users. Given the complexity of the session parameters, the hierarchical rule trees, access control lists, and the number of instances of product data stored in the product data management system, exhaustive testing by the diagnostic systems is often impractical, leaving the diagnostic systems to perform non-exhaustive testing of the hierarchical rule trees and the corresponding expressions.
SUMMARY
[0006] This application discloses a computing system to process rules defining access privileges for product data of an organization stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data. The computing system can identify session parameters for a plurality of users. The session parameters can correspond to user characteristics in the organization. The computing system can correlate the accessor parameters for the product data to the session parameters for the plurality of users, which can partition a parameter space of the session parameters for the plurality of the users. The computing system can selectively evaluate the access privileges to the product data for at least one of the users by selecting one of the users in each partition, evaluating the access privileges to the product data using the session parameters of the selected users, and skipping evaluation of the access privileges to the product data using the session parameters of non-selected users. Embodiments will be described below in greater detail.
DESCRIPTION OF THE DRAWINGS
[0007] Figure 1 illustrates an example distributed database system to implement a product data management environment according to various embodiments.
[0008] Figures 2 and 3 illustrate an example of a computer system of the type that may be used to implement various embodiments of the distributed database system.
[0009] Figure 4 illustrates an example of a rule-based access management diagnostic system to perform validation of an access management system in a product data management system according to various embodiments.
[0010] Figure 5 illustrates an example flowchart for implementing rule-based access management diagnostics according to various embodiments.
[0011] Figures 6A-6C illustrate an example of parameter space partitioning using a hierarchical rule tree having rules that reference access control lists according to various embodiments.
DETAILED DESCRIPTION
Illustrative Operating Environment
[0012] Figure 1 illustrates an example distributed database system 100 to implement a product data management environment according to various embodiments of the invention. Referring to Figure 1, the distributed database system 100 includes a server-side, for example, a product data management system 110, and a client-side, for example, a client system 120, which can communicate with each other over a network 130. The server-side can include the server system 111 to implement the product data management environment for the client-side of the distributed database system 100. In some embodiments, the server system 111 can include multiple servers 112-1 to 112-N or other processing devices capable of implementing the product data management environment for the client system 120. The servers 112-1 to 112-N can access a memory system 113, for example, including one or more relational databases, storing product data.
[0013] The client-side, for example, a client system 120, can include multiple client devices 122-1 to 122-M, such as computers, laptops, workstations, tablets, handsets, or other processing devices, which can communicate with the server system 111 directly or through a network 130. The network 130 can include one or more packet-switched networks, one or more circuit-switched networks, a combination of both, or the like, which can exchange communication between the server-side and the client-side over wired, wireless, cellular, or any other transmission medium.
[0014] The client devices 122-1 to 122-M can request access to the product data management system 110 directly or over the network 130. At least one of the servers 112-1 to 112-N in the product data management system 110 can implement an access management system 114 to authenticate credentials associated with users of the client devices 122-1 to 122-M and to selectively grant access privileges to product data stored in the memory system 130. In some embodiments, the access management system 114 can utilize the credentials associated with users of the client devices 122-1 to 122-M to determine a set of session parameters corresponding to the user, such as a user parameter that identifies the user, at least one group parameter that correlates the user to one or more groups of users, at least one role parameter that correlates the user to one or more roles held by users, at least one project parameter that correlates the user to one or more projects in the organization, or the like.
[0015] The access management system 114 can implement a complex rule-based access management scheme, for example, that processes hierarchical rule trees against the session parameters, to selectively grant users access privileges associated with corresponding instances of product data in the memory system 130. The hierarchical rule trees can include a set of rules arranged in a hierarchical format. Each of the rules can have a corresponding access control list (ACL), which can include a list of users or types of users that can be granted access to the product data associated with the hierarchical rule tree. Since processing hierarchical rule trees dynamically can be a time-consuming and resource-intensive process, in some embodiments, the access management system 114 can generate expressions from the hierarchical rule trees, which can correspond to a function that uses the session parameters to identify access privileges to associated product data. For example, the access management system 114 can utilize the session parameters determined from the user credentials to determine access privileges to product data by evaluating the expression using the session parameters as input rather than processing the hierarchical rule tree corresponding to the product data.
[0016] Figures 2 and 3 illustrate an example of a computer system that may implement various embodiments of the distributed database system. Referring to Figures 2 and 3, various examples may be implemented through the execution of software instructions by a computing device 201, such as a programmable computer. Accordingly, Figure 2 shows an illustrative example of a computing device 201. As seen in this figure, the computing device 201 includes a computing unit 203 with a processing unit 205 and a system memory 207. The processing unit 205 may be any type of programmable electronic device for executing software instructions, but will conventionally be a microprocessor. The system memory 207 may include both a read-only memory (ROM) 209 and a random access memory (RAM) 211. As will be appreciated by those of ordinary skill in the art, both the read-only memory (ROM) 209 and the random access memory (RAM) 211 may store software instructions for execution by the processing unit 205.
[0017] The processing unit 205 and the system memory 207 are connected, either directly or indirectly, through a bus 213 or alternate communication structure, to one or more peripheral devices 215-223. For example, the processing unit 205 or the system memory 207 may be directly or indirectly connected to one or more additional memory storage devices, such as a hard disk drive 217, which can be magnetic and/or removable, a removable optical disk drive 219, and/or a flash memory card. The processing unit 205 and the system memory 207 also may be directly or indirectly connected to one or more input devices 221 and one or more output devices 223. The input devices 221 may include, for example, a keyboard, a pointing device (such as a mouse, touchpad, stylus, trackball, or joystick), a scanner, a camera, and a microphone. The output devices 223 may include, for example, a monitor display, a printer and speakers. With various examples of the computing device 201, one or more of the peripheral devices 215-223 may be internally housed with the computing unit 203. Alternately, one or more of the peripheral devices 215-223 may be external to the housing for the computing unit 203 and connected to the bus 213 through, for example, a Universal Serial Bus (USB) connection.
[0018] With some implementations, the computing unit 203 may be directly or indirectly connected to a network interface 215 for communicating with other devices making up a network. The network interface 215 can translate data and control signals from the computing unit 203 into network messages according to one or more communication protocols, such as the transmission control protocol (TCP) and the Internet protocol (IP). Also, the network interface 215 may employ any suitable connection agent (or combination of agents) for connecting to a network, including, for example, a wireless transceiver, a modem, or an Ethernet connection. Such network interfaces and protocols are well known in the art, and thus will not be discussed here in more detail.
[0019] It should be appreciated that the computing device 201 is illustrated as an example only, and is not intended to be limiting. Various embodiments may be implemented using one or more computing devices that include the components of the computing device 201 illustrated in Figure 2, which include only a subset of the components illustrated in Figure 2, or which include an alternate combination of components, including components that are not shown in Figure 2. For example, various embodiments may be implemented using a multi-processor computer, a plurality of single and/or multiprocessor computers arranged into a network, or some combination of both.
[0020] With some implementations, the processor unit 205 can have more than one processor core. Accordingly, Figure 3 illustrates an example of a multi-core processor unit 205 that may be employed with various embodiments. As seen in this figure, the processor unit 205 includes a plurality of processor cores 301A and 301B. Each processor core 301A and 301B includes a computing engine 303A and 303B, respectively, and a memory cache 305A and 305B, respectively. As known to those of ordinary skill in the art, a computing engine 303A and 303B can include logic devices for performing various computing functions, such as fetching software instructions and then performing the actions specified in the fetched instructions. These actions may include, for example, adding, subtracting, multiplying, and comparing numbers, performing logical operations such as AND, OR, NOR and XOR, and retrieving data. Each computing engine 303A and 303B may then use its corresponding memory cache 305A and 305B, respectively, to quickly store and retrieve data and/or instructions for execution.
[0021] Each processor core 301A and 301B is connected to an interconnect 307. The particular construction of the interconnect 307 may vary depending upon the architecture of the processor unit 205. With some processor cores 301A and 301B, such as the Cell microprocessor created by Sony Corporation, Toshiba Corporation and IBM Corporation, the interconnect 307 may be implemented as an interconnect bus. With other processor units 301A and 301B, however, such as the Opteron™ and Athlon™ dual-core processors available from Advanced Micro Devices of Sunnyvale, California, the interconnect 307 may be implemented as a system request interface device. In any case, the processor cores 301A and 301B communicate through the interconnect 307 with an input/output interface 309 and a memory controller 310. The input/output interface 309 provides a communication interface to the bus 213. Similarly, the memory controller 310 controls the exchange of information to the system memory 207. With some implementations, the processor unit 205 may include additional components, such as a high-level cache memory shared by the processor cores 301A and 301B. It also should be appreciated that the description of the computer network illustrated in Figure 2 and Figure 3 is provided as an example only, and is not intended to suggest any limitation as to the scope of use or functionality of alternate embodiments.
Rule-Based Access Control Management With Parameter Space Partitioning
[0022] Figure 4 illustrates an example of a rule-based access management diagnostic system 410 to perform validation of an access management system 402 in a product data management (PDM) system 400 according to various embodiments. Figure 5 illustrates an example flowchart for implementing rule-based access management diagnostics according to various embodiments. Referring to Figures 4 and 5, the product data management system 400 can manage product data 401 stored in a memory system 404. The product data 401 managed by the product data management system 400 can correspond to design data for a product, verification results for the design data, a bill of materials (BOM) for the product, organization data, or the like.
[0023] The product data management system 400, in some embodiments, can correspond to a relational database management system (RDBMS) and the memory system 404 can utilize a relational database to store the product data 401 based on a relational model, for example, using a Structured Query Language (SQL) for querying and maintaining the relational database. The memory system 404 utilizing the relational database can utilize the relational model to organize data into tables having a row-column format, with each row having a key or an identifier. The columns of the tables can store data corresponding to the identifier and, in some embodiments, can include identifiers corresponding to one or more of the other tables. By including the identifiers from the other tables, the relational database can link rows of one table to rows of the other tables, allowing the relational database to nest stored data based on the relational model.
[0024] The product data management system 400 can include an access management system 402 to manage access to the product data 401 stored in the memory system 404 by the product data management system 400. Similar to the access management system 114 described above with reference to Figure 1, the access management system 402 can authenticate users of the product data management system 400, for example, by performing a credential challenge. The access management system 402 can utilize a rule-based access management scheme to selectively grant users access privileges associated with corresponding instances of the product data 401 in the memory system 404. In some embodiments, the access management system 402 can utilize the complex rule-based access management scheme by processing hierarchical rule trees against session parameters of the authenticated users. The hierarchical rule trees can include a set of rules 405 arranged in a hierarchical format. Each of the rules 405 can have a corresponding access control list (ACL), which can include a list of users or types of users that can be granted access to the product data associated with the hierarchical rule tree.
[0025] A rule-based access management diagnostic system 410 can be utilized to categorize, test, validate, or the like, the rule-based access management scheme utilized by the access management system 402.
[0026] The rule-based access management diagnostic system 410 can receive an organization structure file 403 from the product data management system 400, which can include a listing of users and their associated characteristics within the organization employing the product data management system 400. For example, the organization structure file 403 can identify the users, groups the users belong to within the organization, roles the users have in the organization, projects associated with the users, or the like.
[0027] The rule-based access management diagnostic system 410 can include a session identification system 412 that, in a block 501 of Figure 5, can identify session parameters for a plurality of users of a product data management system 400. In some embodiments, the session identification system 412 can parse the organization structure file 403 to identify the users of the product data management system 400 and their corresponding user characteristics. The session identification system 412, for each user, can determine a set of session parameters corresponding to the user characteristics from the organization structure file 403. The session parameters, in some embodiments, can include at least one of a user parameter that identifies a user, a group parameter that correlates the user to the plurality of the users, a role parameter that correlates the user to a role in the organization, or a project parameter that correlates the user to a project in the organization.
[0028] The rule-based access management diagnostic system 410 also can receive the rules 405 and associated access control lists from the product data management system 400. In some embodiments, the product data management system 400 can provide the rule-based access management diagnostic system 410 with the hierarchical rule trees that include the rules 405 arranged in a hierarchical format along with the access control lists referenced by the rules 405.
[0029] The rule-based access management diagnostic system 410 can include a rule processing system 414 that, in a block 501 of Figure 5, can process the rules 405 defining access privileges for the product data 401 stored in a product data management system 405. In some embodiments, the rule processing system 414 can traverse hierarchical rule trees having the rules 405 to determine which of the rules 405 catch the session parameters of at least one user and, for the rules 405 that catch, identify one or more access control lists referenced within the rules 405.
[0030] The rule processing system 414, in a block 502 of Figure 5, can determine accessor parameters capable of satisfying the rules 405 for accessing the product data 401 based on the processing of the rules 405. In some embodiments, the rule processing system 414 can analyze the access control lists corresponding to the rules that catch to identify which characteristics of users or user parameters can be granted access privileges to the instances of the product data 401 based on the contents of the access control lists. The rule processing system 414 can set the accessor parameters for each instance of the product data 401 based on the identification. In some embodiments, the rule processing system 414 can generate a string of accessor parameter identifiers, such as a read expression, that can be utilized to determine which sets of session parameters can access the product data 401. An example hierarchical rule tree, access control lists, and identifying accessor parameters will be described below with reference to Figures 6A and 6B.
[0031] Figures 6A and 6B illustrate an example hierarchical rule tree 600 having rules 601-606 that reference access control lists 610 according to various embodiments. Referring to Figures 6A and 6B, the hierarchical rule tree 600 can have a plurality of rules 601-606 arranged in a hierarchical format. A graphical representation of the hierarchical rule tree 600 can include multiple nodes or vertices representing the rules 601-606, which can be coupled using paths or lines to describe the respective dependencies between the rules 601-606. The hierarchical rule tree 600 also can be described in a table-format with each row corresponding to a different rule 601-606 in the hierarchical rule tree 600 and the order and indention of the row corresponding to the respective dependencies between the rules 601-606.
[0032] Each of the rules 601-606 in the hierarchical rule tree 600 can include a condition and a reference to an access control list. During evaluation of the hierarchical tree 600, session parameters of users can be compared to the conditions in the rules 601-606 to determine which of the rules 601-606 catch or have their condition satisfied by the session parameters. When any of the rules 601-606 catch, the access control lists 610 referenced in the caught rules can be accessed and evaluated to determine access privileges to product data for the user with the session parameters. In the instant example, the rule 601 can reference an item access control list 611, the rule 602 can reference a classification access control list 612, and the rule 603 can reference a project access control list 613.
[0033] The access control lists 610 can each include a parameter list and corresponding access privileges that apply to session parameters matching to the corresponding entry in the parameter list. For example, the item access control list 611 can have a parameter list including an owning group having a corresponding grant access privilege and no permission group having a corresponding deny access privilege. The classification access control list 612 can have a parameter list including an owning user having a corresponding grant access privilege and world having a corresponding deny access privilege. The project access control list 613 can have a parameter list including a project team (PRJ1) having a corresponding grant access privilege, a role in project team having a corresponding grant access privilege, and world having a corresponding deny access privilege.
[0034] Referring back to Figures 4 and 5, the rule-based access management diagnostic system 410 can include a parameter space partitioning system 416 that, in a block 504 of Figure 5, can correlate the accessor parameters for the product data 401 to the session parameters for the plurality of users. In some embodiments, the parameter space partitioning system 416 can perform a string comparison function that compares different portions of the session parameters to the accessor parameters to identify subsets of the session parameters that match the accessor parameters for an instance of the product data 401.
[0035] The parameter space partitioning system 416, in a block 505 of Figure 5, can partition a parameter space of the session parameters for the plurality of the users based on the correlation. The parameter space can correspond to the different subsets of the session parameters across the different users in the organization capable of being granted access privileges to an instance of the product data 401. The parameter space partitioning system 416 can divide the parameter space by identifying the different subsets of the session parameters held by one or more users that are capable of being granted access privileges to an instance of the product data 401. In some embodiments, the parameter space partitioning system 416 can generate a table including entries, each identifying one of the subsets of the session parameters and a corresponding instance of the product data 401 accessible using the identified subset. Since different users may have the same subsets of the session parameters for an instance of the product data 401, the parameter space partitioning system 416 can selectively populate the table with non-redundant new entries. Embodiments of partitioning of the parameter space will be described below with reference to Figure 6C.
[0036] Figure 6C illustrates an example of parameter space partitioning using a hierarchical rule tree 600 having rules 601-606 that reference access control lists 610 according to various embodiments. Referring to Figure 6C, the parameter space 620 for an instance of product data can include three primary subsets of session parameters: owning group 621 from item access control list 611 of Figure 6B, owning user 622 from classification access control list 612 of Figure 6B, and project team 623 from the project access control list 613 of Figure 6B. The intersections 624-627 of the primary subsets of the session parameters can correspond to other subsets of session parameters within the parameter space 620. For example, intersection 624 can correspond to a combination of owning group 621 and owning user 622, intersection 625 can correspond to a combination of owning user 622 and project team 623, intersection 626 can correspond to a combination of owning group 621 and project team 623, and intersection 627 can correspond to a combination of owning group 621, owning user 622, and project team 623. Each of the subsets of the session parameters 621-627 can have a same access control behavior and can be correlated to the session parameters of one or more users of a product data management system. By selecting one user for each of these different partitions of the parameter space 620 as representative of the access control behavior for the partition, subsequent evaluation of the hierarchical rule tree 600 and access control lists 610 can be reduced by eliminating redundant evaluation for users having the same subsets of session parameters that trigger the corresponding access privileges.
[0037] Referring back to Figures 4 and 5, the rule-based access management diagnostic system 410 can include a rule evaluation system 418 that, in a block 506 of Figure 5, can select at least one user associated with each partition of the parameter space and, in a block 507 of Figure 5, can evaluate the access privileges to the product data 401 using the session parameters of the selected users. In some embodiments, the rule evaluation system 418 can perform the user selection and the access privilege evaluation by processing the entries in the table generated by the parameter space partitioning system 416. The access privilege evaluation can correspond to processing the hierarchical rule tree associated with the subsets of the session parameters of the selected user or the table entry to validate the accuracy of the hierarchical rule trees, any access expressions generated from the hierarchical rule trees, the operation of the logic tree evaluator within the access management system 402, or the like.
[0038] The rule evaluation system 418, in a block 508 of Figure 5, can skip evaluation of the access privileges to the product data using the session parameters of non-selected users. In some embodiments, the parameter space partitioning system 416 can populate the table with unique and non-redundant entries, which can consolidate the users having the same subset of session parameters correlated to accessor parameters. The consolidation of the users through the population of the table can allow the rule evaluation system 418 to evaluate access privileges of one of the consolidated users and avoid having to evaluate the other users having been consolidated through the table entry.

[0039] The system and apparatus described above may use dedicated processor systems, micro controllers, programmable logic devices, microprocessors, or any combination thereof, to perform some or all of the operations described herein. Some of the operations described above may be implemented in software and other operations may be implemented in hardware. Any of the operations, processes, and/or methods described herein may be performed by an apparatus, a device, and/or a system substantially similar to those as described herein and with reference to the illustrated figures.
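The procedure of paragraphs [0036] through [0038], as an added example written for this page and not code from the patent or from Siemens Industry Software: a toy rule tree whose rules reference access control lists, the partitioning of users by which accessor parameters (owning group, owning user, project team) their session satisfies, full evaluation of one representative per partition, a check of the read expression of claim 4 against the rule tree for that representative, and skipping of the partition's other users. The accessor names, the two-rule tree, the ACL contents, the six users and the item are all constructed assumptions, and `partition_is_sound` is an added brute-force check that the patent does not describe.

```python
# Added example (not code from the patent or Siemens): toy rule tree + ACLs,
# parameter-space partitioning and representative-only evaluation. Constructed data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:                  # session parameters (claim 6)
    user: str
    group: str
    role: str                   # present but not consulted by any rule below
    projects: frozenset

@dataclass(frozen=True)
class Item:                     # one instance of product data
    item_class: str
    owning_user: str
    owning_group: str
    project: str

# Accessor types an ACL entry may name (assumed names) and the session test for each.
ACCESSORS = {
    "owning_user":  lambda s, i: s.user == i.owning_user,
    "owning_group": lambda s, i: s.group == i.owning_group,
    "project_team": lambda s, i: i.project in s.projects,
    "world":        lambda s, i: True,
}

# Constructed rule tree: (name, item condition, ACL). First matching rule's ACL
# applies; an ACL maps accessor -> privileges granted to sessions satisfying it.
RULE_TREE = [
    ("Has Class(Design)", lambda i: i.item_class == "Design", {
        "owning_user":  {"READ", "WRITE", "DELETE"},
        "owning_group": {"READ", "WRITE"},
        "project_team": {"READ"},
    }),
    ("Has Class(*)", lambda i: True, {"owning_user": {"READ", "WRITE"}, "world": {"READ"}}),
]

def applicable_acl(item):
    for _name, cond, acl in RULE_TREE:
        if cond(item):
            return acl
    raise LookupError("rule tree has no default rule")

def evaluate(session, item):
    """Full logic-tree evaluation: union of privileges of every accessor matched."""
    granted = set()
    for accessor, privs in applicable_acl(item).items():
        if ACCESSORS[accessor](session, item):
            granted |= privs
    return frozenset(granted)

def accessor_parameters(item):
    """Claim 1: accessor parameters capable of satisfying the rules for this item."""
    return tuple(sorted(applicable_acl(item)))

def partition_key(session, item, key=None):
    """Accessor parameters this session satisfies (Fig. 6C regions 621-627)."""
    accessors = accessor_parameters(item) if key is None else key
    return tuple(a for a in accessors if ACCESSORS[a](session, item))

def partition(sessions, item, key=None):
    parts = defaultdict(list)
    for s in sessions:
        parts[partition_key(s, item, key)].append(s)
    return dict(parts)

def read_expression(item):
    """Claim 4: a read predicate derived from the rules, usable without the tree."""
    readers = [a for a, p in applicable_acl(item).items() if "READ" in p]
    return lambda s: any(ACCESSORS[a](s, item) for a in readers)

def diagnose(sessions, item):
    """Blocks 506-508: evaluate one representative per partition, check it against
    the generated read expression, skip the partition's remaining users."""
    expr, report = read_expression(item), {}
    for key, members in partition(sessions, item).items():
        rep, privs = members[0], evaluate(members[0], item)
        report[key] = {"representative": rep.user, "privileges": privs,
                       "read_expr_consistent": expr(rep) == ("READ" in privs),
                       "skipped": [m.user for m in members[1:]]}
    return report

def partition_is_sound(sessions, item, key=None):
    """Brute-force check that each skipped user holds exactly its representative's
    privileges; fails when `key` omits an accessor the applicable ACL uses."""
    for members in partition(sessions, item, key).values():
        rep_privs = evaluate(members[0], item)
        if any(evaluate(m, item) != rep_privs for m in members[1:]):
            return False
    return True

# Constructed population: six users, one Design item owned by alice in group eng.
USERS = [
    Session("alice", "eng", "designer", frozenset({"P1"})),  # owner
    Session("bob",   "eng", "designer", frozenset()),        # group only
    Session("carol", "eng", "designer", frozenset({"P1"})),  # group + project
    Session("dave",  "ops", "viewer",   frozenset({"P1"})),  # project only
    Session("erin",  "ops", "viewer",   frozenset()),        # no accessor
    Session("frank", "eng", "manager",  frozenset()),        # same partition as bob
]
ITEM = Item("Design", "alice", "eng", "P1")
```

With this population `diagnose(USERS, ITEM)` yields five partitions for six users; bob and frank share the owning-group-only partition, so frank is skipped and inherits bob's result. The skip is only safe when the partition key covers every session parameter the applicable rule tree can consult: restricting the key to `("owning_group", "owning_user")` merges dave (project member, READ) with erin (no accessor, nothing), and `partition_is_sound` reports False for that key, which is the check a practitioner should run before trusting representative-only evaluation.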
[0040] The processing device may execute instructions or "code" stored in memory. The memory may store data as well. The processing device may include, but may not be limited to, an analog processor, a digital processor, a microprocessor, a multi-core processor, a processor array, a network processor, or the like. The processing device may be part of an integrated control system or system manager, or may be provided as a portable electronic device configured to interface with a networked system either locally or remotely via wireless transmission.
[0041] The processor memory may be integrated together with the processing device, for example RAM or FLASH memory disposed within an integrated circuit microprocessor or the like. In other examples, the memory may comprise an independent device, such as an external disk drive, a storage array, a portable FLASH key fob, or the like. The memory and processing device may be operatively coupled together, or in communication with each other, for example by an I/O port, a network connection, or the like, and the processing device may read a file stored on the memory. Associated memory may be "read only" by design (ROM) by virtue of permission settings, or not. Other examples of memory may include, but may not be limited to, WORM, EPROM, EEPROM, FLASH, or the like, which may be implemented in solid state semiconductor devices. Other memories may comprise moving parts, such as a known rotating disk drive. All such memories may be "machine-readable" and may be readable by a processing device.
[0042] Operating instructions or commands may be implemented or embodied in tangible forms of stored computer software (also known as "computer program" or "code"). Programs, or code, may be stored in a digital memory and may be read by the processing device. "Computer-readable storage medium" (or alternatively, "machine-readable storage medium") may include all of the foregoing types of memory, as well as new technologies of the future, as long as the memory may be capable of storing digital information in the nature of a computer program or other data, at least temporarily, and as long as the stored information may be "read" by an appropriate processing device. The term "computer-readable" may not be limited to the historical usage of "computer" to imply a complete mainframe, mini-computer, desktop or even laptop computer. Rather, "computer-readable" may comprise storage medium that may be readable by a processor, a processing device, or any computing system. Such media may be any available media that may be locally and/or remotely accessible by a computer or a processor, and may include volatile and non-volatile media, and removable and non-removable media, or any combination thereof.
[0043] A program stored in a computer-readable storage medium may comprise a computer program product. For example, a storage medium may be used as a convenient means to store or transport a computer program. For the sake of convenience, the operations may be described as various interconnected or coupled functional blocks or diagrams. However, there may be cases where these functional blocks or diagrams may be equivalently aggregated into a single logic device, program or operation with unclear boundaries.
Conclusion
[0044] While the application describes specific examples of carrying out embodiments of the invention, those skilled in the art will appreciate that there are numerous variations and permutations of the above described systems and techniques that fall within the spirit and scope of the invention as set forth in the appended claims.
[0045] One of skill in the art will also recognize that the concepts taught herein can be tailored to a particular application in many other ways. In particular, those skilled in the art will recognize that the illustrated examples are but one of many alternative implementations that will become apparent upon reading this disclosure.

[0046] Although the specification may refer to "an", "one", "another", or "some" example(s) in several locations, this does not necessarily mean that each such reference is to the same example(s), or that the feature only applies to a single example.

Claims

1. A method comprising: processing, by a computing system, rules defining access privileges for product data of an organization stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data; identifying, by a computing system, session parameters for a plurality of users of the product data management system, wherein the session parameters correspond to user characteristics in the organization; correlating, by the computing system, the accessor parameters for the product data to the session parameters for the plurality of users; and selectively evaluating, by the computing system, the access privileges to the product data for at least one of the users based, at least in part, on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users.
2. The method of claim 1, wherein correlating the accessor parameters for the product data to the session parameters for the plurality of users further comprises partitioning of a parameter space of the session parameters for the plurality of the users based on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users, and wherein selectively evaluating the access privileges to the product data for at least one of the users further comprises selecting one of the users in each partition and evaluating the access privileges to the product data using the session parameters of the selected users for each partition.
3. The method of claim 2, wherein selectively evaluating the access privileges to the product data for at least one of the users further comprises skipping evaluation of the access privileges to the product data using the session parameters of non-selected users.
4. The method of claim 1, wherein processing the rules defining the access privileges to the product data further comprises generating read expressions from the rules, wherein the read expressions, when evaluated by the computing system with the session parameters, are configured to identify whether at least one of the users having the session parameters is granted access to the product data.
5. The method of claim 4, wherein selectively evaluating the access privileges to the product data for at least one of the users further comprises checking the read expressions against the rules utilized to generate the read expressions for at least one of the users.
6. The method of claim 1, wherein the session parameters include at least one of a user parameter that identifies a user, a group parameter that correlates the user to the plurality of the users, a role parameter that correlates the user to a role in the organization, or a project parameter that correlates the user to a project in the organization.
7. The method of claim 1, wherein the product data management system utilizes a relational database to store the product data in relational tables and the access management system includes hierarchical rule trees populated with the rules having corresponding access control lists defining the access privileges to the product data.
8. A system comprising: a memory device configured to store machine-readable instructions; and a computing system including one or more processing devices, in response to executing the machine-readable instructions, configured to process rules defining access privileges for product data of an organization stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data; identify session parameters for a plurality of users of the product data management system, wherein the session parameters correspond to user characteristics in the organization; correlate the accessor parameters for the product data to the session parameters for the plurality of users; and selectively evaluate the access privileges to the product data for at least one of the users based, at least in part, on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users.
9. The system of claim 8, wherein the one or more processing devices, in response to executing the machine-readable instructions, are further configured to: correlate the accessor parameters for the product data to the session parameters for the plurality of users by partitioning a parameter space of the session parameters for the plurality of the users based on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users; and selectively evaluate the access privileges to the product data for at least one of the users by selecting one of the users in each partition and evaluating the access privileges to the product data using the session parameters of the selected users.
10. The system of claim 9, wherein the one or more processing devices, in response to executing the machine-readable instructions, are further configured to selectively evaluate the access privileges to the product data for at least one of the users by skipping evaluation of the access privileges to the product data using the session parameters of non-selected users.
11. The system of claim 8, wherein the one or more processing devices, in response to executing the machine-readable instructions, are further configured to process the rules defining the access privileges to the product data by generating read expressions from the rules, and wherein the read expressions, when evaluated by the computing system with the session parameters, are configured to identify whether at least one of the users having the session parameters is granted access to the product data.
12. The system of claim 11, wherein the one or more processing devices, in response to executing the machine-readable instructions, are further configured to selectively evaluate the access privileges to the product data for at least one of the users by checking the read expressions against the rules utilized to generate the read expressions for at least one of the users.
13. The system of claim 8, wherein the session parameters include at least one of a user parameter that identifies a user, a group parameter that correlates the user to the plurality of the users, a role parameter that correlates the user to a role in the organization, or a project parameter that correlates the user to a project in the organization.
14. An apparatus comprising at least one computer-readable memory device storing instructions configured to cause one or more processing devices to perform operations comprising: processing rules defining access privileges for product data of an organization stored in a product data management system, which identifies accessor parameters capable of satisfying the rules for accessing the product data; identifying session parameters for a plurality of users of the product data management system, wherein the session parameters correspond to user characteristics in the organization; correlating the accessor parameters for the product data to the session parameters for the plurality of users; and selectively evaluating the access privileges to the product data for at least one of the users based, at least in part, on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users.
15. The apparatus of claim 14, wherein the instructions are configured to cause the one or more processing devices to perform operations further comprising correlating the accessor parameters for the product data to the session parameters for the plurality of users by partitioning a parameter space of the session parameters for the plurality of the users based on the correlation of the accessor parameters for the product data to the values of the session parameters for the plurality of users; and selectively evaluating the access privileges to the product data for at least one of the users by selecting one of the users in each partition and evaluating the access privileges to the product data using the session parameters of the selected users.
16. The apparatus of claim 15, wherein the instructions are configured to cause the one or more processing devices to perform operations further comprising selectively evaluating the access privileges to the product data for at least one of the users by skipping evaluation of the access privileges to the product data using the session parameters of nonselected users.
17. The apparatus of claim 14, wherein the instructions are configured to cause the one or more processing devices to perform operations further comprising processing the rules defining the access privileges to the product data by generating read expressions from the rules, wherein the read expressions, when evaluated by the computing system with the session parameters, are configured to identify whether at least one of the users having the session parameters is granted access to the product data.
18. The apparatus of claim 17, wherein the instructions are configured to cause the one or more processing devices to perform operations further comprising selectively evaluating the access privileges to the product data for at least one of the users by checking the read expressions against the rules utilized to generate the read expressions for at least one of the users.
19. The apparatus of claim 14, wherein the session parameters include at least one of a user parameter that identifies a user, a group parameter that correlates the user to the plurality of the users, a role parameter that correlates the user to a role in the organization, or a project parameter that correlates the user to a project in the organization.
20. The apparatus of claim 14, wherein the product data management system utilizes a relational database to store the product data in relational tables and the access management system includes hierarchical rule trees populated with the rules having corresponding access control lists defining the access privileges to the product data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2022/077249 WO2024072452A1 (en) 2022-09-29 2022-09-29 User credential parameter space partitioning in a rule based access control system

Publications (1)

Publication Number Publication Date
WO2024072452A1 true WO2024072452A1 (en) 2024-04-04

Family

ID=83996628


Country Status (1)

Country Link
WO (1) WO2024072452A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014115901A (en) * 2012-12-11 2014-06-26 Nippon Telegr & Teleph Corp <Ntt> Data access control device and method
EP2953051A1 (en) * 2013-01-31 2015-12-09 NEC Corporation Network system
CN114116609A (en) * 2020-08-28 2022-03-01 山东爱城市网信息技术有限公司 Space authority management method, device and medium based on IPFS
