WO2015150802A1 - Distributed database access control method and system - Google Patents

Distributed database access control method and system

Info

Publication number
WO2015150802A1
Authority
WO
WIPO (PCT)
Prior art keywords
principal
entity
database
authorities
authority
Prior art date
Application number
PCT/GB2015/051009
Other languages
French (fr)
Inventor
Matthew SEABORN
Original Assignee
Perform Media Services Ltd
Priority date
Filing date
Publication date
Application filed by Perform Media Services Ltd
Publication of WO2015150802A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method of managing access to a database within a distributed system comprising a client device, a server, and the database. The method includes allocating authorities for access to entities within the database to a plurality of principals; generating an authority map from the authorities allocated to the entities for a principal at the client device; transmitting the authority map to the client device; determining operational access to an entity within the database for the principal at the client device using the authority map and using precedence of the authorities allocated to the principal and relevant to the entity; and determining operational access to the entity within the database for the principal at the server or the database based upon precedence of the authorities allocated to the principal and relevant to the entity.

Description

Distributed Database Access Control Method and System
Field of Invention
The present invention is in the field of database access control. More particularly, but not exclusively, the present invention relates to distributed database access control.
Background
Existing technologies for managing access control to databases derive from the terminal-server model of computing architecture where the server manages all processing and the terminal merely acts as a conduit between the user and the server.
Consequently, these technologies control security access at the server or database-side, but this introduces inefficiencies in processing and limits functionality at the client-side.
It is an object of the present invention to provide a database access control method and system which overcomes the disadvantages of the prior art, or at least provides a useful alternative.
Summary of Invention
According to a first aspect of the invention there is provided a method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising:
a) allocating authorities for access to entities within the database to a plurality of principals;
b) generating an authority map from the authorities allocated to the entities for a principal at the client device;
c) transmitting the authority map to the client device;
d) determining operational access to an entity within the database for the principal at the client device using the authority map and using precedence of the authorities allocated to the principal and relevant to the entity; and
e) determining operational access to the entity within the database for the principal at the server or the database based upon precedence of the authorities allocated to the principal and relevant to the entity.
A key to the authority map may be comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity. The key may map to a list of authorities relevant to the entity ordered by precedent.
An authority may be granted or denied when allocated to a principal. Authorities may be allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups may be allocated to the principal. Authorities denied to the principal and relevant to the entity may take precedence over otherwise identical authorities granted to the principal.
Authorities allocated directly to the principal may take precedence over authorities allocated to groups associated with the principal.
Authorities may be ranked higher in precedence dependent on the increased specificity of identification of the entity.
The principal may be a user.
According to a further aspect of the invention there is provided a distributed system for access control of a database by a principal, comprising: a client device;
a server; and
a database;
wherein the distributed system is configured to perform the method of the first aspect.
Other aspects of the invention are described within the claims.
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1: shows a block diagram illustrating a system in accordance with an embodiment of the invention;
Figure 2: shows a block diagram illustrating a database for use with an embodiment of the invention;
Figure 3: shows a flow diagram illustrating a method in accordance with an embodiment of the invention;
Figure 4: shows a sequence diagram illustrating a method in accordance with an embodiment of the invention;
Figure 5a: shows a table illustrating keys for an authority map generated in accordance with an embodiment of the invention; and
Figure 5b: shows a table illustrating an authority table for an authority map generated in accordance with an embodiment of the invention.
Detailed Description of Preferred Embodiments
The present invention provides a distributed database access control method and system.
In Figure 1, a system 100 in accordance with an embodiment of the invention is shown.
The system 100 may comprise a database 101, a server 102, and one or more clients 103, 104, and 105. The server 102 may comprise a memory 106 and a processor 107.
The clients 103, 104, and 105 may be user devices or automated devices. The clients 103, 104, and 105 are configured to generate requests of the server 102 for access to the database 101 from principals. A principal is an actor, which may be a user or an automated process.
The server 102 and the database 101 may be connected, for example, via a network connection, or the database may reside at the server.
It will be appreciated that a distributed architecture may be used where the database 101 and/or server 102 are split over a plurality of devices connected by communications systems. The server 102 and clients 103, 104, and 105 may communicate with one another via a communications network 108, such as a local-area network (LAN) or Wide Area Network (WAN), or a combination of interconnected networks such as the Internet. In one embodiment, the server 102 and database 101 comprise a content management system to provide the publishing, editing, and modifying of content by a plurality of users.
The database 101 will be described with reference to Figure 2.
The database 101 may comprise a plurality of entities 200, 201, and 202. Each entity 200, 201, 202 may comprise one or more properties 203, 204, and 205. One of the properties 204 may identify the type of entity. One of the properties, or two or more properties 203 and 204 in conjunction, may uniquely identify the entity within the database 101. One or more of the entities 200 may be associated 206 with one or more other entities 202.
The database 101 may be a relational database such as an SQL database. It will be appreciated that Figure 2 illustrates a logical representation of a database. Physically, the database may be stored within a hardware memory, such as flash memory or a hard-drive, within an apparatus, or it may be stored, in multiple forms and/or parts, across a plurality of hardware memory and/or apparatuses.
A method 300 in accordance with an embodiment of the invention will be described with reference to Figure 3.
In step 301, one or more authorities may be allocated for the entities within the database to a plurality of principals. An authority may identify an entity directly, identify entities via a property of the entity (for example, the type), or identify entities via association with another entity. The authority may define different types of operations on the entity. For example, the authority may relate to access to create, read, update and/or delete the entity. Operations may be defined by the authority in relation to specific properties of the entity. The authorities may be granted or denied when allocated to a principal. The authorities may be allocated directly to the principal, or the authorities may be allocated indirectly to the principal. In the case of the latter, the authorities may be allocated to one or more groups, and the principal may be allocated to a group. If the group to which the principal is allocated is granted or denied an authority or is associated with a group to which an authority is granted or denied, then the principal may inherit the grant or denial of that authority.
In step 302, an authority map may be generated from the authorities allocated to the entities for a principal of a client device.
The authority map may be generated within the system. In one embodiment, the map is generated at the server. The authority map may be a key-value mapping container where the key is formed of, at least, the entity type and the operation. The key may also include a group identifier. The key may be hashed.
The key may correspond to rows comprising, at least, the following fields: an entity identifier, whether the authority is granted or denied, and the precedence of the authority. The precedence of the authority may be defined by a numeric value.
The numeric value for the precedence may be calculated by the following method:
a) If the authority directly identifies the entity, set the numeric precedence value to 0
b) Otherwise, if the authority identifies the entity indirectly by identifying an associated entity, set the numeric precedence to 10
c) Otherwise, if the authority identifies the entity indirectly by identifying the type of an associated entity, set the numeric precedence to 20
d) Otherwise, set the numeric precedence to 30
e) If the authority was obtained by direct allocation to the principal, add 0 to the numeric precedence value
f) Otherwise, if the authority was obtained indirectly by the principal by allocation to a group to which the principal is a member, add 100 to the numeric precedence value
In alternative embodiments, the authority map includes one or more of the following additional fields: property (identifying the property within the entity to which the operation relates), associated entity identifier, and associated entity type.
Data may not be required for the following fields: entity identifier, property, associated entity identifier, and associated entity type.
In step 303, the authority map may be transmitted to the client device.
In step 304, a determination for permission to perform an operation on an entity within a database for the principal of the client device may be made using the authority map. This determination step may extract the relevant authorities and precedence from the authority map, and then permission may be determined based upon the precedence of the authorities allocated to the principal and relevant to the entity.
The determination for permission may be driven in response to a request for that operation by the principal. The request may be generated at the client device and permission determined, and then transmitted to the server.
The process of determining permission may use the key within the authority map to locate the rows relevant to the entity and operation within the authority map. For example, the operation type and the entity type from the request are hashed together to generate the key, and this key is used as the index to the authority map. The authority of the highest precedence is extracted from these rows: if that authority is granted, the principal has permission to perform the operation on the entity; if it is denied, the principal does not have permission to perform the operation on the entity.
In step 305, the server (or database) may also determine operational access to the entity within the database for the principal. The server (or database) may use precedence of authorities allocated to the principal and relevant to the entity to determine whether the access should be granted or denied.
A sequence diagram illustrating one implementation of the method above will be described in reference to Figure 4.
The client 400, server 401 and database 402 are shown.
The principal 403 may make a request 404 for an operation on an entity at the client. The client may determine 405 whether permission for this operation is possible at the client using, for example, the authority map. If the request is possible, the request is transmitted 406 to the server 401. The server 401 may also determine 407 permission for the operation.
If the request is possible, the request is transmitted 408 to the database 402 to be applied. In applying the operation, the database 402 may determine 409 whether the request is possible.
Pseudo-code outlining an algorithm for determining permission is detailed below:
isPermitted(securedEntity, operationType, property)
    OrderedList orderedAuthorities
        = authorityMap.getByKey(securedEntity.type, operationType, securedEntity.owningOrganisation);
    For Each auth in orderedAuthorities
        If operationType.scope = 'Property'
            If (auth.property is not wildcard And auth.property != property)
                Continue
        If auth.securedEntity is defined
            If auth.securedEntity = securedEntity
                Return auth.whetherGranted
            Else
                Continue
        Else If auth.associatedSecuredEntity is defined
            If securedEntity.isAssociatedTo(auth.associatedSecuredEntity)
                Return auth.whetherGranted
            Else
                Continue
        Else If auth.associatedSecuredEntityType is defined
            If securedEntity.isAssociatedToType(auth.associatedSecuredEntityType)
                Return auth.whetherGranted
            Else
                Continue
        Else
            Return auth.whetherGranted
    Return denied
An example of an authority map generated in accordance with an embodiment of the invention is shown at Figures 5a and 5b.
A principal is granted directly the following authorities:
Authority 1 : Update entity of type Article and ID 1
Authority 2: Delete entity of type Article and ID 1
And denied the following authorities:
Authority 3: Update entities of type Article associated with entity ID 1 of type Category
Authority 4: Delete entities of type Article
The principal is a member of a group - Group A - which has been granted the following authorities:
Authority 5: Update entities of type Article
Authority 6: Delete entities of type Article associated with entity ID 1 of type Category
And denied the following authorities:
Authority 7: Update entity of type Category
Keys for the authority map are shown in a table in Figure 5a.
Row 501 shows key JsdfE which is a hash of the operation type "Update" and the entity type "Article". Row 502 shows key FFEel which is a hash of the operation type "Delete" and the entity type "Article". Row 503 shows key HdsW which is a hash of the operation type "Update" and the entity type "Category".
The mapped table is shown in Figure 5b. Row 504 corresponds to authority 1. Row 505 corresponds to authority 2. Row 506 corresponds to authority 3. Row 507 corresponds to authority 4. Row 508 corresponds to authority 5. Row 509 corresponds to authority 6. Row 510 corresponds to authority 7.
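The worked example above (authorities 1 to 7), run through precedence rules a) to f) and the permission lookup of steps 304 and 305, as an added Python example that is not code from the patent. The truncated SHA-256 key, the class and function names, and the constructed DRIFTED_CLIENT_MAP (a client copy in which authority 3 reads as granted) are assumptions; property-scoped operations are left out.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Entity:
    type: str
    id: int
    associated: Tuple[Tuple[str, int], ...] = ()  # (type, id) of linked entities


@dataclass(frozen=True)
class Authority:
    number: int            # authority number from the worked example
    operation: str
    entity_type: str
    granted: bool          # True = granted, False = denied
    direct: bool           # True = allocated to the principal, False = via a group
    entity_id: Optional[int] = None
    assoc_entity: Optional[Tuple[str, int]] = None
    assoc_type: Optional[str] = None

    def precedence(self) -> int:
        # Rules a) to f) of the description; a lower value ranks first.
        if self.entity_id is not None:
            base = 0
        elif self.assoc_entity is not None:
            base = 10
        elif self.assoc_type is not None:
            base = 20
        else:
            base = 30
        return base + (0 if self.direct else 100)

    def matches(self, entity: Entity) -> bool:
        # Entity type is already matched through the map key.
        if self.entity_id is not None:
            return entity.id == self.entity_id
        if self.assoc_entity is not None:
            return self.assoc_entity in entity.associated
        if self.assoc_type is not None:
            return any(t == self.assoc_type for t, _ in entity.associated)
        return True  # type-wide authority


def map_key(operation: str, entity_type: str) -> str:
    # Assumption: truncated SHA-256; the keys in Figure 5a are illustrative.
    return hashlib.sha256(f"{operation}|{entity_type}".encode()).hexdigest()[:8]


def build_authority_map(authorities):
    amap = {}
    for auth in authorities:
        amap.setdefault(map_key(auth.operation, auth.entity_type), []).append(auth)
    for rows in amap.values():
        # At equal precedence a denial (False) sorts before a grant (True).
        rows.sort(key=lambda a: (a.precedence(), a.granted))
    return amap


def is_permitted(amap, entity: Entity, operation: str) -> bool:
    for auth in amap.get(map_key(operation, entity.type), []):
        if auth.matches(entity):
            return auth.granted  # first matching row has the highest precedence
    return False  # no relevant authority: denied


def handle_request(client_map, server_map, entity, operation):
    """Client pre-check (step 304), then the server's own determination (step 305)."""
    client_ok = is_permitted(client_map, entity, operation)
    server_ok = client_ok and is_permitted(server_map, entity, operation)
    return client_ok, server_ok


CAT1 = ("Category", 1)
AUTHORITIES = [
    Authority(1, "Update", "Article", True, True, entity_id=1),
    Authority(2, "Delete", "Article", True, True, entity_id=1),
    Authority(3, "Update", "Article", False, True, assoc_entity=CAT1),
    Authority(4, "Delete", "Article", False, True),
    Authority(5, "Update", "Article", True, False),
    Authority(6, "Delete", "Article", True, False, assoc_entity=CAT1),
    Authority(7, "Update", "Category", False, False),
]
SERVER_MAP = build_authority_map(AUTHORITIES)

# Constructed sample: a client-held copy that no longer matches the server's map.
DRIFTED_CLIENT_MAP = build_authority_map(
    [replace(a, granted=True) if a.number == 3 else a for a in AUTHORITIES]
)

if __name__ == "__main__":
    article2 = Entity("Article", 2, (CAT1,))
    for auth in AUTHORITIES:
        print(auth.number, auth.precedence(), "granted" if auth.granted else "denied")
    print("Update Article 2:", is_permitted(SERVER_MAP, article2, "Update"))
    print("Drifted client vs server:",
          handle_request(DRIFTED_CLIENT_MAP, SERVER_MAP, article2, "Update"))
```

The last call shows why the client-side decision is only a pre-check: the request is applied only when the server's own determination also permits it.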
A potential advantage of some embodiments of the present invention is that distributed access control at multiple locations permits rich client-side functionality and reduces latency in data delivery by shifting processing overhead to the client while maintaining data security.
While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept.

Claims

1. A method of managing access to a database within a distributed system comprising a client device, a server, and the database, comprising:
a) allocating authorities for access to entities within the database to a plurality of principals;
b) generating an authority map from the authorities allocated to the entities for a principal at the client device;
c) transmitting the authority map to the client device;
d) determining operational access to an entity within the database for the principal at the client device using the authority map and using precedence of the authorities allocated to the principal and relevant to the entity; and
e) determining operational access to the entity within the database for the principal at the server or the database based upon precedence of the authorities allocated to the principal and relevant to the entity.
2. A method as claimed in claim 1, wherein a key to the authority map is comprised of, at least, an identifier for the entity and a type for the operation to be performed on the entity.
3. A method as claimed in claim 2, wherein the key maps to a list of authorities relevant to the entity ordered by precedent.
4. A method as claimed in any one of the preceding claims, wherein an authority is granted or denied when allocated to a principal.
5. A method as claimed in any one of the preceding claims, wherein authorities are allocated to one or more of a plurality of groups and, where the principal is a member of one or more of the plurality of groups, the authorities allocated to the one or more groups are allocated to the principal.
6. A method as claimed in any one of the preceding claims when dependent on claim 4, wherein authorities denied to the principal and relevant to the entity take precedence over otherwise identical authorities granted to the principal.
7. A method as claimed in any one of the preceding claims, wherein authorities allocated directly to the principal take precedence over authorities allocated to groups associated with the principal.
8. A method as claimed in any one of the preceding claims, wherein authorities are ranked higher in precedence dependent on the increased specificity of identification of the entity.
9. A method as claimed in any one of the preceding claims, wherein the principal is a user.
10. A distributed system for access control of a database by a principal, comprising:
a client device;
a server; and
a database;
wherein the distributed system is configured to perform the method of any one of claims 1 to 9.
11. A client device configured for use with the distributed system of claim 10.
12. An authority map generated by the method of any one of claims 1 to 9.
13. A method or system for access control of a database as herein described with reference to the Figures.
PCT/GB2015/051009 2014-03-31 2015-03-31 Distributed database access control method and system WO2015150802A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1405803.6 2014-03-31
GB201405803A GB2509032A (en) 2014-03-31 2014-03-31 Authority maps for access to a database using a client device

Publications (1)

Publication Number Publication Date
WO2015150802A1 (en) 2015-10-08

Family

ID=50737772

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2015/051009 WO2015150802A1 (en) 2014-03-31 2015-03-31 Distributed database access control method and system

Country Status (2)

Country Link
GB (1) GB2509032A (en)
WO (1) WO2015150802A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016073701A1 (en) * 2014-11-05 2016-05-12 Ab Initio Technology Llc Database security

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070162749A1 (en) * 2005-12-29 2007-07-12 Blue Jungle Enforcing Document Control in an Information Management System
US20140082688A1 (en) * 2012-09-14 2014-03-20 Siemens Product Lifecycle Management Software Inc. Rule-based derived-group security data management

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107239710A (en) * 2016-03-29 2017-10-10 北京明略软件系统有限公司 A kind of data base authority method and system
KR20200112236A (en) * 2019-03-21 2020-10-05 한국전자통신연구원 Method and apparatus for managing decentralized identifier
KR102376254B1 (en) 2019-03-21 2022-03-21 한국전자통신연구원 Method and apparatus for managing decentralized identifier
CN112149070A (en) * 2019-06-27 2020-12-29 杭州海康威视数字技术股份有限公司 Authority control method and device
CN112149070B (en) * 2019-06-27 2024-04-23 杭州海康威视数字技术股份有限公司 Authority control method and device

Also Published As

Publication number Publication date
GB201405803D0 (en) 2014-05-14
GB2509032A (en) 2014-06-18

Similar Documents

Publication Publication Date Title
US11128465B2 (en) Zero-knowledge identity verification in a distributed computing system
US11082226B2 (en) Zero-knowledge identity verification in a distributed computing system
CN108259422B (en) Multi-tenant access control method and device
US11126743B2 (en) Sensitive data service access
US7827403B2 (en) Method and apparatus for encrypting and decrypting data in a database table
US11886547B2 (en) Systems and methods for entitlement management
US20200320219A1 (en) Distributed management of user privacy information
US10439992B2 (en) System for accessing data
US20170262546A1 (en) Key search token for encrypted data
US20110246475A1 (en) System and method for locating and retrieving private information on a network
CA3177369C (en) Method and system for a data custodian implemented as an entity-centric, resource-oriented database within a shared cloud platform
US6697811B2 (en) Method and system for information management and distribution
WO2015150802A1 (en) Distributed database access control method and system
CN108021677A (en) The control method of cloud computing distributed search engine
EP3479274B1 (en) Sensitive data service storage
WO2015150792A1 (en) An improved database access control method and system
Singh et al. Aggregating privatized medical data for secure querying applications
WO2015150797A1 (en) Distributed database access control method and system
CN109818907A (en) One kind being based on UCON model user anonymity access method and system
WO2015150788A1 (en) Improved access control mechanism for databases
US10708253B2 (en) Identity information including a schemaless portion
KR20140077132A (en) Method, system, and device for digital content transmission
Varghese et al. Homomorphic Encryption for Multi-keyword based Search and Retrieval over Encrypted Data
CN116401706A (en) File processing method and device based on block chain
Youn et al. Bucket Index Ordering Problem in Range Queries

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15721294

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase

Ref document number: 15721294

Country of ref document: EP

Kind code of ref document: A1