WO2008064049A2 - Filtering access to data objects - Google Patents

Filtering access to data objects Download PDF

Info

Publication number
WO2008064049A2
WO2008064049A2 PCT/US2007/084744 US2007084744W WO2008064049A2 WO 2008064049 A2 WO2008064049 A2 WO 2008064049A2 US 2007084744 W US2007084744 W US 2007084744W WO 2008064049 A2 WO2008064049 A2 WO 2008064049A2
Authority
WO
WIPO (PCT)
Prior art keywords
source code
user
code
request
server
Prior art date
Application number
PCT/US2007/084744
Other languages
French (fr)
Other versions
WO2008064049A3 (en
Inventor
Jianyu Chen
Jan Gronski
Jian Yang
Xiaoqing Lu
Yang Song
Original Assignee
Cisco Technology, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN2006101382009A external-priority patent/CN101187965B/en
Application filed by Cisco Technology, Inc. filed Critical Cisco Technology, Inc.
Priority to GB0910339.1A priority Critical patent/GB2457840B/en
Publication of WO2008064049A2 publication Critical patent/WO2008064049A2/en
Publication of WO2008064049A3 publication Critical patent/WO2008064049A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management

Definitions

  • Embodiments of the present invention generally relate to software development and more specifically to filtering access to portions of source code being developed.
  • source code In a software development cycle, source code is typically developed by many different teams. The different teams may be responsible for different portions of the source code. As software programs become more complicated, the source code generated becomes very complex and large.
  • the source code may be built during the development process. This may convert source code files into executable code.
  • the build may occur periodically, such as daily, or at any other time.
  • the build typically compiles and links various files that are interdependent in the source code.
  • To compile and link the files together the source code is typically stored on the same server.
  • the editing and compilation is also performed on the same server so the files can be built together.
  • users who are editing the source code have visibility to all of the source code at once. This may allow access to portions of source code to different teams that may not be developing those portions. This may not be desirable when intellectual property is being protected. For example, an organization may not want some teams to be able to view other portions of the source code.
  • Fig. 1 depicts an example system for managing source code.
  • FIG. 2 depicts a more detailed example of the system depicted in Fig. 1.
  • FIG. 3 depicts an example of a method for controlling access to source code.
  • FIG. 4 depicts an example method for determining if a user is authorized to access a portion of source code from a code server.
  • a code server and edit server are provided.
  • the code server stores the source code. Users do not access the code server directly. Rather, an edit server is used where users can log in to the edit server and send requests to edit portions of the source code. The edit server then sends requests to the code server for requested portions of the source code.
  • Different users may have different access rights to portions of the code. For example, a first user may be able to access a first portion of the code and a second user may be able to access a second portion of the code but not vice versa.
  • the code server determines the user requesting the portion of the source code does not have access rights to it, then the code server does not allow the portion of code to be accessed. However, if the user does have access rights, then the portion of the source code is retrieved and sent to the edit server. The user can then edit the source code on the edit server.
  • the edit server sends the edited source code back to the code server.
  • the code server then stores the portion of the source code back into the source code.
  • the above process is performed such that the source code can still be built/compiled. Even though portions are sent to the edit server for editing, the source code directory is maintained. The edited source code is then stored back in the directory such that the source code can be built with the edited code.
  • FIG. 1 depicts an example system 100 for managing source code.
  • a code server 102 an edit server 104, storage 106, and user devices 108 are provided.
  • Code server 102 may be any computing device.
  • code server 102 may be a server.
  • code server 102 may include a storage system, mainframe, or any other computing device.
  • Code server 102 includes source code.
  • source code may be stored in a directory or file system in storage 106.
  • the source code may be any software code.
  • the source code may include code that needs to be built.
  • building the source code involves compiling and linking files in the source code into an executable form. A person skilled in the art will appreciate various method of building source code and different forms of source code.
  • Edit server 104 may be any computing device, such as a server. Further, in other embodiments, edit server 104 may be a mainframe, workstation, personal computer, or any other computing device.
  • Edit server 104 and code server 102 may be separate devices. In this case, a user needs to use edit server 104 to interact with code server 102. However, it will be understood that edit server 104 and code server 102 may be part of the same device, but are partitioned such that a user cannot directly access code server 102.
  • User devices 108 are devices that a user uses to access edit server 104.
  • user devices 108 include personal computers, laptop computers, workstations, etc.
  • User devices 108 may be associated with various users where users may be separated into workgroups.
  • Workgroups may be a group of users that have the same access rights or permissions. For example, a certain group may have first access rights and a second group may have second access rights. These access rights may allow access to different portions of the source code.
  • workgroups are described for groups of users, it will be understood that different users in workgroups may have different rights. For example, rights for all users may be individually tailored. Or, the process may be simplified by subdividing users into various workgroups.
  • Embodiments of the present invention restrict access to source code. Also, users do not access the source code directly from code server 102. Rather, the requests are sent to edit server 104. Edit server 104 then sends the requests to code server 102, which then can determine the access rights for the user. If the user is allowed to access the portion of code requested, the code is retrieved and sent to edit server 104. The user can then edit the portion of the source code using edit server 104.
  • edit server 104 may send the edited source code back to code server 102, which can then restore the edited portion of the source code in the source code.
  • Fig. 2 depicts a more detailed example of system.
  • code server 102 includes a proxy 202, a provisioner 204, and storage 106.
  • Edit server 104 includes a request generator 206, a code receiver 208, and a code sender 210.
  • Request generator 206 receives requests from users. For example, a user may use a user device 108 to send a request for a portion of the source code.
  • a user may browse the directory of the source code using edit server 104.
  • the directory of the source code stored on code server 102 may be duplicated on edit server 104.
  • Request generator 206 then generates a request for the portion of code for coder server 102.
  • the request may identify a portion of code, e.g. file (or files), and also include information about the user who is requesting the source code.
  • the information about the user may include a user identifier, the workgroup the user is associated with, the product the user is working on, the project the user is working on, etc.
  • the information is used to determine what portions of the source code stored on code server 102 the user is authorized to access.
  • the request may also be secured using any security protocol.
  • secure shell (ssh) may be used to send the request from request generator 206 to proxy 202.
  • other methods of securing the request such as using certificates, passwords, etc. may be used.
  • Proxy 202 receives the request and then authenticates the request.
  • the authentication may include device authentication and user authentication.
  • proxy 202 may authenticate a key that has been used to encrypt the request.
  • the authentication may be to make sure that the request was sent by an authorized device that can request portions of the source code.
  • User authentication may be authenticated through log-in name and password, public key, private key, certificates.
  • Provisioner 204 is provisioned through an administrator and is used to determine the authorizations for the user. Provisioner 204, after authentication, may use the authenticated info (such as user name) to determine the access rights. For example, an access filter may be provisioned for each user or workgroup. Different workgroups may be given different authorizations, which allow access to different sections of the source code. Also, proxy 202 may detect if the user is listed in an authorized user list for the product included in the request, determine if the request is within the project scope, etc.
  • Provisioner 204 determines the access filter for the user and applies it to the request. If the requested portion of code is found in the access filter as being a portion of code that the user can access, then the request is approved. If the access filter shows the user is not authorized to access the portion of code requested, then provisioner 204 may deny the request. In the case of denying the request, proxy 202 sends a message back to request generator 206 indicating the request is denied. The user may then be sent a message that the user's request is denied.
  • proxy 202 then retrieves the portion of the source code from storage 106. An encrypted session with edit server 104 is then established. In the encrypted session, proxy 202 transfers the portion of source code to code receiver 208. For example, any number of source code files may be transferred in the encrypted session.
  • the user can view, modify, and edit the source code files from edit server 104.
  • the files may be accessed from edit server 104.
  • device 108 uses a virtual terminal (such as VNC) to view/edit the source code directly on device 104.
  • a user may use user device 108-1 to download the portion of source code. The user may then edit, view, and modify the source code on user device 108-1.
  • Edit server 104 thus allows editing of the source code either while it is stored on it or by allowing download of the source code.
  • Code server 102 does not allow editing of the source code and may only send it to code server 102 such that code server 102 can allow the editing.
  • code sender 210 may establish another encrypted session with code server 102. In this session, code sender 210 sends the edited source code back to proxy 202.
  • the modified source code files are transferred from edit server 104 to code server 102.
  • Proxy 202 then stores the edited portion of source code back into the source code stored in storage 106.
  • the edited files may replace the same files found in the source code.
  • Source code unlike text documents, is not the final form of a final product. In order for source code to be "useful", a build process needs to be applied to the source code, which transforms the source code into machine language, later to be executed on another device. For example, this transformation from source code to machine language is called a "compile process or a build" process. This process may require all or partial source code from the project code base.
  • the build may require .h header files.
  • the built binaries can be transferred from code server 102 to edit server 104 for debugging, packaging, etc.
  • the source code in storage 106 may be built at any time. Even if a portion of the source code has been checked out, the original source code (i.e., the portion that is not being edited) can be built. However, once the edited portion of source code is stored in storage 106, a command to build the source code may be sent. In one embodiment, a request may be sent remotely from edit server 104 to code server 102.
  • the build may proceed but the user may not edit the interdependent files. This preserves protection of IP information but also allows a build to be performed.
  • Fig. 3 depicts an example of a method for controlling access to source code.
  • edit server 104 receives a request for a portion of source code. The request may be received from a user.
  • edit server 104 determines information for the user.
  • the information may be the user identity, a workgroup the user is associated with, etc.
  • edit server 104 generates a request for the portion of source code.
  • edit server 104 establishes an encrypted session with code server 102.
  • the encrypted session may be established using any encryption methods.
  • edit server 104 sends the request in the encrypted session.
  • edit server 104 receives a response from code server 102.
  • the response may be a denial of the request if the user is not authorized to access the portion of source code. Also, the response may be the portion of the source code that was requested by the user if the user is authorized to access that portion of source code.
  • Fig. 4 depicts an example method for determining if a user is authorized to access a portion of source code from code server 102.
  • code server 102 receives a request for a portion of code in an encrypted session.
  • the request includes information about the user who submitted the request.
  • step 404 code server 102 authenticates the user. In this case, code server 102 determines if the request is valid.
  • code server 102 determines authorizations for the user. For example, for a workgroup that the user is in, different portions of code may be accessible to that workgroup. Code server 102 determines if the portion of code requested is part of the source code that the user is authorized to access. This is done based on filters or any other methods.
  • code server 102 If the user is not authorized, code server 102 returns a message indicating the user is not authorized to access the portion of code.
  • step 410 If the user is authorized, in step 410, the portion of source code is retrieved from storage 106.
  • step 412 an encrypted session with edit server 104 is established and the portion of source code is sent to edit server 104.
  • Particular embodiments partition the source code such that different portions of the source code may be accessed from code server 102.
  • the code can then be viewed, modified, and edited on edit server 104.
  • users cannot access code server 102 directly.
  • This allows the control of the source code on code server 102 but also allows users to modify portions of the source code they are allowed to access.
  • the underlying operating system is not changed such that a build can be performed on the source code stored on code server 102.
  • code and edit servers are virtual servers. They need not be bounded by hardware.
  • edit and code servers can run on the same physical server via a virtualization program, (vmware for example).
  • code servers can be one or multiple servers that are logically joined as to give the user an appearance of one server.
  • routines of embodiments of the present invention can be implemented using C, C++, Java, assembly language, etc.
  • Different programming techniques can be employed such as procedural or object oriented.
  • the routines can execute on a single processing device or multiple processors. Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, multiple steps shown as sequential in this specification can be performed at the same time.
  • the sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc.
  • the routines can operate in an operating system environment or as stand-alone routines occupying all, or a substantial part, of the system processing. Functions can be performed in hardware, software, or a combination of both. Unless otherwise stated, functions may also be performed manually, in whole or in part.
  • a "computer-readable medium” for purposes of embodiments of the present invention may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, system or device.
  • the computer readable medium can be, by way of example only but not by limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory.
  • Embodiments of the present invention can be implemented in the form of control logic in software or hardware or a combination of both.
  • the control logic may be stored in an information storage medium, such as a computer-readable medium, as a plurality of instructions adapted to direct an information processing device to perform a set of steps disclosed in embodiments of the present invention.
  • an information storage medium such as a computer-readable medium
  • a person of ordinary skill in the art will appreciate other ways and/or methods to implement the present invention.
  • a "'processor” or “process” includes any human, hardware and/or software system, mechanism or component that processes data, signals or other information.
  • a processor can include a system with a general -purpose central processing unit, multiple processing units, dedicated circuitry for achieving functionality, or other systems. Processing need not be limited to a geographic location, or have temporal limitations. For example, a processor can perform its functions in "real time,” “offline,” in a “batch mode,” etc. Portions of processing can be performed at different times and at different locations, by different (or the same) processing systems.
  • Embodiments of the invention may be implemented by using a programmed general purpose digital computer, by using application specific integrated circuits, programmable logic devices, field programmable gate arrays, optical, chemical, biological, quantum or nanoengineered systems, components and mechanisms may be used.
  • the functions of embodiments of the present invention can be achieved by any means as is known in the art.
  • Distributed, or networked systems, components and circuits can be used.
  • Communication, or transfer, of data may be wired, wireless, or by any other means.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

In one embodiment, a code server and edit server are provided. The code server stores the source code. Users do not access the code server directly. Rather, an edit server is used where users can log in to the edit server and send requests to edit portions of the source code. The edit server then sends requests to the code server for requested portions of the source code. Different users may have different access rights to portions of the code. When the request is received from the edit server, if the code server determines the user requesting the portion of the source code does not have access rights to it, then the code server does not allow the portion of code to be accessed. However, if the user does have access rights, then the portion of the source code is retrieved and sent to the edit server. The user can then edit the source code on the edit server.

Description

PATENT APPLICATION FILTERING ACCESS TO DATA OBJECTS
Cross References to Related Applications
Pursuant to Article 4 of the Paris Convention, this application claims priority to Chinese Patent Application No. 200610138200.9 entitled "Filtering Access to Data Objects" filed on November 16, 2006, which is incorporated by reference in its entirety for all purposes.
Technical Field
[01] Embodiments of the present invention generally relate to software development and more specifically to filtering access to portions of source code being developed.
Background
[02] In a software development cycle, source code is typically developed by many different teams. The different teams may be responsible for different portions of the source code. As software programs become more complicated, the source code generated becomes very complex and large.
[03] The source code may be built during the development process. This may convert source code files into executable code. The build may occur periodically, such as daily, or at any other time. The build typically compiles and links various files that are interdependent in the source code. To compile and link the files together, the source code is typically stored on the same server. The editing and compilation is also performed on the same server so the files can be built together. Thus, users who are editing the source code have visibility to all of the source code at once. This may allow access to portions of source code to different teams that may not be developing those portions. This may not be desirable when intellectual property is being protected. For example, an organization may not want some teams to be able to view other portions of the source code.
Brief Description of the Drawings
[04] Fig. 1 depicts an example system for managing source code.
[05] Fig. 2 depicts a more detailed example of the system depicted in Fig. 1.
[06] Fig. 3 depicts an example of a method for controlling access to source code.
[07] Fig. 4 depicts an example method for determining if a user is authorized to access a portion of source code from a code server.
Description of Example Embodiments
Overview
[08] In one embodiment, a code server and edit server are provided. The code server stores the source code. Users do not access the code server directly. Rather, an edit server is used where users can log in to the edit server and send requests to edit portions of the source code. The edit server then sends requests to the code server for requested portions of the source code.
[09] Different users may have different access rights to portions of the code. For example, a first user may be able to access a first portion of the code and a second user may be able to access a second portion of the code but not vice versa. When the request is received from the edit server, if the code server determines the user requesting the portion of the source code does not have access rights to it, then the code server does not allow the portion of code to be accessed. However, if the user does have access rights, then the portion of the source code is retrieved and sent to the edit server. The user can then edit the source code on the edit server. [10] When the user is finished editing the source code, the edit server sends the edited source code back to the code server. The code server then stores the portion of the source code back into the source code. The above process is performed such that the source code can still be built/compiled. Even though portions are sent to the edit server for editing, the source code directory is maintained. The edited source code is then stored back in the directory such that the source code can be built with the edited code.
Example Embodiments
[11] Fig. 1 depicts an example system 100 for managing source code. As shown, a code server 102, an edit server 104, storage 106, and user devices 108 are provided.
[12] Code server 102 may be any computing device. For example, code server 102 may be a server. In other particular embodiments, code server 102 may include a storage system, mainframe, or any other computing device.
[13] Code server 102 includes source code. In one embodiment, source code may be stored in a directory or file system in storage 106. The source code may be any software code. For example, the source code may include code that needs to be built. For example, building the source code involves compiling and linking files in the source code into an executable form. A person skilled in the art will appreciate various method of building source code and different forms of source code.
[14] Edit server 104 may be any computing device, such as a server. Further, in other embodiments, edit server 104 may be a mainframe, workstation, personal computer, or any other computing device.
[15] Edit server 104 and code server 102 may be separate devices. In this case, a user needs to use edit server 104 to interact with code server 102. However, it will be understood that edit server 104 and code server 102 may be part of the same device, but are partitioned such that a user cannot directly access code server 102.
[16] User devices 108 are devices that a user uses to access edit server 104. In one embodiment, user devices 108 include personal computers, laptop computers, workstations, etc.
[17] User devices 108 may be associated with various users where users may be separated into workgroups. Workgroups may be a group of users that have the same access rights or permissions. For example, a certain group may have first access rights and a second group may have second access rights. These access rights may allow access to different portions of the source code.
[18] Although workgroups are described for groups of users, it will be understood that different users in workgroups may have different rights. For example, rights for all users may be individually tailored. Or, the process may be simplified by subdividing users into various workgroups.
[19] Embodiments of the present invention restrict access to source code. Also, users do not access the source code directly from code server 102. Rather, the requests are sent to edit server 104. Edit server 104 then sends the requests to code server 102, which then can determine the access rights for the user. If the user is allowed to access the portion of code requested, the code is retrieved and sent to edit server 104. The user can then edit the portion of the source code using edit server 104.
[20] When the user is finished editing the source code, edit server 104 may send the edited source code back to code server 102, which can then restore the edited portion of the source code in the source code.
[21] Fig. 2 depicts a more detailed example of system. As shown, code server 102 includes a proxy 202, a provisioner 204, and storage 106. Edit server 104 includes a request generator 206, a code receiver 208, and a code sender 210.
[22] Request generator 206 receives requests from users. For example, a user may use a user device 108 to send a request for a portion of the source code. In one embodiment, a user may browse the directory of the source code using edit server 104. For example, the directory of the source code stored on code server 102 may be duplicated on edit server 104. When a portion of the source code, such as a file, is desired by the user, the user can browse for that file and then send a request to request generator 206. Request generator 206 then generates a request for the portion of code for coder server 102. The request may identify a portion of code, e.g. file (or files), and also include information about the user who is requesting the source code.
[23] The information about the user may include a user identifier, the workgroup the user is associated with, the product the user is working on, the project the user is working on, etc. The information is used to determine what portions of the source code stored on code server 102 the user is authorized to access.
[24] The request may also be secured using any security protocol. For example, secure shell (ssh) may be used to send the request from request generator 206 to proxy 202. Additionally, other methods of securing the request, such as using certificates, passwords, etc. may be used.
[25] Proxy 202 receives the request and then authenticates the request. The authentication may include device authentication and user authentication. For example, proxy 202 may authenticate a key that has been used to encrypt the request. The authentication may be to make sure that the request was sent by an authorized device that can request portions of the source code. User authentication may be authenticated through log-in name and password, public key, private key, certificates.
[26] Provisioner 204 is provisioned through an administrator and is used to determine the authorizations for the user. Provisioner 204, after authentication, may use the authenticated info (such as user name) to determine the access rights. For example, an access filter may be provisioned for each user or workgroup. Different workgroups may be given different authorizations, which allow access to different sections of the source code. Also, proxy 202 may detect if the user is listed in an authorized user list for the product included in the request, determine if the request is within the project scope, etc.
[27] Provisioner 204 determines the access filter for the user and applies it to the request. If the requested portion of code is found in the access filter as being a portion of code that the user can access, then the request is approved. If the access filter shows the user is not authorized to access the portion of code requested, then provisioner 204 may deny the request. In the case of denying the request, proxy 202 sends a message back to request generator 206 indicating the request is denied. The user may then be sent a message that the user's request is denied.
[28] If the user is authorized to access the portion of the source code, proxy 202 then retrieves the portion of the source code from storage 106. An encrypted session with edit server 104 is then established. In the encrypted session, proxy 202 transfers the portion of source code to code receiver 208. For example, any number of source code files may be transferred in the encrypted session.
[29] After the transfer, the user can view, modify, and edit the source code files from edit server 104. For example, the files may be accessed from edit server 104. In one embodiment, device 108 uses a virtual terminal (such as VNC) to view/edit the source code directly on device 104. In another embodiment, a user may use user device 108-1 to download the portion of source code. The user may then edit, view, and modify the source code on user device 108-1. Edit server 104 thus allows editing of the source code either while it is stored on it or by allowing download of the source code. Code server 102 does not allow editing of the source code and may only send it to code server 102 such that code server 102 can allow the editing.
[30] When the user is finished working on the portion of source code, code sender 210 may establish another encrypted session with code server 102. In this session, code sender 210 sends the edited source code back to proxy 202.
[31] For example, the modified source code files are transferred from edit server 104 to code server 102. Proxy 202 then stores the edited portion of source code back into the source code stored in storage 106. For example, the edited files may replace the same files found in the source code.
[32] Accordingly, separation of editing and storing of source code is provided. The source code is stored on a first device and the editing is allowed on a second device. Editing is not allowed on the first device. This ensures that portions of source code can be partitioned and access can be restricted to certain portions. Intellectual property (IP) is thus protected by the separation and restriction of access. [33] Source code, unlike text documents, is not the final form of a final product. In order for source code to be "useful", a build process needs to be applied to the source code, which transforms the source code into machine language, later to be executed on another device. For example, this transformation from source code to machine language is called a "compile process or a build" process. This process may require all or partial source code from the project code base. For example, the build may require .h header files. The built binaries can be transferred from code server 102 to edit server 104 for debugging, packaging, etc. The source code in storage 106 may be built at any time. Even if a portion of the source code has been checked out, the original source code (i.e., the portion that is not being edited) can be built. However, once the edited portion of source code is stored in storage 106, a command to build the source code may be sent. In one embodiment, a request may be sent remotely from edit server 104 to code server 102.
[34] In a build, various files in the source code may be interdependent and in order to build the file, the other interdependent files need to be accessed. However, certain users may not have access to the dependent files. Accordingly, conventionally, a user would have had to access all of those files. However, in this case, particular embodiments allow a user to access a file but since all the files are stored on code server 102, the file may be built where other files that are not accessible to the user may also be used in the build.
[35] The build may proceed but the user may not edit the interdependent files. This preserves protection of IP information but also allows a build to be performed.
[36] Fig. 3 depicts an example of a method for controlling access to source code. In step 302, edit server 104 receives a request for a portion of source code. The request may be received from a user.
[37] In step 304, edit server 104 determines information for the user. For example, the information may be the user identity, a workgroup the user is associated with, etc.
[38] In step 306, edit server 104 generates a request for the portion of source code.
[39] In step 308, edit server 104 establishes an encrypted session with code server 102. The encrypted session may be established using any encryption methods. [40] In step 310, edit server 104 sends the request in the encrypted session.
[41 ] In step 312, edit server 104 receives a response from code server 102. The response may be a denial of the request if the user is not authorized to access the portion of source code. Also, the response may be the portion of the source code that was requested by the user if the user is authorized to access that portion of source code.
[42] Fig. 4 depicts an example method for determining if a user is authorized to access a portion of source code from code server 102. In step 402, code server 102 receives a request for a portion of code in an encrypted session. The request includes information about the user who submitted the request.
[43] In step 404, code server 102 authenticates the user. In this case, code server 102 determines if the request is valid.
[44] In step 406, code server 102 determines authorizations for the user. For example, for a workgroup that the user is in, different portions of code may be accessible to that workgroup. Code server 102 determines if the portion of code requested is part of the source code that the user is authorized to access. This is done based on filters or any other methods.
[45] If the user is not authorized, code server 102 returns a message indicating the user is not authorized to access the portion of code.
[46] If the user is authorized, in step 410, the portion of source code is retrieved from storage 106.
[47] In step 412, an encrypted session with edit server 104 is established and the portion of source code is sent to edit server 104.
[48] Particular embodiments partition the source code such that different portions of the source code may be accessed from code server 102. The code can then be viewed, modified, and edited on edit server 104. Thus, users cannot access code server 102 directly. This allows the control of the source code on code server 102 but also allows users to modify portions of the source code they are allowed to access. Also, the underlying operating system is not changed such that a build can be performed on the source code stored on code server 102.
[49] Although the invention has been described with respect to specific embodiments thereof, these embodiments are merely illustrative, and not restrictive of the invention. For example, the code and edit servers are virtual servers. They need not be bounded by hardware. For example, edit and code servers can run on the same physical server via a virtualization program, (vmware for example). Also code servers can be one or multiple servers that are logically joined as to give the user an appearance of one server.
[50] Any suitable programming language can be used to implement the routines of embodiments of the present invention including C, C++, Java, assembly language, etc. Different programming techniques can be employed such as procedural or object oriented. The routines can execute on a single processing device or multiple processors. Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, multiple steps shown as sequential in this specification can be performed at the same time. The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc. The routines can operate in an operating system environment or as stand-alone routines occupying all, or a substantial part, of the system processing. Functions can be performed in hardware, software, or a combination of both. Unless otherwise stated, functions may also be performed manually, in whole or in part.
[51] In the description herein, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the present invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other apparatus, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.
[52] A "computer-readable medium" for purposes of embodiments of the present invention may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, system or device. The computer readable medium can be, by way of example only but not by limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory.
[53] Embodiments of the present invention can be implemented in the form of control logic in software or hardware or a combination of both. The control logic may be stored in an information storage medium, such as a computer-readable medium, as a plurality of instructions adapted to direct an information processing device to perform a set of steps disclosed in embodiments of the present invention. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the present invention.
[54] A "'processor" or "process" includes any human, hardware and/or software system, mechanism or component that processes data, signals or other information. A processor can include a system with a general -purpose central processing unit, multiple processing units, dedicated circuitry for achieving functionality, or other systems. Processing need not be limited to a geographic location, or have temporal limitations. For example, a processor can perform its functions in "real time," "offline," in a "batch mode," etc. Portions of processing can be performed at different times and at different locations, by different (or the same) processing systems.
[55] Reference throughout this specification to "one embodiment", "an embodiment", or "'a specific embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention and not necessarily in all embodiments. Thus, respective appearances of the phrases "'in one embodiment", "in an embodiment", or "in a specific embodiment" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics of any specific embodiment of the present invention may be combined in any suitable manner with one or more other embodiments. It is to be understood that other variations and modifications of the embodiments of the present invention described and illustrated herein are possible in light of the teachings herein and are to be considered as part of the spirit and scope of the present invention. [56] Embodiments of the invention may be implemented by using a programmed general purpose digital computer, by using application specific integrated circuits, programmable logic devices, field programmable gate arrays, optical, chemical, biological, quantum or nanoengineered systems, components and mechanisms may be used. In general, the functions of embodiments of the present invention can be achieved by any means as is known in the art. Distributed, or networked systems, components and circuits can be used. Communication, or transfer, of data may be wired, wireless, or by any other means.
[57] It will also be appreciated that one or more of the elements depicted in the drawings/figures can also be implemented in a more separated or integrated manner, or even removed or rendered as inoperable in certain cases, as is useful in accordance with a particular application. It is also within the spirit and scope of the present invention to implement a program or code that can be stored in a machine-readable medium to permit a computer to perform any of the methods described above.
[58] Additionally, any signal arrows in the drawings/Figures should be considered only as exemplary, and not limiting, unless otherwise specifically noted. Furthermore, the term "or" as used herein is generally intended to mean "and/or" unless otherwise indicated. Combinations of components or steps will also be considered as being noted, where terminology is foreseen as rendering the ability to separate or combine is unclear.
[59] As used in the description herein and throughout the claims that follow, "a", "an", and "the" includes plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise.
[60] The foregoing description of illustrated embodiments of the present invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed herein. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes only, various equivalent modifications are possible within the spirit and scope of the present invention, as those skilled in the relevant art will recognize and appreciate. As indicated, these modifications may be made to the present invention in light of the foregoing description of illustrated embodiments of the present invention and are to be included within the spirit and
 [61] Thus, while the present invention has been described herein with reference to particular embodiments thereof, a latitude of modification, various changes and substitutions are intended in the foregoing disclosures, and it will be appreciated that in some instances some features of embodiments of the invention will be employed without a corresponding use of other features without departing from the scope and spirit of the invention as set forth. Therefore, many modifications may be made to adapt a particular situation or material to the essential scope and spirit of the present invention. It is intended that the invention not be limited to the particular terms used in following claims and/or to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include any and all embodiments and equivalents falling within the scope of the appended claims.

Claims

ClaimsWe claim:
1. A method comprising: receiving, at a first device, a request for a portion of source code stored on the first device from a second device, wherein a user submits the request through the second device; determining if a user associated with the request is authorized to access the portion of the source code from the first device; retrieving the portion of the source code; sending the portion of the source code to the second device, wherein the second device allows editing of the portion of the source code, wherein the portion of the source code is not editable on the first device; receiving, at the first device, an edited portion of the source code from the second device; and storing the edited portion of the source code.
2. The method of claim 1 , further comprising authenticating the request from the second device.
3. The method of claim 1 , wherein determining if a user associated with the request is authorized to access the portion of the source code comprising: determining user information associated with the user; and using the information to determine if the user is authorized to access the portion of the source code.
4. The method of claim 1 , further comprising providing a build of the portion of source code, wherein a second portion of source code that the user is not authorized to access is used in the build.
5. The method of claim 1, wherein the source code is built on the first device but not edited, and the second device allows editing of the portion of the source code.
6. A method comprising: receiving, at a first device, a user request for a portion of source code stored on a second device; generating a code request for the portion of source code stored on the second device; receiving the portion of the source code from the second device if the second determines a user associated with the user request is authorized to access the portion of the source code; allowing editing of the portion of the source code through the first device, wherein the source code is not editable on the second device; and sending the edited portion of the source code to the second device after editing.
7. The method of claim 6, further comprising determining user information associated with the user to include in code request for determining if the user is authorized to access the portion of the source code.
8. The method of claim 7, wherein the user information comprises a workgroup associated with the user, wherein the workgroup is associated with portions of the source code that are accessible to users in the workgroup.
9. The method of claim 6, wherein the source code is built on the second device but not edited, and first device allows editing of the portion of the source code.
10. The method of claim 6, further comprising: establishing an encrypted session with the second device; and sending the code request in the encrypted session.
11. An apparatus comprising: one or more processors; and logic encoded in one or more tangible media for execution by the one or more processors and when executed operable to: receive, at a first device, a request for a portion of source code stored on the first device from a second device, wherein a user submits the request through the second device; determine if a user associated with the request is authorized to access the portion of the source code from the first device; retrieve the portion of the source code; send the portion of the source code to the second device, wherein second device allows editing of the portion of the source code, wherein the portion of the source code is not editable on the first device; receive, at the first device, an edited portion of the source code from the second device; and store the edited portion of the source code in the source code.
12. The apparatus of claim 11 , wherein the logic, when executed, is further operable to authenticate the request from the second device.
13. The apparatus of claim 11 , wherein the logic, when executed, is further operable to: determine user information associated with the user; and use the information to determine if the user is authorized to access the portion of the source code.
14. The apparatus of claim 11 , wherein the logic, when executed, is further operable to provide a build of the portion of source code, wherein a second portion of source code that the user is not authorized to access is used in the build.
15. The apparatus of claim 11 , wherein the source code is built on the first device but not edited, and the second device allows editing of the portion of the source code.
16. An apparatus comprising: one or more processors; and logic encoded in one or more tangible media for execution by the one or more processors and when executed operable to: receive, at a first device, a user request for a portion of source code stored on a second device; generate a code request for the portion of source code stored on the second device; receive the portion of the source code from the second device if the second determines a user associated with the user request is authorized to access the portion of the source code; allow editing of the portion of the source code through the first device, wherein the source code is not editable on the second device; and send the edited portion of the source code to the second device after editing.
17. The apparatus of claim 16, wherein the logic, when executed, is further operable to determine user information associated with the user to include in code request for determining if the user is authorized to access the portion of the source code.
18. The apparatus of claim 17, wherein the user information comprises a workgroup associated with the user, wherein the workgroup is associated with portions of the source code that are accessible to users in the workgroup.
19. The apparatus of claim 16, wherein the source code is built on the second device but not edited, and the first device allows editing of the portion of the source code.
20. The apparatus of claim 16, wherein the logic, when executed, is further operable to: establish an encrypted session with the second device; and send the code request in the encrypted session.
21. An apparatus comprising: means for receiving, at a first device, a request for a portion of source code stored on the first device from a second device, wherein a user submits the request through the second device; means for determining if a user associated with the request is authorized to access the portion of the source code from the first device; means for retrieving the portion of the source code; means for sending the portion of the source code to the second device, wherein the second device allows editing of the portion of the source code, wherein the portion of the source code is not editable on the first device; means for receiving, at the first device, an edited portion of the source code from the second device; and means for storing the edited portion of the source code in the source code.
22. An apparatus comprising: means for receiving, at a first device, a user request for a portion of source code stored on a second device; means for generating a code request for the portion of source code stored on the second device; means for receiving the portion of the source code from the second device if the second determines a user associated with the user request is authorized to access the portion of the source code; means for allowing editing of the portion of the source code through the first device, wherein the source code is not editable on the second device; and means for sending the edited portion of the source code to the second device after editing.
PCT/US2007/084744 2006-11-16 2007-11-15 Filtering access to data objects WO2008064049A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0910339.1A GB2457840B (en) 2006-11-16 2007-11-15 Filtering access to data objects

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200610138200.9 2006-11-16
CN2006101382009A CN101187965B (en) 2006-11-16 2006-11-16 Filtering of access to data object
US11/638,765 US8151365B2 (en) 2006-11-16 2006-12-13 Filtering access to data objects
US11/638,765 2006-12-13

Publications (2)

Publication Number Publication Date
WO2008064049A2 true WO2008064049A2 (en) 2008-05-29
WO2008064049A3 WO2008064049A3 (en) 2008-09-04

Family

ID=39430495

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/084744 WO2008064049A2 (en) 2006-11-16 2007-11-15 Filtering access to data objects

Country Status (1)

Country Link
WO (1) WO2008064049A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111324884A (en) * 2020-03-19 2020-06-23 苏州羿景睿图信息科技有限公司 Multi-authority authorization verification method based on FPGA

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5937192A (en) * 1996-01-16 1999-08-10 British Telecommunications Public Limited Company Compilation of computer program for execution on single compiling computer and for execution on multiple distributed computer system
US6110228A (en) * 1994-12-28 2000-08-29 International Business Machines Corporation Method and apparatus for software maintenance at remote nodes
US20050097197A1 (en) * 2003-10-07 2005-05-05 International Business Machines Corporation Web browser control for customer support

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6110228A (en) * 1994-12-28 2000-08-29 International Business Machines Corporation Method and apparatus for software maintenance at remote nodes
US5937192A (en) * 1996-01-16 1999-08-10 British Telecommunications Public Limited Company Compilation of computer program for execution on single compiling computer and for execution on multiple distributed computer system
US20050097197A1 (en) * 2003-10-07 2005-05-05 International Business Machines Corporation Web browser control for customer support

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111324884A (en) * 2020-03-19 2020-06-23 苏州羿景睿图信息科技有限公司 Multi-authority authorization verification method based on FPGA
CN111324884B (en) * 2020-03-19 2023-03-14 苏州羿景睿图信息科技有限公司 Multi-authority authorization verification method based on FPGA

Also Published As

Publication number Publication date
WO2008064049A3 (en) 2008-09-04

Similar Documents

Publication Publication Date Title
US8151365B2 (en) Filtering access to data objects
JP6207697B2 (en) Safe mobile framework
CN105027107B (en) Migrate the computer implemented method and computing system of computing resource
US9854063B2 (en) Enterprise application store for an orchestration framework for connected devices
KR101770417B1 (en) Validating the identity of a mobile application for mobile application management
CN104838630B (en) Application program management based on strategy
KR101738400B1 (en) Mobile device locking with context
CN109074274A (en) Virtual browser is integrated
CN105308923A (en) Data management for an application with multiple operation modes
WO2022026316A1 (en) Secure token transfer between untrusted entities
EP4423645A1 (en) Control of access to computing resources implemented in isolated environments
CN116601916A (en) Attribute-based encryption key as keying material for key hash message authentication code user authentication and authorization
WO2008064049A2 (en) Filtering access to data objects
JP2013516004A (en) Safe execution of computational resources
CN109359450A (en) Safety access method, device, equipment and the storage medium of linux system
De Clercq et al. Microsoft Windows Security Fundamentals: For Windows 2003 SP1 and R2
Katamreddy et al. Securing Web Applications
Mwanyika Confidentiality protection model for securing data in cloud computing
Moroney et al. Expert web services security in the. NET platform
Albayati et al. Profile Based Access Control Model Using JSON Web Tokens
JP2024539854A (en) Control of access to computing resources implemented in an isolated environment
JP3528714B2 (en) Download restriction system
WO2022231827A1 (en) Method for authenticating an end-user account, method for single authenticating within a cluster of hsm, and method for implementing access control
Shetty et al. New Security Architecture for Big Data Hadoop
Brown et al. Security in Web Applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07871475

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

ENP Entry into the national phase in:

Ref document number: 0910339

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20071115

WWE Wipo information: entry into national phase

Ref document number: 0910339.1

Country of ref document: GB

122 Ep: pct application non-entry in european phase

Ref document number: 07871475

Country of ref document: EP

Kind code of ref document: A2