Efficient large-scale access control for internet/intranet...

Data processing: database and file management or data structures – Database design – Data structure types

Reexamination Certificate


Details

C707S793000


active

06219667

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to regulating access to data objects contained in a database. More particularly, the invention concerns integer interval based access control enforcement.
2. Description of the Related Art
As the Internet has become a social infrastructure for data sharing and information management, the need to process and classify a large amount of diverse information resources within an enterprise, and to make them available to a large set of "diverse" users, has increased. These demands and the diversity of the applications make it necessary to re-examine some core problems, such as access control, data retrieval, and resource management. These problems have been central to traditional operating systems and large scale databases, and more efficient and scalable solutions need to be discovered.
The Internet is a complex environment where information is distributed across the Internet's infrastructure. Some information, such as technology secrets and personal records, is sensitive and should only be accessible to a select group of users depending on their access rights. Access control determines which users are allowed to access certain information.
In many information management systems, such as the IBM Grand Central Station (GCS), an expedient "group" based access control model is used to specify which user can access which object. In such a model, each user belongs to one or more access groups and each information object is accessible only to a certain set of groups. For example, sensitive personnel information is only accessible to members of the Personnel Managers group. In general, there is a hierarchical structure defined over the access groups. For example, Personnel Managers may be a subgroup of Group Managers, which means that it is a more restrictive group (fewer members, who inherit the access granted to the parent group). The access control problem, in this setting, is to determine whether the group membership will allow a user to access a protected information object according to this group based access control model.
Group based access models have been used in the Andrew File System (AFS, developed at Carnegie Mellon University; see J. H. Morris et al., "Andrew: a Distributed Personal Computing Environment," Communications of the ACM, 29(3), March 1986) for access control in a shared file system, and in various operating systems and database systems. These models work well for databases having a smaller number of objects, groups, and users, and generally provide solid real-time response for information requests.
However, what is needed is an "interval" access method that can be applied to the enormous database comprising information available over the Internet. The method should be capable of handling very large numbers of objects, groups, and users, larger than could reasonably be handled by current group based access models. The method should also provide superior real-time response to an information request as compared to current methods.
SUMMARY OF THE INVENTION
Broadly, the present invention relates to efficiently regulating access to data objects contained in a database. More particularly, the invention concerns an integer interval based access control method and apparatus that allows groups and sub-groups access to designated data objects stored in a server unit accessed through the Internet.
The present invention addresses an access control problem for information processing over the Internet, providing an efficient solution for handling large scale access patterns, data objects and users.
In one embodiment, the method uses a representation of a hierarchical access group structure in terms of intervals over a set of integers, and a decomposition scheme that reduces any group structure to ones that have interval representation. This representation allows the problem for checking access rights to be reduced to an interval containment problem. An interval tree may be used to assist in efficiently solving the access-right checking problem.
In one embodiment, the invention may be implemented to provide a method to regulate access to a system's database using interval containment control. In this embodiment, a group of members g_m is allowed access to a data object contained in a database. For example, the members may be selected employees of the database owner that are allowed access to the secured data, or they may be visitors to an Internet site that have paid a fee to gain access to the database objects. For each group g_m allowed access, a first interval value is mapped to the group. If a user U, contained in a group g_n mapped to a second interval value, desires access to the data object accessible by g_m, U may only gain access if the second interval mapped to g_n is contained within the first interval mapped to g_m.
For example, if each group is mapped to an integer interval value, wherein b′ and e′ are integers defining the first interval and b′ ≤ e′, and wherein b and e are integers defining the second interval and b ≤ e, the second interval is contained within the first interval if b′ ≤ b ≤ e ≤ e′. The mapping of integral values to groups is discussed below in detail.
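The following is an added worked example, not code from the patent, showing both the interval representation of a group hierarchy and the containment test above. The interval assignment is the usual depth-first numbering (b is a group's entry number, e is the largest entry number in its subtree), which is one mapping that satisfies the nesting the summary describes; the patent's own mapping and decomposition scheme are not on this page. A group reachable by more than one parent path is visited once per path and so carries one interval per path; that is my assumed way of reducing a non-tree hierarchy to ones with interval representation. The group names and hierarchy are constructed for the example.

```python
"""Integer-interval access control over a group hierarchy.

Added example, not code from the patent. Groups are a DAG of parent -> subgroup
edges; a subgroup is the more restrictive group and inherits access granted to
its ancestors. Each group is given the interval [b, e] where b is its depth-first
entry number and e is the largest entry number inside its subtree, so every
subgroup's interval nests inside its ancestors' intervals. A group reachable by
several parent paths is visited once per path and so carries one interval per
path (assumed decomposition into trees; the patent's own scheme is not shown).
"""
from typing import Dict, Iterable, List, Tuple

Interval = Tuple[int, int]
Hierarchy = Dict[str, List[str]]  # group -> its direct subgroups


def assign_intervals(children: Hierarchy, root: str) -> Dict[str, List[Interval]]:
    """Number the hierarchy depth-first from `root`; return group -> intervals."""
    intervals: Dict[str, List[Interval]] = {}
    counter = 0
    path: List[str] = []  # groups on the current DFS path, used to reject cycles

    def visit(group: str) -> None:
        nonlocal counter
        if group in path:
            raise ValueError(f"cycle through {group!r}; hierarchy must be acyclic")
        path.append(group)
        begin = counter
        counter += 1
        for sub in children.get(group, []):
            visit(sub)
        path.pop()
        intervals.setdefault(group, []).append((begin, counter - 1))

    visit(root)
    return intervals


def contains(outer: Interval, inner: Interval) -> bool:
    """The patent's test: [b, e] lies inside [b', e'] iff b' <= b <= e <= e'."""
    b_outer, e_outer = outer
    b_inner, e_inner = inner
    return b_outer <= b_inner <= e_inner <= e_outer


def may_access(user_group: str, object_groups: Iterable[str],
               intervals: Dict[str, List[Interval]]) -> bool:
    """Grant iff some interval of the user's group lies inside an interval of a
    group the object is granted to. Unknown groups have no intervals and are
    therefore denied (fail closed)."""
    user_ivs = intervals.get(user_group, [])
    for og in object_groups:
        for outer in intervals.get(og, []):
            if any(contains(outer, inner) for inner in user_ivs):
                return True
    return False


# Constructed sample hierarchy (assumption, not from the patent): Security
# Officers sits under both Group Managers and Engineers.
SAMPLE_HIERARCHY: Hierarchy = {
    "All Staff": ["Group Managers", "Engineers"],
    "Group Managers": ["Personnel Managers", "Security Officers"],
    "Engineers": ["Security Officers"],
}
SAMPLE_INTERVALS = assign_intervals(SAMPLE_HIERARCHY, "All Staff")

if __name__ == "__main__":
    for group, ivs in SAMPLE_INTERVALS.items():
        print(f"{group:20s} {ivs}")
    # A Personnel Manager reaches an object granted to Group Managers ...
    print(may_access("Personnel Managers", ["Group Managers"], SAMPLE_INTERVALS))
    # ... but a Group Manager does not reach one restricted to Personnel Managers.
    print(may_access("Group Managers", ["Personnel Managers"], SAMPLE_INTERVALS))
```

Two practical points. The check scans an object's granted intervals linearly; where an object is granted to very many groups, the intervals can be held in an interval tree, as the summary suggests, so the query cost depends on the number of matches rather than the number of grants. The numbering is only meaningful for one version of the hierarchy, so intervals must be recomputed on the server whenever a group is added or moved and never accepted from a client, otherwise a caller could present an interval that nests inside a privileged group's interval.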
In another embodiment, the invention may be implemented to provide an apparatus to implement the interval based access control method that allows designated users access to designated objects stored in a database. One version of the apparatus may include at least one client computer, an index unit, a web server, a database, and a file server, all communicatively linked together. Storage and digital data processors are commonly included in one or more of these components and may be used to execute the steps of the method described above.
In still another embodiment, the invention may be implemented to provide an article of manufacture comprising a data storage medium tangibly embodying a program of machine-readable instructions executable by a digital data processing apparatus to perform method steps for regulating access to stored data objects using an integer interval based access control method. The data storage medium may be communicatively connected to the apparatus described above and the program contained thereon may be used to direct the apparatus as desired.
The invention affords its users a number of distinct advantages. One advantage is that the invention provides a reduction in computation costs over commonly used group-based access control methods. This reduction in overhead allows fewer system resources to be dedicated to performing the access analysis. Another advantage is that the invention allows faster access to an object by a user due to the reduced computation costs. Yet another advantage is that the invention can handle enormous numbers of objects, groups, and users, larger than could be reasonably handled using current methods. The invention also provides a number of other advantages and benefits, which should be apparent from the following description of the invention.


REFERENCES:
patent: 5533107 (1996-07-01), Irwin et al.
patent: 5537468 (1996-07-01), Hartmann
patent: 5544052 (1996-08-01), Fujita et al.
patent: 5583793 (1996-12-01), Gray et al.
patent: 5764155 (1998-06-01), Kertesz et al.
J. H. Morris, M. Satyanarayanan, M. H. Conner, J. H. Howard, D. S. Rosenthal, F. D. Smith, "Andrew: a Distributed Personal Computing Environment," Communications of the ACM, 29(3), March 1986.
P. Racer, "Web pages number 320 million; search engines overwhelmed," San Diego Union Tribune, Apr. 3, 1998.
Alfred V. Aho et al., "The Design and Analysis of Computer Algorithms," Addison-Wesley, 1974, pp. 52-55 and 84-86.
Franco P. Preparata et al., "Computational Geometry: An Introduction," Texts and Monographs in Computer Science, Springer-Verlag, 1985, pp. 352-355.
T. H. Cormen et al., "Introduction to Algorithms," The MIT Press, 1994, pp. 485-487.
K. Mulmuley, "Computational Geometry: An Introduction Through Randomized Algorithms," Prentice Hall, 1994, pp. 312-317.
