GB2509032A - Authority maps for access to a database using a client device - Google Patents


Info

Publication number: GB2509032A
Authority: GB (United Kingdom)
Prior art keywords: database, principal, entity, authorities, authority
Legal status: Withdrawn
Application number: GB201405803A
Other versions: GB201405803D0 (en)
Inventor: Matthew Seaborn
Current Assignee: DAZN Media Services Ltd
Original Assignee: Perform Media Services Ltd
Priority date: 2014-03-31
Filing date: 2014-03-31
Publication date: 2014-06-18
Application filed by Perform Media Services Ltd
Priority to GB201405803A (published as GB2509032A)
Publication of GB201405803D0
Publication of GB2509032A
Priority claimed by PCT/GB2015/051009 (published as WO2015150802A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries

Abstract

Managing access to a database within a distributed system comprising a client device, a server, and the database. Allocating authorities for access to entities within the database to a plurality of principals; generating an authority map and transmitting the authority map to the client device, so that operational access to an entity can be determined using precedence of the authorities allocated to the principal and relevant to the entity. The key for the access map may use an identifier for the database entity and the type(s) of operation which can be performed, such as deletion. The key maps to a list of authorities ordered by precedent, so that access may be granted or denied when allocated to a principal user. This allows client side determination of access privileges in a distributed database, which may reduce latency by shifting processing overhead to the client whilst maintaining data security.

Description

Distributed Database Access Control Method and System
Field of Invention
The present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to distributed database access control.
Background
Existing technologies for managing access control to databases derive from the terminal-server model of computing architecture, where the server manages all processing and the terminal merely acts as a conduit between the user and the server.
Consequently, these technologies control security access at the server or database-side, but this introduces inefficiencies in processing and limits functionality at the client-side.
It is an object of the present invention to provide a database access control method and system which overcomes the disadvantages of the prior art, or at least provides a useful alternative.
Summary of Invention
According to a first aspect of the invention there is provided a method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising: a) allocating authorities for access to entities within the database to a plurality of principals; b) generating an authority map from the authorities allocated to the entities for a principal at the client device; c) transmitting the authority map to the client device; d) determining operational access to an entity within the database for the principal at the client device using the authority map and using precedence of the authorities allocated to the principal and relevant to the entity; and e) determining operational access to the entity within the database for the principal at the server or the database based upon precedence of the authorities allocated to the principal and relevant to the entity.
A key to the authority map may be comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity. The key may map to a list of authorities relevant to the entity ordered by precedent.
An authority may be granted or denied when allocated to a principal.
Authorities may be allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups may be allocated to the principal.
Authorities denied to the principal and relevant to the entity may take precedence over otherwise identical authorities granted to the principal.
Authorities allocated directly to the principal may take precedence over authorities allocated to groups associated with the principal.
Authorities may be ranked higher in precedence dependent on the increased specificity of identification of the entity.
The principal may be a user.
According to a further aspect of the invention there is provided a distributed system for access control of a database by a principal, comprising: a client device; a server; and a database; wherein the distributed system is configured to perform the method of the first aspect.
Other aspects of the invention are described within the claims.
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1: shows a block diagram illustrating a system in accordance with an embodiment of the invention;
Figure 2: shows a block diagram illustrating a database for use with an embodiment of the invention;
Figure 3: shows a flow diagram illustrating a method in accordance with an embodiment of the invention;
Figure 4: shows a sequence diagram illustrating a method in accordance with an embodiment of the invention;
Figure 5a: shows a table illustrating keys for an authority map generated in accordance with an embodiment of the invention; and
Figure 5b: shows a table illustrating an authority table for an authority map generated in accordance with an embodiment of the invention.
Detailed Description of Preferred Embodiments
The present invention provides a distributed database access control method and system.
In Figure 1, a system 100 in accordance with an embodiment of the invention is shown.
The system 100 may comprise a database 101, a server 102, and one or more clients 103, 104, and 105. The server 102 may comprise a memory 106 and a processor 107.
The clients 103, 104, and 105 may be user devices or automated devices.
The clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals. A principal is an actor, which may be a user or an automated process.
The server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
It will be appreciated that a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems.
The server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or wide-area network (WAN), or a combination of interconnected networks such as the Internet.
In one embodiment, the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
The database 101 will be described with reference to Figure 2.
The database 101 may comprise a plurality of entities 200, 201, and 202.
Each entity 200, 201, 202 may comprise one or more properties 203, 204, and 205. One of the properties 204 may identify the type of entity. One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101.
One or more of the entities 200 may be associated 206 with one or more other entities 202.
The database 101 may be a relational database such as an SQL database.
It will be appreciated that Figure 2 illustrates a logical representation of a database. Physically, the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses.
A method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
In step 301, one or more authorities may be allocated for the entities within the database to a plurality of principals. An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity. The authority may define different types of operations on the entity. For example, the authority may relate to access to create, read, update and/or delete the entity. Operations may be defined by the authority in relation to specific properties of the entity.
The authorities may be granted or denied when allocated to a principal.
The authorities may be allocated directly to the principal, or the authorities may be allocated indirectly to the principal. In the case of the latter, the authorities may be allocated to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted or denied an authority or is associated with a group to which an authority is granted or denied, then the principal may inherit the grant or denial of that authority.
In step 302, an authority map may be generated from the authorities allocated to the entities for a principal of a client device.
The authority map may be generated within the system. In one embodiment, the map is generated at the server. The authority map may be a key-value mapping container where the key is formed of, at least, the entity type and the operation. The key may also include a group identifier. The key may be hashed.
The key may correspond to rows comprising, at least, the following fields: an entity identifier, whether the authority is granted or denied, and the precedence of the authority. The precedence of the authority may be defined by a numeric value.
The numeric value for the precedence may be calculated by the following method:
a) If the authority directly identifies the entity, set the numeric precedence value to 0.
b) Otherwise, if the authority identifies the entity indirectly by identifying an associated entity, set the numeric precedence to 10.
c) Otherwise, if the authority identifies the entity indirectly by identifying the type of an associated entity, set the numeric precedence to 20.
d) Otherwise, set the numeric precedence to 30.
e) If the authority was obtained by direct allocation to the principal, add 0 to the numeric precedence value.
f) Otherwise, if the authority was obtained indirectly by the principal by allocation to a group of which the principal is a member, add 100 to the numeric precedence value.
In alternative embodiments, the authority map includes one or more of the following additional fields: property (identifying the property within the entity to which the operation relates), associated entity identifier, and associated entity type.
Data may not be required for the following fields: entity identifier, property, associated entity identifier, and associated entity type.
In step 303, the authority map may be transmitted to the client device.
In step 304, a determination for permission to perform an operation on an entity within a database for the principal of the client device may be made using the authority map. This determination step may extract the relevant authorities and precedence from the authority map, and then permission may be determined based upon the precedence of the authorities allocated to the principal and relevant to the entity.
The determination for permission may be driven in response to a request for that operation by the principal. The request may be generated at the client device and permission determined, and then transmitted to the server.
The process of determining permission may use the key within the authority map to locate the rows relevant to the entity and operation within the authority map. For example, the operation type and the entity type from the request are hashed together to generate the key, and this key is used as the index to the authority map. The authority of the highest precedence from these rows is extracted and if the authority is granted determines that the principal has permission to perform the operation on the entity and if the authority is denied determines that the principal does not have permission to perform the operation on the entity.
In step 305, the server (or database) may also determine operational access to the entity within the database for the principal. The server (or database) may use precedence of authorities allocated to the principal and relevant to the entity to determine whether the access should be granted or denied.
A sequence diagram illustrating one implementation of the method above will be described in reference to Figure 4.
The client 400, server 401 and database 402 are shown.
The principal 403 may make a request 404 for an operation on an entity at the client. The client may determine 405 whether permission for this operation is possible at the client using, for example, the authority map.
If the request is possible, the request is transmitted 406 to the server 401. The server 401 may also determine 407 permission for the operation.
If the request is possible, the request is transmitted 408 to the database 402 to be applied. In applying the operation, the database 402 may determine 409 whether the request is possible.
Pseudo-code outlining an algorithm for determining permission is detailed below:

    isPermitted(securedEntity, operationType, property)
        OrderedList orderedAuthorities = authorityMap.getByKey(securedEntity.type, operationType, securedEntity.owningOrganisation)
        For Each auth in orderedAuthorities
            If operationType.scope = 'Property'
                If (auth.property is not wildcard And auth.property != property)
                    Continue
            If auth.securedEntity is defined
                If auth.securedEntity = securedEntity
                    Return auth.whetherGranted
                Else
                    Continue
            Else If auth.associatedSecuredEntity is defined
                If securedEntity.isAssociatedTo(auth.associatedSecuredEntity)
                    Return auth.whetherGranted
                Else
                    Continue
            Else If auth.associatedSecuredEntityType is defined
                If securedEntity.isAssociatedToType(auth.associatedSecuredEntityType)
                    Return auth.whetherGranted
                Else
                    Continue
            Else
                Return auth.whetherGranted
        Return denied

An example of an authority map generated in accordance with an embodiment of the invention is shown at Figures 5a and 5b.
A principal is granted directly the following authorities:
Authority 1: Update entity of type Article and ID 1
Authority 2: Delete entity of type Article and ID 1
And denied the following authorities:
Authority 3: Update entities of type Article associated with entity ID 1 of type Category
Authority 4: Delete entities of type Article
The principal is a member of a group, Group A, which has been granted the following authorities:
Authority 5: Update entities of type Article
Authority 6: Delete entities of type Article associated with entity ID 1 of type Category
And denied the following authorities:
Authority 7: Update entity of type Category
Keys for the authority map are shown in a table in Figure 5a.
Row 501 shows key JsdfE which is a hash of the operation type "Update" and the entity type "Article".
Row 502 shows key FFEeI which is a hash of the operation type "Delete" and the entity type "Article".
Row 503 shows key lldsW which is a hash of the operation type "Update" and the entity type "Category".
The mapped table is shown in Figure 5b.
Row 504 corresponds to authority 1.
Row 505 corresponds to authority 2.
Row 506 corresponds to authority 3.
Row 507 corresponds to authority 4.
Row 508 corresponds to authority 5.
Row 509 corresponds to authority 6.
Row 510 corresponds to authority 7.
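The precedence calculation of step 302, the keyed lookup of step 304 and the isPermitted pseudo-code, run over authorities 1 to 7 of the worked example, as an added Python example that is not part of the patent. The field names, the tuple key standing in for the hashed key, and the sample entities with their Category associations are my assumptions; the denial-before-grant tie-break follows the statement that denied authorities take precedence over otherwise identical granted ones.

```python
from dataclasses import dataclass, field
from typing import Optional

# Base precedence values and the group penalty, as given in step 302 of the description.
DIRECT_ENTITY, ASSOC_ENTITY, ASSOC_TYPE, TYPE_ONLY = 0, 10, 20, 30
VIA_GROUP = 100

@dataclass(frozen=True)
class Authority:
    operation: str                       # e.g. "Update", "Delete"
    entity_type: str                     # e.g. "Article"
    granted: bool                        # True = granted, False = denied
    via_group: bool = False              # obtained through a group the principal belongs to
    entity_id: Optional[int] = None      # identifies one entity directly
    assoc_type: Optional[str] = None     # identifies entities via the type of an associated entity
    assoc_id: Optional[int] = None       # ... or via one specific associated entity

    def precedence(self) -> int:
        """Lower value = higher precedence (steps a to f of the description)."""
        if self.entity_id is not None:
            base = DIRECT_ENTITY
        elif self.assoc_id is not None:
            base = ASSOC_ENTITY
        elif self.assoc_type is not None:
            base = ASSOC_TYPE
        else:
            base = TYPE_ONLY
        return base + (VIA_GROUP if self.via_group else 0)

@dataclass(frozen=True)
class Entity:
    entity_type: str
    entity_id: int
    associations: frozenset = field(default_factory=frozenset)   # {(type, id), ...}

def build_authority_map(authorities):
    """Key (operation, entity type) -> authorities ordered by precedence.
    The description hashes the key; a tuple plays the same role here (assumption).
    Ties go to the denial, so a denial beats an otherwise identical grant."""
    amap = {}
    for auth in authorities:
        amap.setdefault((auth.operation, auth.entity_type), []).append(auth)
    for rows in amap.values():
        rows.sort(key=lambda a: (a.precedence(), a.granted))   # False (denied) sorts first
    return amap

def _matches(auth, entity):
    """Does this authority identify the entity? Mirrors the pseudo-code branches."""
    if auth.entity_id is not None:
        return auth.entity_id == entity.entity_id
    if auth.assoc_id is not None:
        return (auth.assoc_type, auth.assoc_id) in entity.associations
    if auth.assoc_type is not None:
        return any(t == auth.assoc_type for t, _ in entity.associations)
    return True   # type-level authority covers every entity of that type

def is_permitted(amap, entity, operation):
    """First matching authority in precedence order decides; nothing matching = denied."""
    for auth in amap.get((operation, entity.entity_type), []):
        if _matches(auth, entity):
            return auth.granted
    return False   # default deny, as in the pseudo-code's final 'Return denied'

# Authorities 1 to 7 of the worked example (allocated directly unless via_group=True).
EXAMPLE_AUTHORITIES = [
    Authority("Update", "Article", True, entity_id=1),                                         # 1
    Authority("Delete", "Article", True, entity_id=1),                                         # 2
    Authority("Update", "Article", False, assoc_type="Category", assoc_id=1),                  # 3
    Authority("Delete", "Article", False),                                                     # 4
    Authority("Update", "Article", True, via_group=True),                                      # 5
    Authority("Delete", "Article", True, via_group=True, assoc_type="Category", assoc_id=1),   # 6
    Authority("Update", "Category", False, via_group=True),                                    # 7
]
EXAMPLE_MAP = build_authority_map(EXAMPLE_AUTHORITIES)

if __name__ == "__main__":
    # Constructed sample entities: Articles 1 and 2 sit in Category 1, Article 3 does not.
    for ent, op in [(Entity("Article", 1, frozenset({("Category", 1)})), "Update"),
                    (Entity("Article", 2, frozenset({("Category", 1)})), "Update"),
                    (Entity("Article", 2, frozenset({("Category", 1)})), "Delete"),
                    (Entity("Article", 3, frozenset({("Category", 2)})), "Update")]:
        verdict = "granted" if is_permitted(EXAMPLE_MAP, ent, op) else "denied"
        print(op, ent.entity_type, ent.entity_id, "->", verdict)
```

Note that Delete on Article 2 is denied even though Group A grants it through authority 6: the direct type-level denial (precedence 30) outranks the group grant (precedence 110), which is the direct-over-group rule in action.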
A potential advantage of some embodiments of the present invention is that distributed access control at multiple locations permits rich client-side functionality and reduces latency in data delivery by shifting processing overhead to the client while maintaining data security.
While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art.
Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of the applicant's general inventive concept.

Claims (13)

  1. A method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising: a) allocating authorities for access to entities within the database to a plurality of principals; b) generating an authority map from the authorities allocated to the entities for a principal at the client device; c) transmitting the authority map to the client device; d) determining operational access to an entity within the database for the principal at the client device using the authority map and using precedence of the authorities allocated to the principal and relevant to the entity; and e) determining operational access to the entity within the database for the principal at the server or the database based upon precedence of the authorities allocated to the principal and relevant to the entity.
  2. A method as claimed in claim 1, wherein a key to the authority map is comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity.
  3. A method as claimed in claim 2, wherein the key maps to a list of authorities relevant to the entity ordered by precedent.
  4. A method as claimed in any one of the preceding claims, wherein an authority is granted or denied when allocated to a principal.
  5. A method as claimed in any one of the preceding claims, wherein authorities are allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups are allocated to the principal.
  6. A method as claimed in any one of the preceding claims when dependent on claim 4, wherein authorities denied to the principal and relevant to the entity take precedence over otherwise identical authorities granted to the principal.
  7. A method as claimed in any one of the preceding claims, wherein authorities allocated directly to the principal take precedence over authorities allocated to groups associated with the principal.
  8. A method as claimed in any one of the preceding claims, wherein authorities are ranked higher in precedence dependent on the increased specificity of identification of the entity.
  9. A method as claimed in any one of the preceding claims, wherein the principal is a user.
  10. A distributed system for access control of a database by a principal, comprising: a client device; a server; and a database; wherein the distributed system is configured to perform the method of any one of claims 1 to 9.
  11. A client device configured for use with the distributed system of claim 10.
  12. An authority map generated by the method of any one of claims 1 to 9.
  13. A method or system for access control of a database as herein described with reference to the Figures.

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB201405803A GB2509032A (en) 2014-03-31 2014-03-31 Authority maps for access to a database using a client device
PCT/GB2015/051009 WO2015150802A1 (en) 2014-03-31 2015-03-31 Distributed database access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB201405803A GB2509032A (en) 2014-03-31 2014-03-31 Authority maps for access to a database using a client device

Publications (2)

Publication Number Publication Date
GB201405803D0 GB201405803D0 (en) 2014-05-14
GB2509032A true GB2509032A (en) 2014-06-18

Family

ID=50737772

Family Applications (1)

Application Number Title Priority Date Filing Date
GB201405803A Withdrawn GB2509032A (en) 2014-03-31 2014-03-31 Authority maps for access to a database using a client device

Country Status (2)

Country Link
GB (1) GB2509032A (en)
WO (1) WO2015150802A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160125197A1 (en) * 2014-11-05 2016-05-05 Ab Initio Technology Llc Database Security

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107239710B (en) * 2016-03-29 2020-06-16 北京明略软件系统有限公司 Database permission implementation method and system
KR102376254B1 (en) * 2019-03-21 2022-03-21 한국전자통신연구원 Method and apparatus for managing decentralized identifier
CN112149070B (en) * 2019-06-27 2024-04-23 杭州海康威视数字技术股份有限公司 Authority control method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8627490B2 (en) * 2005-12-29 2014-01-07 Nextlabs, Inc. Enforcing document control in an information management system
US8689285B1 (en) * 2012-09-14 2014-04-01 Siemens Product Lifecycle Management Software Inc. Rule-based derived-group security data management

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160125197A1 (en) * 2014-11-05 2016-05-05 Ab Initio Technology Llc Database Security
US11531775B2 (en) * 2014-11-05 2022-12-20 Ab Initio Technology Llc Database security

Also Published As

Publication number Publication date
GB201405803D0 (en) 2014-05-14
WO2015150802A1 (en) 2015-10-08

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)