CN-115004149-B - Method and system for controlling access to data
Abstract
A method for controlling access to a data set is provided. The method includes receiving a request from an agent via an interface to access a dataset in a database, extracting access criteria from the request related to predefined data access constraints and a predetermined data access policy, and determining whether the agent is permitted to access the dataset using the criteria, wherein the access criteria is based on attributes associated with elements within the dataset.
Inventors
- D. LAWRENCE
- M. G. Norman
Assignees
- JPMorgan Chase Bank, N.A.
Dates
- Publication Date: 20260512
- Application Date: 20210127
- Priority Date: 20200127
Claims (20)
- 1. A method for controlling access to a data set, the method being implemented by at least one processor, the method comprising: receiving, by the at least one processor, at least one request from at least one agent via an interface to access a dataset in at least one database, wherein the at least one database corresponds to a graph database comprising a graph structure for semantic queries, the graph structure having nodes, edges, and attributes to represent and store the dataset; extracting, by the at least one processor, from the at least one request at least one access criterion related to a predefined data access constraint and a predetermined data access policy, wherein the at least one access criterion comprises agent identification information and terminal information, the terminal information corresponding to a device issuing the at least one request; and determining, by the at least one processor, whether to grant the at least one agent access to the dataset using the at least one access criterion, wherein the at least one access criterion is based on at least one attribute associated with at least one element within the dataset.
- 2. The method of claim 1, further comprising: defining, by the at least one processor, a metamodel for at least one control objective; determining, by the at least one processor, a data frame based on the at least one request; and expressing, by the at least one processor, the metamodel in the determined data frame.
- 3. The method of claim 2, wherein the metamodel comprises at least one class including at least one of a policy class, an asset specification class, a participant specification class, an action specification class, a rule class, and a constraint class.
- 4. The method of claim 2, wherein the at least one control objective includes rules defining desired control outcomes for a group of participants.
- 5. The method of claim 2, wherein the at least one access criterion is linked to the at least one control objective based on the at least one attribute.
- 6. The method of claim 1, wherein the at least one attribute is derived from at least one physical data model related to a representation of a system storing and managing the dataset.
- 7. The method of claim 1, wherein the at least one attribute is derived from at least one logical data model related to a representation of an application level description of the dataset.
- 8. The method of claim 1, wherein the at least one attribute is derived from at least one traffic classification associated with enterprise class classification of the dataset based on the predetermined data access policy, the traffic classification comprising an application-independent description of the dataset.
- 9. The method of claim 1, wherein the at least one attribute is derived from at least one data lineage related to lifecycle information of the dataset, the lifecycle information including at least one of raw information of the dataset and movement history information of the dataset.
- 10. The method of claim 1, wherein the predetermined data access policy corresponds to at least one of a business requirement, a regulatory requirement, a customer requirement, and an operational requirement.
- 11. A computing device configured to implement a method for controlling access to a data set, the computing device comprising: a processor; a memory; and a communication interface coupled to each of the processor and the memory; wherein the processor is configured to: receive at least one request from at least one agent via an interface to access a dataset in at least one database, wherein the at least one database corresponds to a graph database comprising a graph structure for semantic queries, the graph structure having nodes, edges, and attributes to represent and store the dataset; extract at least one access criterion from the at least one request, the at least one access criterion being related to a predefined data access constraint and a predefined data access policy, wherein the at least one access criterion comprises agent identification information and terminal information, the terminal information corresponding to a device issuing the at least one request; and determine, using the at least one access criterion, whether to grant the at least one agent access to the dataset; wherein the at least one access criterion is based on at least one attribute associated with at least one element within the dataset.
- 12. The computing device of claim 11, wherein the processor is further configured to: define a metamodel for at least one control objective; determine a data frame based on the at least one request; and express the metamodel in the determined data frame.
- 13. The computing device of claim 12, wherein the metamodel comprises at least one class comprising at least one of a policy class, an asset specification class, a participant specification class, an action specification class, a rule class, and a constraint class.
- 14. The computing device of claim 12, wherein the at least one control objective comprises a rule defining a desired control outcome for a group of participants.
- 15. The computing device of claim 12, wherein the processor is further configured to link the at least one access criterion to the at least one control objective based on the at least one attribute.
- 16. The computing device of claim 11, wherein the processor is further configured to derive the at least one attribute from at least one physical data model related to a representation of a system storing and managing the dataset.
- 17. The computing device of claim 11, wherein the processor is further configured to derive the at least one attribute from at least one logical data model related to a representation of an application level description of the dataset.
- 18. The computing device of claim 11, wherein the processor is further configured to derive the at least one attribute from at least one business class associated with an enterprise class classification of the dataset based on the predetermined data access policy, the business class including an application-independent description of the dataset.
- 19. The computing device of claim 11, wherein the processor is further configured to derive the at least one attribute from at least one data lineage associated with lifecycle information of the dataset, the lifecycle information including at least one of raw information of the dataset and movement history information of the dataset.
- 20. The computing device of claim 11, wherein the predetermined data access policy corresponds to at least one of a business requirement, a regulatory requirement, a customer requirement, and an operational requirement.
Description
Method and system for controlling access to data
Cross Reference to Related Applications
The present application claims the benefit of U.S. provisional patent application Ser. No. 62/966,185, filed 1/27/2020, which is incorporated herein by reference in its entirety.
Technical Field
The present technology relates generally to methods and systems for protecting data sets, and more particularly to methods and systems for controlling access to data sets using access control policies and attributes of the data sets.
Background
Many business entities collect and utilize large amounts of data by implementing a database schema using a database management system, the database schema defining the data sets in the database. Historically, the use of such database schemas resulted in varying degrees of success with respect to manipulating the data set, providing access to the data set, and verifying the data set.
One disadvantage of using a conventional database schema, such as a relational database schema, is that in many cases the storage structure must be clearly defined. As a result, the strict structure of the predefined table does not allow for a logical way of retrieving data independent of the mechanism of storing and retrieving the respective data sets. In addition, defining the storage structure at the table definition level results in an application specific storage structure that requires reworking to be implemented on different applications and platforms.
In order to apply data access control consistently across multiple data sets, the data sets themselves need to be described in such a way that a consistency policy can be applied independent of the database schema of the respective data set, thereby enabling use by different applications and allowing use of the attributes of the data sets to control access to the data sets.
Disclosure of Invention
The present disclosure provides, by way of one or more of its various aspects, embodiments, and/or specific features or sub-components, among other things, various systems, servers, devices, methods, media, programs, and platforms for controlling access to a data set using access control policies and attributes of the data set.
According to an aspect of the present disclosure, a method for controlling access to a data set is provided. The method is implemented by at least one processor. The method may include: receiving, via an interface, at least one request from at least one agent to access a dataset in at least one database, wherein the at least one agent may include at least one of a human agent and a non-human software agent; extracting from the at least one request at least one access criterion related to a predefined data access constraint and a predetermined data access policy; and determining, using the at least one access criterion, whether the agent may be permitted to access the dataset, wherein the at least one access criterion may be based on at least one attribute associated with at least one element within the dataset.
According to an exemplary embodiment, the method may further comprise defining a metamodel for at least one control objective, determining a data frame based on the at least one request, and expressing the metamodel in the determined data frame.
According to an exemplary embodiment, the metamodel may include at least one class, which may include at least one of a policy class, an asset specification class, a participant specification class, an action specification class, a rule class, and a constraint class.
According to an exemplary embodiment, the at least one control objective may include rules defining desired control results for a group of participants.
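The flow described above (extract access criteria from the request, then decide using attributes attached to elements of the dataset in a graph), as an added sketch that is not code from the patent. The node names, attribute values, the two rules, the "managed" terminal label, the default-deny behaviour and the requirement that every element of the dataset pass are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed graph: element nodes carry attributes; edges tie a dataset to its elements.
NODES = {
    "col:price":  {"classification": "internal", "origin": "exchange-feed"},
    "col:client": {"classification": "confidential", "origin": "crm"},
}
EDGES = [("ds:trades", "contains", "col:price"),
         ("ds:trades", "contains", "col:client")]

@dataclass
class Rule:
    participants: frozenset             # participant specification (agent groups)
    actions: frozenset                  # action specification
    asset: dict                         # asset specification: attribute -> required value
    constraint: Callable[[dict], bool]  # constraint evaluated over the access criteria

POLICY = [  # constructed policy: a list of permit rules
    Rule(frozenset({"analyst"}), frozenset({"read"}),
         {"classification": "internal"}, lambda c: True),
    Rule(frozenset({"analyst"}), frozenset({"read"}),
         {"classification": "confidential"},
         lambda c: c["terminal"] == "managed"),  # terminal information gates access
]

def extract_criteria(request: dict) -> dict:
    """Pull agent identification and terminal information out of the request."""
    required = ("agent_id", "groups", "terminal", "action", "dataset")
    missing = [k for k in required if k not in request]
    if missing:
        raise ValueError(f"request lacks access criteria: {missing}")
    return {k: request[k] for k in required}

def element_allowed(c: dict, attrs: dict) -> bool:
    # Default deny: an element is readable only if some rule matches it fully.
    return any(bool(r.participants & set(c["groups"]))
               and c["action"] in r.actions
               and all(attrs.get(k) == v for k, v in r.asset.items())
               and r.constraint(c) for r in POLICY)

def decide(request: dict) -> bool:
    """Grant access only if every element of the requested dataset is permitted."""
    c = extract_criteria(request)
    elements = [dst for src, rel, dst in EDGES
                if src == c["dataset"] and rel == "contains"]
    return bool(elements) and all(element_allowed(c, NODES[e]) for e in elements)
```

Because the decision keys on element attributes rather than table names, the same rules apply to any dataset whose nodes carry those attributes.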
According to an exemplary embodiment, the at least one access criterion may be linked to the at least one control objective based on the at least one attribute. According to an exemplary embodiment, the at least one attribute may be derived from at least one physical data model related to a representation of a system storing and managing the data set. According to an exemplary embodiment, the at least one attribute may be derived from at least one logical data model related to a representation of an application level description of the dataset. According to an exemplary embodiment, the at least one attribute may be derived from at least one traffic classification associated with enterprise classification of the dataset based on the predetermined data access policy, which may include an application-independent description of the dataset. According to an exemplary embodiment, the at least one attribute may be derived from at least one data lineage related to lifecycle information of the dataset, which may include at least one of raw information of the dataset and movement history information of the dataset. According to an exemplary embodiment, the predetermined data access policy may correspond to at least one of a business requirement, a regulatory requirement, a custom