EP4649395A1 - Method and server for managing access rights to shared resources - Google Patents

Method and server for managing access rights to shared resources

Info

Publication number
EP4649395A1
Authority
EP
European Patent Office
Prior art keywords
server
client
access rights
clients
access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP24700230.6A
Other languages
English (en)
French (fr)
Inventor
Thierry GAILLET
Sylvain LEROUX
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
Orange SA

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/468: Specific access rights for resources, e.g. using capability register
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Definitions

  • the present disclosure relates to the field of sharing of computer resources. More particularly, it relates to the management of access rights to shared IT resources.
  • Sharing, or pooling, of IT resources consists of sharing, between several actors, resources held by the different actors.
  • Resource sharing can take place between several clients of at least one server, who send requests to the server to share their resources and access those of other clients.
  • clients can share files, but also training bases for machine learning engines in order to pool their learning bases.
  • the pooling of resources can still, for example, involve federated elements of digital twins.
  • sharing a resource by a client carries the risk of unwanted access to the resource by third parties, or abusive use of the resource by another client.
  • a method for managing at least one resource from a set of resources provided by a plurality of clients comprising: the definition, by the at least one server, in a structure defining access rights for a set of resources provided by a plurality of clients, and upon receipt of a first request from a first client of said plurality of clients, of access rights to at least one resource provided by said first client; receiving, by the at least one server, a second request from a second client of said plurality of clients, requesting access to the at least one resource provided by the first client; the provision, by the at least one server, of access to the at least one resource to said second client if the access rights allow it.
  • “Structure” means an organization of data making it possible to formalize computer data.
  • a structure can for example be a table or a database.
  • Resource means an element usable by an application for its execution.
  • a resource can be: a hardware resource, such as a calculation resource, a memory resource, a network resource, etc.; content that can be used by applications, such as multimedia content, lines of code, passwords, etc. (the content can for example be defined in files or databases, models trained using content provided by the first client, etc.); an API allowing the execution of a specific function.
  • “Client” means an entity sending requests to the server in order to provide content, define access rights and/or access content.
  • a client can for example be defined by a user terminal, a terminal user, a company or an application executed for example in a virtual machine or a container.
  • a server for managing at least one resource from a set of resources provided by a plurality of clients comprising: access to a set of resources provided by a plurality of clients; access to a structure defining access rights for the set of resources; at least one calculation unit configured to: define in said structure, upon receipt of a first request from a first client of said plurality of clients, the access rights of at least one resource provided by said first client; receiving a request from a second client of said plurality of clients, requesting access to at least one resource provided by the first client; provide access to said at least one resource to said second client if the access rights allow it.
  • calculation unit means an electronic component capable of carrying out electronic or computer calculations to perform a specific function.
  • a calculation unit can designate any type of processor or electronic component capable of carrying out digital calculations.
  • a calculation unit can be an integrated circuit, an ASIC (Application-Specific Integrated Circuit), a microcontroller, a microprocessor, a DSP (Digital Signal Processor), a processor, or a GPU (Graphics Processing Unit).
  • a calculation unit according to the invention is not limited to a particular type of computing architecture.
  • a processor can implement a Harvard or Von Neumann type architecture.
  • a computer program comprising instructions for the implementation of all or part of a method as defined herein when this program is executed by a processor.
  • a non-transitory recording medium is proposed, readable by a computer, on which such a program is recorded.
  • a computing device comprising at least one calculation unit configured to execute all or part of a method as defined herein.
  • the method is implemented by at least one calculation unit of a hypervisor of said server capable of reading and writing said structure.
  • the method includes electronic notarization of each request relating to a resource of said set by said at least one calculation unit of the hypervisor.
  • Electronic notarization means electronic certification and archiving of the date, origin and destination of a request.
  • the method comprises synchronization, by said at least one calculation unit of the hypervisor, of said access rights with at least one remote hypervisor executed by at least one remote calculation unit on at least one remote server.
  • the method comprises communication of the server with at least one central server configured to maintain a reference access rights structure.
  • “Central server” means a server centralizing processing on behalf of several servers.
  • said method is implemented by at least one calculation unit of a virtualization at the operating system level executed by a hypervisor, said virtualization at the operating system level being capable of reading and writing said structure.
  • “Virtualization at the operating system level” means a user instance providing a virtual operating system.
  • Virtualization at the operating system level can for example be named in some types of operating systems container, virtual private server, partition, virtual environment or virtual kernel.
  • a container contains the elements necessary for virtualization.
  • said at least one resource is a machine learning model trained with data provided by said first client.
  • the second request is a request for use of the machine learning model on data provided by the second client; the method comprises: sending, by said server, a result of said use of the machine learning model to the second client; reception, by said server, of feedback from said second client on said result; the triggering, by said server: of a phase of improvement of said model from said feedback, and of an association to said improved model of access rights granted by said second client.
  • “Triggering” means causing one or more actions to be carried out.
  • the triggering of actions by the at least one calculation unit may for example consist of the execution of the actions by the calculation unit, or the sending of instructions to a remote calculation unit to perform the actions.
  • the remote computing unit may be a computing unit of a central server, and the at least one computing unit may provide feedback to the central server to perform model improvement on the central server.
  • “Improvement phase” means a training phase of the model comprising an improvement of the prior training of the model.
  • the improvement phase may be a reinforcement learning phase and said result may be a reward granted by the second client.
  • “Feedback” means an indication provided by the second client of the quality of the result provided.
  • feedback can be a reward. This makes it possible to train a model with data provided by several clients, while ensuring at all times that the use of the model is subject to the provision of access rights by all clients having contributed to the model's training.
  • the method comprises: reception, by said server, of said machine learning model from a central server; the provision, by said server, of said feedback to the central server in order to trigger said improvement phase
  • the set of resources comprises a plurality of federated models of a digital twin of a physical world element; the method comprises: upon receipt of the second request, the execution, by the server, of a federation of simulations of said element of the physical world for all the federated models of said plurality for which the second client has access rights; upon receipt of feedback from the second client, the triggering, by the server, of: an update of said federated models; and an association with said updated federated models of access rights granted by said second client.
  • “Federated models” means a set of models jointly participating in the modeling of an element of the physical world. For example, federated models can correspond to models of different parts of the element.
  • “Digital twin” means a digital replica of an element of the physical world.
  • the method comprises: reception, by the server, of said federated models from a central server; the provision, by the server, of said feedback to the central server in order to trigger said update of the federated models
  • said structure is a table indicating, for each pair of clients, the access rights granted by the first client of the pair to the second client of the pair, and by the second client of the pair to the first client of the pair, the authorizations belonging to a group including: a creation right; a reading right; a right to update; a right of deletion.
  • FIG. 1 shows an example of a server according to a set of embodiments.
  • FIG. 2 shows an example of modules implemented by a server according to a set of embodiments of the invention, in which management of access to resources is carried out by a hypervisor.
  • FIG. 3 shows an example of a network of servers in which the management of access to resources is implemented by a hypervisor according to one embodiment.
  • FIG. 4 shows an example of modules implemented by a server according to a set of embodiments of the invention, in which management of access to resources is carried out by a container.
  • FIG. 5 shows an example of a method for managing at least one resource from a set of resources according to a set of embodiments of the invention.
  • FIG. 6 shows an example of sharing resources relating to a machine learning model according to a set of embodiments of the invention.
  • FIG. 7 shows an example of sharing resources relating to federated models of a digital twin according to a set of embodiments of the invention.
  • FIG. 8 shows an example of a structure defining access rights according to a set of embodiments.
  • Figure 1 represents a server according to a set of embodiments of the invention.
  • the Serv1 server is a server for managing at least one resource from a set of resources provided by a plurality of clients.
  • the Serv1 server is thus able to manage the set of resources, that is to say create, modify, or even provide access to the resources of the set.
  • the Serv1 server therefore allows a plurality of clients to exchange resources.
  • Figure 1 represents two clients Clt1 and Clt2.
  • Clients can be of different types.
  • a client can for example be a user terminal, a terminal user, a company or an application.
  • the Serv1 server may include one or more communication links to communicate with clients.
  • a communication link with a client may include any means of communication. Communication with clients can, for example, be carried out via an internet network or a mobile network.
  • the communication link with the clients thus allows the server to receive requests from clients.
  • Requests can for example consist of requests to add resources, modify access rights to resources, or even request access to a resource.
  • the Serv1 server can also include means of client authentication, in order to secure data exchanges between clients.
  • Figure 1 represents two distinct clients Clt1 and Clt2. This number is of course provided as a non-limiting example only, and the invention is applicable to any number of clients greater than or equal to 2.
  • the Serv1 server also includes access to a set of resources provided by the plurality of clients.
  • the resources can include any type of computing resource, for example hardware resources, software resources or content that can be exchanged between clients.
  • the resources can for example be stored in at least one Mem memory to which the Serv1 server has access.
  • the at least one Mem memory can belong to different types of data storage capable of storing resources. It can for example be a RAM, a ROM, a volatile memory, a flash memory or even a virtual memory.
  • the at least one memory comprises at least one internal memory and/or at least one memory external to the Serv1 server.
  • An external memory can for example be a memory contained in a device connected to the Serv1 server by a wired connection, or a memory located in a server located on the same network as the Serv1 server, for example a central server.
  • access to at least one memory can be done via an internal connection to the Serv1 server, or a secure external connection to the device comprising the memory.
  • Figure 1 represents two resources Res1, Res2. This number is of course provided as a non-limiting example only, and the invention is applicable to a set of resources comprising at least one resource.
  • the resources can also be duplicated on several memories, in order to guarantee their access in the event of failure of one of the memories. They can be stored directly in memories, but also encrypted, stored in databases, etc.
  • the Serv1 server also includes access to a Struct1 structure defining access rights for the set of resources.
  • the Struct1 structure can for example be stored on at least one Mem memory.
  • the resources Res1 and Res2 are located in the same memory as the Struct1 structure.
  • This example is provided as a non-limiting example only, and resources and structures may be stored on different memories.
  • the Struct1 structure can also be duplicated on several memories to guarantee its access in the event of failure of one of the memories, and/or be stored in parts on several memories.
  • the Serv1 server includes at least one Calc calculation unit.
  • the calculation unit is configured to receive requests from clients, and to provide or refuse access to resources, for example by implementing the P5 method represented in Figure 5, or by participating in the implementation of the scenarios represented in Figures 6 and 7.
  • Managing access to resources by Clt1, Clt2 clients can be implemented at the hypervisor level (shown in Figure 2) or at the level of a container or virtual machine (shown in Figure 4).
  • Figure 2 shows an example of modules implemented by a server according to a set of embodiments of the invention, in which the management of access to resources is implemented by a hypervisor.
  • the server Serv2 represented in Figure 2 can for example be the server Serv1 represented in Figure 1.
  • the Serv2 server implements several modules.
  • the server includes an OS2 operating system capable of implementing a Hypvsr2 hypervisor capable of reading and writing a Struct2 structure defining the access rights to the set of resources.
  • management of access to resources is therefore carried out at the level of the Hypvsr2 hypervisor which is configured to read and write the Struct2 structure and determine the access rights.
  • the Hypvsr2 hypervisor is also capable of controlling and managing one or more Cont12, Cont22, ... Contn2 containers or one or more virtual machines.
  • a virtual machine is a virtualization of hardware and software resources including an operating system, allowing a client request to be executed by running on the hypervisor.
  • a container is a virtualization of hardware and software resources without instantiation of the operating system. Indeed, a container shares the same operating system with other containers.
  • This architecture makes it possible to reinforce the security of access rights. Indeed, while the hypervisor can control and manage the Cont12, Cont22, ... Contn2 containers executing third-party code, the management of access rights is carried out at the level of the hypervisor itself, and can therefore be fully controlled.
  • the hypervisor can not only manage access to resources, but also perform electronic notarization of each request relating to a resource.
  • notarization makes it possible to archive the date, origin and destination of each request relating to a resource, for example requests for resource creation, modification of access rights, editing of a resource, access to a resource, etc.
  • Access to a resource can also be provided by a first client to a second for a defined number of accesses.
  • This defined number can be a total number of accesses, or a number of accesses per unit of time (per day, per week, per month, etc.). Notarization of requests then makes it possible to check whether or not the limit on the number of accesses to a resource has been exceeded, and to provide access to the resource or not accordingly.
  • Figure 3 shows an example of a network of servers in which the management of access to resources is implemented by a hypervisor according to one embodiment.
  • a Res3 network of servers includes three servers Serv13, Serv23 and Serv33.
  • Each of the three servers Serv13, Serv23 and Serv33 is similar to the Serv2 server, having access to shared resources and including a hypervisor capable of managing access rights to resources and running containers.
  • the servers Serv13, Serv23 and Serv33 are respectively capable of running the Hypvsr13, Hypvsr23 and Hypvsr33 hypervisors.
  • the Serv13 server includes an OS3 operating system, the Hypvsr13 hypervisor capable of reading and writing the Struct13 structure defining access rights for a set of resources, and of executing the containers Cont113, Cont213 and Contn13.
  • the Hypvsr23 and Hypvsr33 hypervisors are respectively capable of reading and writing the Struct23 and Struct33 structures defining access rights for the same set of resources.
  • the servers Serv13, Serv23 and Serv33 are servers remote from each other, that is to say they are located in different physical locations.
  • the servers Serv13, Serv23 and Serv33 are in communication via a network, for example an internal Intnt network.
  • the servers Serv13, Serv23 and Serv33 are configured to provide access to the same set of resources, but can be in communication with different clients.
  • the resources can thus be shared on memory areas accessible to the three servers and/or duplicated on memory areas accessible to each of the servers.
  • the hypervisors Hypvsr13, Hypvsr23 and Hypvsr33 are configured to synchronize access rights to the set of resources, as defined in the respective structures Struct13, Struct23 and Struct33.
  • access rights can be shared and updated between the clients of several servers, which makes it possible to increase the number of clients and resources that can participate in resource sharing, since the clients of several servers, and the resources provided by these clients, can be involved in the sharing.
  • Figure 3 represents an example in which a server network includes three servers. This example is, however, provided as a non-limiting example only, and the invention is applicable to any number of network servers greater than or equal to two.
  • distributed synchronization algorithms can be implemented.
  • servers can maintain synchronization of access rights via a blockchain.
  • all servers can communicate with a central server configured to maintain a reference permissions structure.
  • the central server can be one of the servers, or another server dedicated to maintaining the reference structure.
  • Figure 4 shows an example of modules implemented by a server according to a set of embodiments of the invention, in which management of access to resources is carried out by a container.
  • the server Serv4 represented in Figure 4 can for example be the server Serv1 represented in Figure 1.
  • the Serv4 server implements several modules.
  • the server includes an OS4 operating system capable of implementing a Hypvsr4 hypervisor.
  • the Hypvsr4 hypervisor is able to execute one or more Cont14, Cont24, ... Contn4 containers.
  • one of the containers is able to read and write a Struct4 structure defining the access rights to the set of resources.
  • management of access to resources is therefore carried out at the level of the Contn4 container which is configured to read and write the Struct4 structure and determine access rights.
  • This example is provided as a non-limiting example, and the same principle can be applied to other types of virtualizations at the operating system level, such as virtual machines.
  • the management of access rights to resources can therefore be carried out within containers, or other virtualizations at the operating system level, executed by hypervisors already deployed, which allows great flexibility in the deployment of access rights to resources.
  • access rights management can be updated by modifying a container, without having to modify the hypervisor.
  • Figure 5 shows an example of method P5 for managing at least one resource from a set of resources according to a set of embodiments of the invention.
  • Method P5 can for example be implemented by one of the servers Serv1, Serv2, Serv13, Serv4 to manage at least one resource such as the resources Res1 and Res2.
  • the method P5 comprises a first step S51 of definition by the at least one server, in a structure defining access rights for a set of resources provided by a plurality of clients, and upon receipt of a first request from a first client of said plurality of clients, access rights to at least one resource provided by said first client.
  • step S51 can for example be carried out: upon receipt of a request to add the resource, accompanied by access rights to the resource; upon receipt of a request to modify the access rights of an already existing resource provided by the first client.
  • the access rights can be of different types.
  • the rights can for example be “CRUD” type rights (Create, Read, Update, Delete).
  • Rights can be provided, for example, to specific clients or groups of clients.
  • the rights can also be accompanied by spatial, temporal conditions, number of uses, etc.
  • Access rights can be provided to other clients, but also to the servers themselves.
  • the method P5 then comprises a second step S52 of reception, by the at least one server, of a request from a second client of said plurality of clients, requesting access to at least one resource provided by the first client.
  • a request for access to the resource can be of different types, depending on the type of resource concerned.
  • the request for access to the resource can be a request to read or modify a file, a request to access the training databases of a machine learning model, a request to use a federated model of a digital twin, etc.
  • the method P5 then comprises, upon receipt of the access request, a third step S53 of verification by the at least one server of whether the access rights allow access to the at least one resource by the second client.
  • if the access rights allow it, the at least one server provides, in the fourth step S54, access to the at least one resource to said second client.
  • otherwise, the at least one server rejects the access request in step S55.
  • the access rights defined by the first client are taken into account for the provision or not of access to the resources.
  • the steps of method P5 can be implemented by a single server, or a plurality of servers, for example a network of servers as shown in Figure 3.
  • step S51 can be carried out by a first server which receives a resource from a first client, and steps S52 to S54 by a second server which receives a request for access to the resource from a second client.
  • Figure 6 shows an example of sharing resources relating to a machine learning model according to a set of embodiments of the invention.
  • the example in Figure 6 represents access to a resource, which is a Mod16 machine learning model trained with data provided by the first client Clt1.
  • the trained model is in this example stored on the Serv6 server, in connection with a ServCtr6 server, which centralizes machine learning models shared between several servers.
  • the Mod16 model is a model making it possible to detect people in an image, and to count the number of people in an image.
  • This example is provided as a non-limiting example, and the example in Figure 6 can be extended to other types of machine learning models.
  • Figure 6 describes a scenario P6 of use of the Mod16 model by a second client. In this scenario, the access rights of the Mod16 model defined by the first client Clt1 allow the second client Clt2 to use and update the Mod16 model.
  • the second client Clt2 sends to the server Serv6 a request Rq6 for use of the Mod16 model on the basis of an image that it provides.
  • the server Serv6 uses (UtMod16) the Mod16 model on the image provided by the second client to count the number of people in the image, then returns the result Res6 to the second client Clt2.
  • the second client Clt2 then provides a Ret6 return to the server on said result.
  • the return can for example consist of a validation of the number of people, or on the contrary an indication that the number of people counted is inaccurate, of an exact number of people, or of a precise location of the people actually present in the photo.
  • the return Ret6 triggers a phase of improvement of the model by the server from the return, to obtain an improved model Mod26.
  • the improvement phase can in practice be carried out by the Serv6 server itself, or a remote server, such as for example the central server ServCtr6.
  • the central server ServCtr6 can thus centralize the learning of the models.
  • the Serv6 server can receive the Mod16 model from the ServCtr6 central server, return the Ret6 feedback to the ServCtr6 central server, and receive the Mod26 enhanced model from the central server.
  • the central server can also centralize the models, without doing the learning itself.
  • the central server ServCtr6 can store the Mod16 model and send it in a TransMod16 step to the Serv6 server before use on the Serv6 server; the Serv6 server can then do the update and send the updated Mod26 model back to the central server ServCtr6 in a TransMod26 step.
  • since the improved model Mod26 is trained in part with data provided by the second client, the feedback Ret6 and the improvement of the model also result in an association with the improved model Mod26 of access rights granted by said second client.
  • the improved model Mod26 can only be used by a third client if the access rights provided by both the first client and the second client allow it. If only the access rights provided by the first client allow access to the model by the third client, then the latter could use the Mod16 model, but not the improved Mod26 model for example.
  • This principle can more generally be applied to any model trained from data provided by several clients.
  • when a resource is a model trained with data provided by a plurality of initial clients, access to the model can be provided to a final client, whether or not part of the plurality of initial clients, only if the access rights provided by each of the initial clients of said plurality allow it.
  • Figure 7 shows an example of sharing resources relating to federated models of a digital twin according to a set of embodiments of the invention.
  • the example in Figure 7 represents access to a set of resources, which is a plurality of ModFed17 federated models of a digital twin of an element of the Elt7 physical world.
  • the physical world element Elt7 is a factory
  • ModFed17 federated models are stored on a central ServCtr7 server, and include a Mod7 model of a factory sub-item provided by the Clt7 client.
  • a plurality of clients participate in the federation of models by providing models of sub-elements of the Elt7 element.
  • the plurality of clients have mutually provided each other with rights to execute and update the federated models, such that each client can perform a simulation of the federated model, and update the models if the simulation does not match observations from the physical world.
  • Clients can here correspond to different entities participating in the management of the factory.
  • client Clt7 may be a factory operator, and other clients providing federated models are suppliers of various factory equipment, and/or operators of identical factories.
  • Figure 7 more specifically represents a scenario P7, in which an incident has occurred in the factory.
  • the factory is equipped with sensors to monitor the operation of the factory, and sends Sens17 measurements taken by the sensors during the incident, supplemented if necessary by measurements taken before the incident to the Clt7 client.
  • the client Clt7 sends to the server Serv7 a ReqSim7 request for simulation of the federation of models on the basis of the sensor measurements.
  • the Serv7 server performs a Sim7 simulation of the federated models including scenario evaluation and determination of a set of commands to put an end to the incident.
  • the Serv7 server sends back to the Clt7 client a return of the simulation accompanied by the set of commands.
  • the client Clt7 then sends the set of Clt7 commands to the Elt7 factory, which will execute the Exec7 commands.
  • the Elt7 factory sends a new set of Sens27 sensor observations to the Clt7 client, which in turn sends a RetSim27 simulation return to the Serv7 server including the new set of observations Sens27.
  • the new set of Sens27 observations may be different from the predictions of the federated models.
  • the Serv7 server triggers Upd7 an update of the federated models based on the new set of observations.
  • the new observation set is transmitted to the central server ServCtr7, which will carry out the update.
  • the federated models are updated using data provided by the Clt7 client.
  • the update of the federated models is therefore accompanied by an association with the updated federated models ModFed27 of access rights granted by the Clt7 client.
  • This example demonstrates the capacity of the invention to allow the use of federated models of digital twins of elements of the physical world, while allowing each client to manage access rights to the models trained with the data that 'he gives.
  • This example is, however, provided solely as an example of a scenario of application of the invention to federated models.
  • the invention is more generally applicable to any scenario based on federated models, in which each client can define access rights to the models that it provides or helps to train, and in which a client cannot access a federation of models only if all the clients who contributed to providing or training the models give it permission.
  • Figure 8 shows an example of a structure defining access rights according to a set of embodiments.
  • The structure Tab8 takes the form of a two-dimensional table defining the access rights provided by each of the clients.
  • The clients are applications, labelled “App 1”, “App 2”, “App n”.
  • The label “PCE” represents the server itself, which can also receive or provide access rights.
  • the rights granted can be of 4 types, depending on the name
  • Each cell contains the letters corresponding to the rights, among the 4 possible rights, granted by the entity of the cell's row to the entity of the cell's column.
  • Cell Cel18, located in the 3rd row “App 2” and the first column “PCE”, represents the rights granted by “App 2” to the server.
  • The 4 rights C, R, U and D are provided.
  • Cell Cel28, located in the 1st row “PCE” and the 3rd column “App 2”, represents the rights granted by the server to “App 2”.
  • Only the read permission R is provided.
  • Rights are not necessarily granted symmetrically.
  • Cells Cel18 and Cel28 show that “App 2” grants more rights to the server than the server grants to “App 2”.
  • Table Tab8 provides an illustrative and non-limiting example of a structure defining access rights according to the invention. According to other embodiments of the invention, other types of structures can be implemented. Likewise, access rights may use a different formalism and/or include a greater number of types of access rights. Access rights can also be associated with additional characteristics such as geographic zones, periods of time, a limited number of accesses, etc.
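The following Python sketch is an added illustration, not code from the patent: it models a Tab8-style grantor/grantee matrix and the rule stated for Figure 7 that a client may use a federation of models only if every contributor permits it. The class and function names, the reading of C, R, U, D as create, read, update, delete (the description only names R as reading), the implicit rights of a contributor on its own contribution, and the two "App 1" cells are assumptions.

```python
# Added illustration, not the patent's implementation.
ALL_RIGHTS = frozenset("CRUD")  # assumed: create, read, update, delete


class RightsTable:
    """Tab8-style matrix: rows are grantors, columns are grantees."""

    def __init__(self):
        self._cells = {}  # (grantor, grantee) -> frozenset of right letters

    def grant(self, grantor, grantee, rights):
        rights = frozenset(rights)
        if not rights <= ALL_RIGHTS:
            raise ValueError(f"unknown right(s): {sorted(rights - ALL_RIGHTS)}")
        self._cells[(grantor, grantee)] = rights

    def granted(self, grantor, grantee):
        # An empty cell means nothing was granted (default deny).
        return self._cells.get((grantor, grantee), frozenset())

    def effective(self, requester, contributors):
        """Rights of `requester` on a resource built from several contributions."""
        contributors = set(contributors)
        if not contributors:
            return frozenset()  # unknown provenance: fail closed
        rights = ALL_RIGHTS
        for owner in contributors - {requester}:
            # Assumption: a contributor needs no grant for its own contribution.
            rights &= self.granted(owner, requester)
        return rights

    def allowed(self, requester, right, contributors):
        return right in self.effective(requester, contributors)


def build_sample_table():
    tab = RightsTable()
    tab.grant("App 2", "PCE", "CRUD")  # cell Cel18 from the description
    tab.grant("PCE", "App 2", "R")     # cell Cel28 from the description
    tab.grant("App 1", "App 2", "RU")  # constructed sample value
    tab.grant("App 1", "PCE", "R")     # constructed sample value
    return tab


if __name__ == "__main__":
    tab = build_sample_table()
    federation = ["PCE", "App 1", "App 2"]  # contributors to one federated model
    for who in ("App 2", "PCE", "App n"):
        print(who, "".join(sorted(tab.effective(who, federation))) or "-")
```

Because the effective right is the intersection over all contributors, a single missing or narrower grant (here the server's R-only grant to "App 2") caps what the requester can do on the whole federation, and a requester with no row entry from some contributor gets nothing.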

EP24700230.6A 2023-01-09 2024-01-08 Verfahren und server zur verwaltung von zugriffsrechten auf gemeinsame ressourcen Pending EP4649395A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2300208A FR3144884A1 (fr) 2023-01-09 2023-01-09 Methode et serveur de gestion de droits d’acces a des ressources partagees
PCT/EP2024/050272 WO2024149701A1 (fr) 2023-01-09 2024-01-08 Methode et serveur de gestion de droits d'acces a des ressources partagees

Publications (1)

Publication Number Publication Date
EP4649395A1 true EP4649395A1 (de) 2025-11-19

Family

ID=86604121

Family Applications (1)

Application Number Title Priority Date Filing Date
EP24700230.6A Pending EP4649395A1 (de) 2023-01-09 2024-01-08 Verfahren und server zur verwaltung von zugriffsrechten auf gemeinsame ressourcen

Country Status (3)

Country Link
EP (1) EP4649395A1 (de)
FR (1) FR3144884A1 (de)
WO (1) WO2024149701A1 (de)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3851984B1 (de) * 2020-01-15 2023-12-20 IDENTOS Inc. Computer-implementierte systeme für verteilte autorisierung und föderierten privaten austausch

Also Published As

Publication number Publication date
WO2024149701A1 (fr) 2024-07-18
FR3144884A1 (fr) 2024-07-12

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20250701

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)