US-12619752-B2 - Data management systems and methods
Abstract
This disclosure relates to systems and methods for managing access to data through enforcement of one or more associated rules. In various embodiments, a directory may be used to manage and/or otherwise record various relationships between objects, that may include governed objects such as data sets, and associated rules and rule sets. Access requests involving governed objects may be compared with relevant rules to determine whether the requested access should be allowed and what, if any, restrictions should be applied in connection with such access. Various embodiments of the disclosed systems and methods may allow for a data governance model that is flexible, allows for use across multiple complex organizations, and is highly extensible.
Inventors
- Eric Swenson
- Harbinder Singh Hayer
Assignees
- INTERTRUST TECHNOLOGIES CORPORATION
Dates
- Publication Date
- 20260505
- Application Date
- 20230323
Claims (17)
- 1. A method for managing access to a governed object performed by a data management system comprising at least one processor and at least one non-transitory computer-readable medium storing instructions that, when executed by the at least one processor, cause the data management system to perform the method, the method comprising: receiving, by a security service of the data management system, an access control request, the access control request comprising an indication of a subject associated with a validated access token, an indication of a specified data set associated with the access control request, and an indication of at least one requested access privilege associated with the request; accessing, by the security service, a directory database to identify: at least a first governed object in the directory database, the at least a first governed object corresponding with the specified data set associated with the access control request, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule, and at least a first role in the directory database, the at least a first role being associated with the indication of the subject associated with the access token; determining, by the security service, based on the at least a first rule, the at least a first role, and the access control request, that the access control request should be granted, wherein determining that the access control request should be granted comprises: comparing the indication of the subject associated with the access token, the at least a first role, the indication of the specified data set, and the indication of the at least one requested access privilege with the at least a first rule, and determining, based on the comparison, that the subject associated with the access token is permitted the at least one requested access privilege to the at least a first governed object associated with the specified data set; issuing, to a service originating the access control request by the security service, an access control response granting access to the specified data set based on determining that the access control request should be granted.
- 2. The method of claim 1, wherein the access control request is received from a data service of the data management service.
- 3. The method of claim 2, wherein the access control response is issued by the security service to the data service.
- 4. The method of claim 2, wherein the access token is validated by the data service.
- 5. The method of claim 1, wherein the access token is validated by an authentication service of the data management service.
- 6. The method of claim 1, wherein the access token is validated by a remote authentication service.
- 7. The method of claim 1, wherein the validated access token comprises an access token that is not expired.
- 8. The method of claim 1, wherein the validated access token comprises an access token issued by an authentication service of the data management service based on determining that authentication credentials provided to the authentication service in connection with an access token request are associated with a valid account.
- 9. The method of claim 1, wherein the directory database is managed by a directory service of the data management system.
- 10. The method of claim 1, wherein the service originating the access control request comprises a data service of the data management system and the method further comprises: retrieving, by the data service based on the access control response, the specified data set from a data store; and transmitting, by the data service, a data access response to a requesting client system based on the retrieved specified data set.
- 11. The method of claim 10, wherein the data store comprises a local data store of the data management system.
- 12. The method of claim 10, wherein the data store comprises a remote data store.
- 13. The method of claim 10, wherein the access control response comprises at least one restriction, and wherein retrieving the specified data set from the data store comprises retrieving the specified data set in accordance with the at least one restriction.
- 14. The method of claim 13, wherein retrieving the specified data set in accordance with the at least one restriction comprises transmitting at least one data retrieval request issued to the data store in accordance with the at least one restriction.
- 15. The method of claim 1, wherein the at least a second governed object comprises an object associated with an organization.
- 16. The method of claim 1, wherein the method further comprises: identifying, by the security service, at least a second rule set in the directory database, the at least a second rule set being associated with the at least a first governed object in the directory database, the at least a second rule set comprising at least a second rule; and determining, by the security service, that the first rule set has a higher indicated priority than the second rule set.
- 17. The method of claim 1, wherein the subject associated with the access token comprises an account associated with the validated access token.
Description
RELATED APPLICATION
This application is a continuation of U.S. application Ser. No. 16/778,934, filed Jan. 31, 2020, and entitled “Data Management Systems and Methods,” which claims the benefit of priority under 35 U.S.C. § 119(e) to U.S. Provisional Patent Application No. 62/800,103, filed Feb. 1, 2019, and entitled “Policy Enforced Data Management Systems and Methods,” both of which are hereby incorporated by reference in their entireties.
COPYRIGHT AUTHORIZATION
Portions of the disclosure of this patent document may contain material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the U.S. Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
SUMMARY
The present disclosure relates generally to systems and methods for managing data. More specifically, but not exclusively, the present disclosure relates to systems and methods for managing access to data through enforcement of one or more associated rules.
Certain data management services may support rich access control for managed data. Actors using such services (human and non-human users) may be identified and authenticated, allowing for invocation of various data management service APIs. This alone, however, may not provide fine-grained access control to managed data. For example, simple access control systems that are based on users and/or groups with access control lists (“ACLs”) may be less suitable for situations where complex data sharing is expected among parties in multiple organizations, where relationships between users and organizations are not strictly hierarchical and/or change over time, and/or the like.
User and/or group-based access control systems may also not be able to easily model situations where organizations within hierarchies wish to impose constraints on organizations above or below them within the hierarchy and/or where value-based access control decisions are desired.
Various embodiments of the disclosed systems and methods provide a framework for data management and/or access control that uses one or more services that may include, for example and without limitation, one or more of an authentication service, a security service, a directory service, a catalog service, and/or a data service. In certain embodiments, the security service may interact with an authentication service—a service that may support various identification and/or authentication operations. Consistent with embodiments disclosed herein, the security service may manage various access control determinations relative to governed data and/or other governed objects. Data access may be brokered using the data service, which may invoke in connection with data access processes the authentication service, security service, directory service, and/or the catalog service. In certain embodiments, the authentication service may be leveraged by other services for authentication operations.
Certain embodiments of the disclosed systems and methods may employ an access control model that uses a “rule” as a fundamental unit of access control. Consistent with embodiments described herein, rules may specify, for example and without limitation, one or more of a subject, an object, one or more privileges, flags for each privilege (e.g., an allow and/or deny flag), a depth, one or more restrictions (in certain instances denoted as “R”), and/or a restriction combinator (in certain instances denoted as “RC”). Rules may be specified by rule sets and/or may be formed when a role, which may comprise policies, is granted to a subject by means of a role grant.
In various embodiments, a policy may comprise a set of partial rules. A partial rule may be similar to a rule but not comprise a subject. A role may comprise a set of policies and a role grant may comprise a binding between a subject and a role. In some embodiments, terms may be defined in rules allowing for time-based access control.
Rule sets and/or role grants may be “attached” to an object within a data management directory in certain disclosed embodiments at an attachment point. Such an attachment point may define the root of a tree of objects that may be governed by the associated rules created by the rule set and/or role grant. A “depth” specified in a rule and/or partial rule may specify the depth in the directory tree hierarchy that the derived rules may be applied, starting from the lower of the object specified in the rule and the attachment point. For example, a rule and/or partial rule may specify a depth of 0, which may mean the rule and/or partial rule applies at the attachment point, a depth of 1, which may mean the rule and/or partial rule applies to an object at attachment point and the immediate children of the object, a depth of −1, which may denote that the rule and/or partial rule applies to an object at the attachment poin
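The following Python model is an added example, not code from the patent or from Intertrust; it illustrates the access check of claim 1 and the attachment-point and depth semantics described in the summary above. A directory tree of governed objects is built, rule sets carrying rules (subject, per-privilege allow/deny flag, depth, optional named object, restrictions) are attached at nodes with a priority, and a toy security service walks the target's root path to find rules whose effective root (the lower of the rule's object and the attachment point) lies within the rule's depth. The class names, the sample tree, the rule sets, the treatment of a negative depth as unbounded (the page's definition of depth −1 is cut off) and the tie-break that a deny flag wins at equal priority are all assumptions of this example.

```python
"""Added example: toy directory / rule-set / depth access check (not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GovernedObject:
    """A node in the directory tree (organization, data set, ...). Hypothetical type."""
    name: str
    parent: Optional["GovernedObject"] = None

    def root_path(self) -> List["GovernedObject"]:
        """Nodes from this object up to the root, nearest first."""
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return path

    def distance_below(self, ancestor: "GovernedObject") -> Optional[int]:
        """Edges from `ancestor` down to this object; None if it is not an ancestor."""
        for dist, node in enumerate(self.root_path()):
            if node is ancestor:
                return dist
        return None


@dataclass
class Rule:
    subject: str                           # account or role name the rule is about
    privileges: Dict[str, bool]            # privilege -> allow flag (True) or deny flag (False)
    depth: int                             # 0: attachment point only; 1: plus immediate children; ...
    obj: Optional[GovernedObject] = None   # object named by the rule; None means the attachment point
    restrictions: Tuple[str, ...] = ()     # restriction labels returned with a grant


@dataclass
class RuleSet:
    rules: List[Rule]
    attachment: GovernedObject             # root of the subtree the rule set governs
    priority: int = 0                      # higher priority wins when several rule sets apply


class SecurityService:
    """Answers access control requests by walking the target's root path (toy version)."""

    def __init__(self, rule_sets: List[RuleSet]) -> None:
        self.rule_sets = rule_sets

    def _applicable(self, target: GovernedObject):
        for rs in self.rule_sets:
            for rule in rs.rules:
                # Start from the lower of the rule's object and the attachment point.
                root = rs.attachment
                if rule.obj is not None and rule.obj.distance_below(rs.attachment) is not None:
                    root = rule.obj
                dist = target.distance_below(root)
                if dist is None:
                    continue                # target lies outside the governed subtree
                # ASSUMPTION: a negative depth is treated as unbounded.
                if rule.depth >= 0 and dist > rule.depth:
                    continue
                yield rs.priority, rule

    def check(self, subject: str, roles: set, target: GovernedObject, privilege: str) -> dict:
        identities = {subject, *roles}
        matches = [(prio, rule) for prio, rule in self._applicable(target)
                   if rule.subject in identities and privilege in rule.privileges]
        if not matches:
            return {"granted": False, "restrictions": ()}   # default deny
        top = max(prio for prio, _ in matches)
        winners = [rule for prio, rule in matches if prio == top]
        # ASSUMPTION: at equal priority a deny flag beats an allow flag.
        if any(not r.privileges[privilege] for r in winners):
            return {"granted": False, "restrictions": ()}
        restrictions = tuple(sorted({x for r in winners for x in r.restrictions}))
        return {"granted": True, "restrictions": restrictions}


def build_example():
    """Constructed sample directory and rule sets (not taken from the page)."""
    org = GovernedObject("org")
    dept = GovernedObject("dept", org)
    dataset_a = GovernedObject("dataset_a", dept)
    dataset_b = GovernedObject("dataset_b", org)
    rule_sets = [
        # analysts may read org and its immediate children (depth 1), so not dataset_a
        RuleSet([Rule("analyst", {"read": True}, depth=1)], org, priority=0),
        # inside dept, analysts read one level down with a masking restriction
        RuleSet([Rule("analyst", {"read": True}, depth=1, restrictions=("mask_pii",))], dept, priority=5),
        # contractors are denied read everywhere under org (negative depth = unbounded)
        RuleSet([Rule("contractor", {"read": False}, depth=-1)], org, priority=10),
        # attached at org but naming dept: the effective root is dept, the lower of the two
        RuleSet([Rule("auditor", {"read": True}, depth=0, obj=dept)], org, priority=1),
    ]
    objects = {"org": org, "dept": dept, "dataset_a": dataset_a, "dataset_b": dataset_b}
    return SecurityService(rule_sets), objects


if __name__ == "__main__":
    svc, objs = build_example()
    print(svc.check("alice", {"analyst"}, objs["dataset_a"], "read"))
```

Running the block shows the dept-level rule set (priority 5) winning for `dataset_a` and handing back its `mask_pii` restriction, while the org-level analyst rule stops at depth 1 and never reaches it; the contractor deny attached at org with a negative depth overrides every allow below it, which is the kind of downward constraint the summary says ACL models handle poorly.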