CN1530792A - Method and system for preventing electronic data object from unauthorized access - Google Patents

Info

Publication number: CN1530792A
Application number: CNA2004100397120A
Authority: CN (China)
Prior art keywords: data object, access, data, access rights, identification
Legal status: Granted; current status Expired - Fee Related (Google's legal-status and priority-date fields are assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN100449450C (en)
Inventors: 德特莱夫·贝克尔, 卡尔海因茨·多恩, 伊凡·墨菲, 格哈德·蒙妮赫, 托马斯·波利
Current assignee: Siemens AG (assignee listings may be inaccurate)
Original assignee: Siemens AG
Events: application filed by Siemens AG; publication of CN1530792A; application granted; publication of CN100449450C; anticipated expiration.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6236 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, between heterogeneous systems
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention concerns a method and a data processing system for protecting an electronic data object from unauthorized access. In the method, a) in a first step, a data object identifier is generated depending on the content of the data object; b) in a further step, an access right is determined depending on the data object identifier; and c) in a last step, access to the data object is allowed depending on the access right. The data processing system comprises a data processing device and an access control module. Via the access control module, a data object identifier can be generated depending on the content of a data object, and an access right can be determined depending on the data object identifier. The access right can comprise standard rights such as 'Read' or 'Write' as well as an 'Execute' right for executing specific functionalities.

Description

Method and system for protecting electronic data objects from unauthorized access
Technical Field
The present invention relates to a method for protecting electronic data objects against unauthorized access, to a data processing system implementing the method, and to a storage medium on which information for implementing the method on a data processing apparatus is stored.
Background
The increasing use of electronic data objects calls for ever more intelligent mechanisms for protecting them from unauthorized access. A data object can be, for example, a single file, a file system, or a file structure used to store information. Protection of data objects is particularly important at workplaces that are used by several people and from which confidential information can be retrieved. Such information arises, among other places, in medical work environments, in laboratories, in research and development, and in work environments where population statistics are processed. In general, information about individuals requires special protective measures.
A well-known protection mechanism is based on the encryption of data objects. However, encrypting and decrypting data objects takes a great deal of time, especially for large data objects, and is therefore impractical in a working environment that must be operationally efficient and economical. Moreover, operating a sufficiently reliable key management system for the encryption represents considerable expense. In particular, changes to the encryption system can only be applied to the data inventory itself, not to other copies of the data object (for example on data carriers or mobile workstations).
In addition, encryption-based protection of data objects offers no protection against deletion of the data objects and does not allow differentiated assignment of access rights, such as distinguishing read, write or delete access. In the case of asymmetric encryption methods in particular, all recipients must already be known at the time of encryption, since the public key of each recipient must be taken into account.
It is also known to protect data objects at the operating system level, where the scope of data access is predefined by the authorization of the user logged on to the operating system. The scope of data access rights is determined by so-called Access Control Lists (ACLs), which the operating system assigns to each data object in the file system. The user-dependent access rights specific to the respective operating system are listed in the ACL of each data object.
However, ACLs have so far been part of the operating system or file system rather than of the data objects themselves. They are only copied (i.e., inherited) together with a data object when it is copied within the file system, and are not available when the object is copied outside the respective file system; the way an ACL is tied to the operating system makes this impossible. Furthermore, changes to the access rights of a data object that exists in multiple copies within the file system cannot be made centrally, since they are not automatically transferred to the copies of the data object.
Furthermore, it is desirable to restrict specific functions not only to specific users but also with respect to the data to be processed, for example in a medical system in an outpatient setting or in a personnel or financial management system. This makes it possible, for example, in an outpatient setting to configure a particular case so that only the attending physician has complete access to that patient's private data, while all physicians have access to the data of all other patients. In addition, data types such as laboratory reports can be distinguished, for which in principle only laboratory personnel should have processing rights, while other hospital personnel only need read rights. Similar differentiation is also of interest in other work environments such as banking or human resources management.
Typically, a combination of "create", "read", "update" and "delete" rights (the so-called standard rights) is granted to a user depending on the user and on the current system or domain. Functional rights, referred to as "execute" rights, are granted only within an application by the application itself, depending on the type or content of the data. The "execute" right determines whether a particular function, such as an image processing operation, the evaluation of a data set, or a diagnosis in an electronic patient record, may be performed. The assignment of standard rights to a user is independent of the data-dependent assignment of "execute" rights to functionality. The data-dependent assignment of "execute" rights is in turn application-dependent and may therefore, undesirably, be handled differently by different applications in different domains.
A particular problem with conventional access control is the copying of data objects, for example by e-mail or by transfer on portable storage media, which occurs in uncontrollable numbers and to an uncontrollable extent. As a result, it is not possible to change the access rights afterwards from a central location for copies, or modified copies, that share the same content. Conventional control mechanisms therefore cannot cover all data objects, since neither the number of data objects nor their locations are known.
Disclosure of Invention
The object of the invention is to provide a method and a data processing system for granting access rights to electronic data objects that store information, such that the access rights to the data objects, including all of their copies, can be changed from a central location.
The present invention solves the above-mentioned technical problem by a method, a data processing system and a storage medium.
The basic idea of the invention is a method for protecting electronic data objects that store information against unauthorized access, wherein in a first step an electronic data object identification is generated on the basis of the content of the data object, in a next step access rights are determined on the basis of the data object identification, and in a last step access to the data object is allowed on the basis of the access rights. A data object is understood here to mean a file, an object made up of one or more files, or a file or directory structure. Access rights are understood to include both standard rights and functional "execute" rights; that is, the standard rights are supplemented by freely definable access rights.
The central element of this idea is the use of a data object identification that depends on the content of the data object. Access rights can thus be determined starting from the data object itself. The content of a data object that is relevant for determining the access rights is copied, i.e. inherited, whenever the object is copied, since it is part of the content itself; every copy of the data object therefore contains the information required for determining the access rights. The assignment between access rights and data object identifications, according to which access is allowed, can be stored centrally, for example in the form of a table, and can be changed, so that changes to this assignment automatically take effect for all copies of the data objects. The access rights can thus be changed from the central location at any time, independently of, and even without knowledge of, the number and location of the copies. Here, access rights include all standard rights and "execute" rights valid for the data object.
A further basic idea of the invention is a data processing system comprising a data processing apparatus with access to electronic data objects and an access control module, by means of which an electronic data object identification can be generated on the basis of the content of a data object, access rights can be determined on the basis of the data object identification, and access to the data object can be granted on the basis of the access rights. The access control module makes it possible to grant access rights to data objects on the basis of the information contained in the data objects themselves. Since the content of a data object is copied along with it, access rights are granted consistently for the data object and for all of its copies from a central location, independently of where the copies are stored. Access rights are again understood to mean all standard rights and "execute" rights valid for a data object.
In a preferred embodiment of the invention, the data object identification is generated automatically from information stored in the data object. For example, the data object identification is composed of the stored name of the person, the date of birth, and the type of content (e.g., image or text). This yields data object identifications that carry information about the content of the data objects, so that the data objects can be systematically classified and categorized according to their identifications. Such identifications can also be used to assign access rights systematically to whole classes of data objects, for example if all data objects of a particular kind (all laboratory reports, research results, diagnostic findings or billing data) are to receive the same access rights.
In a further preferred embodiment, an electronic identifier stored in the data object serves as the data object identification. It is then sufficient to generate the data object identification as a copy of the identifier stored in the object; in other words, the identification only needs to be read from the data object. Generating the data object identification as a direct copy of an identifier contained in the object also reduces the opportunity for tampering, since no separate, manipulable step is needed to derive the identification indirectly from the content of the object, for example by composing it from the stored name and date of birth of a person.
A further preferred embodiment provides that the method is implemented on a data processing system comprising an access rights module in which the assignment of user identifications to access rights can be stored, with the access control module determining the access rights by accessing the access rights module. A module is understood here as an electronic service in any of several forms, such as a server, an electronic library, or a process running on a computer. The access rights module thus forms a modular component of the data processing system that can be positioned centrally at a flexible location, which allows access rights to be changed from a central location. By means of the access rights module, which serves as the central rights store, access rights categories are defined within which particular access rights, for example the right to read, write, delete, copy, or execute a functionality, are assigned to particular user identifications. A user identification here includes both individual and group identifications.
A further preferred embodiment is characterized in that the data processing system comprises a data object classification module in which the assignment of data object identifications to access rights categories can be stored, and an access control module that determines the access rights by accessing the data object classification module. As above, a module is understood as an electronic service in any of several forms, such as a server, an electronic library, or a process running on a computer. The data object classification module allows the assignment between data object identifications and access rights categories to be defined and altered. By changing the data object classification module, a data object identification can be assigned to a different access rights category, and thus its rights changed, from a central location.
The invention has the advantage that all data objects and all of their copies are protected consistently. That is, as long as a user is within the data processing system, the user has the same access rights to each data object and to each of its copies, independently of where the data object is accessed and where it is stored. Such a data processing system may be a network of several machines with flexible access possibilities. Appropriate device access rights ensure that a data object does not leave the security domain.
The invention also has the advantage that a user's access rights to a data object can be determined without the data object itself; knowing the data object identification is sufficient. This is straightforward if the data object identification is derived systematically from the content of the data object or from other information relating to it. It is then sufficient to know the system information (for example the four identifying items of a patient and the current case within a workflow) in order to determine the access rights to the corresponding data objects. Access rights to data objects that can be assigned to a particular system class can thus be determined independently of where they are located.
A further advantage of the invention is that data objects can be transferred within the security domain independently of the data transfer protocol or operating system. It is sufficient to ensure the integrity of the data object during transmission, so that the data object identification required for determining the access rights can also be generated from the copy of the data object.
Preserving the information from which the data object identification is generated also enables a controlled transfer of a data object from one security domain to another. This allows the access rights to be changed automatically without changing the content of the data object. Such distinct security domains are particularly useful in workflow systems in which data objects are passed from one department to the next. In a medical environment, for example, different access rights can be granted for patient admission, the radiology department and prescribing by representing each workflow step as its own security domain. To this end, different access rights and data object classifications are configured in the different security domains, so that domain-dependent access rights are produced in a predetermined manner. In addition, different user groups can be provided where necessary, so that in particular different group attributes can be formed.
It is a particular advantage of the invention that the data object identification can be generated from the content stored in the data object, so that access rights can also be set according to the content. If the data object is changed, as may happen when information is processed in the course of a task and stored, changed access rights result automatically. For example, access by a particular class of people can be prohibited automatically once confidential information about a person has been added to the data object.
Drawings
The embodiments are further described with reference to the accompanying drawings, in which:
FIG. 1 shows a data processing system for implementing the invention,
FIG. 2 shows the schematic structure of the internal logical layers of the data processing system, and
FIG. 3 shows the method steps of the invention.
Detailed Description
A data processing system for implementing the invention is shown in FIG. 1. The system comprises a data processing apparatus 1 with a display 3 and a keyboard 5, through which electronic data objects can be accessed. The accessible data objects are located in the application memory 9. Access to data objects in the application memory 9 is controlled by the access control module 7.
The access control module 7 works independently of the access control mechanism of the operating system (for example file-specific, user-dependent ACLs). In a preferred embodiment it is designed as an additional program layer (a data access layer) and can be attached to the data bus of the data processing apparatus 1 as a modular hardware component. It can, however, also be implemented within the data processing apparatus 1 purely as a software layer. The access control module 7 controls all data accesses to the data objects under its control, for example deletion, copying, creation, editing or execution of functions, that is, all data accesses to data objects within the security domain. Other data objects, for example applications or public, unsecured data objects, can of course also be stored in the data memory 9 and accessed by the data processing apparatus 1 independently of the access control module 7, i.e. outside the security domain.
The user is usually required to log in when the operating system of the data processing apparatus 1 is started; the user must be identified and authenticated before accessing data. Such authentication comprises both identifying the user and authorizing the user to access data. To identify the user, a security query is provided in which, for example, a user identification and a password must be entered via the keyboard 5. In this sense, any kind of input device may act as an identification device 6. In a particularly preferred embodiment, the identification device 6 (for example a chip card reader) automatically queries a fingerprint or iris pattern that uniquely identifies the user. Although access control by the access control module 7 is independent of the user's login to the operating system, the identification of the user can also be reused for it; for this purpose the user can use the same identification method via the keyboard 5 or the identification device 6.
An essential element of the invention is that a unique data object identification can be generated for each electronic data object stored under the control of the access control module 7. The data object identification may be stored in the data object or generated automatically from its content. For example, it may be a DICOM UID, as is common in DICOM data objects. The access control module 7 serves both to generate an identification, which is then stored in the data object, and to generate (in other words, extract) the identification of a data object from its content.
The data object identifiers can be structured systematically so that structural relationships relevant to access rights can be expressed within an access rights scheme, for example work groups, research teams, staff hierarchies, staff-related content, or assignment to business areas or research. For an electronic patient record, for example, the data objects are identified by four items that identify the patient: the patient's name, sex, date of birth and hospital identification. These four patient items are generally sufficient to identify a patient uniquely. In addition, the data object identifiers may reflect record attributes such as medical studies, diagnostic findings, or series over a longer period of time or of a particular diagnostic image type (e.g. radiograph or sonogram). This structural information can be taken into account in the assignment of access rights in such a way that, for example, the treating physician, the director of a study, the specialist in the radiology department or the billing department each receive different access rights. A unique data object identification can thus be provided for each electronic data object, independently of the respective operating environment, while making full use of this system information.
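As an added illustration of the identification step (example code written for this page, not code from the patent or from Siemens), the following Python sketch generates the data object identification in the two ways described above: it is read directly from a stored identifier such as a DICOM UID when one is present, and otherwise composed from the four patient items plus the content type. The field names, the canonicalisation rules and the sample record are assumptions for this example. The sketch also shows why the fields are canonicalised (a copy that was re-encoded with different whitespace or letter case must yield the same identification, otherwise the central rights table would not apply to it), and it keeps the identification separate from an integrity fingerprint over the whole object, since a stored identifier is only as trustworthy as the integrity of the object it was read from.

```python
import hashlib
import json
import unicodedata
from typing import Mapping, Optional

# Assumed field names for a patient record: the four identifying items named in
# the text, plus the content type that distinguishes lab reports from images etc.
PATIENT_FIELDS = ("patient_name", "sex", "birth_date", "hospital_id")


def canonical(value: str) -> str:
    """Normalise a field so that a re-encoded copy yields the same identification.

    Unicode NFKC, collapsed whitespace and case folding cover the usual
    differences introduced when a record is exported and re-imported.
    """
    value = unicodedata.normalize("NFKC", value)
    return " ".join(value.split()).casefold()


def derive_identifier(obj: Mapping[str, str]) -> str:
    """Return the data object identification for obj.

    If the object carries a stored identifier (the DICOM UID case in the text),
    it is read directly without any derivation step. Otherwise the
    identification is composed from the four patient items and the content
    type, as a structured string whose last component is the content class.
    """
    stored: Optional[str] = obj.get("uid")
    if stored:
        return stored.strip()
    missing = [name for name in PATIENT_FIELDS if not obj.get(name)]
    if missing:
        # Refuse to identify rather than silently produce an identification
        # that would land the object in a rights class it does not belong to.
        raise ValueError(f"cannot derive identification, missing {missing}")
    parts = [canonical(obj[name]) for name in PATIENT_FIELDS]
    parts.append(canonical(obj.get("content_type", "unknown")))
    return "|".join(parts)


def content_class(identifier: str) -> str:
    """The class component of a derived identification (e.g. 'lab_report').

    Stored identifiers such as DICOM UIDs carry no class and return ''.
    """
    return identifier.rsplit("|", 1)[1] if "|" in identifier else ""


def fingerprint(obj: Mapping[str, str]) -> str:
    """SHA-256 over the whole object, for the integrity check the text requires
    during transfer. Unlike the identification, this changes with any edit."""
    encoded = json.dumps(dict(obj), sort_keys=True, ensure_ascii=True).encode()
    return hashlib.sha256(encoded).hexdigest()


# Constructed sample record; no real patient data.
SAMPLE = {
    "patient_name": "Müller, Anna",
    "sex": "F",
    "birth_date": "1970-03-04",
    "hospital_id": "H-17",
    "content_type": "lab_report",
    "body": "Hb 13.1 g/dL",
}


def demo() -> dict:
    """Exercise the properties discussed in the text and return them for inspection."""
    exact_copy = dict(SAMPLE)
    reencoded_copy = dict(SAMPLE, patient_name="  MÜLLER,  Anna ", sex="f")
    edited = dict(SAMPLE, body="Hb 13.1 g/dL (corrected)")
    with_uid = dict(SAMPLE, uid=" 2.25.123456789 ")  # constructed UID, not a real one
    return {
        "same_id_for_copy": derive_identifier(SAMPLE) == derive_identifier(exact_copy),
        "same_id_after_reencoding": derive_identifier(SAMPLE) == derive_identifier(reencoded_copy),
        "same_id_after_body_edit": derive_identifier(SAMPLE) == derive_identifier(edited),
        "fingerprint_detects_edit": fingerprint(SAMPLE) != fingerprint(edited),
        "stored_uid_wins": derive_identifier(with_uid) == "2.25.123456789",
        "class": content_class(derive_identifier(SAMPLE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the split between `derive_identifier` and `fingerprint`: the identification deliberately ignores the body so that edits to the report do not move it out of its rights class, while the fingerprint covers everything so that a copy altered in transit can be detected before its identification is trusted.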
In order to use the described systematic identification of data objects for assigning access rights, the access control module 7 requires attribute information about the accessing user and their groups, and information about the assignment of data object types to specific access rights categories. These pieces of information are stored separately and can be accessed modularly within the data processing system.
In a preferred embodiment of the invention, the system has an access rights module 11, for example a server, an electronic library or a process running on a computer, which has access to an access rights memory 13, and a user group module 15, likewise for example a server, an electronic library or a process running on a computer, which has access to a user group memory 17. Information assigning user identifications to access rights categories is stored in the access rights memory 13. The access rights categories describe which users or user groups are allowed which scope of access. For example, an access rights category may be defined as follows:
User A has no access rights
User B has read access rights only
User group C has all access rights
User group D can perform functions 1 and 2
User group E can perform function 2
Possible access rights include, for example, creating data objects, creating copies or inheriting information from data objects, reading, altering and deleting the information stored in data objects, changing access rights, and executing specific functions within the respective access rights category, insofar as they are available at the workplace.
In the user group memory 17, information is stored that makes it possible to assign a user identification or a user group on the basis of the information previously determined for identifying and authenticating the user. Each user or user group is characterized by a separate electronic user identification that identifies it uniquely within the data processing system. The group attributes may reflect, for example, membership in a workgroup, a function such as senior physician on duty, a hierarchy level such as head of clinic, a professional setting such as the radiology department, or a department such as human resources or billing.
The user identification and the group attributes allow a complete description of the structure of the work environment as far as it is relevant for determining access rights. The identification of users and their assignment to groups can be changed centrally in the user group memory 17 and thus takes effect for every data access by the respective user throughout the system, whenever and wherever the user accesses data.
The access control module 7 assigns the electronic data object, on the basis of its data object identification, to an access rights category in the access rights memory 13. The access rights category for the accessing user is likewise determined by accessing the access rights module 11 on the basis of the electronic user identification. With both settings it can be determined which access right a user is allowed to use when accessing a particular data object.
A change in the access rights module 11 or in the user group module 15 makes it possible to change the access rights for all data objects that yield a particular data object identification from a central location, independently of the location of the data objects. Such a change automatically affects every copy of a data object as well, since the portion of the content from which the data object identification is generated is unchanged in the copy.
In a further preferred embodiment, the system has an access rights module 11, a user group module 15 and an additional data object classification module 12, which can likewise be, for example, a server, an electronic library or a process running on a computer. The data object classification module 12 has access to a data object classification memory 14, in which information assigning data object identifications to access rights categories is stored, and can change that information.
This embodiment is more modular than the one described above. As before, the user group module 15 provides the information for determining an electronic user identification, and the access rights module 11 provides the information on how user identifications are assigned to access rights categories. The data object classification module 12 supplements this with the information on which access rights category each data object identification belongs to; this assignment can be predefined and changed for each data object by means of the data object classification module 12.
In this way, the users and user groups assigned to each access rights category have the access rights predefined in that category. By changing the assignment in the data object classification module 12, the access rights to a data object can be changed, for example by making it accessible to different users or user groups in turn as a predefined workflow proceeds. In a medical work environment, such workflow states may be, for example: admission of the patient to the clinic, the admission examination, subsequent examination by a radiological imaging method, treatment, and the final diagnosis, with the patient's data objects being processed in each case by different user groups, such as medical technicians, radiology personnel and treatment personnel.
Whenever data is accessed within the data processing system, i.e. within the security domain, the access control module 7 first generates the data object identification of the data object to be accessed. By accessing the user group module 15, the access control module 7 determines the user identification and, based on it, the access rights category by accessing the access rights module 11. Which access rights category the data object belongs to is determined by accessing the data object classification module 12 on the basis of the previously generated data object identification. All the information required to grant the user a specific access right to the data object is thus determined from the data object identification and the user identification.
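The lookup just described, as an added worked example in Python that is not part of the patent or of any Siemens product: the three modules (user group module 15, access rights module 11, data object classification module 12) are modelled as small in-memory tables, and the access control module 7 combines them, deny-by-default, into a decision for a given user, object and right. The field names, group names, rights categories and sample objects are assumptions made for the example. It exercises the two properties the text relies on: a copy of an object receives exactly the same decision as the original, and a single central change in the classification module (here, moving a record to the next workflow step) changes the rights for the original and every copy at once. Identification is reduced to a minimal helper so that the lookup itself stays in focus.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, Mapping, Set


class Right(Flag):
    """Standard rights plus freely definable 'execute' rights for functions."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    COPY = auto()
    EXECUTE_FN1 = auto()   # e.g. an image-processing step
    EXECUTE_FN2 = auto()   # e.g. an evaluation of the data set


def identify(obj: Mapping[str, str]) -> str:
    """Minimal data object identification: a stored identifier if present,
    otherwise patient name, date of birth and content type (assumed fields)."""
    if obj.get("uid"):
        return obj["uid"].strip()
    return "|".join(obj[k].strip().casefold()
                    for k in ("patient_name", "birth_date", "content_type"))


@dataclass
class UserGroupModule:
    """Module 15 / memory 17: user identification -> group identifications."""
    groups: Dict[str, Set[str]]

    def principals(self, user: str) -> Set[str]:
        return {user} | self.groups.get(user, set())


@dataclass
class AccessRightsModule:
    """Module 11 / memory 13: access rights category -> principal -> rights."""
    categories: Dict[str, Dict[str, Right]]

    def rights(self, category: str, principals: Set[str]) -> Right:
        table = self.categories.get(category, {})
        granted = Right.NONE
        for principal in principals:
            granted |= table.get(principal, Right.NONE)
        return granted


@dataclass
class DataObjectClassificationModule:
    """Module 12 / memory 14: data object identification -> category.

    An entry may name a specific identification (one patient's record) or a
    whole content class (the last component of a derived identification)."""
    classes: Dict[str, str]

    def category(self, identifier: str) -> str:
        if identifier in self.classes:
            return self.classes[identifier]
        content_class = identifier.rsplit("|", 1)[-1]
        # Unknown objects fall into a category with no rights (deny by default).
        return self.classes.get(content_class, "unclassified")


@dataclass
class AccessControlModule:
    """Module 7: combines the three modules into one decision."""
    users: UserGroupModule
    rights: AccessRightsModule
    classes: DataObjectClassificationModule

    def effective_rights(self, user: str, obj: Mapping[str, str]) -> Right:
        category = self.classes.category(identify(obj))
        return self.rights.rights(category, self.users.principals(user))

    def allow(self, user: str, obj: Mapping[str, str], right: Right) -> bool:
        return (self.effective_rights(user, obj) & right) == right


def build_demo() -> AccessControlModule:
    """Constructed tables for a lab-report workflow; all names are assumptions."""
    users = UserGroupModule(groups={
        "dr_lee": {"physicians"},
        "tech_kim": {"lab_staff"},
        "nurse_ola": {"treatment_staff"},
    })
    rights = AccessRightsModule(categories={
        "lab_report": {"lab_staff": Right.READ | Right.WRITE | Right.EXECUTE_FN1,
                       "physicians": Right.READ},
        "treatment": {"treatment_staff": Right.READ | Right.WRITE,
                      "physicians": Right.READ | Right.EXECUTE_FN2},
    })
    classes = DataObjectClassificationModule(classes={"lab_report": "lab_report"})
    return AccessControlModule(users, rights, classes)


def advance_workflow(acm: AccessControlModule, obj: Mapping[str, str], category: str) -> None:
    """The central change: reclassify one identification; every copy follows."""
    acm.classes.classes[identify(obj)] = category


if __name__ == "__main__":
    acm = build_demo()
    record = {"patient_name": "Anna Example", "birth_date": "1970-03-04",
              "content_type": "lab_report", "body": "constructed sample"}
    copy = dict(record, body="the same object, copied to a laptop")
    print("lab tech may write:", acm.allow("tech_kim", record, Right.WRITE))
    print("physician may write:", acm.allow("dr_lee", record, Right.WRITE))
    advance_workflow(acm, record, "treatment")
    print("nurse may write the copy now:", acm.allow("nurse_ola", copy, Right.WRITE))
```

Note that an object whose identification matches nothing in the classification table ends up in the empty "unclassified" category and is denied every right; a practitioner deploying such a module would want that default, since otherwise any copy with an unrecognised or forged identification would be readable by everyone.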
The mode of action of the access control module 7 can also be used for data access from a remotely located workstation. For example, a mobile data processing device 21 (such as a PDA or laptop) can access data objects of the system via a data long-range connection 19 (such as a modem connection or a mobile radio connection). This may be the case in a home workplace for example or in a work environment of a mobile device like a clinic.
The structure of the data processing system described above allows its modular arrangement to be changed without changing the way the access control module 7 functions. For example, the user group memory 17 and the access rights memory 13 may be combined on a common storage medium, or the access rights module 11 and the user group module 15 may be integrated in a single data processing device. An arrangement separate from the access control module 7 is not necessary for the mode of operation either; the modules can also be integrated into it. The modular design makes it possible to use the system particularly flexibly in accordance with the structural requirements of the respective operating environment.
The logical layers within the data processing system (i.e., within the security domain) are schematically illustrated in FIG. 2. The electronic data objects whose access is controlled are on the lowest layer 31. These data objects have content 33 relevant for identification, from which the data object identification can be generated. The content 33 relevant for identification is shown as a separate, higher layer because the data object identification must be accessible independently of the user's access rights in order to be able to determine the extent of those access rights.
An ACL 35 is provided above the data layer, which controls access to the data at operating system level and within the respective operating system, tied to the user's login at that operating system. The ACL 35 is not counted among the data object layers 31, 33, because it does not survive leaving the respective file system or a change of operating system: it is not inherited along with the data but is lost. The ACL 35 is therefore shown in the schematic representation as a separate layer.
An operating system layer 37 is provided above the ACL 35, which controls the ACL 35 and controls the data object layers 31, 33 via the ACL 35.
The access control layer 39 is located above the operating system layer 37; the access control module 7 performs its functions in this layer. In addition to the access controls already present in the operating system, it controls access to all data.
An application layer 41 of applications with respective operating environments is located above the access control layer 39.
The right part of the figure shows, by way of example, the same logical layers after the files have been transferred to another operating system, as indicated by the arrow. In the chosen example the other operating system has no ACL. The data object identification 33 is transmitted along with the data, so the data object layers 31, 33 remain unchanged. Access rights control by the operating system layer 37 is not available, however, because there is no ACL.
Access to the data object layers 31, 33 is nevertheless still possible only via the access control layer 39, because of where that layer is positioned. That is, control of data access to the defined extent remains unchanged after the data import and is independent of a change of operating system. The application layer 41 can access the data only through the access control layer 39.
Method steps for accessing data objects within a security domain are illustrated in fig. 3. Access to the data object is started from the user or application side in step 51.
A user identification identifying the user is determined in step 53. As described above, the necessary information is collected by keyboard input or by capturing biometric data. The user identification is determined from the data thus collected by accessing the user group memory 17 via the user group module 15.
In step 55 a check is made whether a data object identification can be generated for the data object to be accessed. The data object identification is either stored in the data object itself, or the data object contains information that enables the identification to be determined automatically.
If it turns out that no data object identification can be generated, a default data object identification is assigned in step 56, on the basis of which a standard range of access rights can subsequently be set. Access control to the data object is thus achieved in accordance with the standard, without time-consuming further method steps for determining the scope of the access rights, for example for data objects that were introduced into the system without a data object identification.
Otherwise the data object identification is generated in step 57, either as a copy of the identification stored in the data object or automatically from the content stored in the data object.
The access rights module 11 is accessed in step 59 to determine an access rights classification on the basis of the information in the access rights memory 13. Here an assignment between the user identification and the access rights classification is retrieved, which may be stored in tabular form or as a graph.
The data object classification module 12 is accessed in step 61 to obtain information from the data object classification memory 14 from which the access rights class assigned to the previously determined data object identification can be determined.
Once all information on user identification, group identification and data object classification has been obtained, the access rights allowed for the user are determined in step 63. This determination is made either on the basis of the data retrieved in steps 59 and 61 or on the basis of the standard values assigned in step 56. The assignment of the standard values can take place without further access to the modules, in order to avoid unnecessary accesses and to save access time.
Access to the data is made in step 65 in accordance with the previously determined access rights.
The access to the data is ended in step 67, for example when the user logs off from the system, when the system performs an automatic timeout, or when the classification used to determine the access rights is changed in the system.
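The identification steps 55 to 57 above, worked through as an added example in C++ (this is not the patent's code). The element layout (DICOM implicit VR little endian: 2-byte group, 2-byte element, 4-byte length, value), the composition of the "patient quadruple" (PatientName, PatientID, PatientBirthDate, PatientSex), the hypothetical private tag (0009,1010) holding an already stored identification, and the sample objects are all assumptions made for this example:

```cpp
// Added example, not code from the patent: generate a data object identification
// from the content of a DICOM-like object (steps 55 and 57) or fall back to the
// default identification of step 56. Element layout, patient quadruple, the
// private tag for a stored identification and all sample data are assumptions.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

using Tag = uint32_t;                          // (group << 16) | element
constexpr Tag kPatientName      = 0x00100010;
constexpr Tag kPatientID        = 0x00100020;
constexpr Tag kPatientBirthDate = 0x00100030;
constexpr Tag kPatientSex       = 0x00100040;
constexpr Tag kStudyInstanceUID = 0x0020000D;
constexpr Tag kStoredObjectID   = 0x00091010;  // hypothetical private tag (claim 2 case)

struct DataObjectID {
    std::string patientQuadruple;   // "name|id|birthdate|sex"
    std::string studyInstanceUID;
    bool isDefault;                 // true: step 56 default, standard rights apply
};

// DICOM pads string values to even length with ' ' (UIDs with '\0').
static std::string trimPad(std::string s) {
    while (!s.empty() && (s.back() == ' ' || s.back() == '\0')) s.pop_back();
    return s;
}

// Parse all elements; a truncated object is rejected instead of read past its end.
static bool parseElements(const std::vector<uint8_t>& b, std::map<Tag, std::string>& out) {
    auto u16 = [&](size_t i) { return uint32_t(b[i]) | uint32_t(b[i + 1]) << 8; };
    auto u32 = [&](size_t i) { return u16(i) | u16(i + 2) << 16; };
    size_t p = 0;
    while (p < b.size()) {
        if (b.size() - p < 8) return false;        // truncated header
        Tag tag = (u16(p) << 16) | u16(p + 2);
        uint32_t len = u32(p + 4);
        p += 8;
        if (len > b.size() - p) return false;      // value overruns the buffer
        out[tag] = trimPad(std::string(b.begin() + p, b.begin() + p + len));
        p += len;
    }
    return true;
}

DataObjectID generateDataObjectID(const std::vector<uint8_t>& object) {
    const DataObjectID defaultID{"", "", true};           // step 56
    std::map<Tag, std::string> elems;
    if (!parseElements(object, elems)) return defaultID;  // unreadable object
    // Claim 2: an identification already stored in the object is copied.
    auto stored = elems.find(kStoredObjectID);            // format "quadruple#studyUID"
    if (stored != elems.end()) {
        size_t sep = stored->second.find('#');
        if (sep != std::string::npos)
            return {stored->second.substr(0, sep), stored->second.substr(sep + 1), false};
    }
    // Claim 3: otherwise derive it from the content; every part must be present.
    std::string quad;
    for (Tag t : {kPatientName, kPatientID, kPatientBirthDate, kPatientSex}) {
        auto it = elems.find(t);
        if (it == elems.end() || it->second.empty()) return defaultID;
        quad += (quad.empty() ? "" : "|") + it->second;
    }
    auto uid = elems.find(kStudyInstanceUID);
    if (uid == elems.end() || uid->second.empty()) return defaultID;
    return {quad, uid->second, false};
}

// Constructed sample objects (not real patient data).
static void putElement(std::vector<uint8_t>& b, Tag tag, std::string v, char pad = ' ') {
    if (v.size() % 2) v.push_back(pad);
    uint32_t len = uint32_t(v.size());
    uint8_t hdr[8] = {uint8_t(tag >> 16), uint8_t(tag >> 24), uint8_t(tag), uint8_t(tag >> 8),
                      uint8_t(len), uint8_t(len >> 8), uint8_t(len >> 16), uint8_t(len >> 24)};
    b.insert(b.end(), hdr, hdr + 8);
    b.insert(b.end(), v.begin(), v.end());
}
std::vector<uint8_t> sampleObjectWithoutStudy() {   // patient data only: step 56 applies
    std::vector<uint8_t> b;
    putElement(b, kPatientName, "Doe^Jane");
    putElement(b, kPatientID, "P0001");
    putElement(b, kPatientBirthDate, "19700101");
    putElement(b, kPatientSex, "F");
    return b;
}
std::vector<uint8_t> sampleStudyObject() {          // complete: step 57, claim 3
    auto b = sampleObjectWithoutStudy();
    putElement(b, kStudyInstanceUID, "1.2.3.4.5.6.7.8.9", '\0');
    return b;
}
std::vector<uint8_t> sampleObjectWithStoredID() {   // step 57, claim 2
    std::vector<uint8_t> b;
    putElement(b, kStoredObjectID, "Roe^Richard|P0002|19650505|M#1.2.3.4.5.6.7.8.10");
    return b;
}
std::vector<uint8_t> truncatedObject() {            // last element's length overruns the buffer
    auto b = sampleStudyObject();
    b.resize(b.size() - 3);
    return b;
}

int main() {
    DataObjectID id = generateDataObjectID(sampleStudyObject());
    std::printf("%s / %s (default=%d)\n", id.patientQuadruple.c_str(), id.studyInstanceUID.c_str(), id.isDefault);
}
```

The point of the bounds checks in parseElements is that the identification is generated before any access right is known, i.e. on untrusted input: a malformed object must yield the default identification (and hence standard rights), not a crash or an out-of-bounds read.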
In order to illustrate the procedural aspects of the invention, a few very simplified semantic sketches of an implementation of the method steps are reproduced below. The simplifications include, for example, the omission of variable definitions and of error handling.
The user group module allows user and group identifications to be added, modified, deleted and queried. It also comprises means for authenticating the respective user. It may be implemented using the following declarations:
bool createUser(wchar_t* theUserName, wchar_t* thePassword, wchar_t*& theSID);
bool deleteUser(wchar_t* theUserName);
bool querySID(wchar_t* theUserName, wchar_t*& theSID);
bool createGroup(wchar_t* theGroupName, wchar_t*& theGID);
bool deleteGroup(wchar_t* theGroupName);
bool queryGID(wchar_t* theGroupName, wchar_t*& theGID);
bool addUserToGroup(wchar_t* theSID, wchar_t* theGID);
bool removeUserFromGroup(wchar_t* theSID, wchar_t* theGID);
bool authenticateUser(wchar_t* theUserName, wchar_t* theUserPassword, wchar_t*& theUID);
bool releaseUID(wchar_t* theUID);
bool analyzeUID(wchar_t* theUID, wchar_t*& theSID, wchar_t*& theGID);
Here "bool" is the C++ keyword for the type that takes the Boolean values TRUE or FALSE; it precedes a variable definition, a method definition or a method declaration. "wchar_t" is the wide-character type as used in Microsoft's C++ compilers. "enum" is the C++ keyword for defining an enumeration type, and "struct" is the C++ keyword for defining a new composite data type.
SIDs and GIDs are unique identifiers for user identification and group identification and are used within the security domain. They represent users and groups within the security domain without using their actual identities or names for this purpose.
The remaining identifiers, such as createGroup or deleteGroup, are freely chosen and can be understood from their names.
On each successful authentication of a user, a UID is generated that uniquely identifies the user and the working session. As soon as the user logs off from the system or the working session in the security domain is ended by a timeout, the UID is deleted.
The access rights module may be implemented using the following declarations:
enum TokenRights {
    Create,              // allow creation of new child objects in a hierarchically organized file
    Read,                // allow reading of file content
    Update,              // allow modification of file content
    Delete,              // allow deletion of the entire file, i.e. physical erasure
    Execute,             // allow updating of the current protection for the file
    ExecuteSpecFunction  // allow special functions to be performed on the content of the file
};
bool createToken(wchar_t* theTokenName);
bool assignRight(wchar_t* theTokenName, wchar_t* theSID, TokenRights theGrantedRights);  // grant to a user
bool assignRight(wchar_t* theTokenName, wchar_t* theGID, TokenRights theGrantedRights);  // grant to a group
bool removeToken(wchar_t* theTokenName);
TokenRights queryRights(wchar_t* theTokenName, wchar_t* theSID, wchar_t* theGID);
To determine the access rights of a user, the access rights module 11 uses the user's SID and GID. Different access rights can be configured for group identifications and for user identifications, and one user can carry several identifications, so all SIDs and GIDs of a user must be evaluated in order to determine the scope of that user's access rights.
The assignment of data objects to categories, called "Token" in the declarations above, allows individual assignments to be added, deleted, queried and modified. This can be achieved with the following declarations:
struct SecurityID {  // sample definition for DICOM constituent files
    wchar_t* thePatientQuadruple;
    wchar_t* theStudyInstanceUID;
};
bool setDefaultProtection(wchar_t* theTokenNames);
bool addProtection(SecurityID& theDocumentSecurityID, wchar_t* theTokenNames);
bool queryProtection(SecurityID& theDocumentSecurityID, wchar_t*& theTokenNames);
bool removeProtection(SecurityID& theDocumentSecurityID, wchar_t* theTokenNames);
One data object identification may be assigned to several categories. Data object identifications that are not assigned to any category receive the standard default access rights.
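The declarations above, together with the rights determination of the access control module 7 (step 63) and the workflow handover described earlier, worked through as an added example in C++ (this is not the patent's code). TokenRights is encoded here as bit flags so that the rights granted through a user's SID and all of its GIDs can be combined; that encoding, the in-memory maps standing in for the access rights memory 13 and the data object classification memory 14, and the clinic scenario with its SIDs, GIDs and token names are constructed for this example:

```cpp
// Added example, not the patent's code: in-memory model of the access rights
// module 11 (tokens), the data object classification module 12 (protection of
// identifications) and the rights determination of step 63. The flag encoding
// of TokenRights and the whole clinic scenario are assumptions of this example.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <tuple>

enum TokenRights : uint32_t {
    None = 0, Create = 1, Read = 2, Update = 4, Delete = 8, Execute = 16, ExecuteSpecFunction = 32
};
using Rights = uint32_t;     // OR-combination of TokenRights flags

struct SecurityID {          // data object identification for the DICOM case
    std::string patientQuadruple;
    std::string studyInstanceUID;
    bool operator<(const SecurityID& o) const {
        return std::tie(patientQuadruple, studyInstanceUID) < std::tie(o.patientQuadruple, o.studyInstanceUID);
    }
};

class AccessControl {
    using Grants = std::map<std::string, Rights>;              // SID or GID -> granted rights
    std::map<std::string, Grants> tokens_;                     // access rights module 11
    std::map<SecurityID, std::set<std::string>> protections_;  // classification module 12
    std::string defaultToken_;                                 // for unclassified objects
public:
    bool createToken(const std::string& token) { return tokens_.emplace(token, Grants()).second; }
    bool removeToken(const std::string& token) {
        if (!tokens_.erase(token)) return false;
        for (auto& p : protections_) p.second.erase(token);    // no dangling protections
        return true;
    }
    // One function serves SIDs and GIDs: both are opaque identifiers of the domain.
    bool assignRight(const std::string& token, const std::string& idnt, Rights r) {
        auto it = tokens_.find(token);
        if (it == tokens_.end()) return false;
        it->second[idnt] |= r;
        return true;
    }
    void setDefaultProtection(const std::string& token) { defaultToken_ = token; }
    bool addProtection(const SecurityID& id, const std::string& token) {
        if (!tokens_.count(token)) return false;
        return protections_[id].insert(token).second;
    }
    bool removeProtection(const SecurityID& id, const std::string& token) {
        auto it = protections_.find(id);
        return it != protections_.end() && it->second.erase(token) > 0;
    }
    // Step 63: the user's rights on an object are the union over every token the
    // object is assigned to and every identifier (SID and all GIDs) of the user.
    Rights determineRights(const SecurityID& id, const std::string& sid, const std::set<std::string>& gids) const {
        std::set<std::string> applicable;
        auto p = protections_.find(id);
        if (p == protections_.end() || p->second.empty()) applicable.insert(defaultToken_);  // step 56 case
        else applicable = p->second;
        Rights r = None;
        for (const auto& t : applicable) {
            auto tk = tokens_.find(t);
            if (tk == tokens_.end()) continue;
            for (const auto& g : tk->second)
                if (g.first == sid || gids.count(g.first)) r |= g.second;
        }
        return r;
    }
};

// Constructed clinic workflow (admission, then radiology); SIDs and GIDs are
// made-up values of the kind analyzeUID would return.
struct WorkflowResult {
    Rights techDuringAdmission, radDuringAdmission, techDuringRadiology,
           radDuringRadiology, physicianDuringRadiology, radOnUnclassified;
};
WorkflowResult runWorkflowScenario() {
    AccessControl ac;
    const std::string sidTech = "S-101", sidRad = "S-102", sidDrLee = "S-103";
    const std::string gidTech = "G-MTA", gidRad = "G-RAD", gidStaff = "G-STAFF";
    ac.createToken("Admission"); ac.createToken("Radiology"); ac.createToken("Standard");
    ac.assignRight("Admission", gidTech, Read | Update);
    ac.assignRight("Radiology", gidRad, Create | Read | Update);
    ac.assignRight("Radiology", gidTech, Read);        // technicians keep read access
    ac.assignRight("Radiology", sidDrLee, Delete);     // only one named physician may delete
    ac.assignRight("Standard", gidStaff, Read);        // standard rights for unclassified objects
    ac.setDefaultProtection("Standard");

    SecurityID study{"Doe^Jane|P0001|19700101|F", "1.2.3.4.5.6.7.8.9"};
    SecurityID other{"Roe^Richard|P0002|19650505|M", "1.2.3.4.5.6.7.8.10"};  // never classified
    WorkflowResult r{};
    ac.addProtection(study, "Admission");
    r.techDuringAdmission = ac.determineRights(study, sidTech, {gidTech, gidStaff});
    r.radDuringAdmission  = ac.determineRights(study, sidRad,  {gidRad,  gidStaff});
    // Workflow step change: reassigning the object hands it over to radiology.
    ac.removeProtection(study, "Admission");
    ac.addProtection(study, "Radiology");
    r.techDuringRadiology      = ac.determineRights(study, sidTech,  {gidTech, gidStaff});
    r.radDuringRadiology       = ac.determineRights(study, sidRad,   {gidRad,  gidStaff});
    r.physicianDuringRadiology = ac.determineRights(study, sidDrLee, {gidRad,  gidStaff});
    r.radOnUnclassified        = ac.determineRights(other, sidRad,   {gidRad,  gidStaff});
    return r;
}

int main() {
    WorkflowResult r = runWorkflowScenario();
    std::printf("technician %u->%u, radiology %u->%u, physician %u, unclassified %u\n",
                r.techDuringAdmission, r.techDuringRadiology, r.radDuringAdmission,
                r.radDuringRadiology, r.physicianDuringRadiology, r.radOnUnclassified);
}
```

Two checks worth keeping in any real implementation of this scheme are visible in the scenario: a classified object never falls back to the default token (the radiology group gets nothing on the study while it is in the Admission category), and the union over SID and GIDs means a single user-level grant such as Delete is added on top of whatever the user's groups already have, so individual grants deserve the same review as group grants.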

Claims (15)

1. A method of protecting an electronic data object against unauthorized access, said data object being arranged for storing information, wherein a) in a first step (56, 57) an electronic data object identification is generated on the basis of the content of said electronic data object, b) in a next step (63) access rights are determined on the basis of the data object identification, and c) in a last step (65) access to the electronic data object is allowed on the basis of the access rights.
2. The method of claim 1, wherein the data object identification is generated as a copy of an identification contained in the data object.
3. The method of claim 1, wherein the data object identification is generated using information stored in the data object.
4. Method according to any of the preceding claims, wherein in a further step (53) an electronic user identification is determined for the operator, and the access rights are determined on the basis of the user identification.
5. Method according to claim 4, wherein in a further step (59) information is determined which enables the assignment of the user identification to an access rights classification, and the access rights are determined from the assignment of the user identification to an access rights classification.
6. Method according to one of the preceding claims, wherein in a further step (61) information is determined which enables an assignment of the data object identification to an access rights classification, and the access rights are determined from the assignment of the data object identification to the access rights classification.
7. The method of any preceding claim, wherein the access rights comprise a standard right and a functional right.
8. The method according to any of the preceding claims, wherein medical data about an individual is stored in the data object.
9. A data processing system having a data processing apparatus (1) with access to electronic data objects and an access control module (7), an electronic data object identification being generated by the access control module (7) on the basis of the content of said data object, an access right being determined by said access control module (7) on the basis of said data object identification, and access to said electronic data object being permitted by said access control module (7) on the basis of said access right.
10. A data processing system as claimed in claim 9, wherein the data processing system comprises a recognition means (6) by means of which the electronic user identification of the operator can be determined.
11. Data processing system according to claim 10, said data processing system comprising an access rights module (13), by means of which module (13) the mutual assignment of the electronic user identification and the access rights classification is stored, and which module (13) is accessible to said access control module (7), wherein said access rights are determined by means of said access control module (7) on the basis of access to said access rights module (13).
12. The data processing system of any one of claims 9 to 11, comprising a data object classification module (12), by means of which module (12) the assignment of electronic data object identifications and access right classifications to each other is stored, and which module (12) is accessible to the access control module (7), wherein the access rights can be determined by means of the access control module (7) from the access to the data object classification module (12).
13. The data processing system of any of claims 9 to 12, wherein the data processing system determines one standard right and one functional right as access rights.
14. The data processing system of any of claims 9 to 13, wherein the data processing system is designed as a medical workstation.
15. A storage medium having stored thereon information which can be interacted with by a data processing system in order to carry out a method according to any one of claims 1 to 8.
CNB2004100397120A 2003-03-14 2004-03-15 Method and system for preventing electronic data object from unauthorized access Expired - Fee Related CN100449450C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10311648.6 2003-03-14
DE10311648 2003-03-14

Publications (2)

Publication Number Publication Date
CN1530792A true CN1530792A (en) 2004-09-22
CN100449450C CN100449450C (en) 2009-01-07

Family

ID=32920851

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100397120A Expired - Fee Related CN100449450C (en) 2003-03-14 2004-03-15 Method and system for preventing electronic data object from unauthorized access

Country Status (2)

Country Link
CN (1) CN100449450C (en)
DE (1) DE102004004101A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100412743C (en) * 2004-12-17 2008-08-20 摩托罗拉公司 Method and apparatus for digital right management
CN101903910A (en) * 2007-10-19 2010-12-01 瓦斯科普斯公司 The automatic geometric and mechanical analyzing method and the system that are used for tubular structure
CN101399695B (en) * 2007-09-26 2011-06-01 阿里巴巴集团控股有限公司 Method and device for operating shared resource
CN105117582A (en) * 2015-07-29 2015-12-02 苏州麦迪斯顿医疗科技股份有限公司 Medical data platform information processing method
CN105872108A (en) * 2016-06-15 2016-08-17 深圳市清时捷科技有限公司 Data screening-transmitting method and device for plurality of receiving terminals
CN106664636A (en) * 2014-10-29 2017-05-10 华为技术有限公司 Data frame transmission method and apparatus
CN107103245A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 The right management method and device of file
CN107944297A (en) * 2017-12-11 2018-04-20 北京奇虎科技有限公司 A kind of control method and device for accessing file

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018127949A1 (en) * 2018-11-08 2020-05-14 Samson Aktiengesellschaft Control of access rights in a networked system with data processing

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI103543B (en) * 1996-09-30 1999-07-15 Nokia Telecommunications Oy Marking of electronic documents
WO2000062292A1 (en) * 1999-04-14 2000-10-19 Matsushita Electric Industrial Co., Ltd. Data management apparatus, data management method, and record medium recording data management program
US6671696B1 (en) * 2001-08-20 2003-12-30 Pardalis Software, Inc. Informational object authoring and distribution system

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100412743C (en) * 2004-12-17 2008-08-20 摩托罗拉公司 Method and apparatus for digital right management
CN101399695B (en) * 2007-09-26 2011-06-01 阿里巴巴集团控股有限公司 Method and device for operating shared resource
CN101903910A (en) * 2007-10-19 2010-12-01 瓦斯科普斯公司 The automatic geometric and mechanical analyzing method and the system that are used for tubular structure
CN101903910B (en) * 2007-10-19 2013-06-12 瓦斯科普斯公司 Automatic geometrical and mechanical analyzing method and system for tubular structures
CN106664636A (en) * 2014-10-29 2017-05-10 华为技术有限公司 Data frame transmission method and apparatus
CN106664636B (en) * 2014-10-29 2020-06-16 华为技术有限公司 Data frame transmission method and device
US10925015B2 (en) 2014-10-29 2021-02-16 Huawei Technologies Co., Ltd. Method and apparatus for transmitting data frame in a long term evolution unlicensed (LTE-U)system
CN105117582A (en) * 2015-07-29 2015-12-02 苏州麦迪斯顿医疗科技股份有限公司 Medical data platform information processing method
CN107103245A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 The right management method and device of file
CN107103245B (en) * 2016-02-23 2022-08-02 中兴通讯股份有限公司 File authority management method and device
CN105872108A (en) * 2016-06-15 2016-08-17 深圳市清时捷科技有限公司 Data screening-transmitting method and device for plurality of receiving terminals
CN105872108B (en) * 2016-06-15 2019-02-22 深圳市清时捷科技有限公司 A kind of multiple data screening, transmission method and its devices for receiving terminal
CN107944297A (en) * 2017-12-11 2018-04-20 北京奇虎科技有限公司 A kind of control method and device for accessing file
CN107944297B (en) * 2017-12-11 2020-11-24 北京奇虎科技有限公司 Control method and device for accessing file

Also Published As

Publication number Publication date
DE102004004101A1 (en) 2004-09-30
CN100449450C (en) 2009-01-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20180315

CF01 Termination of patent right due to non-payment of annual fee