Method and system for controlling access to data
Patent Information
- Authority / Receiving Office
- HK · HK
- Patent Type
- Patents
- Current Assignee / Owner
- JPMORGAN CHASE BANK NA
- Filing Date
- 2022-09-20
- Publication Date
- 2026-07-10
AI Technical Summary
The strict definition of the storage structure in existing database schemas leads to inconsistent data access control, making it difficult to implement independently across different applications and platforms, and lacking flexible access control strategies.
By receiving access requests, extracting access criteria, defining a meta-model based on the attributes of the dataset, and using access control policies to determine whether access is permitted, including policy classes, asset specification classes, participant specification classes, action specification classes, and constraint classes, and combining physical, logical, and enterprise-level classification information, cross-platform access control is achieved.
It implements cross-platform data access control, supports flexible access management for different applications, and improves the security and consistency of dataset access.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
[0001] Cross-references to related applications
[0002] This application claims the benefit of U.S. Provisional Patent Application Serial No. 62 / 966,185, filed January 27, 2020, the entire contents of which are incorporated herein by reference. Technical Field
[0003] This technology generally relates to methods and systems for protecting datasets, and more specifically to methods and systems for controlling access to datasets using access control policies and dataset attributes. Background Technology
[0004] Many business entities collect and utilize large amounts of data by using database management systems to implement database schemas, which define the datasets within the database. Historically, the use of such database schemas has led to varying degrees of success in manipulating datasets, providing access to datasets, and validating datasets.
[0005] One drawback of using conventional database schemas such as relational database schemas is that, in many cases, the storage structure must be explicitly defined. As a result, the strict structure of predefined tables does not allow for logical approaches to data retrieval that are independent of the mechanisms for storing and retrieving individual datasets. Furthermore, defining the storage structure at the table definition level leads to application-specific storage structures that need to be reworked for implementation across different applications and platforms.
[0006] To consistently apply data access control across multiple datasets, the datasets themselves need to be described in a way that allows consistency strategies to be applied independently of the database schema of each dataset. This enables different applications to use the dataset's attributes to control access to the dataset. Summary of the Invention
[0007] This disclosure provides, in particular, various systems, servers, devices, methods, media, programs, and platforms for controlling access to datasets using access control policies and dataset attributes, through its various aspects, embodiments, and / or specific features or sub-components.
[0008] According to an aspect of this disclosure, a method for controlling access to a dataset is provided. The method is implemented by at least one processor. The method may include: receiving, via an interface, at least one request from at least one agent for accessing a dataset in at least one database, the at least one agent including at least one human agent and at least one non-human software agent; extracting from the at least one request at least one access criterion related to predefined data access constraints and predetermined data access policies; and using the at least one access criterion to determine whether the agent may be permitted to access the dataset, wherein the at least one access criterion may be based on at least one attribute associated with at least one element within the dataset.
[0009] According to an exemplary embodiment, the method may further include: defining a metamodel for at least one control objective; determining a data frame based on the at least one request; and expressing the metamodel in the determined data frame.
[0010] According to an exemplary embodiment, the metamodel may include at least one class, which may include at least one of a strategy class, an asset specification class, a participant specification class, an action specification class, a rule class, and a constraint class.
[0011] According to an exemplary embodiment, the at least one control objective may include rules that define the desired control outcome for a group of participants.
[0012] According to an exemplary embodiment, the at least one access criterion can be linked to the at least one control target based on the at least one attribute.
[0013] According to an exemplary embodiment, the at least one attribute may be derived from at least one physical data model relating to a representation of the system storing and managing the dataset.
[0014] According to an exemplary embodiment, the at least one attribute may be derived from at least one logical data model relating to an application-level description of the dataset.
[0015] According to an exemplary embodiment, the at least one attribute may be derived from at least one business category associated with an enterprise-level category of the dataset based on the predetermined data access strategy, the business category including an application-independent description of the dataset.
[0016] According to an exemplary embodiment, the at least one attribute may be derived from at least one data lineage associated with the lifecycle information of the dataset, the lifecycle information including at least one of the original information of the dataset and the movement history information of the dataset.
[0017] According to an exemplary embodiment, the predetermined data access policy may correspond to at least one of business requirements, regulatory requirements, customer requirements, and operational requirements.
[0018] According to an aspect of this disclosure, a computing device is disclosed, configured to implement a method for controlling access to a dataset. The computing device includes: a processor; a memory; and a communication interface coupled to each of the processor and the memory; wherein the processor is configured to: receive, via the interface, at least one request from at least one agent for accessing a dataset in at least one database, the at least one agent including at least one human agent and at least one non-human software agent; extract from the at least one request at least one access criterion related to predefined data access constraints and predetermined data access policies; and use the at least one access criterion to determine whether to permit the at least one agent to access the dataset; wherein the at least one access criterion may be based on at least one attribute associated with at least one element within the dataset.
[0019] According to an exemplary embodiment, the processor may also be configured to: define a metamodel for at least one control objective; determine a data frame based on the at least one request; and express the metamodel in the determined data frame.
[0020] According to an exemplary embodiment, the metamodel may include at least one class, which includes at least one of a strategy class, an asset specification class, a participant specification class, an action specification class, a rule class, and a constraint class.
[0021] According to an exemplary embodiment, the at least one control objective may include rules that define the desired control outcomes for a set of participants.
[0022] According to an exemplary embodiment, the processor may also be configured to link the at least one access criterion to the at least one control target based on the at least one attribute.
[0023] According to an exemplary embodiment, the processor may also be configured to derive the at least one attribute from at least one physical data model relating to a representation of the system storing and managing the dataset.
[0024] According to an exemplary embodiment, the processor may also be configured to derive the at least one attribute from at least one logical data model relating to a representation of the application-level description of the dataset.
[0025] According to an exemplary embodiment, the processor may also be configured to: derive the at least one attribute from at least one business category associated with an enterprise-level category of the dataset based on the predetermined data access strategy, the business category including an application-independent description of the dataset.
[0026] According to an exemplary embodiment, the processor may also be configured to derive the at least one attribute from at least one data lineage associated with lifecycle information of the dataset, the lifecycle information including at least one of original information of the dataset and movement history information of the dataset.
[0027] According to an exemplary embodiment, the predetermined data access policy may correspond to at least one of business requirements, regulatory requirements, customer requirements, and operational requirements. Attached Figure Description
[0028] In the following detailed description, the present disclosure is further described with reference to the given drawings and non-limiting examples of preferred embodiments, wherein similar characters in various views of the drawings represent similar elements.
[0029] Figure 1 An exemplary computer system is shown.
[0030] Figure 2 An exemplary diagram of a network environment is shown.
[0031] Figure 3 An exemplary system is shown for implementing a method of controlling access to a dataset using access control policies and dataset attributes.
[0032] Figure 4 This is a flowchart illustrating an exemplary process for implementing a method to control access to a dataset using access control policies and dataset attributes.
[0033] Figure 5 This is a diagram illustrating an ontology of a control target domain for implementing an exemplary process of controlling access to a dataset using access control policies and dataset attributes.
[0034] Figure 6 This is a diagram illustrating data-level access control based on an exemplary process for implementing methods that control access to a dataset using access control policies and dataset attributes. Detailed Implementation
[0035] The embodiments and / or specific features or sub-components of this disclosure, through one or more of their various aspects, are intended to provide one or more advantages as specifically described above and pointed out below.
[0036] Examples may also be embodied in one or more non-transitory computer-readable media having instructions stored thereon for one or more aspects of the present technology as described and illustrated by the examples herein. Some of the instructions in the examples include executable code that, when executed by one or more processors, causes the processors to perform the steps required to implement the methods of the examples of the present technology described and illustrated herein.
[0037] Figure 1 This is an exemplary system used according to the embodiments described herein. System 100 is generally shown and may include a generally indicated computer system 102.
[0038] Computer system 102 may include a set of instructions that can be executed to cause computer system 102, alone or in combination with other described devices, to perform any one or more of the methods or computer-based functions disclosed herein. Computer system 102 may operate as a standalone device or may be connected to other systems or peripheral devices. For example, computer system 102 may include or be included within any one or more computers, servers, systems, communication networks, or cloud environments. Furthermore, the instructions may operate in such a cloud-based computing environment.
[0039] In a networked deployment, computer system 102 can operate as a server or as a client user computer in a server-client user network environment, a client user computer in a cloud computing environment, or as a peer-to-peer (or distributed) network environment. Computer system 102 or portions thereof can be implemented as or incorporated into various devices such as personal computers, tablet computers, set-top boxes, personal digital assistants, mobile devices, handheld computers, laptop computers, desktop computers, communication devices, wireless smartphones, personal trusted devices, wearable devices, global positioning satellite (GPS) devices, web devices, or any other machine capable of executing a set of instructions (sequentially or otherwise) specifying actions to be taken by that machine. Furthermore, while a single computer system 102 is shown, additional embodiments may include any collection of systems or subsystems that individually or jointly execute instructions or perform functions. Throughout this disclosure, the term "system" should be considered as including any collection of systems or subsystems that individually or jointly execute one or more sets of instructions to perform one or more computer functions.
[0040] like Figure 1As shown, computer system 102 may include at least one processor 104. Processor 104 is tangible and non-transitory. As used herein, the term "non-transitory" should not be construed as a permanent characteristic of a state, but rather a characteristic of a state that will persist for a period of time. The term "non-transitory" specifically negates transient characteristics, such as the characteristics of a particular carrier or signal, or other forms that exist only temporarily at any time and in any place. Processor 104 is an article of manufacture and / or a machine component. Processor 104 is configured to execute software instructions to perform the functions described in the various embodiments herein. Processor 104 may be a general-purpose processor or may be part of an application-specific integrated circuit (ASIC). Processor 104 may also be a microprocessor, microcomputer, processor chip, controller, microcontroller, digital signal processor (DSP), state machine, or programmable logic device. Processor 104 may also be logic circuitry, including a programmable gate array (PGA) such as a field-programmable gate array (FPGA), or another type of circuitry including discrete gate and / or transistor logic. Processor 104 may be a central processing unit (CPU), a graphics processing unit (GPU), or both. Additionally, any processor described herein may include multiple processors, parallel processors, or both. Multiple processors may be included in or coupled to a single device or multiple devices.
[0041] Computer system 102 may also include computer memory 106. Computer memory 106 may include communication-enabled static memory, dynamic memory, or both. The memory described herein is a tangible storage medium capable of storing data and executable instructions, and is non-transitory for the duration in which instructions are stored. Again, as used herein, the term "non-transitory" is not to be interpreted as a permanent characteristic of a state, but rather a characteristic of a state that will persist for a period of time. The term "non-transitory" specifically negates transient characteristics, such as the characteristics of a particular carrier wave or signal, or other forms that exist only temporarily at any time and in any place. Memory is an article of manufacture and / or a machine component. The memory described herein is a computer-readable medium from which a computer can read data and execute instructions. The memory described herein may be random access memory (RAM), read-only memory (ROM), flash memory, electrically programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, hard disks, caches, removable disks, magnetic tapes, compact disc read-only memory (CD-ROM), digital versatile disks (DVDs), floppy disks, Blu-ray discs, or any other form of storage medium known in the art. The memory can be volatile or non-volatile, secure and / or encrypted, insecure and / or unencrypted. Of course, computer memory 106 can include any combination of memories or a single storage device.
[0042] Computer system 102 may also include display 108, such as liquid crystal display (LCD), organic light-emitting diode (OLED), flat panel display, solid-state display, cathode ray tube (CRT), plasma display, or any other type of display, examples of which are well known to those skilled in the art.
[0043] Computer system 102 may also include at least one input device 110, such as a keyboard, touch-sensitive input screen or tablet, voice input, mouse, remote control device with wireless keypad, microphone coupled to a speech recognition engine, camera such as a video camera or still camera, cursor control device, Global Positioning System (GPS) device, altimeter, gyroscope, accelerometer, proximity sensor, or any combination thereof. Those skilled in the art will understand that various embodiments of computer system 102 may include multiple input devices 110. Furthermore, those skilled in the art will understand that the exemplary input devices 110 listed above are not exhaustive, and computer system 102 may include any additional or alternative input devices 110.
[0044] Computer system 102 may also include a media reader 112 configured to read any one or more sets of instructions, such as software, from any memory described herein. When executed by a processor, the instructions may be used to perform one or more of the methods and processes described herein. In certain embodiments, the instructions may reside wholly or at least partially within memory 106, media reader 112, and / or processor 110 during execution by computer system 102.
[0045] Furthermore, computer system 102 may include any additional devices, components, parts, peripherals, hardware, software, or any combination thereof, which are generally referred to as being included within or incorporated into the computer system, such as, but not limited to, network interface 114 and output device 116. Output device 116 may be, but is not limited to, speakers, audio outputs, video outputs, remote control outputs, printers, or any combination thereof.
[0046] Each component of computer system 102 can be interconnected and communicate via bus 118 or other communication links. For example... Figure 1 As shown, the components can be interconnected and communicate via an internal bus. However, those skilled in the art will understand that any component can also be connected via an expansion bus. Furthermore, bus 118 can communicate via any standard or other specification generally known and understood, such as, but not limited to, peripheral component interconnect, peripheral component interconnect fast, parallel advanced technology attachment, serial advanced technology attachment, etc.
[0047] Computer system 102 can communicate with one or more additional computer devices 120 via network 122. Network 122 can be, but is not limited to, a local area network (LAN), a wide area network (WAN), the Internet, a telephone network, a short-range network, or any other network known and understood in the art. Short-range networks can include, for example, Bluetooth, Zigbee, infrared, near-field communication, ultra-wideband, or any combination thereof. Those skilled in the art will understand that additional networks 122 known and understood can be used additionally or alternatively, and exemplary networks 122 are not limiting or exhaustive. Furthermore, while network 122 is in Figure 1 While shown as a wireless network, those skilled in the art will understand that network 122 could also be a wired network.
[0048] Additional computer equipment 120 Figure 1 The device 120 is shown as a personal computer. However, those skilled in the art will understand that in alternative embodiments of this application, the computer device 120 may be a laptop computer, tablet PC, personal digital assistant, mobile device, handheld computer, desktop computer, communication device, wireless telephone, personal trusted device, network device, server, or any other device capable of sequentially or otherwise executing a set of instructions specifying actions to be taken by the device. Of course, those skilled in the art will understand that the devices listed above are merely exemplary devices, and device 120 may be any additional device or apparatus known and understood in the art without departing from the scope of this application. For example, computer device 120 may be the same as or similar to computer system 102. Furthermore, those skilled in the art will similarly understand that the apparatus may be any combination of apparatus and device.
[0049] Of course, those skilled in the art will understand that the components of the computer system 102 listed above are merely exemplary and not exhaustive and / or inclusive. Furthermore, the examples of the components listed above are also meant to be exemplary and similarly do not imply exhaustive and / or inclusive.
[0050] According to various embodiments of this disclosure, the methods described herein can be implemented using a hardware computer system that executes a software program. Furthermore, in exemplary, non-limiting embodiments, implementation may include distributed processing, component / object distributed processing, and parallel processing. Virtual computer system processing can be constructed to implement one or more of the methods or functions described herein, and the processors described herein can be used to support virtual processing environments.
[0051] As described herein, various embodiments provide optimized methods and systems for controlling access to a dataset using access control policies and dataset attributes.
[0052] refer to Figure 2This illustration shows a schematic diagram of an exemplary network environment 200 for implementing a method of controlling access to a dataset using access control policies and dataset attributes. In an exemplary embodiment, the method can be executed on any network computer platform (e.g., a personal computer (PC)).
[0053] The method for controlling access to a dataset using access control policies and dataset attributes can be implemented by a Data Access Determination and Control (DADC) device 202. The DADC device 202 can communicate with... Figure 1 The computer system 102 described is the same as or similar to this one. The DADC device 202 may store one or more applications, which may include executable instructions that, when executed by the DADC device 202, cause the DADC device 202 to perform actions, such as sending, receiving, or otherwise processing network messages, and perform other actions described and illustrated below with reference to the figures. The application may be implemented as a module or component of other applications. Furthermore, the application may be implemented as an operating system extension, module, plug-in, etc.
[0054] Furthermore, the application can operate in a cloud-based computing environment. The application can be executed within or as a virtual machine or virtual server that can be managed in a cloud-based computing environment. Moreover, the application, and even the DADC device 202 itself, can reside in a virtual server running in a cloud-based computing environment, rather than being bound to one or more specific physical network computing devices. Additionally, the application can run within one or more virtual machines (VMs) running on the DADC device 202. Furthermore, in one or more embodiments of this technology, the virtual machines running on the DADC device 202 can be managed or supervised by a hypervisor.
[0055] exist Figure 2 In the network environment 200, the DADC device 202 is coupled to multiple server devices 204(1)-204(n) hosting multiple databases 206(1)-206(n) via a communication network 210, and is also coupled to multiple client devices 208(1)-208(n). The communication interface of the DADC device 202 (e.g., Figure 1 The network interface 114 of the computer system 102 is operatively coupled and communicates between the DADC device 202, server devices 204(1)-204(n) and / or client devices 208(1)-208(n), all of which are coupled together via the communication network 210, but other types and / or numbers of communication networks or systems may also be used, which have other types and / or numbers of connections and / or configurations to other devices and / or elements.
[0056] Communication network 210 can communicate with about Figure 1The network 122 described is identical or similar, but DADC devices 202, server devices 204(1)-204(n) and / or client devices 208(1)-208(n) may be coupled together via other topologies. Additionally, network environment 200 may include other network devices, such as one or more routers and / or switches, which are well known in the art and therefore will not be described herein. This technology provides numerous advantages, including methods, non-transitory computer-readable media, and DADC devices, which effectively implement methods for controlling access to datasets using access control policies and dataset attributes.
[0057] By way of example only, communication network 210 may include a local area network (LAN) or a wide area network (WAN) and may use TCP / IP and industry-standard protocols over Ethernet, although other types and / or numbers of protocols and / or communication networks may also be used. Communication network 210 in this example may employ any suitable interface mechanism and network communication technology, including, for example, any suitable form of telecommunications service (e.g., voice, modem, etc.), the Public Switched Telephone Network (PSTN), an Ethernet-based packet data network (PDN), a combination thereof, etc.
[0058] For example, DADC device 202 may be a standalone device or integrated with one or more other devices or apparatuses (e.g., one or more of server devices 204(1)-204(n)). In a particular example, DADC device 202 may include one of or be hosted by server devices 204(1)-204(n), and other arrangements are also possible. Furthermore, for example, one or more devices of DADC device 202 may be in the same or different communication networks including one or more public, private, or cloud networks.
[0059] Multiple server devices 204(1)-204(n) can be associated with about Figure 1 The computer system 102 or computer device 120 described are identical or similar, including any features or combinations of features described therewith. For example, any of the server devices 204(1)-204(n) may include one or more processors, memory, and communication interfaces coupled together via a bus or other communication link, although other numbers and / or types of network devices may also be used. For example, in this example, server devices 204(1)-204(n) may process requests received from DADC device 202 via communication network 210 according to HTTP and / or JavaScript Object Notation (JSON) protocols, but other protocols may also be used.
[0060] Server devices 204(1)-204(n) can be hardware or software, or can represent a system with multiple servers in a pool, which may include an internal or external network. Server devices 204(1)-204(n) host databases 206(1)-206(n), which are configured to store data related to dataset access constraints, dataset access policies, dataset attributes, and dataset storage.
[0061] Although server devices 204(1)-204(n) are shown as a single device, one or more actions of each of server devices 204(1)-204(n) can be distributed together on one or more different network computing devices including one or more of server devices 204(1)-204(n). Furthermore, server devices 204(1)-204(n) are not limited to a specific configuration. Therefore, server devices 204(1)-204(n) can contain multiple network computing devices operating using a master / slave approach, whereby one of the network computing devices of server devices 204(1)-204(n) operates to manage and / or otherwise coordinate the operation of the other network computing devices.
[0062] For example, server devices 204(1)-204(n) can operate as multiple network computing devices within a cluster architecture, a peer-to-peer architecture, a virtual machine, or a cloud architecture. Therefore, the techniques disclosed herein should not be construed as limited to a single environment, and other configurations and architectures are also envisioned.
[0063] Multiple client devices 208(1)-208(n) can also be used with respect to... Figure 1 The computer system 102 or computer device 120 described are identical or similar, including any features or combinations of features described therewith. For example, client devices 208(1)-208(n) in this example can include any type of computing device that can interact with DADC device 202 via communication network 210. Thus, client devices 208(1)-208(n) can be, for example, mobile computing devices hosting chat, email, or voice-to-text applications, desktop computing devices, laptop computing devices, tablet computing devices, virtual machines (including cloud-based computers), etc. In an exemplary embodiment, at least one client device 208 is a wireless mobile communication device, i.e., a smartphone.
[0064] Client devices 208(1)-208(n) may run interface applications, such as standard web browsers or standalone client applications, which can provide an interface to communicate with DADC device 202 via communication network 210 to transmit user requests and information. Among other features, client devices 208(1)-208(n) may also include display devices (e.g., displays or touch screens) and / or input devices (e.g., keyboards).
[0065] Although this document describes and illustrates an exemplary network environment 200 having DADC device 202, server devices 204(1)-204(n), client devices 208(1)-208(n) and communication network 210, other types and / or numbers of systems, devices, components and / or elements in other topologies may be used. It should be understood that the example systems described herein are for illustrative purposes, as many variations of the specific hardware and software used to implement the examples are possible, as will be understood by those skilled in the art.
[0066] One or more devices depicted in network environment 200 (e.g., DADC device 202, server devices 204(1)-204(n) or client devices 208(1)-208(n)) can be configured to operate as virtual instances on the same physical machine. In other words, one or more of DADC device 202, server devices 204(1)-204(n) or client devices 208(1)-208(n) can operate on the same physical device, rather than as separate devices communicating via communication network 210. Additionally, there may be... Figure 2 The DADC device 202, server device 204(1)-204(n) or client device 208(1)-208(n) shown are more or fewer.
[0067] Furthermore, in any example, two or more computing systems or devices can replace any one of the systems or devices. Therefore, the principles and advantages of distributed processing, such as redundancy and replication, can be implemented as needed to increase the robustness and performance of the example devices and systems. The example can also be implemented on computer systems across any suitable network extension using any suitable interface mechanism and business technology, including, as examples only, any suitable form of telecommunications service (e.g., voice and modems), wireless service networks, cellular service networks, packet data networks (PDNs), the Internet, intranets, and combinations thereof.
[0068] DADC device 202 in Figure 3The data access determination and control module 302 is described and shown as including such a module, although it may include, for example, other rules, policies, modules, databases, or applications. As described below, the data access determination and control module 302 is configured to implement a method for access control of the dataset using access control policies and attributes of the dataset.
[0069] exist Figure 3 An exemplary process 300 was performed, which was achieved by utilizing... Figure 2 In a network environment, access control policies and dataset attributes are used to implement mechanisms for controlling access to the dataset. Specifically, a first client device 208(1) and a second client device 208(2) are shown communicating with a DADC device 202. In this respect, the first client device 208(1) and the second client device 208(2) can be “clients” of the DADC device 202, and are thus described herein. However, it should be understood and appreciated that the first client device 208(1) and / or the second client device 208(2) are not necessarily “clients” of the DADC device 202 or any entity described herein in relation to them. There may be any additional or alternative relationship between one or both of the first client device 208(1) and the second client device 208(2) and the DADC device 202, or no relationship may exist.
[0070] Furthermore, the DADC device 202 is shown to be able to access a dataset access constraint and dataset access policy database 206(1) and a dataset attribute and dataset repository 206(2). The data access determination and control module 302 can be configured to access these databases to implement methods for controlling access to datasets using access control policies and dataset attributes.
[0071] The first client device 208(1) can be, for example, a smartphone. Of course, the first client device 208(1) can be any additional device described herein. The second client device 208(2) can be, for example, a personal computer (PC). Of course, the second client device 208(2) can also be any additional device described herein.
[0072] The processing can be performed via a communication network 210, which may include multiple networks as described above. For example, in an exemplary embodiment, either or both of the first client device 208(1) and the second client device 208(2) can communicate with the DADC device 202 via broadband or cellular communication. Of course, these embodiments are merely exemplary and are not limiting or exhaustive.
[0073] At the outset, the data access determination and control module 302 executes processes for controlling access to the dataset using access control policies and dataset attributes. The exemplary processes for controlling access to the dataset using access control policies and dataset attributes are generally... Figure 4 The flowchart in the document indicates this at point 400.
[0074] exist Figure 4 In processing 400, at step S402, a meta-model for the control objective in ontology form can be formally defined and expressed in a data framework. For example, the data framework could be a Resource Description Framework (RDF), JavaScript Object Notation (JSON) framework, APACHEAVRO framework, Microsoft Active Directory framework, or other commercial database frameworks with more restrictive attribute-based licensing schemes. In an exemplary embodiment, the control objective can represent rules defining the desired control outcomes for a set of participants and can be implemented using, for example, a Scope Access Reference Implementation (SARI).
[0075] While general data policies can typically be specified across all actors, SARI can focus solely on access control policies, such as policies that constrain user actions on data assets. Specific actors applying control objectives can be defined by constraints on sets of actions, users, and data assets. Constraints can be described using the concept of NodeShape from generic RDF ontology. Generic RDF ontology can include computer programming languages for describing and validating RDF graphs, such as the Shape Constraint Language (SHACL) specified by the World Wide Web Consortium (W3C).
[0076] In another exemplary embodiment, much of the metamodel used to control the target domain can be directly derived from W3C standard ontologies. W3C standard ontologies can include policy expression languages, such as the Open Digital Rights Language (ODRL), which provides a flexible and interoperable information model, vocabulary, and encoding mechanism for expressing statements about the use of content and services. In another exemplary embodiment, the ODRL standard can be used to derive a proprietary digital rights language.
[0077] In another exemplary embodiment, an RDF ontology can be used to define a metamodel of the participants. The metamodel can be a model of a model, for example, an alternative model for the analysis, construction, and development of frames, rules, constraints, models, and theories used to model predefined control objectives.
[0078] In another exemplary embodiment, the metamodel may include classes such as strategy classes, asset specification classes, participant specification classes, action specification classes, rule classes, and constraint classes. Strategy classes may include a set of non-exempt permissions via a permission attribute, and / or prohibitions via a prohibition attribute, and / or responsibilities via an obligation attribute. Strategy classes may include subclasses, such as a collection subclass that supports the expression of general rules, a provision subclass that supports the provision of rules from allocators, and a protocol subclass that supports the granting of rules from allocators to allocators.
[0079] Asset specification classes may include specifications for data assets, which are the subject of rules via abstract relational attributes. Participant specification classes may include specifications for human or non-human actors who play roles in the rules via abstract functional attributes. In another exemplary embodiment, under SARI where the reading action can be the primary focus, the action specification class may not be deeply utilized and may be consistent with specification classes in the ODRL concept.
[0080] Rule classes may include abstract concepts representing common characteristics of subclasses, such as, for example, a permitting subclass that can define the ability to perform actions on an asset, a prohibition subclass that can define the inability to perform actions on an asset, and a duty subclass that can define the obligation to perform actions. In another exemplary embodiment, a permitting subclass may have a duty attribute, which represents an agreed action that must be performed as a prerequisite for granting a permit. Constraint classes may include expressions identifying specific actions, parties, or assets to which the rule applies.
[0081] In step S404, attributes associated with elements within the dataset can be derived. In an exemplary embodiment, the attributes can be derived from a representation of the system storing and managing the dataset, such as from a physical data model. In another exemplary embodiment, the attributes can be derived from an application-level description of the dataset, such as from a logical data model.
[0082] In another exemplary embodiment, the attribute may be derived from an enterprise-level category of the dataset based on a predetermined data access strategy (e.g., derived from a business category). The business category may include an application-independent description of the dataset, which may be implemented, for example, on different application frameworks. In another exemplary embodiment, the attribute may be derived from the dataset's lifecycle information (e.g., data lineage information). The lifecycle information may include at least one of the dataset's original information and its movement history.
[0083] At step S406, access criteria for the dataset can be linked to the control objective based on attributes. In an exemplary embodiment, the participant metamodel of the control objective can be linked via a generic RDF ontology used to describe the conditions. The generic RDF ontology may include a computer programming language for describing and validating RDF graphs, such as the Shape Constraint Language (SHACL) specified by the World Wide Web Consortium (W3C).
[0084] In another exemplary embodiment, SHACL can be used to define participants in a rule. Conditions can be provided as shapes and other constructs expressed in the form of an RDF graph. An RDF graph that can be used in this way can be referred to as a "shape graph" in SHACL, and an RDF graph that can be validated against a shape graph can be referred to as a "data graph." A SHACL shape graph can be used to validate a data graph by ensuring that the data graph satisfies a set of conditions. A SHACL shape graph can be viewed as a description of a data graph that satisfies the set of conditions.
[0085] In step S408, a request to access a dataset in the database may be received from an agent via an interface. The agent may include at least one of a human agent and a non-human software agent. The database may include any organized collection of data that is typically stored and accessed electronically from a computer system, such as distributed databases and relational databases. In an exemplary embodiment, the interface may include at least one of a graphical user interface (GUI) and an application programming interface (API). The API may include a standard application programming interface for interacting with other software agents. The GUI may interact with and be supported by an API consistent with the disclosures in this application. In another exemplary embodiment, the database may include a graphical structure for semantic queries with nodes, edges, and attributes to represent and store data, such as in a graph database.
[0086] In step S410, access criteria can be extracted from the request. Access criteria may include agent identification information, such as, for example, the agent's role within the enterprise, the agent's employee ID and authentication credentials, and terminal information related to the computing device from which the agent made the request. Access criteria may also include predefined data access constraints for controlling how data can be entered into the table, and predetermined data access policies for controlling agent actions on data assets.
[0087] In another exemplary embodiment, the predetermined data access policy may include at least one of business requirements, regulatory requirements, customer requirements, and operational requirements. Customer requirements may be associated with external customers and integrated into the predetermined data access policy. Operational requirements may model business functions independently of business needs. Operational requirements may be encoded in multiple existing systems and represented as additional policies to enable understanding and management of the relationship between business functions and business requirements.
[0088] Then, at step S412, access criteria can be used to determine whether the agent can be authorized to access the dataset. The determination of processing may include the use of electronic data processing techniques, such as batch processing, online processing, real-time processing, distributed processing, and artificial intelligence processing. Artificial intelligence processing may include machine learning algorithms, such as any one or more of the Naive Bayes classifier algorithm, k-means clustering algorithm, and support vector machine algorithm.
[0089] Figure 5 This is a diagram 500 illustrating an exemplary process for controlling the ontology of the target domain of a dataset, used to implement a method for controlling access to a dataset using access control policies and dataset attributes. Figure 5 In this embodiment, Figure 500 may be an exemplary reference implementation that utilizes portions of the ODRL 2.2 standard and concepts based on the SHACL ontology. In an exemplary embodiment, Figure 500 may include odrl:Policy, odrl:Rule, and ActionExpression, which may include concepts strongly aligned with and similar to the ODRL standard.
[0090] `odrl:Policy` can include `inheritFrom` functions, permission obligation prohibition functions, and subclasses such as `odrl:Set`, `odrl:Offer`, and `odrl:Agreement`. `odrl:Rule` can include action functions, failure functions, relationship / goal functions, function / assigner / assignee functions, and subclasses such as `odrl:Permission`, `odrl:Duty`, and `odrl:Prohibition`. Subclasses of `odrl:Permission` can include duty functions, `odrl:Duty` can include result functions, and `odrl:Prohibition` can include remedial functions. Action representations can include inclusion functions and implied functions.
[0091] In another exemplary embodiment, Figure 500 may include concepts such as DataExpression, ParticipantExpression, and UserExpression, which may be incorporated into the ontology to replace existing concepts in ODRL and to bind the ontology to SHACL via the sh:NodeShape concept. DataExpression may include the hasPolicy functionality. ParticipantExpression may include a subclass of sh:NodeShape.
[0092] Figure 6 This is a diagram 600 illustrating exemplary processing for controlling access to a dataset based on access control policies and dataset attributes. In diagram 600, a data access policy can be used to describe which agents can access what data and under what conditions. Data access policies can be driven by business and regulatory requirements and can be very detailed. For example, within a country, a call center representative (“reps”) 602 might need access to account numbers, products, and balances of deposit accounts within that country. However, the call center representative 602 might not be able to access identifying information, such as Social Security numbers, and might not be able to access high-value accounts. Similarly, a policy could specify that a data analyst 604 can access all products and balances in all countries. However, the data analyst 604 might not be able to access client identifiers, such as account numbers and Social Security numbers.
[0093] In another exemplary embodiment, the policy in Figure 600 can be expressed as the following ODRL policy, wherein the call center representative 602 may not read the government ID.
[0094]
[0095] In another exemplary embodiment, the binding between the ODRL strategy and SHACL in Figure 600 can be accomplished via a SHACL NodeShape (e.g., sh:NodeShape). The node shape can specify constraints that the focus node within the data graph needs to satisfy. Therefore, the following shapes, which can match any data in the database (where columns in the physical model map to logical attributes corresponding to the data concept of "Government ID"), can represent the data in Figure 600.
[0096]
[0097] In another exemplary embodiment, the following shape, which can match any user who can be assigned the role of call center representative 602, can represent the user in Figure 600:
[0098]
[0099] In another exemplary embodiment, the following shape may represent the action function in Figure 600.
[0100]
[0101] In another exemplary embodiment, the corporate strategies that enterprises and regulators may want to implement can be independent of the way data can be exposed in one or more data providers. Corporate strategies can be defined for a business taxonomy, which can be an application-independent description of the dataset. Individual data providers can embody logical and physical models, and the mechanisms used for individual data providers can implement strategies expressed individually for each model or for both models. Therefore, by defining the mapping between logical models, physical models, business taxonomy, and data lineage, corporate strategies expressed for business taxonomy can be translated into operational strategies for individual data providers.
[0102] In another exemplary embodiment, the scope access model can be an abstract model of how access to a dataset is protected. In the scope access model, access decisions can be presented based on the dataset rather than the application accessing the dataset. In another exemplary embodiment, the Scope Access Reference Implementation (SARI) can be an assembly suite of existing components that can provide a concrete implementation of the scope access model. The SARI can also be used to define interfaces that allow each component of the architecture to be interchangeable with the strategic firmware scope implementation.
[0103] In another exemplary embodiment, the scope access model may determine access to data based on attributes such as the physical data model of the system storing or managing the data, the logical data model of the application-level description of the data, the business taxonomy of the application-independent description of the data, and data rows containing information about the system managing the data and information about how the data flows from one system to another.
[0104] In another exemplary embodiment, the scope access model can be implemented such that policies are written to a metamodel at the highest level (e.g., the business level, where the policy relates to fundamental concepts in the business). The scope access model can be implemented to navigate along links between the business model and models expressed in lower-level metamodels to determine the descriptions of policies at the application and physical levels. The links between the lower-level and higher-level metamodels enable the implementation of policies.
[0105] In another exemplary embodiment, the scope access model allows policies to be written in all levels of the metamodel and to be mixed and matched between various metamodel levels. For example, policies can be written in various levels of the metamodel when the system cannot consistently map policies from business concepts to application concepts.
[0106] In another exemplary embodiment, SARI may include components such as a dataset metamodel that describes the dataset and the links of the dataset lineage in RDF, and an import tool for the dataset and the dataset lineage metamodel by scanning data sources from model repositories and other referencing systems.
[0107] SARI may also include components such as a metamodel of a policy item in RDF that describes a control objective, a user shape, and a dataset, a binding of the shape in the policy to a scoped role that can be granted to a user in an open-source multi-protocol instant messaging client, a user interface for creating instances of the control objective and shape metamodel, and a mapping from the policy metamodel to policy determinations in the Rego Query Language (RQL) used by the application programming interface policy.
[0108] Similarly, SARI may include components such as bindings between application programming interface policies and edges to allow partial evaluation of policies by the application programming interface, allow the transformation of the remaining policies implemented, and runtime resolution of scoped role grants at the implementation point.
[0109] Therefore, this technology provides optimized processing for controlling access to datasets using access control policies and dataset attributes.
[0110] Although the invention has been described with reference to several exemplary embodiments, it should be understood that the terms used are descriptive and explanatory, not limiting. Changes, as described and modified herein, may be made within the scope and spirit of the appended claims without departing from the various aspects of this disclosure. While the invention has been described with reference to specific devices, materials, and embodiments, it is not intended to be limited to the details disclosed; rather, it extends to structures, methods, and uses that are functionally equivalent within the scope of the appended claims.
[0111] For example, while a computer-readable medium may be described as a single medium, the term "computer-readable medium" includes single or multiple media, such as centralized or distributed databases, and / or associated caches and servers storing one or more sets of instructions. The term "computer-readable medium" should also include any medium capable of storing, encoding, or carrying a set of instructions executable by a processor or causing a computer system to perform any one or more embodiments disclosed herein.
[0112] Computer-readable media may include non-transitory computer-readable media and / or include transient computer-readable media. In certain non-limiting exemplary embodiments, computer-readable media may include solid-state memory, such as a memory card, or other package housing one or more non-volatile read-only memories. Furthermore, computer-readable media may be random access memory or other volatile rewritable memory. Additionally, computer-readable media may include magneto-optical or optical media, such as magnetic disks or magnetic tapes, or other storage devices, to capture carrier signals, such as signals transmitted via a transmission medium. Therefore, this disclosure is considered to include any computer-readable media or other equivalents and successor media in which data or instructions may be stored.
[0113] While this application describes specific embodiments that can be implemented as computer programs or code segments in a computer-readable medium, it should be understood that dedicated hardware implementations, such as application-specific integrated circuits, programmable logic arrays, and other hardware devices, can be constructed to implement one or more embodiments described herein. Applications that may include the various embodiments set forth herein can broadly encompass a wide range of electronic and computer systems. Therefore, this application may cover software, firmware, and hardware implementations, or combinations thereof. Nothing in this application should be construed as being implemented or achievable solely in software and not in hardware.
[0114] Although this specification describes components and functions that may be implemented in specific embodiments with reference to particular standards and protocols, this disclosure is not limited to such standards and protocols. Such standards are periodically replaced by faster or more efficient equivalents that have substantially the same functionality. Therefore, alternative standards and protocols with the same or similar functionality are considered their equivalents.
[0115] The description of the embodiments herein is intended to provide a general understanding of various embodiments. These illustrations are not intended to be a complete description of all elements and features of apparatuses and systems utilizing the structures or methods described herein. Many other embodiments will be apparent to those skilled in the art upon reading this disclosure. Other embodiments can be utilized and derived from this disclosure, allowing structural and logical substitutions and changes to be made without departing from the scope of this disclosure. Furthermore, the illustrations are merely representative and may not be drawn to scale. Some scales within the illustrations may be enlarged, while others may be minimized. Therefore, this disclosure and the accompanying drawings should be considered illustrative rather than restrictive.
[0116] One or more embodiments of this disclosure may be referred to herein individually and / or collectively by the term "invention," merely for convenience and not intended to voluntarily limit the scope of this application to any particular invention or inventive concept. Furthermore, although specific embodiments have been shown and described herein, it should be understood that any subsequent arrangements designed to achieve the same or similar purpose may replace the specific embodiments shown. This disclosure is intended to cover any and all subsequent modifications or variations of the various embodiments. Combinations of the above embodiments, as well as other embodiments not specifically described herein, will be apparent to those skilled in the art upon reading this specification.
[0117] This abstract of the disclosure is provided so that it will not be used to interpret or limit the scope or meaning of the claims. Furthermore, in the foregoing detailed description, various features may be grouped together or described in a single embodiment for the purpose of simplifying the invention. This disclosure should not be construed as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as reflected in the appended claims, the inventive subject matter may be directed to fewer than all features of any of the disclosed embodiments. Therefore, the following claims are incorporated into the detailed description, wherein each claim independently defines a separately claimed subject matter.
[0118] The subject matter disclosed above is to be considered illustrative rather than restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments falling within the true spirit and scope of this disclosure. Therefore, to the fullest extent permitted by law, the scope of this disclosure is determined by the widest permissible interpretation of the appended claims and their equivalents, and should not be construed as limited by the foregoing detailed description.
Claims
1. A method for controlling access to a dataset, the method being implemented by at least one processor, the method comprising: The at least one processor receives, via an interface, at least one request from at least one agent to access a dataset in at least one database, wherein the at least one database corresponds to a graph database, the graph database including a graph structure for semantic querying, the graph structure having nodes, edges and attributes to represent and store the dataset; The at least one processor extracts at least one access criterion related to predefined data access constraints and predetermined data access policies from the at least one request, wherein the at least one access criterion includes proxy identification information and terminal information, the terminal information corresponding to the device that issued the at least one request; and The at least one processor uses the at least one access criterion to determine whether to allow the at least one agent to access the dataset. The at least one access criterion is based on at least one attribute associated with at least one element within the dataset.
2. The method according to claim 1, further comprising: A meta-model for at least one control objective is defined by the at least one processor; The data frame is determined by the at least one processor based on the at least one request; as well as The meta-model is expressed by the at least one processor in the defined data framework.
3. The method according to claim 2, wherein, The metamodel includes at least one class, which includes at least one of the following: strategy class, asset specification class, participant specification class, action specification class, rule class, and constraint class.
4. The method according to claim 2, wherein, The at least one control objective includes rules that define the desired control outcome for a group of participants.
5. The method according to claim 2, wherein, Based on the at least one attribute, link the at least one access criterion to the at least one control target.
6. The method according to claim 1, wherein, The at least one attribute is derived from at least one physical data model relating to the representation of the system storing and managing the dataset.
7. The method according to claim 1, wherein, The at least one attribute is derived from at least one logical data model relating to the application-level description of the dataset.
8. The method according to claim 1, wherein, The at least one attribute is derived from at least one business category related to the enterprise-level classification of the dataset based on the predetermined data access strategy, the business category including an application-independent description of the dataset.
9. The method according to claim 1, wherein, The at least one attribute is derived from at least one data lineage associated with the lifecycle information of the dataset, the lifecycle information including at least one of the original information of the dataset and the movement history information of the dataset.
10. The method according to claim 1, wherein, The predetermined data access policy corresponds to at least one of business requirements, regulatory requirements, customer requirements, and operational requirements.
11. A computing device configured to implement a method for controlling access to a dataset, the computing device comprising: processor; Memory; as well as A communication interface, coupled to each of the processor and the memory; The processor is configured as follows: Receive at least one request from at least one agent via an interface for accessing a dataset in at least one database, wherein the at least one database corresponds to a graph database, the graph database including a graph structure for semantic querying, the graph structure having nodes, edges and attributes to represent and store the dataset; Extract at least one access criterion related to predefined data access constraints and predetermined data access policies from the at least one request, wherein the at least one access criterion includes proxy identification information and terminal information, the terminal information corresponding to the device that issued the at least one request; and Use the at least one access criterion to determine whether to allow the at least one proxy to access the dataset; The at least one access criterion is based on at least one attribute associated with at least one element within the dataset.
12. The computing device according to claim 11, wherein, The processor is also configured to: Define a meta-model for at least one control objective; Determine the data framework based on the at least one request; and The meta-model is expressed within the defined data framework.
13. The computing device according to claim 12, wherein, The metamodel includes at least one class, which includes at least one of the following: strategy class, asset specification class, participant specification class, action specification class, rule class, and constraint class.
14. The computing device according to claim 12, wherein, The at least one control objective includes rules that define the expected control outcomes for a set of participants.
15. The computing device according to claim 12, wherein, The processor is also configured to: Based on the at least one attribute, link the at least one access criterion to the at least one control target.
16. The computing device according to claim 11, wherein, The processor is also configured to: The at least one attribute is derived from at least one physical data model relating to the representation of the system that stores and manages the dataset.
17. The computing device according to claim 11, wherein, The processor is also configured to: The at least one attribute is derived from at least one logical data model relating to the application-level description of the dataset.
18. The computing device according to claim 11, wherein, The processor is also configured to: Based on the predetermined data access strategy, the at least one attribute is derived from at least one business category related to the enterprise-level classification of the dataset, the business category including an application-independent description of the dataset.
19. The computing device according to claim 11, wherein, The processor is also configured to: The at least one attribute is derived from at least one data source associated with the lifecycle information of the dataset, the lifecycle information including at least one of the original information of the dataset and the movement history information of the dataset.
20. The computing device according to claim 11, wherein, The predetermined data access policy corresponds to at least one of business requirements, regulatory requirements, customer requirements, and operational requirements.