US20050223006A1 - Method and device for controlling the access to knowledge networks - Google Patents

Publication number
US20050223006A1
Authority
US
United States
Prior art keywords
rights
owner
user
tree
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/512,778
Inventor
Clara Hammeu
Jan Schummer
Christian Schuckmann
Elke Siemon
Patrick Closhen
Ralf Rath
Hans Scholz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intelligent Views GmbH
Original Assignee
Intelligent Views GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intelligent Views GmbH
Assigned to INTELLIGENT VIEWS GMBH. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RATH, RALF, SIEMON, ELKE, CLOSHEN, PATRICK, HAMMEN, CLARA, SCHOLZ, HANS, SCHUCKMANN, CHRISTIAN, SCHUMMER, JAN
Publication of US20050223006A1
Priority to US12/136,058 (patent US9870431B2)
Legal status: Abandoned

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/901: Indexing; Data structures therefor; Storage structures
    • G06F16/9024: Graphs; Linked lists
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/901: Indexing; Data structures therefor; Storage structures
    • G06F16/9027: Trees
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention relates to an efficient system for user rights in a semantic digital network, whereby users are arranged in the same semantic network as the information objects. The rights are thus derived from the semantic relations between users and information objects in a common semantic network.

Description

  • The invention relates essentially to a method for deriving user rights in a semantic network.
  • Semantic networks are being used in increasing numbers for linking information items with one another and finding them again at a later time. These forms of networks with their algorithms are also referred to as knowledge networks or ontologies, whereby information objects are connected with one another by edges which exhibit specific semantics.
  • Navigation through the network is effected along these edges, preferably by means of inferential algorithms. These traverse the network in search of statements.
  • Because of the complexity of knowledge networks, the need arises for access to be restricted or made possible to specific areas of the network.
  • In the considerations regarding the structure of the user management, criteria such as efficiency and usability of existing algorithms and data structures play a decisive part.
  • Known solutions implement access control at the table level, as is known, for example, from relational databases.
  • The problem of the invention is to provide an efficient and flexibly configurable access control which is technically and ergonomically integrated, and which takes account of the complexity of knowledge networks.
  • This problem is resolved by the inventions in accordance with the features of the independent claims. Advantageous further embodiments of the inventions are described in the Sub-claims.
  • If the invention is regarded in abstract terms, the users are represented in the same semantic network as the information objects. Access rights are derived from the semantic relations between users and information objects.
  • This solution has the advantage that no further metadata is required, such as is the case, for example, with relational databases. Rather, existing algorithms and inference rules can be used in order to derive user rights. In addition to this, the same efficient memory system can be used for contents and access information. A further technical advantage lies in the fact that no adaptation of the code for the representation of the access information is required. The users and their relations to the information objects are part of the knowledge network as a whole.
  • Thanks to the use of the efficient memory system and the high-performing algorithms, it is possible for the user rights to be calculated at the time of access. This has the advantage that, instead of static rules, queries can also be defined which describe the rights. This is described in detail hereinafter.
  • The rights system of the present invention makes the decision on access entitlements on the basis of information from the knowledge network.
  • Users who are intended to be subject to access control by the rights system are represented as nodes in the knowledge network.
  • These user nodes are placed in a relationship with the nodes in the knowledge network which serve as starting points for the access rights of the member users.
  • The rules which configure the rights system determine which access rights the individual user has to the knowledge network objects. In this situation a check is carried out as to whether rules exist which allow an access. This check is effected dynamically at run time. This ensures that any changes in the knowledge network are immediately reflected, including in changed access rights.
  • Users can appear in several roles in relation to the system.
  • Roles are likewise defined in the knowledge network and simplify the configuration of the rights system. Depending on the role of a person, it is therefore possible for different rights to be defined for entire groups.
  • Considered in formal terms, a right r: <o, t, op> consists of the three components of user, target, and operation.
  • This means that the user of a right (user) can carry out the operation specified (operation) on the target of the right (target). If a part of the right is not defined, the right is deemed to apply to all the objects of the knowledge network which come into question for this part. In addition to individual elements, the components can contain sets. As a result, groups of users of a right can be defined.
  • Rights are preferably formulated positively. This means that a negative response will be given at the examination of the right if no positive answer is found. With queries to the rights system, attestations for the user, the target, and the knowledge network object respectively are transferred. The rights system seeks a positive response in the rights definitions. In a further preferred embodiment it is possible for a negation to be applied to a right.
  • In the preferred embodiment, the rights of a knowledge network are defined in a rights tree. This rights tree consists of folders which are arranged and structured in tree fashion. The root, and therefore the topmost folder of this space, is preferably anchored in the central part of the knowledge network, the “root”. The root is the organizational root of the knowledge network. If no rights tree exists in this preferred embodiment, or if this space consists solely of a root folder, then all operations are allowed for all users on all knowledge network objects.
  • Rights are defined and allocated in sub-folders of the root folder of the rights tree. A right is divided in each case into a folder with its components, which are likewise arranged in folders. The folders, with their user and operations components, form filters of a right, while the folder for the target can contain a search query. The folders of a right do not stand next to each other in the rights tree, but form a part tree of the rights tree as a whole. If rights have the same components, e.g. the same operations, then the same folders can be used for them, i.e. the same components. The other components of these rights are then subdivided into other sub-folders.
  • The individual components of a right and the definition possibilities are explained hereinafter. The combination of the components will then be considered.
  • The components of a right are in each case the elements of a folder. They are defined in different ways and means, or arranged in their folders, as explained hereinafter.
  • Operations:
  • The definition of op in the rights system is preferably effected by the enumeration of the permitted operations (in the preferred implementation “Read”, “Modify”, “Generate” and “Delete”), which form the elements of an operations folder.
  • Owner:
  • The set of owners (o) of a right is represented by the set of elements of the owner folder. For o, individual elements (instances) of a term of the knowledge network come into question, which were indicated as the owner term in the configuration of the rights system. The set of owners of a right can be a subset of these individual elements. The selection of the owners can preferably be effected in three different ways during the processing of the user/owner folder: firstly by explicit indication, secondly by the accessibility of the owner from a knowledge network object, and thirdly by the determination of the role which an owner has adopted.
  • 1. Explicit Indication
  • The owner or owners of a rights part tree are input explicitly, e.g. by means of an editor. In this situation, individual elements (instances) of the owner term are determined.
  • If, for example, only the beginning of a name is entered, the system will then look for an object which matches this among the individual elements of the owner term.
  • Example: The owner term Person has the individual elements Miller and Meier. A further object in the knowledge network may be “Mill”. If, for the indication of an owner, only the beginning of the name “Mi” is entered, the system will then find, as a possible object, only the individual item Miller, and will transfer this as the owner into the folder. The object Mill will not be found, because it is not an individual element of an owner term.
  • 2. Owner Accessible from a Knowledge Network Object
  • The owner is in this case derived from a relationship which pertains between a knowledge network object and the user.
  • The knowledge network object and the relationship are then explicitly indicated in an editor (see above also). The rights part tree accordingly applies to all user objects which can reach the knowledge network object via this relationship. The owner object from which the relationship is pursued is not determined until the time of the assessment of the rights tree, and not as early as the rights tree definition.
  • 3. Owner of a Specific Role
  • The contents of the owner folder are defined by means of a role. This role is explicitly indicated at the processing of the folder. The elements of the owner/user folder are calculated at the rights examination.
  • Target:
  • The set of targets of a rights part tree can either be indicated explicitly or calculated by means of a search query.
  • 1. Explicit Indication
  • Any knowledge network object can be drawn into any folder by drag and drop, but preferably not into a search folder of the rights tree. As an element of a corresponding folder in the rights tree, a knowledge network object is the target of a right.
  • 2. Calculation of the Targets in a Search Query
  • For the calculation of the targets by a search query, a search query is set up in a search folder. The search query is carried out at the examination of the rights, and the knowledge network objects found at this juncture represent the targets of the rights part tree.
  • With the aid of search queries, rules can be created for the targets of rights.
  • If it is intended that a target object which was calculated in a search query should be accessible by the users/owners in the rights part tree via the edges in the knowledge network, this can be indicated by means of the owner query.
  • From all the relations indicated in the search, those can be selected by means of which it is intended that the owner should be reachable from the target objects. If it is intended, for example, that in a knowledge network with project data only the knowledge network objects should be accessible for each owner/user from their own project in each case, this can be attained by providing the relationship ‘is project participant in’ as the owner query.
  • Inverting of Definitions
  • In exceptional cases it may be a good idea for constituent parts of a right to be formulated negatively (e.g. “all knowledge network types except for individual items from the term Person”). The negation can be applied to owners and targets of a right. It is defined by a negative filter being set in the rights part tree in front of the folder which is to be negated. All the elements contained in this folder form exceptions, to which the rights part tree does not apply.
  • Restrictions on Attributes and Relations
  • If a right is intended to apply only to certain specific attributes or relations of a knowledge network object, this can be defined at any point in the rights tree. However, it needs to be borne in mind in that case that this restriction preferably applies to the whole sub-tree, and the rights in this part tree still apply to these objects with this restriction. That is to say, if it is defined in the root folder of the rights tree that operations can only be carried out on the attributes of name and telephone number from the individual items of persons, then all the rights in the sub-folders apply as a maximum to these attributes on these individual items, regardless of the elements in these folders.
  • Examination of a Right
  • During the examination of whether an owner may carry out an operation on a knowledge network object, all the part trees of the rights tree will be run through until the requirements formulated in the query can be fulfilled in one of the part trees. In this case, the access being enquired about will be permitted. If no part tree corresponding to the query is found, then the access will be rejected as not permissible.
  • An examination will be carried out in every folder to determine whether the target of the query is an element of the folder. For this reason, knowledge network objects can be drawn as targets in owner and operations folders.
  • The folders of a part tree are checked recursively. The folders for operations and owners behave like filters. The sub-folders of these folders are checked if the operation or owner to be examined fulfils the filter criterion. If this is the case, then either the sub-folders will be checked or, if there are none available, a positive response will be returned.
  • A check is carried out in a search folder as to whether the target of the query is an element of the set which is calculated during the performance of the search query indicated in the folder. If that is the case, then the answer to the examination is positive.
  • The invention is explained in greater detail hereinafter on the basis of embodiments, which are represented in diagrammatic form in the Figures. The same reference numbers in the individual Figures designate the same elements. Specifically, the Figures show:
  • FIG. 1 An extract from a knowledge network with the user/owner nodes “Ms. Miller”, responsible for the knowledge network object “Reiber Street Residential Building”;
  • FIG. 2 Rights in tree form with operations folders and user/owner folders;
  • FIG. 3 Rights part tree with negative filter.
  • Within the scope of the invention, numerous derivations and further formulations of the embodiments described can be realised.
  • FIG. 1 shows a section from a knowledge network, in which the project structure of a construction company is deposited. Accordingly, “Ms. Miller” is responsible for the project of the “Reiber Street Residential Building”, in the role of “Building Manager”.
  • The rights system can now be configured in such a way, for example, that Ms. Miller receives writing rights to the building sections relating to the “Reiber Street Residential Building” construction project. Construction sections from other construction projects (e.g. “Landwehr Street Car Park”), for which Ms. Miller is not responsible, cannot be processed by her. New construction sections, such as in the sector of “Reiber Street External Installations”, automatically fall into the access area of Ms. Miller.
  • Changes in the knowledge network, such as a restructuring, in which the responsibilities for “Residential Building” and “Landscape Gardening” are separated in terms of organization, also automatically change the access entitlements of the users concerned (in this case, Ms. Miller would lose her writing right to the “Reiber Street External Installations”).
  • The components of a right are defined in folders which form a part tree in the rights tree (see FIG. 2). In the leaves of the rights tree it is mostly the target objects of the rights which are defined. The possible operations and the users are filtered out in the folders between the leaves and the root. Accordingly, the topmost part tree in FIG. 2 shows that the operations Modify and Read can be carried out by all users who hold the role of Project Manager on all objects which can be calculated from the search query in the “Projects” folder.
  • A part tree of the rights tree does not need to define explicitly all three components of a right. The second part tree in FIG. 2 contains two levels, since there is no indication of the operations. Accordingly, the right defined in this part tree signifies that the user, “Mr. Schuckmann”, may carry out all operations on the calculated objects in the “Road Construction Projects” sub-folder.
  • The third part tree in FIG. 2 shows that any user can carry out the “Create” operation on any objects of the knowledge network.
  • FIG. 3 shows the definition of Prohibition, with the aid of a negative filter in the rights part tree, which is set in front of the folder which is to be negated. All the elements contained in this folder form exceptions for which the rights part tree does not apply.
  • As has already been described earlier, the unfolded rights part tree in FIG. 2 indicates that everything can be read by all users except the elements in the search folder “Group Companies”.
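
The examination procedure described above (filter folders for operations and owners, search folders evaluated at check time, negative filters, refusal when no part tree answers positively) can be sketched as follows. This is an added example, not code from the patent or its applicant; the relation names "has role", "is responsible for", "is part of" and "is a", the nodes "Section A", "Section B" and "Subsidiary X", and all function names are assumptions, and the sample network is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


class Network:
    """Semantic network as (subject, relation, object) edges; users are ordinary nodes."""

    def __init__(self, edges):
        self.edges = set(edges)

    def objects(self, subject, relation):
        return {o for s, r, o in self.edges if s == subject and r == relation}

    def subjects(self, relation, obj):
        return {s for s, r, o in self.edges if r == relation and o == obj}


@dataclass
class Folder:
    kind: str                                    # "op", "owner" or "target"
    members: Callable[[Network, str], Set[str]]  # computed when the right is examined
    negated: bool = False                        # negative filter: members are exceptions
    children: List["Folder"] = field(default_factory=list)


def ops(*names, children=()):
    # Operations folder: enumerates the permitted operations.
    return Folder("op", lambda kn, user: set(names), children=list(children))


def role(name, children=()):
    # Owner folder defined by a role; resolved from the network on every check.
    return Folder("owner", lambda kn, user: kn.subjects("has role", name),
                  children=list(children))


def search(query, negated=False):
    # Search folder: the query runs at examination time, never at definition time.
    return Folder("target", query, negated=negated)


def grants(folder, kn, user, op, target):
    """Recursive check of one part tree: each folder filters on its own component."""
    probe = {"op": op, "owner": user, "target": target}[folder.kind]
    hit = probe in folder.members(kn, user)
    if folder.negated:
        hit = not hit
    if not hit:
        return False
    if not folder.children:      # no sub-folders left: positive response
        return True
    return any(grants(c, kn, user, op, target) for c in folder.children)


def is_allowed(rights_tree, kn, user, op, target):
    if not rights_tree:          # no rights tree, or only a root folder: all allowed
        return True
    # Rights are positive: access is refused unless some part tree answers yes.
    return any(grants(f, kn, user, op, target) for f in rights_tree)


def own_project_sections(kn, user):
    # Target query tied to the owner: sections of projects the user is responsible for.
    return {s for p in kn.objects(user, "is responsible for")
            for s in kn.subjects("is part of", p)}


def group_companies(kn, user):
    return kn.subjects("is a", "Group Company")


def build_network():
    # Constructed sample data modelled on the FIG. 1 description.
    return Network([
        ("Ms. Miller", "has role", "Building Manager"),
        ("Ms. Miller", "is responsible for", "Reiber Street Residential Building"),
        ("Section A", "is part of", "Reiber Street Residential Building"),
        ("Section B", "is part of", "Landwehr Street Car Park"),
        ("Subsidiary X", "is a", "Group Company"),
    ])


RIGHTS_TREE = [
    # Modify -> Building Managers -> sections of their own projects
    ops("Modify", children=[role("Building Manager",
                                 children=[search(own_project_sections)])]),
    # Read -> everything except the elements of the "Group Companies" search folder
    ops("Read", children=[search(group_companies, negated=True)]),
]

if __name__ == "__main__":
    kn = build_network()
    for op, target in [("Modify", "Section A"), ("Modify", "Section B"),
                       ("Read", "Section B"), ("Read", "Subsidiary X")]:
        print(op, target, is_allowed(RIGHTS_TREE, kn, "Ms. Miller", op, target))
```

Because every folder's members are computed from the network at check time, adding or removing an edge changes the answer on the next call without touching the rights tree.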

Claims (15)

1. Method for the efficient representation of rights in a semantic network deposited in a digital storage medium, which consists of nodes and edges, whereby the nodes represent information objects and the edges represent semantic relations, wherein
users or user groups are stored as nodes which are set in relationship with other information objects, whereby the rights are derived via the relations.
2. Method according to the foregoing claim 1 wherein the rights are determined by derivation dynamically in relation to the run time.
3. Method according to claim 1 wherein a right is defined by r:<o, t, op>, whereby the right is composed of the components of owner, target, and operation, and wherein an owner (o) of the right may or may not be allowed to carry out the operation (op) on a target (t).
4. Method according to the claim 3 characterised in that rights are defined positively or negatively.
5. Method according to claim 1, wherein the rights are arranged in a rights tree in the semantic network.
6. Method according to claim 1, wherein the rights are defined in a folder hierarchy, whereby the folder hierarchy comprises the levels of Operation, Owner/user, and Target Object.
7. Method according to claim 1, wherein the rights of an owner is indicated explicitly by referencing of a user or owner group, or by the existence of a relationship between an information object and a user or by the determination of the roles which a user has.
8. Method according to claim 1, wherein the target is determined explicitly or by a search query.
9. Method according to claim 1, wherein rights which have concordant components share these components by referencing with one another.
10. Method according to claim 1 wherein during the examination as to whether a user may carry out an operation on an information object, all the part trees of the rights tree are run through for as long as required until the response from a part tree provides a positive answer; by contrast, if no part tree is found, the response is negative.
11. Data structure for the deposition of digital rights in a semantic network consisting of nodes and edges, whereby the nodes represent information objects and the edges represent semantic relations,
wherein users or groups are stored as nodes, which are set in relationship with other information objects via the data structure, and whereby the rights are derived via the relations.
12. Data structure according to claim 11, wherein the right is defined by r:<o, t, op>, whereby the right is composed of the components of owner, target, and operation, whereby an owner o of the right may or may not be allowed to carry out the operation op on a target t, whereby the data structure provides a memory area for the direct or indirect deposition, in particular by means of pointers.
13. (canceled)
14. Data carrier comprising a data structure which allows the running of the method according to claim 1, when loaded into a computer.
15. Data carrier comprising a data structure according to claim 11.
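
The evaluation described in claims 3, 4, 7, 8 and 10, together with the negative filter of FIG. 3, can be sketched as follows. This is an added example, not code from the application: the node names, the relation names (`member_of`, `author_of`, `in_folder`), the "Modify" part tree and the second "Read" part tree are constructed for illustration, and it assumes that a negative filter exempts elements only from the part tree it is attached to.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed semantic network: (subject, relation, object) edges.
EDGES = {
    ("alice", "member_of", "editors"),
    ("alice", "author_of", "report_q3"),
    ("report_q3", "in_folder", "Reports"),
    ("acme_holding", "in_folder", "Group Companies"),
}

def related(subj: str, rel: str, obj: str) -> bool:
    return (subj, rel, obj) in EDGES

# Owner and target are predicates, so they are derived from relations at
# evaluation time instead of being stored per object.
anyone = lambda user, obj: True
anything = lambda obj: True
author = lambda user, obj: related(user, "author_of", obj)
def member(group): return lambda user, obj: related(user, "member_of", group)
def in_folder(name): return lambda obj: related(obj, "in_folder", name)

@dataclass
class PartTree:
    operation: str
    owner: Callable[[str, str], bool]
    target: Callable[[str], bool]
    negative: tuple = ()  # negative filters: exceptions to this part tree

    def allows(self, user: str, op: str, obj: str) -> bool:
        if op != self.operation or not self.owner(user, obj):
            return False
        if any(excluded(obj) for excluded in self.negative):
            return False  # this part tree does not apply to the element
        return self.target(obj)

RIGHTS_TREE = [
    PartTree("Read", anyone, anything, (in_folder("Group Companies"),)),
    PartTree("Read", member("editors"), in_folder("Group Companies")),
    PartTree("Modify", author, anything),  # constructed: owner via relation
    PartTree("Create", anyone, anything),
]

def may(user: str, op: str, obj: str, tree=RIGHTS_TREE) -> bool:
    """Stop at the first part tree that answers positively; else deny."""
    return any(part.allows(user, op, obj) for part in tree)
```

Under this reading a negative filter is not a global deny: `alice` can still read `acme_holding` through the second "Read" part tree, while an operation that no part tree covers is refused by default.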
US10/512,778 2002-04-26 2003-04-28 Method and device for controlling the access to knowledge networks Abandoned US20050223006A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/136,058 US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10218905.6A DE10218905B4 (en) 2002-04-26 2002-04-26 Method and data structure for access control in knowledge networks
DE10218905.6 2002-04-26
PCT/EP2003/004373 WO2003092198A2 (en) 2002-04-26 2003-04-28 Method and device for controlling the access to knowledge networks

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/136,058 Continuation-In-Part US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Publications (1)

Publication Number Publication Date
US20050223006A1 true US20050223006A1 (en) 2005-10-06

Family

ID=29224827

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/512,778 Abandoned US20050223006A1 (en) 2002-04-26 2003-04-28 Method and device for controlling the access to knowledge networks
US12/136,058 Active 2025-11-17 US9870431B2 (en) 2002-04-26 2008-06-10 Method and device for controlling the access to knowledge networks

Country Status (6)

Country Link
US (2) US20050223006A1 (en)
EP (1) EP1502211B1 (en)
AT (1) ATE521943T1 (en)
AU (1) AU2003233076A1 (en)
DE (1) DE10218905B4 (en)
WO (1) WO2003092198A2 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100174577A1 (en) * 2009-01-07 2010-07-08 Red Hat, Inc. Automated Task Delegation Based on Skills
US8805713B2 (en) * 2009-01-07 2014-08-12 Red Hat, Inc. Interface for project and task submission for automated delegation
US10339123B2 (en) * 2014-11-01 2019-07-02 Hewlett Packard Enterprise Development Lp Data management for tenants
US9628555B2 (en) * 2015-06-18 2017-04-18 Live Nation Entertainment, Inc Enhanced load processing using linked hierarchical data structures
US9857960B1 (en) * 2015-08-25 2018-01-02 Palantir Technologies, Inc. Data collaboration between different entities

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4815005A (en) * 1986-11-29 1989-03-21 Kabushiki Kaisha Toshiba Semantic network machine for artificial intelligence computer
US5941947A (en) * 1995-08-18 1999-08-24 Microsoft Corporation System and method for controlling access to data entities in a computer network
US20020013909A1 (en) * 2000-04-29 2002-01-31 Markus Baumeister Method of dynamic determination of access rights
US20020162005A1 (en) * 2000-04-24 2002-10-31 Masaomi Ueda Access right setting device and manager terminal
US20020161768A1 (en) * 2001-04-30 2002-10-31 International Business Machines Corporation Group access privatization in clustered computer system
US20030126136A1 (en) * 2001-06-22 2003-07-03 Nosa Omoigui System and method for knowledge retrieval, management, delivery and presentation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19954358A1 (en) * 1999-01-07 2000-07-20 Hewlett Packard Co User role access controller has computer-legible storage media and program code resident in the media for generating one or more user roles
WO2001041039A2 (en) * 1999-12-02 2001-06-07 Secure Computing Corporation Security management system in an heterogenous network environment
US7185359B2 (en) * 2001-12-21 2007-02-27 Microsoft Corporation Authentication and authorization across autonomous network systems
JP4284497B2 (en) * 2003-01-29 2009-06-24 日本電気株式会社 Information sharing method, apparatus, and program

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8615531B2 (en) 2007-09-28 2013-12-24 Xcerion Aktiebolag Programmatic data manipulation
US9344497B2 (en) 2007-09-28 2016-05-17 Xcerion Aktiebolag State management of applications and data
US20090172568A1 (en) * 2007-09-28 2009-07-02 Xcerion Ab Network operating system
US20090193410A1 (en) * 2007-09-28 2009-07-30 Xcerion Aktiebolag Network operating system
US20090192969A1 (en) * 2007-09-28 2009-07-30 Xcerion Aktiebolag Network operating system
US8280925B2 (en) 2007-09-28 2012-10-02 Xcerion Aktiebolag Resolution of multi-instance application execution
US8112460B2 (en) 2007-09-28 2012-02-07 Xcerion Aktiebolag Framework for applying rules
US8156146B2 (en) * 2007-09-28 2012-04-10 Xcerion Aktiebolag Network file system
US8234315B2 (en) 2007-09-28 2012-07-31 Xcerion Aktiebolag Data source abstraction system and method
US8239511B2 (en) 2007-09-28 2012-08-07 Xcerion Aktiebolag Network operating system
US11838358B2 (en) 2007-09-28 2023-12-05 Xcerion Aktiebolag Network operating system
US20090172078A1 (en) * 2007-09-28 2009-07-02 Xcerion Ab Network operating system
US8688627B2 (en) 2007-09-28 2014-04-01 Xcerion Aktiebolag Transaction propagation in a networking environment
US8620863B2 (en) 2007-09-28 2013-12-31 Xcerion Aktiebolag Message passing in a collaborative environment
US20090157627A1 (en) * 2007-09-28 2009-06-18 Xcerion Ab Network operating system
US8738567B2 (en) 2007-09-28 2014-05-27 Xcerion Aktiebolag Network file system with enhanced collaboration features
US8843942B2 (en) 2007-09-28 2014-09-23 Xcerion Aktiebolag Interpreting semantic application code
US8954526B2 (en) 2007-09-28 2015-02-10 Xcerion Aktiebolag Network operating system
US8959123B2 (en) 2007-09-28 2015-02-17 Xcerion Aktiebolag User interface framework
US8996459B2 (en) 2007-09-28 2015-03-31 Xcerion Aktiebolag Offline and/or client-side execution of a network application
US9071623B2 (en) 2007-09-28 2015-06-30 Xcerion Aktiebolag Real-time data sharing
US9621649B2 (en) 2007-09-28 2017-04-11 Xcerion Aktiebolag Network operating system
US8332782B1 (en) * 2008-02-22 2012-12-11 Adobe Systems Incorporated Network visualization and navigation
US20110109829A1 (en) * 2009-11-10 2011-05-12 Mathew Dinesh C Methods for fabricating display structures

Also Published As

Publication number Publication date
AU2003233076A1 (en) 2003-11-10
US9870431B2 (en) 2018-01-16
ATE521943T1 (en) 2011-09-15
EP1502211A2 (en) 2005-02-02
EP1502211B1 (en) 2011-08-24
US20080275879A1 (en) 2008-11-06
WO2003092198A2 (en) 2003-11-06
WO2003092198A3 (en) 2004-06-17
AU2003233076A8 (en) 2003-11-10
DE10218905A1 (en) 2003-11-13
DE10218905B4 (en) 2016-03-17

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTELLIGENT VIEWS GMBH, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAMMEN, CLARA;SCHUMMER, JAN;SCHUCKMANN, CHRISTIAN;AND OTHERS;REEL/FRAME:016629/0336;SIGNING DATES FROM 20041018 TO 20041025

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION