Discoverability and enumeration mechanisms in a hierarchically secure storage system

Info

Publication number
MXPA06001884A
Authority
MX
Mexico
Prior art keywords
security
data
security policy
descriptor
row
Application number
MXPA/A/2006/001884A
Other languages
Spanish (es)
Inventor
T Hunter Jason
A Dubhashi Kedarnath
Skaria Simon
Original Assignee
Microsoft Corporation*
Application filed by Microsoft Corporation
Publication of MXPA06001884A

Abstract

A system that generates a per user abstraction of a store from a connection point. Filtering a view set of a hierarchically secured containment hierarchy based on the access permissions of the principal is one of the novel features of the invention. The invention can offer a collection of primitives that can operate on this aggregation that span multiple container hierarchies with potentially heterogeneous security descriptors. The model can reduce the necessity to traverse the container hierarchy to discover all the accessible items in a domain.

Description

DISCOVERABILITY AND ENUMERATION MECHANISMS IN A HIERARCHICALLY SECURE STORAGE SYSTEM
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Provisional Patent Application Serial No. 60/657,536, entitled "DISCOVERABILITY AND ENUMERATION MECHANISMS IN A HIERARCHICALLY SECURE STORAGE SYSTEM" and filed on February 28, 2005. The entirety of the above-noted application is incorporated herein by reference.
BACKGROUND
Storage systems traditionally use a containment hierarchy to organize storage units. In these systems, a container and, consequently, the data units maintained inside the container can be independently secured in order to facilitate providing access to principals. Conventional systems offer discoverability through traversal, which can limit access to data upon encountering a container that is not accessible to the principal. These systems suffer from at least the following limitations.
One limitation is that a principal cannot view the global set of data to which it has access. In other words, upon rendering a global data set, if a container is encountered to which a user does not have access, the content (for example, the data units) of this container cannot be rendered. Consider a situation where there is a sub-folder or sub-container inside a container on which access restrictions are placed for the principal. In this scenario, the principal would not be able to view (for example, discover) or access the contents of the sub-folder even if the appropriate permissions were in place. This restrictive discoverability is due to the lack of adequate permissions to access the parent folder.
Another limitation of traditional systems is that a principal cannot operate on all data at once. For example, an operation such as "grant FABRIKAM/alice access to all data in the tree-like structure rooted at a given node" would not be possible, since restrictions could be in place that would limit access to some of the data in the tree-like structure. In some traditional systems, such an operation is performed in the user context instead of a system context.
Yet another limitation of some conventional systems is that data access requires adequate permissions to be in place for all containers from the connection point to the immediate parent of the data unit, in addition to access permissions on the storage unit. In other words, in some systems, even if the direct file path of the data is known, access to the data can be restricted if access permissions do not exist from the connection point to the immediate parent where the data are stored.
Yet another limitation is that, for efficient enumeration in the existing file system model, traditional storage systems distinguish between data and metadata. For rich end-user types, this separation creates difficulty in recognizing the distinction between metadata and data.
BRIEF DESCRIPTION
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is not intended to identify key/critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
The invention disclosed and claimed herein, in one aspect thereof, comprises a system that generates a per-user abstraction of a store from a connection point. This abstraction can facilitate the discoverability of data held in a hierarchically secure storage system according to the applicable permissions. Filtering a view set of a hierarchically secured containment structure based on the access permissions of the principal is one of the novel features of the invention. The invention can offer a collection of primitives that can operate on this aggregation, which spans multiple container hierarchies with potentially heterogeneous security policies (e.g., security descriptors). The model can reduce the need to traverse the container hierarchy to discover all the read-accessible items in a domain.
In yet another aspect, an artificial intelligence (AI) component is provided that uses a probabilistic and/or statistical-based analysis in order to predict or infer an action that a user wishes to have performed automatically.
To the accomplishment of the foregoing and related ends, certain illustrative aspects of the invention are described herein in connection with the following description and the attached drawings. These aspects are indicative, however, of only a few of the various ways in which the principles of the invention may be employed, and the subject invention is intended to include all such aspects and their equivalents.
Other novel features and advantages of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a general component block diagram of a system that facilitates data discoverability in a hierarchically secure storage system, in accordance with an aspect of the invention.
FIG. 2 illustrates a block diagram of a system including a single-instance table and a security descriptor table, in accordance with an aspect of the invention.
FIG. 3 illustrates a system that classifies items in a type system as instances of generic container types and compound item types, according to one aspect.
FIG. 4 illustrates a block diagram of a system having a store component and a client component on opposite sides of a trust boundary, according to an aspect of the invention.
FIG. 5 illustrates an initialization methodology according to an aspect of the invention.
FIG. 6 is a relational diagram illustrating that operations that query the views can operate in the user context, where access control for select statements can be enforced by row-level security, in accordance with an aspect of the invention.
FIG. 7 is a block diagram of a system employing mechanisms based on artificial intelligence, in accordance with an aspect of the invention.
FIG. 8 illustrates a block diagram of a computer operable to execute the disclosed architecture.
FIG. 9 illustrates a schematic block diagram of an exemplary computing environment, in accordance with the subject invention.
DETAILED DESCRIPTION
The invention is now described with reference to the drawings, wherein like reference numbers are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the subject invention. However, it may be evident that the invention can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate the description of the invention.
As used in this application, the terms "component" and "system" are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers.
As used herein, the term "infer" or "inference" generally refers to the process of reasoning about or inferring states of the system, environment, and/or user from a set of observations as captured through events and/or data. Inference can be used to identify a specific context or action, or it can generate a probability distribution over states, for example. Inference can be probabilistic, that is, the calculation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques used for composing higher-level events from a set of events and/or data.
Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources.
The aspects of this invention relate to computer systems and more particularly to the discoverability of data maintained in a hierarchically secure storage system. As described above, traditional storage systems have limitations with respect to security-related discoverability mechanisms. For this purpose, emerging database-oriented file systems can support rich querying and provide schematized end-user types for common data units (for example, contacts). These schematized end-user types facilitate and can improve the interoperability of applications with respect to data.
The subject invention takes into account a hierarchical representation of data. More particularly, this invention takes into account data that can be "bucketized" into different folders and subsequently placed in different containers. Users can use these containers to organize their data. For example, data can be organized (for example, bucketized) into categories such as images, music, documents, etc. Additionally, these categories can also be organized in containers, thus establishing a hierarchical representation of the data. As an example, within the images, there could be images of "my family", "my vacation", "my wedding", etc. Also, sub-categories may exist according to the hierarchy.
In accordance with this hierarchical representation, the invention can facilitate the association of a security policy (e.g., security descriptor) with each object. It will be appreciated that an object can be any data element contained within a container as well as the container itself. Also, each object can be represented in a single row of a table.
This row-based representation will be better understood after a discussion of the figures that follow.
In one aspect, the security descriptor can enable the provisioning of access to these data objects. By way of example, in accordance with one aspect of the invention, a security policy can facilitate setting up a "my vacation" folder so as to allow access by anyone in a group, "my family". Also, within "my vacation", a user can further limit which members of "my family" can access a sub-folder (for example, "my trip to Seattle").
In conventional systems, accessible exploration of a data store terminates at any point where a folder is reached for which the user does not have enumeration access. Consider a hierarchy where F1 contains F2, which contains F3: the moment the user reaches F2, for which he does not have permission, the user will not have the ability to see data within F3. Even when the user has access to F3, conventional systems will prohibit discovery because F3 is contained within F2, for which permissions are not in place. This is a limitation. The subject invention allows a user uniform access to explore (e.g., discover) and/or render, thereby allowing the use of all data in a data store for which permissions are granted and in place. As described above, this uniform access can be facilitated through a security policy associated with each object in a data store. As will be understood, each security policy can be associated with an item at the row level.
Traditional file systems employ two access modes to retrieve files. First, these systems provide a limited discovery method by which a user can discover data elements for which adequate security permissions exist. The other is a direct access mechanism by which a user can access a file if the full path is known and the access permission is in place.
In addition to these two disparate modes, the subject invention may employ a third mode, a query mode (e.g., data store filtering), that allows access and discovery based on security credentials. Unlike traditional systems, the subject invention can provide a mechanism to query all data based on a specific defined property as well as to operate on that data. With this invention, as long as the access credentials are in place, the data can be discovered and operated upon as desired.
Accordingly, the subject invention can allow a security policy (e.g., security descriptor) to be set at the root of a tree-like structure (e.g., hierarchical data organization) and propagated through the tree-like structure to all children in the structure. It is understood that the propagated security descriptor may be based on the parent security policy, the child security policy and/or the type of object. Logic can be used that effects the generation and propagation of a security policy through an entire tree-like structure. As will be described below, rules-based logic and/or artificial intelligence can be used to propagate a security policy.
Consider a scenario where a user creates a new item. In this scenario, there would be certain security policies (for example, descriptors) of the parent that can be inherited by or combined into the child. In one aspect, a user can have a folder (for example, container) with permissions, and when an object is created, the permissions for that object can be assumed to be the same. Alternatively, the permissions propagated to the newly created object can be determined intelligently based on both the permissions for the folder and the permissions for the object. The preceding are examples of inheritance according to aspects of the invention.
It will be appreciated that, in traditional file systems, this propagation is not possible.
Rather, to change permissions in conventional systems, an administrator must walk through each child of a tree-like structure and change the permissions as applicable. By contrast, according to aspects of this invention, when a root permission is changed (or set), the permission can automatically propagate to the whole tree-like structure, including the children.
It is important to note that, in some traditional systems, security permissions could be propagated only in the "user context" at the time of the update. Although there are situations where permissions can change at a later time, conventional systems cannot automatically update these permissions.
The subject invention can propagate permissions in the "system context". Therefore, even if a user does not have permission for an intervening folder, if the permissions are in place for a sub, sub-sub, etc., tree-like structure, these permissions can be propagated according to the invention. This aspect will be better understood by considering the F1, F2 and F3 example mentioned previously.
Continuing with the example, even if the permissions are not in place for F2, if there are permissions for F3, the permissions can be propagated from F1 to F3. Unlike previous file systems that distinguish between attributes (for example, file name, size, date of creation) and data (for example, file content), in rich data systems it is difficult to distinguish between an attribute and data. Therefore, "items" were created and used to grant access permissions on a per-"item" basis, regardless of whether a data element is an attribute or data. Accordingly, with respect to the subject invention, the management of the security model can be particularly simplified, since the system does not have to keep track of two separate security permissions.
Rather, in one aspect, only one "read" permission or only one "write" permission per item is used, instead of two "read" permissions and two "write" permissions per item.
As a result, the invention can make it easier for a user to see an abstraction of all the data for which permissions are in place. These views can be defined over the entire store and then displayed to a user. The view can be defined as the intersection of the items visible from a connection point and the set of allowed security permissions. As a result, a user can view and/or access items below a connection point for which the user has security permissions to view and/or access.
Referring initially to FIG. 1, a system 100 is shown that facilitates rendering a representation of the content of the file store. In general, the system 100 may include a query component 102 and a row-level security component 104. In operation, the query component 102, together with the row-level security component 104, may identify items within a data component 106 that satisfy a security or permission policy. Once identified, the resulting data set can be presented to a user and/or application. For example, as previously described, the invention may present the resulting set to a user through a display device.
With reference now to FIG. 2, a more detailed block diagram of the row-level security component 104 is shown. In particular, the row-level security component 104 may include a security descriptor table 202 and a single-instance table 204. Each of these tables will be described in more detail below.
The security component 104 can provide a row-level security implementation. When the user connects to a share (e.g., data component 106), the implicit view definitions for each of the data types can be defined within the scope of the connection. In order to add context to the invention, below is an exemplary view definition for a "Contact" type.
    CREATE VIEW [System.Storage.Contacts.Store].[Contact] AS
    SELECT ItemId, TypeId, NameSpaceName, ContainerID, ItemSetMetadata,
        TREAT(Item AS [System.Storage.Contacts.Store].[Contact]) AS Item,
        PathHandle, EntityStatus, ObjectSize, ChangeInformation, PromotionState
    FROM [System.Storage.Store].[Item]
    WHERE Item IS OF ([System.Storage.Contacts.Store].[Contact])
        AND (@@ITEM_DOMAIN_IS_ROOT = 1
            OR (PathHandle >= @@ITEM_DOMAIN AND PathHandle < @@ITEM_DOMAIN_LIMIT))
Each item is stored as a row in the entity tables (202, 204). The above exemplary expression can filter Contact types out of the global scope of items in the store. Implicit in this filtering is the dimension of access control, whereby a user sees only those items that are readable according to the security descriptors in the corresponding row.
In this example, a view definition can include the "WHERE" clause identified above, which limits the view to items that are Contacts. The rest of the example can limit access to items from the connection point. It should be understood that the previous view definition does not include the security definition.
As described above, the security mechanism is a row-level security function stored in the tables (202, 204). This mechanism is applied at the level of the table underlying the view and has propagating effects on the view. When security is enabled on a per-row basis, the rows for which a user does not have read access do not appear in the resulting set provided by the query component 102.
In a file system model, each "item" is in a row, and each row has security associated with it. The row-level security mechanism 104 prevents rows for which a user does not have read access from appearing in the results.
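The following added example (not part of the patent text) models the two limits just described with Python's sqlite3 module: the connection-point range test from the view definition and the per-row read check, contrasted with a conventional traversal for the F1/F2/F3 case. The table layout, the string path handles, the read_grants table and every name and row are constructed assumptions.

```python
import sqlite3

# Constructed sample store (assumption): F1 contains F2, which contains F3.
# path_handle is modelled as a string so that every descendant sorts inside
# [domain, domain_limit), like the PathHandle range test in the view above.
ITEMS = [  # (item_id, name, container_id, path_handle, sdid)
    (1, "F1", None, "/1/", 10),
    (2, "F2", 1, "/1/2/", 20),
    (3, "F3", 2, "/1/2/3/", 10),
    (4, "photo.jpg", 3, "/1/2/3/4/", 10),
    (5, "notes.txt", 2, "/1/2/5/", 20),
    (6, "G1", None, "/6/", 10),  # outside the connection point used below
]
# Flattened stand-in for the DACL behind each SDID: who holds read access.
READ_GRANTS = [(10, "alice"), (10, "bob"), (20, "bob")]


def build_store():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT,
                           container_id INTEGER, path_handle TEXT, sdid INTEGER);
        CREATE TABLE read_grants (sdid INTEGER, principal TEXT);
    """)
    db.executemany("INSERT INTO item VALUES (?, ?, ?, ?, ?)", ITEMS)
    db.executemany("INSERT INTO read_grants VALUES (?, ?)", READ_GRANTS)
    return db


def can_read(db, principal, sdid):
    row = db.execute(
        "SELECT 1 FROM read_grants WHERE sdid = ? AND principal = ?",
        (sdid, principal)).fetchone()
    return row is not None


def enumerate_by_traversal(db, principal, root_id):
    """Conventional model: the walk stops at the first unreadable container."""
    found, stack = [], [root_id]
    while stack:
        item_id = stack.pop()
        name, sdid = db.execute(
            "SELECT name, sdid FROM item WHERE item_id = ?",
            (item_id,)).fetchone()
        if not can_read(db, principal, sdid):
            continue  # descendants are never visited, readable or not
        found.append(name)
        children = db.execute(
            "SELECT item_id FROM item WHERE container_id = ?",
            (item_id,)).fetchall()
        stack.extend(child[0] for child in children)
    return sorted(found)


def domain_limit(domain):
    """Exclusive upper bound for all path handles that start with domain."""
    return domain[:-1] + chr(ord(domain[-1]) + 1)


def enumerate_by_query(db, principal, domain):
    """Query mode: connection-point scope intersected with row-level read."""
    rows = db.execute(
        """SELECT i.name FROM item AS i
           WHERE i.path_handle >= ? AND i.path_handle < ?
             AND EXISTS (SELECT 1 FROM read_grants AS g
                         WHERE g.sdid = i.sdid AND g.principal = ?)
           ORDER BY i.name""",
        (domain, domain_limit(domain), principal))
    return [row[0] for row in rows]


if __name__ == "__main__":
    store = build_store()
    for who in ("alice", "bob"):
        print(who, "traversal:", enumerate_by_traversal(store, who, 1))
        print(who, "query:    ", enumerate_by_query(store, who, "/1/"))
```

In the constructed data alice lacks read access to F2, so the traversal returns only F1, while the query still returns F3 and photo.jpg because each row is checked against its own descriptor.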
The view, given a definition passed to the query component 102 (as in the previous example), may limit the presentation (e.g., the view) based at least in part on the connection point. Therefore, the resulting set can be the intersection of these two limitations. It will be appreciated that these security mechanisms can occur implicitly with respect to the query definition. As a result, the user can be shielded from performing either operation.
The subject invention employs a single-instance mechanism that checks the security descriptor of each row in the table (e.g., 204). This single-instancing mechanism makes it appear that the system is carrying out a check across each row. Single-instancing security descriptors across rows can make this check efficient. It will be appreciated that security policies (e.g., access control lists) can be used in place of the exemplary security descriptors. Accordingly, it is to be understood that these additional novel aspects are intended to fall within the scope of this invention and the claims appended thereto. Additionally, although ACLs are mentioned above, it should be understood that other aspects exist that employ disparate security policies. These disparate security policies are intended to fall within the scope of this disclosure and the claims appended thereto.
In operation, two tables (202, 204) are maintained: a security descriptor table 202 and a single-instance table 204 that maps the hash (e.g., SHA-1) of the security descriptor to a security descriptor identifier (SDID). It will be appreciated that this SDID is a unique value. According to the invention, single instancing refers to a mechanism where, for each unique security descriptor in the store, the system maintains a map between the SDID and the hash of the security descriptor.
Therefore, for each row, instead of storing a security descriptor, the SDID that corresponds to it is stored. In one aspect, when a user creates an item, the user has the option to provide a security descriptor or leave it empty. If it is left empty, the security descriptor can be inherited from the parent of the item being created. When the user chooses to explicitly provide a security descriptor, the system can combine the explicitly defined descriptor with the security descriptor of the parent in order to create one.
Once a determination is made of what the security descriptor on the new item will be, a determination is made as to whether it already exists. If it exists, the existing one will be used. If it does not exist, the new one will be saved.
To determine whether a security descriptor exists, the invention refers to the single-instance table 204, which includes a mapping of the security descriptor to a hash (e.g., SHA-1 hash) of the security descriptor. Accordingly, in order to determine whether another item with the same security descriptor exists, a hash of the subject security descriptor is computed. The system then queries the single-instance table 204 to see if any row contains the same hash (for example, SHA-1) of the security descriptor. If a match is found, there is a high probability that it exists.
Next, a comparison of the actual security descriptor is performed in order to verify whether the security descriptor exists. If the actual security descriptor is not the same, the system stores the security descriptor independently. It should be noted that the system relies on the hash algorithm (for example, SHA-1) only to establish that a descriptor is not already present. In other words, if the hash value does not match a hash value in the single-instance table 204, a determination can be made that the security descriptor does not exist.
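The creation and lookup steps above can be sketched as follows. This is an added example, not code from the patent: the in-memory dictionaries standing in for tables 202 and 204, the ACE strings, the rule used to combine an explicit descriptor with the parent's (explicit ACEs first, then inherited ones) and the list kept per hash value for collisions are all assumptions.

```python
import hashlib


def serialize(aces):
    """Constructed binary form of a descriptor: (ace)(ace)... as bytes."""
    return "".join(f"({ace})" for ace in aces).encode()


def parse(blob):
    """Inverse of serialize()."""
    return blob.decode()[1:-1].split(")(")


class DescriptorStore:
    """Single-instance store: hash -> SDID (table 204), SDID -> binary (202)."""

    def __init__(self, hash_fn=None):
        # SHA-1 is the hash the text names; here it is only a lookup key.
        self._hash = hash_fn or (lambda blob: hashlib.sha1(blob).digest())
        self.by_hash = {}   # hash -> list of SDIDs (assumption: list keeps collisions)
        self.by_sdid = {}   # SDID -> descriptor bytes
        self._next_sdid = 1

    def intern(self, blob):
        """Return the SDID for blob, storing it only if it is not present."""
        digest = self._hash(blob)
        # A hash miss proves absence; a hash hit is only a candidate, so the
        # actual descriptor bytes are compared before the SDID is reused.
        for sdid in self.by_hash.get(digest, []):
            if self.by_sdid[sdid] == blob:
                return sdid
        sdid = self._next_sdid
        self._next_sdid += 1
        self.by_sdid[sdid] = blob
        self.by_hash.setdefault(digest, []).append(sdid)
        return sdid


def create_item(items, store, name, parent=None, aces=None):
    """Record name -> SDID in items, following the creation rules above."""
    if parent is None:
        if not aces:
            raise ValueError("a root item needs an explicit descriptor")
        sdid = store.intern(serialize(aces))
    elif aces is None:
        sdid = items[parent]  # left empty: inherit the parent's descriptor
    else:
        # Assumed combination rule: explicit ACEs, then the parent's ACEs.
        parent_aces = parse(store.by_sdid[items[parent]])
        inherited = [ace for ace in parent_aces if ace not in aces]
        sdid = store.intern(serialize(list(aces) + inherited))
    items[name] = sdid
    return sdid


if __name__ == "__main__":
    store, items = DescriptorStore(), {}
    create_item(items, store, "my vacation", aces=["A;;READ;family"])
    for n in range(1000):
        create_item(items, store, f"photo{n}", parent="my vacation")
    create_item(items, store, "my trip to Seattle", parent="my vacation",
                aces=["D;;READ;cousin"])
    print(len(items), "items share", len(store.by_sdid), "stored descriptors")
```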
There are three properties for a security descriptor: the hash (a mathematically computed value based on the binary of the security descriptor), the security descriptor itself (binary), and the SDID (an integer value pointing to the security descriptor). For each row, the system stores the ID of the security descriptor that is relevant to that particular row. Then, in the single-instance table 204, the system maps between the hash (for example, SHA-1) and the SDID. In the security descriptor table 202, the system maps between the SDID and the binary.
Accordingly, the single-instance table 204 and the security descriptor table 202 together give a complete mapping from a SHA-1 hash to SDID to binary. In effect, these two tables (202, 204) can be used to carry out a single-instance check.
A security descriptor can have the following logical form:
    O:owner_sid
    G:group_sid
    D:dacl_identifiers(ace1)(ace2)...(acen)
    S:sacl_identifiers(ace1)(ace2)...(acen)
In the example above, O: identifies the owner, G: identifies the group, D: identifies the Discretionary Access Control List (DACL) (the section of the security descriptor within the scope of this disclosure) and S: identifies the System Access Control List (SACL). The DACL is a collection of Access Control Entries (ACEs), each of which can take the following form:
    ace_type;ace_identifiers;rights;account_sid
A given principal can be granted or denied access to specific items. Accordingly, denied items can be filtered out implicitly from the user's views. A filtering engine or query component 102 can scan all items in the store, agnostic to any container semantics, and produce a uniform set, thereby circumventing the limitations of traversal in traditional file systems.
The two internal tables (202, 204) can be used to facilitate storage and access control in the system. In an exemplary aspect, the system may employ a [System.Storage.Store].[Table!SecurityDescriptorSingleInstance] table 204 and a Sys.security_descriptors table 202 (for example, a security descriptor table). The Sys.security_descriptors table 202 is a catalog view of the security descriptors. These descriptors can be created or deleted by using data definition language (DDL) primitives provided by SQL Server. The single-instance table 204 can be key to central processing unit (CPU) and memory optimizations in the system.
According to one aspect, it may be common for a significant number of items to share the same security policy or descriptor. In an example, the maximum size of an access control list (ACL) is 64Kb; therefore, a given security descriptor can be of the order of 128KB. It will be appreciated that it may be inefficient to store a value of this size with each item given its potentially high degree of commonality. Accordingly, each unique security descriptor can be stored in the Sys.security_descriptors table 202, and a mapping between the descriptor and its SHA-1 hash can be maintained in the single-instance table 204. As previously stated, SHA-1 does not guarantee uniqueness of outputs, but a collision is extremely unlikely given its large output range (for example, 2^160). Since the single-instance table 204 can have a self-healing nature, it can guarantee that the system can recover by itself from corruption or inconsistencies.
The Item/Extension/Fragment/Link tables have a column for the SDID that can be marked with the SECURITY attribute. This can ensure that all access to these tables, and to any views built on top of these tables, is subject to an access check requesting (FILE_READ_DATA | FILE_READ_ATTRIBUTES). The rows in the ItemExtension, Link, and ItemFragment tables have the same security descriptor as the corresponding row in the Item table.
The mechanism described above can be considered to be at the core of an authorization model in the read path for emerging file systems.
Any authorization model may inherently depend on an authentication model. In one example, when a user connects to the store, the user can be authenticated (for example, deemed trusted) by using the preferred authentication mechanisms of the operating system (for example, NTLM (NT LAN Manager), Kerberos). The net result of authentication can be a security token representing the user who is accessing the file system. This token can be used later to make authorization decisions for the principal.
According to another aspect of the invention, items secured by the use of row-level or record-level security (RLS) can be protected from the store service account as well. For security evaluation, the service account can be treated like any other NT account. Although this can particularly guarantee uniform security semantics, it results in interesting problems in the update path. For example, consider a user trying to create an item with a given NamespaceName. Namespace names in emerging file systems are guaranteed to be unique within their containing folder, providing an unambiguous naming system. During create operations, the system guarantees this uniqueness by ensuring the non-existence of other items in the same folder with the same namespace name.
In this scenario, an item may already exist in the folder with access permissions denied to the service account. This invention can address this problem by the use of a signing mechanism. Update primitives that require global access to the store can be signed with certificates that are granted the "RLS exempt" privilege. From within the context of such a primitive, the system can query the store, and row-level security will be bypassed in this case.
As described above, traditional file systems have made a distinction between attributes and data to allow traversal semantics.
The lack of discoverability and query-based semantics led to a model in which attributes and data are distinguished for access control decisions. The subject invention provides seamless access to data and attributes by facilitating all-or-nothing semantics in the type system.
Below is a detailed discussion of an exemplary file system security model. The discussion that follows describes component functionality in a number of disparate scenarios. It should be appreciated that these scenarios are provided merely to add context to the invention and are not intended to limit the invention or the claims appended thereto in any way.
Referring first to the security model of the file system, in one aspect, the data can be organized in a store as "items", where an item can refer to the smallest unit of consistency in the file system. An "item" can be secured, serialized, synchronized, copied, backed up/restored, etc., independently. It will be appreciated that a file system item can be described as an instance of a type whose ancestor is the type System.Storage.Item, which is an entity type. All items in the file system can be stored in a global extent of items. Also, each item can have a unique identifier that is guaranteed to be unique across all items in a given file system store.
Referring now to FIG. 3, a system 300 is shown. In keeping with the context of this security discussion, the items in a type system 302 can be classified as instances of generic container types 304 and compound item types 306. The generic containers 304 can be used to model folders and any other hierarchical data collection bucket. Compound item types 306 can be used to model a single logical unit of data for an application. Instances of this type can provide all-or-nothing semantics for typical data operations such as copy, move, synchronize, etc.
Examples of the latter include, but are not limited to, mail messages, images, contacts, etc. Instances (denoted by dotted lines) of compound item types 306 may be further classified as file-backed items (FBIs) 308 and non-file-backed items (nFBIs) 310. It will be appreciated that Win32-brand access is semantically limited to FBIs and generic containers.

The following containment hierarchy (for example, a tree structure) applies to the items. The generic containers 304 and compound items 306 may contain any other type of item, including generic containers. Items within these additional generic containers can also be secured independently.
FBIs 308 cannot contain other items and thus form leaf nodes in the hierarchy.

Referring now to FIG. 4, it will be appreciated that a file system 400 can include two main components on opposite sides of a trust boundary 402: a store component 404 and a client component 406. As illustrated, the store component 404 may include 1 to N object components, where N is an integer. The object components 1 through N can be referred to individually or collectively as the object components 408. The store component 404, which deals with the storage and retrieval of the objects 408, can form a trusted file system subsystem between the store component 404 and client component 406.

The client component 406, which can provide programming semantics to the platform, normally runs in the user processes. It will be understood that users can be authenticated at connection time. Retrieved objects 408 (for example, items) can be materialized in the client space. In one aspect, no security or access check is enforced by the client on these objects 408. According to the invention, the store component 404 can enforce access control (through the access control component 410) when the programming context is persisted to the store component 404. A discussion of user authentication is presented below.
The file system 400 can expose the notion of a security principal that can carry out actions against the items 408 contained in a file system store 404. In aspects of the invention, a security principal could be a user or a security group. Accordingly, the security principal can be represented by a security identifier (SID).

As illustrated in FIG. 4, a connection to the file system service is made in the context of a security principal that is successfully authenticated by the access control component 410. It will be understood that file system authentication (e.g., through the access control component 410) can be a derivative of the operating system authentication mechanism. For example, file system authentication can be a derivative of the Windows-brand authentication available in the SQL (structured query language) security model. It will be appreciated that SQL offers another built-in authentication mechanism, called SQL authentication, that may not be supported in the file system 400.

Continuing the example, a connection attempted by a Windows-brand user can be authenticated by the file system 400 while leveraging the authentication services provided by Windows, such as Kerberos, NTLM, etc. In the example, an authenticated user is mapped to a "public" role in SQL, which is used for authorization decisions in the store 404. In one aspect, a built-in administrator (BA) will be mapped to SQL administrators, granting SQL administrative privileges to the BA. In an alternative aspect, file system administration can be carried out using only file system primitives. Therefore, the BA would not be a member of the SQL administrators in the alternative aspect.

The net result of the authentication is a security token representing the principal that is accessing the file system 400.
This data structure can include the SID of the incoming principal as well as the SIDs of all the groups of which the principal is a member. In addition, all privileges held by the user can be enabled, by default, while connected to the file system 400. As will be better understood after the discussion below, this token can be used later to make authorization decisions.

Turning now to a discussion of authorization, as described above, file system authorization can be built on share-level security and item-level security. As used in this description, a "share" can refer to an alias to an item 408 in the store 410. When a store 410 is created, a default share aliased to the root item is created. Users with sufficient privileges can create shares aliased to any generic container (for example, item 40) in the store 410.

The file system can use universal naming convention (UNC) paths to expose the namespace locally and remotely. Therefore, file system clients connect to a share, whereupon the relative hierarchy of names constitutes the addressing mechanism for the file system objects 408.

As an example, suppose a user connects to a root share to access foo. Accordingly, the access would appear as //MachineName/StoreName/RootShare/.../foo. Similarly, a user connected to a share named AliceShare would access the same object as //MachineName/AliceShare/.../foo. In this example, the effective permission on the item can be a function of the security descriptor on the connected share and on the item. It should be understood that the former defines share-level security and the latter defines item-level security. The details of each of these mechanisms, as well as the rules for composing the effective security descriptors, are described below.
Starting with a discussion of share-level security, the file system shares according to the invention are somewhat similar to Windows-brand shares. In order to provide uniform semantics over local and remote access, for each file system share created, a mirror share can also be created. The shares can be stored as items in a catalog store and can be secured by the use of item security, which is the topic that follows. The permissions on these items and on the shares can be the same, granting uniform access semantics for both local and remote access.

Default permissions can be granted as desired with respect to the items. For example, items fired in a share may have different default permissions applied with respect to the user's characteristics (for example, local system built-in administrator, authenticated, interactive ...). Similar to Windows-brand shares, the default values for the share security descriptor are configurable by using the registry setting at LanManServer/DefaultSecurity/SrvsvcDefaultShareInfo.

Item security mechanisms can use security descriptors to perform access control. Accordingly, in one aspect, a security descriptor can be communicated through APIs (application program interfaces) in a security descriptor definition language string format and stored in the database in a packed binary format under the VARBINARY column of Sys.Security_Descriptors, the security descriptor table (202 of FIG. 2). This security descriptor table, Sys.Security_Descriptors, exists to contain each unique security descriptor, stored as a packed binary security descriptor with a unique ID (SDID) to be used as a foreign key in the base tables of the file system.
For example, a security descriptor table may appear as follows:

Although the above security descriptor table employs a binary representation for the security descriptor, it should be appreciated that any suitable representation can be employed without departing from the spirit and scope of the invention and the claims appended thereto.

Turning now to a discussion of the representation and storage of security descriptors and related data, as described above, the invention employs two internal tables that may contain information related to security descriptors: a security descriptor table (e.g., Sys.Security_Descriptors) and a single-instance table (for example, [System.Storage.Warehouse].[Table!SecurityDescriptorIndividualInstance]).

Continuing with the example, Sys.Security_Descriptors is a catalog view maintained by SQL. The descriptor is stored in a row corresponding to the SDID. The single-instance table can be maintained by the file system. It contains a map from a hash of the binary security descriptor to the SDID identified in the aforementioned Sys.Security_Descriptors view or table. In one example, a SHA-1 hash can be used. If multiple items are created with the same security descriptor, there may be a single entry in both tables.

As stated above, another novel feature of the invention is that if the single-instance table is ever corrupted, it can be destroyed, since it is a self-healing table. In other words, if corruption occurs, a new table can be created merely by generating new hash values and associating them with the appropriate SDIDs.

In one aspect, the Item/Extension/Fragment/Link tables may have an entry for the SDID that is marked with a "security" attribute. It will be understood that this can ensure that any read access to these tables, and to any view built on top of them, is subject to an access check requesting (FILE_READ_DATA | FILE_READ_ATTRIBUTES).
It will also be understood that the ItemExtension, Link and ItemFragment tables must have the same security descriptor as the Item table.

FIG. 5 illustrates an initialization methodology according to an aspect of the invention. Although, for purposes of simplicity of explanation, the one or more methodologies shown herein, for example, in the form of a flow chart, are shown and described as a series of acts, it must be understood and appreciated that the subject invention is not limited by the order of acts, since some acts may, in accordance with the invention, occur in a different order and/or concurrently with other acts from what is shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Furthermore, not all illustrated acts may be required to implement a methodology according to the invention.

While forming a model database during the build process, the security data structures are initialized. At 502, the tables are set up. In one example, setting up the tables can include setting up Sys.server_principals, Sys.database_principals, Sys.server_role_members, and Sys.database_role_members. At 504, a single-instance table is created. According to our example, [System.Storage.Warehouse].[Table!SecurityDescriptorIndividualInstance] can be created at 504. At 506, a root security descriptor is created. This root security descriptor corresponds to the root of the store (for example, administrators have full control). At 508, item-level security descriptors are created. For example, at 508, security descriptors can be created for broadcast announcement items such that administrators have full control and authenticated users have read access. At 510, these entries are added to the single-instance table.
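The two-table arrangement and the self-healing property described above can be sketched as follows. This is an added example, not code from the patent: the table and function names are hypothetical, SQLite stands in for the SQL store, and the descriptors are constructed SDDL strings used in place of the packed binary form.

```python
import hashlib
import sqlite3

# Constructed sample descriptors (SDDL text standing in for packed binary SDs).
ROOT_SD = b"O:BAG:BAD:(A;;FA;;;BA)"              # administrators: full control
ITEM_SD = b"O:BAG:BAD:(A;;FA;;;BA)(A;;FR;;;AU)"  # plus authenticated users: read


def open_store():
    """Create the descriptor table, the single-instance table and an item table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE security_descriptors (
            sdid INTEGER PRIMARY KEY AUTOINCREMENT,
            sd   BLOB NOT NULL);
        CREATE TABLE sd_single_instance (
            sd_hash BLOB PRIMARY KEY,
            sdid    INTEGER NOT NULL);
        CREATE TABLE items (
            item_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            sdid    INTEGER NOT NULL REFERENCES security_descriptors(sdid));
    """)
    return db


def sd_hash(sd):
    return hashlib.sha1(sd).digest()


def get_or_create_sdid(db, sd):
    """Return the SDID for sd, storing the descriptor only if it is new."""
    h = sd_hash(sd)
    hit = db.execute("SELECT sdid FROM sd_single_instance WHERE sd_hash = ?",
                     (h,)).fetchone()
    if hit:
        # Trust the hash row only if it points at the same descriptor bytes.
        stored = db.execute("SELECT sd FROM security_descriptors WHERE sdid = ?",
                            (hit[0],)).fetchone()
        if stored and stored[0] == sd:
            return hit[0]
    # Miss or stale mapping: the descriptor table is authoritative.
    row = db.execute("SELECT sdid FROM security_descriptors WHERE sd = ?",
                     (sd,)).fetchone()
    if row:
        sdid = row[0]
    else:
        sdid = db.execute("INSERT INTO security_descriptors (sd) VALUES (?)",
                          (sd,)).lastrowid
    db.execute("INSERT OR REPLACE INTO sd_single_instance (sd_hash, sdid) "
               "VALUES (?, ?)", (h, sdid))
    return sdid


def rebuild_single_instance(db):
    """Self-healing: drop every hash row and regenerate it from the descriptors."""
    db.execute("DELETE FROM sd_single_instance")
    rows = db.execute("SELECT sdid, sd FROM security_descriptors "
                      "ORDER BY sdid").fetchall()
    for sdid, sd in rows:
        db.execute("INSERT OR IGNORE INTO sd_single_instance (sd_hash, sdid) "
                   "VALUES (?, ?)", (sd_hash(sd), sdid))
    return db.execute("SELECT COUNT(*) FROM sd_single_instance").fetchone()[0]


def create_item(db, name, sd):
    sdid = get_or_create_sdid(db, sd)
    db.execute("INSERT INTO items (name, sdid) VALUES (?, ?)", (name, sdid))
    return sdid


def demo():
    db = open_store()
    root = get_or_create_sdid(db, ROOT_SD)
    m1 = create_item(db, "mail-1", ITEM_SD)
    m2 = create_item(db, "mail-2", ITEM_SD)   # same descriptor, same SDID
    db.execute("UPDATE sd_single_instance SET sdid = 9999")  # simulated corruption
    m3 = create_item(db, "mail-3", ITEM_SD)   # stale row is detected and repaired
    rebuilt = rebuild_single_instance(db)
    count = db.execute("SELECT COUNT(*) FROM security_descriptors").fetchone()[0]
    return {"root_sdid": root, "mail1_sdid": m1, "mail2_sdid": m2,
            "mail3_sdid": m3, "rebuilt_rows": rebuilt, "descriptor_rows": count,
            "after_rebuild_sdid": get_or_create_sdid(db, ITEM_SD)}


if __name__ == "__main__":
    print(demo())
```

Because the descriptor table stays authoritative, losing or corrupting the hash table costs a rebuild but never changes which descriptor an item row points at.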
The file system can support the inheritance of ACLs. For example, at the time an item is created (for example, CreateArticle or CreateComplexArticles), the security descriptor for the item can be computed by using the supplied security descriptor (if any), the parent security descriptor, the type of the item and the token (for example, NT-brand token) of the caller.

Turning now to a discussion of access checks, all update APIs perform appropriate access checks by calling [System.Storage.Warehouse].[Has Access Security]. The API ensures that the requested permission bit is granted to the caller both at the share level and at the level of the security descriptor (for example, item, record). In a specific aspect, the access check performed on the security descriptor (of the parent) is different (FILE_DELETE_CHILD) from the one performed on the share (DELETE). For other cases, the two access checks may be consistent.

Continuing with the example, ACL propagation through the entire tree can be performed when SetArticleSecurity is called (with a new DACL or SACL) or MoveArticle is called with a new parent. After the appropriate access checks are carried out to ensure that the caller is allowed to perform the operation, the ACL propagation can take place in the context of the file system. Access checks are not performed on the subtree whose ACLs are updated.

It should be appreciated that the invention can employ asynchronous and/or synchronous propagation. A discussion of synchronous propagation is presented below. It should be understood that the root of the subtree has nothing to do with compound items. Rather, the root of the subtree is a generic term for the node on which SetArticleSecurity or MoveArticle is called.
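The two-level access check described above (the requested bits must be granted on the connected share and on the item's own descriptor) and the resulting per-principal filtering of rows can be sketched as follows. This is an added example, not the patent's implementation: the ACE model is a simplified ordered DACL walk, the function names are hypothetical, and the SIDs other than the well-known BUILTIN\Users SID are constructed.

```python
from dataclasses import dataclass

# Real Win32 access-mask bits; READ matches the read check named in the text.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_READ_ATTRIBUTES = 0x0080
READ = FILE_READ_DATA | FILE_READ_ATTRIBUTES

USERS = "S-1-5-32-545"                    # BUILTIN\Users (well-known SID)
ALICE = "S-1-5-21-1111-2222-3333-1001"    # constructed
BOB = "S-1-5-21-1111-2222-3333-1002"      # constructed
CAROL = "S-1-5-21-1111-2222-3333-1003"    # constructed
HR = "S-1-5-21-1111-2222-3333-2001"       # constructed group


@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    """Result of authentication: the user's SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | self.group_sids


def access_check(dacl, token, desired):
    """Ordered DACL walk: a matching deny on a still-needed bit fails at once."""
    remaining = desired
    sids = token.sids()
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return remaining == 0


def has_security_access(share_dacl, item_dacl, token, desired):
    """Effective permission: granted on the connected share AND on the item."""
    return (access_check(share_dacl, token, desired)
            and access_check(item_dacl, token, desired))


# Constructed store: SDID -> DACL, and item rows carrying an SDID foreign key.
SECURITY_DESCRIPTORS = {
    1: [Ace(True, USERS, READ)],
    2: [Ace(True, HR, READ)],
    3: [Ace(False, ALICE, READ), Ace(True, USERS, READ)],
}
ITEMS = [("foo", 1), ("payroll", 2), ("notes", 3)]
ALICE_SHARE = [Ace(True, ALICE, READ | FILE_WRITE_DATA), Ace(True, USERS, READ)]


def visible_items(token, share_dacl):
    """Row-level filter: enumerate only the rows the principal may read."""
    return [name for name, sdid in ITEMS
            if has_security_access(share_dacl, SECURITY_DESCRIPTORS[sdid],
                                   token, READ)]


ALICE_TOKEN = Token(ALICE, frozenset({USERS}))
BOB_TOKEN = Token(BOB, frozenset({USERS, HR}))
CAROL_TOKEN = Token(CAROL)

if __name__ == "__main__":
    print(visible_items(ALICE_TOKEN, ALICE_SHARE))
    print(visible_items(BOB_TOKEN, ALICE_SHARE))
```

Alice holds write access on the share, yet a write to foo is still refused because the item's descriptor grants only read; that is the composition of share-level and item-level security in miniature.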
In synchronous propagation, the new security descriptor for the root item is computed. If DACL or SACL are not updated, the SDID is updated for the item, extension, fragment and link tables and the system returns. The entire item subtree is locked, starting at the item. In the example, it is not necessary to lock any other table (Extension, Fragment, Link).

Next, a temporary table can be created that contains all the items from the previous act. The temporary table can have the following characteristics. The temporary table can have Container, Articule, and NewSdId. Initially, NewSdId can be NULL for all rows except the root of the subtree.

For each entry in the temporary table, the new SD can be computed by using the new parent SD, the item type and the existing item SD. In the example, CreatePrivateObjectSecurityEx(SEF_AVOID_PRIVILEGE_CHECK | SEF_AVOID_OWNER_CHECK) can be used. Accordingly, the temporary table can be traversed level by level, each pass processing those rows whose new parent SD has been computed and whose new SDID is null. According to the example, this walks the table one level at a time.

The number of iterations is O(depth of the tree). Two points can be considered. First, the computation of new security descriptors can be considered. Second, the updating of security descriptors on all children can be considered. In the second scenario, the theoretical limit is O(number of children).
In the first scenario, although not necessarily, it is normally O(depth of the tree). If necessary, a new security descriptor can be created (for example, in the single-instance and Sys.Security_Descriptors tables). Next, the SDID is updated in the temporary table. Finally, the Item, Extension, Link and Fragment tables can be updated by using the data computed in the temporary table.

FIG. 6 illustrates that T/SQL operations querying the master table views operate in the user context, where access control for SELECT statements is enforced by row-level security. Additionally, calls to the file system store update API are made in the user context but execute in the system context. Therefore, the implementation can enforce permission checks for the caller.

FIG. 7 illustrates a system 700 employing artificial intelligence (AI) that facilitates automating one or more features according to the subject invention. The subject invention (for example, in connection with the implementation of security policies) can employ various AI-based schemes to carry out various aspects of it. For example, a process for determining whether a security descriptor should be set and, if so, the level of security to be employed can be facilitated through an automatic classifier system and process. In addition, when the single-instance and security descriptor tables (202, 204 of FIG. 2) are located remotely at multiple locations, the classifier can be used to determine which location will be selected for comparison.
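The synchronous propagation procedure described earlier (temporary table, level-by-level passes, write-back to the item table) can be sketched as follows. This is an added example, not the patent's code: compute_sd is a simplified stand-in for CreatePrivateObjectSecurityEx that treats every parent ACE as inheritable, the names are hypothetical, and the tree and SDDL-style ACE strings are constructed.

```python
ADMIN_FULL = "(A;;FA;;;BA)"     # constructed SDDL-style ACE strings
ALLOW_READ_AU = "(A;;FR;;;AU)"
DENY_WRITE_AU = "(D;;FW;;;AU)"


class Descriptors:
    """Single-instanced descriptors: one SDID per distinct descriptor."""

    def __init__(self):
        self.ids = {}   # descriptor -> SDID
        self.sds = {}   # SDID -> descriptor

    def intern(self, sd):
        if sd not in self.ids:
            sdid = len(self.ids) + 1
            self.ids[sd] = sdid
            self.sds[sdid] = sd
        return self.ids[sd]


def explicit(aces):
    """A descriptor is a tuple of (ace_text, inherited_flag) pairs."""
    return tuple((a, False) for a in aces)


def compute_sd(parent_sd, existing_sd):
    """New SD = the item's own explicit ACEs, then everything from the parent."""
    own = tuple(a for a in existing_sd if not a[1])
    inherited = tuple((text, True) for text, _ in parent_sd)
    return own + inherited


def build_sample():
    """Constructed tree: 1 root, 2 projects, 3 alpha, 4 spec, 5 plan, 6 beta, 7 other."""
    descs, items = Descriptors(), {}

    def add(item_id, container, aces=()):
        parent_sd = descs.sds[items[container]["sdid"]] if container else ()
        sd = compute_sd(parent_sd, explicit(aces))
        items[item_id] = {"container": container, "sdid": descs.intern(sd)}

    add(1, None, [ADMIN_FULL])
    add(2, 1)
    add(3, 2)
    add(4, 3, [ALLOW_READ_AU])
    add(5, 3)
    add(6, 2)
    add(7, 1)
    return items, descs


def set_item_security(items, descs, root_id, new_aces):
    """Propagate a new DACL set on root_id; returns (passes, rows in temp table)."""
    parent = items[root_id]["container"]
    parent_sd = descs.sds[items[parent]["sdid"]] if parent else ()
    root_sd = compute_sd(parent_sd, explicit(new_aces))

    # Temporary table: every item of the subtree, NewSdId NULL except the root.
    children = {}
    for item_id, row in items.items():
        children.setdefault(row["container"], []).append(item_id)
    temp, stack = {}, [root_id]
    while stack:
        item_id = stack.pop()
        temp[item_id] = {"container": items[item_id]["container"], "new_sdid": None}
        stack.extend(children.get(item_id, []))
    temp[root_id]["new_sdid"] = descs.intern(root_sd)

    # Each pass handles the rows whose parent is done and whose NewSdId is NULL.
    passes = 0
    while True:
        ready = [i for i, r in temp.items()
                 if r["new_sdid"] is None
                 and temp[r["container"]]["new_sdid"] is not None]
        if not ready:
            break
        passes += 1
        for item_id in ready:
            new_parent_sd = descs.sds[temp[temp[item_id]["container"]]["new_sdid"]]
            old_sd = descs.sds[items[item_id]["sdid"]]
            temp[item_id]["new_sdid"] = descs.intern(compute_sd(new_parent_sd, old_sd))

    # Write the computed SDIDs back to the item table.
    for item_id, row in temp.items():
        items[item_id]["sdid"] = row["new_sdid"]
    return passes, len(temp)


def run_example():
    items, descs = build_sample()
    passes, rows = set_item_security(items, descs, 2, [DENY_WRITE_AU])
    return items, descs, passes, rows


if __name__ == "__main__":
    print(run_example()[2:])
```

The pass count equals the depth of the subtree below the node on which the change was made, while the number of updated rows grows with the number of descendants, which is the distinction between the two bounds discussed in the text.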
A classifier is a function that maps an input attribute vector, x = (x1, x2, x3, x4, xp), to a confidence that the input belongs to a class, that is, f(x) = confidence(class). Such a classification can employ a probabilistic and/or statistical analysis (for example, factoring utilities and costs into the analysis) in order to forecast or infer an action that a user wishes to be carried out automatically.

A support vector machine (SVM) is an example of a classifier that can be used. The SVM operates by finding a hypersurface in the space of possible inputs, which hypersurface attempts to split the triggering criteria from the non-triggering events. Intuitively, this makes the classification correct for testing data that is near, but not identical to, the training data. Other directed and undirected model classification approaches may be employed, including, for example, Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models, and probabilistic classification models that provide different patterns of independence. Classification, as used herein, is also inclusive of statistical regression that is used to develop priority models.

As will be readily appreciated from the subject specification, the subject invention may employ classifiers that are explicitly trained (for example, through generic training data) as well as implicitly trained (for example, through observing user behavior, receiving extrinsic information). For example, SVMs are configured through a learning or training phase within a classifier constructor and feature selection module. In this way, the classifier(s) can be used to automatically learn and perform a number of functions, including, but not limited to, determining according to a predetermined criterion.

Referring now to FIG. 8, a block diagram of a computer operable to execute the disclosed architecture is illustrated.
In order to provide additional context for various aspects of the subject invention, FIG. 8 and the following discussion are intended to provide a brief, general description of a suitable computing environment 800 in which the various aspects of the invention can be implemented. Although the invention has been described above in the general context of computer-executable instructions that can run on one or more computers, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules and/or as a combination of hardware and software.
In general, program modules include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types. In addition, those skilled in the art will appreciate that the inventive methods can be practiced with other computer system configurations, including single-processor or multi-processor computer systems, minicomputers, mainframe computers, as well as personal computers, portable computing devices, microprocessor-based or programmable consumer electronics and the like, each of which can be operatively coupled to one or more associated devices.

The illustrated aspects of the invention can also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.

A computer typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by the computer and include both volatile and non-volatile media, removable and non-removable media. By way of example, and without limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media include both volatile and non-volatile, removable and non-removable media, implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disc (DVD) or other optical disk storage, magnetic tapes, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by the computer.
Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" means a signal having one or more of its characteristics set or changed in such a way as to encode information in the signal. By way of example, and not limitation, communication media include wired media, such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.

With reference again to FIG. 8, the exemplary environment 800 for implementing various aspects of the invention includes a computer 802, the computer 802 including a processing unit 804, a system memory 806 and a system bus 808. The system bus 808 couples system components including, but not limited to, the system memory 806 to the processing unit 804. The processing unit 804 may be any of various commercially available processors. Dual microprocessors and other multi-processor architectures can also be used as the processing unit 804.

The system bus 808 can be any of several types of bus structure that can further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory 806 includes read-only memory (ROM) 810 and random access memory (RAM) 812. A basic input/output system (BIOS) is stored in a non-volatile memory 810 such as ROM, EPROM, EEPROM, which BIOS contains the basic routines that help transfer information between elements within the computer 802, such as during startup. The RAM 812 may also include high-speed RAM, such as static RAM for caching data.
The computer 802 further includes an internal hard disk drive (HDD) 814 (e.g., EIDE, SATA), which internal hard disk drive 814 can also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 816 (for example, to read from or write to a removable diskette 818) and an optical disk drive 820 (for example, to read a CD-ROM disc 822 or to read from or write to other high-capacity optical media, such as a DVD). The hard disk drive 814, the magnetic disk drive 816 and the optical disk drive 820 can be connected to the system bus 808 via a hard disk drive interface 824, a magnetic disk drive interface 826 and an optical drive interface 828, respectively. The interface 824 for external drive implementations includes at least one or both of the Universal Serial Bus (USB) and IEEE 1394 interface technologies. Other external drive connection technologies are within the contemplation of the subject invention.

The drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions and so forth. For the computer 802, the drives and media accommodate the storage of any data in a suitable digital format. Although the description of computer-readable media above refers to an HDD, a removable magnetic diskette, and removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media that are readable by a computer, such as zip drives, magnetic tapes, flash memory cards, cartridges and the like, can also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for carrying out the methods of the invention.

A number of program modules can be stored in the drives and RAM 812, including an operating system 830, one or more application programs 832, other program modules 834 and program data 836.
All or portions of the operating system, applications, modules and/or data can also be stored in RAM 812. It is appreciated that the invention can be implemented with various commercially available operating systems or combinations of operating systems.

A user can enter commands and information into the computer 802 through one or more wired/wireless input devices, for example, a keyboard 838 and a pointing device, such as a mouse 840. Other input devices (not shown) may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, a touch screen, or the like. These and other input devices are often connected to the processing unit 804 through an input device interface 842 that is coupled to the system bus 808, but can be connected by other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.

A monitor 844 or other type of display device is also connected to the system bus 808 through an interface, such as a video adapter 846. In addition to the monitor 844, a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.

The computer 802 can operate in a networked environment by using logical connections over wired and/or wireless communications to one or more remote computers, such as remote computer(s) 848. The remote computer(s) 848 can be a workstation, a server computer, a router, a personal computer, a laptop, a microprocessor-based entertainment device, a peer device or other common network node, and typically includes many or all of the elements described in relation to the computer 802, although, for purposes of brevity, only a memory/storage device 850 is illustrated. The logical connections illustrated include wired/wireless connectivity to a local area network (LAN) 852 and/or larger networks, for example, a wide area network (WAN) 854.
Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which can connect to a global communications network, for example, the Internet.

When used in a LAN networking environment, the computer 802 is connected to the local network 852 through a wired and/or wireless communication network interface or adapter 856. The adapter 856 can facilitate wired or wireless communication to the LAN 852, which may also include a wireless access point placed thereon for communicating with the wireless adapter 856.

When used in a WAN networking environment, the computer 802 may include a modem 858, or is connected to a communications server on the WAN 854, or has other means for establishing communications over the WAN 854, such as via the Internet. The modem 858, which may be internal or external and a wired or wireless device, is connected to the system bus 808 through the serial port interface 842. In a networked environment, the program modules illustrated with respect to the computer 802, or portions thereof, may be stored in the remote memory/storage device 850. It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The computer 802 is operable to communicate with any wireless device or entity operatively placed in wireless communication, e.g., a printer, scanner, desktop and/or laptop computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable identifier (e.g., a newsstand, news shelf, bedroom) and telephone. This includes at least Bluetooth™ and Wi-Fi wireless technologies. In this way, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.
Wi-Fi, or Wireless Fidelity, allows connection to the Internet from a couch at home, a bed in a hotel room or a conference room at work, without cables. Wi-Fi is a wireless technology similar to that used in a cell phone that allows such devices, for example, computers, to send and receive data indoors and out, anywhere within the range of a base station. Wi-Fi networks use radio technologies called IEEE 802.11 (a, b, g, etc.) in order to provide wireless, fast, reliable, and secure connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet). Wi-Fi networks operate in the 2.4 and 5 GHz radio bands, at a data transmission rate of 11 Mbps (802.11a) or 54 Mbps, for example, or with products that contain both bands (dual band), so that the networks can provide real-world performance similar to the basic 10BaseT wired Ethernet networks used in many offices.

Referring now to FIG. 9, a schematic block diagram of an exemplary computing environment 900 according to the subject invention is illustrated. The system 900 includes one or more clients 902. The client(s) 902 may be hardware and/or software (for example, threads, processes, computing devices). The client(s) 902 may house cookie(s) and/or associated contextual information by employing the invention, for example. The system 900 also includes one or more servers 904. The server(s) 904 may also be hardware and/or software (e.g., threads, processes, computing devices). The servers 904 can house threads to carry out transformations by employing the invention, for example. One possible communication between a client 902 and a server 904 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The data packet may include a cookie and/or associated contextual information, for example.
The system 900 includes a communication framework 906 (e.g., a global communication network such as the Internet) that can be used to facilitate communications between the client(s) 902 and the server(s) 904.

The communications can be facilitated through wired (including optical fiber) and/or wireless technology. The client(s) 902 are operatively connected to one or more client data stores 908 that can be used to store information local to the client(s) 902 (e.g., cookie(s) and/or associated contextual information). Similarly, the server(s) 904 are operatively connected to one or more server data stores 910 that can be used to store information local to the servers 904.

What has been described above includes examples of the invention. Of course, it is not possible to describe every conceivable combination of components or methodologies for purposes of describing the subject matter, but one of ordinary skill in the art can recognize that many additional combinations and permutations of the invention are possible. Accordingly, the invention is intended to cover all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Further, to the extent that the term "includes" is used in either the detailed description or the claims, such a term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.

Claims (20)

1. A system that facilitates access to data, characterized in that it comprises: a query component that generates an abstraction of a data store from a connection point; and a row-level security component that limits the abstraction based on at least one row-level access permission.
2. The system according to claim 1, characterized in that the data store is organized in a hierarchy and the query component transcends the hierarchy.
3. The system according to claim 1, characterized in that it further comprises a component that provides a reliable identity establishment system, used in connection with a policy of access control reinforcement.
4. The system according to claim 1, characterized in that it also comprises a conversion component that has limited abstraction.
5. The system according to claim 1, characterized in that the row-level security component associates a security policy with at least one row in the data store.
6. The system according to claim 5, characterized in that each row in the data store contains a single object.
7. The system according to claim 6, characterized in that the security policy is at least one of an access control list (ACL) and a security descriptor.
8. The system according to claim 7, characterized in that it is at least one of a data element and a container organized in a hierarchical organization.
9. The system according to claim 8, characterized in that it also comprises a component that determines if the propagation is adequate and, if necessary, establishes the security policy at a root of the hierarchy and propagates the security policy towards at least one child in the hierarchy.
10. The system according to claim 9, characterized in that the component propagating the security policy intelligently uses a security descriptor of a parent in order to calculate an effective security descriptor for the object.
11. The system according to claim 1, characterized in that the row-level security component further comprises: a security descriptor table that graphically represents a security descriptor for a security descriptor identifier (SDID); and a single-instance table that graphically represents the SDID for a hash value of the SDID.
12. The system according to claim 11, characterized in that the SDID is an integer value pointing towards the security descriptor.
13. The system according to claim 1, characterized in that the hash value is generated through a SHA-1 hashing algorithm.
14. The system according to claim 1, characterized in that it also comprises an artificial intelligence (AI) component that employs a probability and/or statistical analysis in order to forecast or deduce an action that a user wishes to be carried out automatically.
15. A computer-readable medium having computer-executable instructions stored thereon for carrying out the system according to claim 1.
16. A method for providing data access control in a data store, characterized in that it comprises: organize the data in a hierarchical organization; transcend the hierarchical organization; establish a security policy in a root of the hierarchical organization; intelligently propagate the security policy to at least one child in the hierarchical organization based at least in part on a parent security descriptor; generate a connection point abstraction of the data store; and apply a row-level security policy in order to limit the abstraction to a subset of the data based at least in part on the row-level security policy, where the row-level security policy associates at least one of an ACL and a security descriptor with at least one row in the data store.
17. The method according to claim 16, characterized in that it further comprises the establishment of a reliable identity establishment system used in connection with the implementation of the row-level security policy.
18. The method according to claim 17, characterized in that it also comprises the presentation of the limited abstraction.
19. A system that facilitates the control of data access in a data store, characterized in that it comprises: means for organizing the data in a structure similar to a tree; means to transcend the structure similar to a tree; means to establish a security policy in a root of the structure similar to a tree; means to intelligently propagate the security policy to at least one child in the structure similar to a tree; means to apply the security policy propagated based at least in part on a security policy of a parent and a child security policy; and means for filtering an abstraction of the connection point of the data store based at least in part on one or more security policies, the one or more security policies associated with at least one row in the data store.
20. The system according to claim 19, characterized in that it further comprises: means for establishing a reliable identity establishment system used in connection with the implementation of the row-level security policy.
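The mechanism recited in claims 9 to 13 (propagation from a root, effective descriptors computed from the parent, single-instanced descriptors keyed by SHA-1, and row-level filtering of the view) can be sketched as follows. This is an added example, not code from the patent: the `Store` class, the `(principal, right)` entry model, the item names and the hash-to-SDID lookup direction are assumptions, and inheritance is simplified to a union of parent and explicit entries.

```python
import hashlib

class Store:
    # Added sketch: one object per row, each row tagged with an SDID (assumed model).
    def __init__(self):
        self.sd_table = {}         # SDID (int) -> security descriptor
        self.single_instance = {}  # SHA-1 of descriptor -> SDID
        self.rows = {}             # item id -> {"parent", "explicit", "sdid"}

    def intern(self, aces):
        """Return the SDID for a descriptor, storing each distinct one once."""
        sd = tuple(sorted(aces))
        digest = hashlib.sha1(repr(sd).encode()).hexdigest()
        if digest not in self.single_instance:
            sdid = len(self.sd_table) + 1
            self.sd_table[sdid] = sd
            self.single_instance[digest] = sdid
        return self.single_instance[digest]

    def put(self, item, parent=None, explicit=()):
        """Create or update a row's explicit entries, then propagate downward."""
        self.rows[item] = {"parent": parent, "explicit": set(explicit), "sdid": None}
        self.propagate(item)

    def propagate(self, item):
        """Recompute the effective descriptor from the parent's, then recurse."""
        row = self.rows[item]
        inherited = set()
        if row["parent"] is not None:
            inherited = set(self.sd_table[self.rows[row["parent"]]["sdid"]])
        row["sdid"] = self.intern(inherited | row["explicit"])
        for child, r in self.rows.items():
            if r["parent"] == item:
                self.propagate(child)

    def visible(self, principal, right="read"):
        """Row-level filter: flat scan by SDID, no walk of the hierarchy."""
        allowed = {i for i, sd in self.sd_table.items() if (principal, right) in sd}
        return sorted(i for i, r in self.rows.items() if r["sdid"] in allowed)

def demo():
    s = Store()  # constructed sample hierarchy
    s.put("root", explicit=[("admin", "read")])
    s.put("docs", "root", [("alice", "read")])
    s.put("docs/a.txt", "docs")
    s.put("docs/b.txt", "docs")
    s.put("hr", "root", [("bob", "read")])
    s.put("hr/pay.xls", "hr")
    return s
```

Six rows share three stored descriptors here, and changing the root policy re-derives every child's SDID without touching the rows' explicit entries.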
MXPA/A/2006/001884A 2005-02-28 2006-02-17 Discoverability and enumeration mechanisms in a hierarchically secure storage system MXPA06001884A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60/657,536 2005-02-28
US11168589 2005-06-28

Publications (1)

Publication Number Publication Date
MXPA06001884A (en) 2007-04-10
