
WO-2026093092-A1 - CONTROLLING DATA ACCESS


Abstract

A method (M) for controlling data access (114) of a plurality of predefined services (104, 108, 116, 122, 124, 126, 138) of a computer network, in particular a computer network of a process network in chemical industry, the method including: providing (S10) predefined service access rules (102), each service access rule (102) including at least one authentication and/or authorization mechanism; providing (S12) at least one predefined authentication service (108), which is configured to authenticate a user (100) based on at least one of the provided service access rules (102); and providing (S16) at least one predefined operation service (122, 124, 126), which is configured to determine an authorization of a user (100), that is authenticated by the authentication service (108), based on a provided service access rule (102), and is configured to grant to an authorized user (100) data access (114) to data. A computer-program product.

Inventors

  • REINHARD, Jannik
  • LE, MICHAEL
  • FRIEDEL, Swetlana

Assignees

  • BASF SE

Dates

Publication Date
20260507
Application Date
20251022
Priority Date
20241031

Claims (11)

  1. A method (M) for controlling data access (114) of a plurality of predefined services (104, 108, 116, 122, 124, 126, 138) of a computer network, in particular a computer network of a process network in chemical industry, the method including: providing (S10) predefined service access rules (102), each service access rule (102) including at least one authentication and/or authorization mechanism; providing (S12) at least one predefined authentication service (108), which is configured to authenticate a user (100) based on at least one of the provided service access rules (102); and providing (S16) at least one predefined operation service (122, 124, 126), which is configured to determine an authorization of a user (100) that is authenticated by the authentication service (108), based on a provided service access rule (102), and is configured to grant to an authorized user (100) data access (114) to data.
  2. The method of claim 1, wherein the authentication service (108) is configured to assign at least one identity value (120) to the user (100) if the user (100) is authenticated, and wherein the operation service (122, 124, 126) is configured to determine an authorization of a user (100) by determining whether an identity value (120) assigned to this user (100) complies with a provided service access rule (102).
  3. The method of claim 1 or 2, further including: providing (S18) at least one pipeline service (116), wherein the at least one operation service (122, 124, 126) is configured to grant data access (114) via a pipeline service (116).
  4. The method of any of claims 1 to 3, wherein if the operation service (122, 124, 126) is a deployment service, then the provided service access rule (102) associated with this deployment service is configured to require a presence of a release indicator authenticated by a different user.
  5. The method of claim 4, wherein the deployment service is configured to perform a pre-deployment scan, and is configured to deploy a service (104) only if the pre-deployment scan is successfully terminated.
  6. The method of any of claims 1 to 5, wherein at least one role indicator is assigned to the user (100) and/or to the identity value (120) when the authentication service (108) authenticates the user (100), and wherein at least one provided service access rule (102) assigns at least one data access (114) to said role indicator.
  7. The method of any of claims 1 to 6, wherein there is provided a plurality of operation services (122, 124, 126), and wherein a first operation service (122) is configured to grant operation access to an authorized user (100) to a second operation service (124).
  8. The method of any of claims 1 to 7, further including: providing (S14) a plurality of operation networks (106, 128, 130, 132), wherein each operation service (122, 124, 126) is assigned to one operation network (106, 128, 130, 132), and wherein each operation service (122, 124, 126) is configured to grant operation access to an authorized user (100) only to another operation service (122, 124, 126) if both operation services (122, 124, 126) share an operation network (106, 128, 130, 132).
  9. The method of any of claims 1 to 8, further including: appending (S22), for each operation (114) performed by an operation service (122, 124, 126), including when access (114) to data and/or to a service is granted, an operation indicator (136) indicative of the respective operation to an operation protocol (134).
  10. The method of claim 9, further including: providing a supervisor service (138), which is configured to determine whether a request for data access (114) by an operation service (122, 124, 126) statistically matches the operation protocol (134), and to prevent the requested data access (114) when a statistical match is not determined.
  11. A computer-program product for controlling data access of a plurality of predefined services of a computer network, in particular a computer network of a process network in chemical industry, the computer-program product comprising a program code for executing the method (M) of any of claims 1 to 10 by a computerized device when run on at least one computerized device.
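The following Python program is an added illustration of claims 1 to 9 and of the "separation of function" described in the description below; it is not code from the patent or from BASF. It assumes a constructed rule set, three constructed user records, a password-plus-OTP login mechanism, and a random session token as the identity value. The authentication service alone holds credentials and the token-to-user mapping; operation services see only the identity value and its role indicators, check role and operation network against the rule, refuse cross-network calls, and append an indicator for every operation to a shared operation protocol. The deployment service enforces the release-by-a-different-user condition by asking the authentication service whether two identity values belong to the same principal, so that a user who logs in twice cannot release their own deployment.

```python
import hmac
import secrets
from dataclasses import dataclass

# Service access rules (claim 1): each names an authentication mechanism or the
# roles and operation network authorised for an operation. Constructed values.
RULES = {
    "login":    {"mechanism": "password+otp"},
    "read-lab": {"roles": {"engineer", "operator"}, "network": "plant-A"},
    "deploy":   {"roles": {"engineer"}, "network": "plant-A", "needs_release": True},
}

# Constructed user records; only the authentication service reads them.
USERS = {
    "alice": {"password": "a-pw", "otp": "111111", "roles": {"engineer"}},
    "bob":   {"password": "b-pw", "otp": "222222", "roles": {"engineer"}},
    "carol": {"password": "c-pw", "otp": "333333", "roles": {"operator"}},
}

PROTOCOL = []  # operation protocol (claim 9): one indicator appended per operation


@dataclass(frozen=True)
class IdentityValue:
    """Claims 2 and 6: opaque value plus role indicators that replaces the user identity."""
    token: str
    roles: frozenset
    issuer: str = "auth-service"   # the value is indicative of the issuing service


class AuthenticationService:
    """Claim 1: authenticates under the 'login' rule and issues an identity value."""

    def __init__(self):
        self._sessions = {}   # token -> user name; never leaves this service

    def authenticate(self, user, password, otp):
        rec = USERS.get(user)
        if RULES["login"]["mechanism"] != "password+otp" or rec is None:
            return None
        if not (hmac.compare_digest(rec["password"], password)
                and hmac.compare_digest(rec["otp"], otp)):
            PROTOCOL.append(("auth-service", "login", "denied"))
            return None
        token = secrets.token_hex(16)   # carries nothing of the credentials
        self._sessions[token] = user
        PROTOCOL.append(("auth-service", "login", "granted"))
        return IdentityValue(token, frozenset(rec["roles"]))

    def same_principal(self, a, b):
        """Answer 'same user?' without revealing who the user is (supports claim 4)."""
        return self._sessions.get(a.token) == self._sessions.get(b.token)


class OperationService:
    """Claims 1, 6, 8: authorises by checking role and network against a rule."""

    def __init__(self, name, network):
        self.name, self.network = name, network

    def authorized(self, idv, rule_name):
        rule = RULES[rule_name]
        ok = rule["network"] == self.network and bool(idv.roles & rule["roles"])
        PROTOCOL.append((self.name, rule_name, "granted" if ok else "denied"))
        return ok

    def read(self, idv, data):
        return data if self.authorized(idv, "read-lab") else None

    def call(self, other, idv, data):
        """Claims 7 and 8: access to another service only within the same network."""
        if other.network != self.network:
            PROTOCOL.append((self.name, "call:" + other.name, "denied-network"))
            return None
        return other.read(idv, data)


class DeploymentService(OperationService):
    """Claim 4: deployment also needs a release indicator from a different user."""

    def __init__(self, name, network, auth):
        super().__init__(name, network)
        self.auth = auth

    def deploy(self, deployer, releaser, new_code, existing_code):
        if not (self.authorized(deployer, "deploy") and self.authorized(releaser, "deploy")):
            return existing_code
        if RULES["deploy"]["needs_release"] and self.auth.same_principal(deployer, releaser):
            PROTOCOL.append((self.name, "deploy", "denied-same-user"))
            return existing_code
        PROTOCOL.append((self.name, "deploy", "granted"))
        return new_code   # the existing service's data is overwritten


def demo():
    """Run the constructed scenario; every value in the returned dict should be True."""
    auth = AuthenticationService()
    lab = OperationService("lab-db", "plant-A")
    remote = OperationService("plant-B-db", "plant-B")
    deployer = DeploymentService("deployer", "plant-A", auth)
    alice = auth.authenticate("alice", "a-pw", "111111")
    alice_again = auth.authenticate("alice", "a-pw", "111111")   # second session
    bob = auth.authenticate("bob", "b-pw", "222222")
    carol = auth.authenticate("carol", "c-pw", "333333")
    return {
        "bad_login_rejected": auth.authenticate("alice", "wrong", "111111") is None,
        "token_hides_identity": "alice" not in alice.token and "a-pw" not in alice.token,
        "operator_reads": lab.read(carol, "batch-42") == "batch-42",
        "operator_cannot_deploy": deployer.deploy(carol, alice, "v2", "v1") == "v1",
        "self_release_blocked": deployer.deploy(alice, alice_again, "v2", "v1") == "v1",
        "four_eye_deploy": deployer.deploy(alice, bob, "v2", "v1") == "v2",
        "cross_network_blocked": lab.call(remote, alice, "batch-42") is None,
    }
```

Calling `demo()` returns a dict whose values are all `True`, and `PROTOCOL` afterwards holds one indicator per login attempt, authorization check, deployment decision and cross-network refusal, which is the record a supervisor service (claim 10) would later consult.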
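Claim 10 leaves the notion of a "statistical match" open. The following added Python example (not the patent's or BASF's code) fixes one concrete, assumed statistic so that the fail-closed behaviour can be seen: a request by a service matches the operation protocol when the same (operation, target) pair accounts for at least a minimum share of that service's previously granted operations, and only once that service has enough recorded history to judge; otherwise the request is blocked and the refusal is itself appended to the protocol. The protocol entries and the threshold values are constructed.

```python
from collections import Counter

# Constructed operation protocol with an assumed entry format:
# (service, operation, target, outcome). Not the patent's own data.
PROTOCOL = (
    [("lab-db", "read", "batch-record", "granted")] * 40
    + [("lab-db", "read", "recipe", "granted")] * 8
    + [("deployer", "deploy", "lab-db", "granted")] * 2
)


class SupervisorService:
    """Claim 10 with an assumed statistic: a request 'statistically matches' the
    protocol when the same (operation, target) pair makes up at least `min_share`
    of the requesting service's granted history, and that history has at least
    `min_history` entries. Anything else is blocked (fail closed)."""

    def __init__(self, protocol, min_share=0.05, min_history=10):
        self.protocol = protocol
        self.min_share = min_share
        self.min_history = min_history

    def match_share(self, service, operation, target):
        """Return (history length, share of this pair); share is None if history is too short."""
        history = [e for e in self.protocol if e[0] == service and e[3] == "granted"]
        if len(history) < self.min_history:
            return len(history), None
        pairs = Counter((e[1], e[2]) for e in history)
        return len(history), pairs[(operation, target)] / len(history)

    def request(self, service, operation, target):
        """Grant only when a match is determined; record the decision either way."""
        _, share = self.match_share(service, operation, target)
        ok = share is not None and share >= self.min_share
        self.protocol.append((service, operation, target, "granted" if ok else "blocked"))
        return ok


def demo():
    """Run the constructed scenario; every value in the returned dict should be True."""
    sup = SupervisorService(list(PROTOCOL))
    return {
        "usual_read_allowed": sup.request("lab-db", "read", "batch-record"),
        "rare_but_seen_allowed": sup.request("lab-db", "read", "recipe"),
        "unseen_target_blocked": not sup.request("lab-db", "read", "user-table"),
        "unseen_operation_blocked": not sup.request("lab-db", "export", "recipe"),
        "too_little_history_blocked": not sup.request("deployer", "deploy", "lab-db"),
        "blocked_entries_recorded": sum(e[3] == "blocked" for e in sup.protocol) == 3,
    }
```

The cold-start case is the one worth noticing: the deployment service has only two granted entries, so the supervisor cannot determine a match and blocks the request, exactly the "prevent ... when a statistical match is not determined" branch of claim 10. A real deployment would seed the protocol or raise `min_history` with care, since the threshold decides how much history an attacker would have to accumulate before an unusual request starts to look normal.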

Description

Controlling data access

This disclosure relates to a method for controlling data access of a plurality of predefined services of a computer network, in particular a computer network of a process network in chemical industry. This disclosure further relates to a computer-program product.

In computer networks, especially in the chemical industry, there is an increasing demand for safe and transparent data access control. It is therefore an object of the present disclosure to provide means for granting safe and transparent data access control.

According to one aspect of this invention, a method for controlling data access of a plurality of predefined services of a computer network, in particular a computer network of a process network in chemical industry, is suggested. The suggested method includes: providing predefined service access rules, each service access rule including at least one authentication and/or authorization mechanism; providing at least one predefined authentication service, which is configured to authenticate a user based on at least one of the provided service access rules; and providing at least one predefined operation service, which is configured to determine an authorization of a user that is authenticated by the authentication service, based on a provided service access rule, and is configured to grant to an authorized user data access to data.

The suggested method may be understood as a combination of a) a separation of functions with b) a coordination of rules. First, functions are provided by separate predefined services, where each service is prepared to fulfill its objective function, such as an authentication function or an operation function. Thus, each service may be audited by different people with appropriately different skills, which makes the functions safely implementable. Having different predefined services for different functions can keep the software transparent even through multiple updates / revisions.
Second, the service access rules can be integrated and administered together. Thus, the service access rules can be coordinated. This makes the predefined service access rules transparent for an administrator, even through multiple updates / revisions. In this context, it may be important that an update or revision preferably refers to single services, as this method allows services and/or rules to be updated and/or revised in a decentralized manner.

Optionally, the/each authentication service may be configured to assign at least one identity value to a/the user if the user is authenticated. Further, the/each operation service may be configured to determine an authorization of a/the user by determining whether an identity value assigned to this user complies with a provided service access rule. In other words, the original user identity is replaced by an identity value assigned to the user. The original user identity is usually related to a login identity, a password, a second factor of a multi-factor authorization, and the like, which are best kept secret. Accordingly, this option keeps these user identity data secret from non-authorization services, which increases safety and security. The identity value may be indicative of the authentication service, to increase the security of user credentials.

Optionally, the suggested method may have: providing at least one predefined pipeline service, wherein the at least one operation service and/or the at least one authentication service and/or a supervisor service may preferably be configured to grant data access via a pipeline service. Preferably, the pipeline service is pre-selected and/or it is predefined based on the data access.
A pipeline service may preferably mean a service configured for handling data transfer and/or transferring data between a user and an operation service, between different operation services, between an operation service and a data storage, and/or between operation services in different operation networks. A pipeline service is preferably configured for repeated and/or data-information-independent and/or data-type-specific data transfer. Having the at least one pipeline service reduces complexity and increases transparency of the provided rules, services, and pipelines, which may collectively be referred to as a software kit.

Optionally, if the operation service is a deployment service, then the provided service access rule associated with this deployment service may be configured to require a presence of a release indicator authenticated by a different user. A deployment service may mean an operation service that is configured to grant data access to data, which data includes a service. In short: a deployment service is configured to overwrite data of an existing service. Thus, a new service and/or an updated service may be deployed by use of the deployment service. This option ensures a 4-eye principle via the service access rule. Optionally, the deployment service may be configured to perform a