WO2011124221A2 - System, methods and devices for securing resources - Google Patents
- Publication number: WO2011124221A2 (application PCT/DE2011/075063)
- Authority: WO (WIPO, PCT)
- Prior art keywords: access, decision, resources, systems, aggregate
- Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
          - H04L63/102—Entity profiles
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
          - G06F2221/2145—Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy
Definitions
- The present invention relates to systems, methods and arrangements that can be used to secure resources, particularly in highly scalable scenarios involving computer networks.
- The invention was made in particular with the Internet, and the platforms found on it, in mind.
- Spring Security: An example of a modern security system is Spring Security. It provides facilities for securing a Java program via annotations.
- Access control lists for individual objects created from classes can be stored in Spring Security.
- The system has a central access control list (ACL) store in which the access control lists are held in a database. These lists are then consulted when a resource is accessed in order to check whether the access is permitted.
- Individual access control lists can refer to further access control lists in the central repository, from which they inherit their contents. An access check therefore also has to include the access control lists from which rights are inherited.
- Spring Security: One problem with Spring Security is that it has only one internal store and cannot use other systems or other types of access list. Since a system landscape normally uses several different technologies, Spring Security is effectively isolated from the other systems, because they do not work together. Another problem is that an access decision that inherits rights from other access control lists must always load and evaluate the access control lists from which the rights were inherited. These and other limitations make such a system inflexible and difficult to scale.
- Apache Shiro (http://cwiki.apache.org/confluence/display/SHIRO/Index) is a security system for various programming platforms, but it does not support the integration of other security systems and their access control lists, which, for example, inherit rights from one another.
- The invention is therefore based on the technical problem of providing arrangements, methods and systems that make it possible to use, and also to distribute, data from different systems that can be used for access control.
- The challenge is that the different systems can follow different specifications and are in fact incompatible.
- The invention 100 solves the problems described above.
- The invention 100 comprises:
- at least one means of integration that allows access to at least one or more resources used to influence access decisions about access to at least one resource 111;
- at least one means of aggregation that makes it possible to calculate aggregated access rights, wherein at least one means of access decision is used in the calculation.
- The present invention 100 provides a system, method and arrangement that allows a variety of systems 110, which may themselves include security functions or methods of protection, to be integrated and combined so that aggregates of rights can be calculated beyond the boundaries of any one system 110.
- Access rights can be understood as authorizations or refusals to carry out operations.
- Such rights may be the permissions to read, write, modify, delete or administer.
- They may also be other, more complex permissions or denials, such as authorize, approve, execute (e.g. of services or functions), execute with constraints, execute with a limited result set depending on the user role, and any other function that occurs in programs, especially in business management.
- The means used for access decisions 112 may represent a variety of resources 111.
- Such means 112 may be access control lists or portions thereof, or even complete security systems, other systems 110 or individual parts of them.
- The various embodiments of the invention 100, or portions thereof, may themselves constitute such means, for example in order to scale them.
- Aggregating here means aggregating the rights for a particular resource 111.
- A resource 111 may be, for example, a file or any other form of document or database, e.g. also a placeholder in place of which the client 130 is allowed to store information.
- Such documents may, for example, occur in a document base, also referred to as a database, in which the documents are stored.
- A document base may be a file system.
- A document base may also be active; for example, the database or document base may be a web server or even multiple web servers, such as the Internet.
- The term database also refers to several systems 110, or to systems coupled via computer networks.
- The term document is therefore a collective term for all possible outputs of a database, or even for a collection of data generated by a user.
- A document may be generated dynamically from a database, which is why a database within the scope of the present invention 100 is to be viewed as a source, or a combination of sources or source systems 110, from which data may be requested, written and/or altered.
- A document is thus a logical unit, a partition, a component and/or a subdivision, and the term therefore also applies to parts of documents.
- Embodiments of the present invention 100 may use the structure information of the database in order to improve and/or accelerate access to the database or to the documents occurring in it.
- The following data and associated systems 110 can serve as a database and thus as documents: hypertext documents, Word documents, e-mails, web servers, program code such as classes or objects or other constructs that were compiled during programming or generated from source code, API calls or return values, accesses to program parts, business objects such as receipts or master data, application servers, SAP systems, data warehouses, text documents, images, audio files, social networks, videos, blogs, Twitter, mobile devices such as mobile phones, peer-to-peer networks, input devices, file systems, databases, search engines, servers, routers, machines, sensors, test systems, debuggers, people and/or automobiles.
- A web page denotes a document that is accessible via the Internet and may include various content found there, such as hypertext documents, videos, pictures and other documents that may include hyperlinks.
- The term website can also stand for several documents, e.g. all or part of the pages under a certain domain.
- The term website is also a collective term for what is generally called a web site or web presence, i.e. a collective term for an entire Internet presence, e.g. the presence of a company, an organization, a private person, an association or an interest group, or a presence serving a specific purpose, e.g. sale, trade, information, discussion, exchange, pleasure, search, mediation, etc.
- Such an Internet site can be transmitted via various protocols, e.g. TCP/IP, HTTP, HTTPS, FTP, POP3, SMTP and other protocols that are used for communication in computer networks 50.
- Rights can be roles or access rights that specify which operations may be performed with or on a resource 111. This is very advantageous because roles can be linked to object instances and inherited. This makes it possible to perform role-based access control at the object level and not just at the class level (instance role-based access control, IBAC).
- This IBAC makes it possible to make access decisions about particular resources 111 based on hierarchies of rights or roles that apply only to a particular resource 111, or resource hierarchy, associated with at least one client 130.
- The rights that were determined on the basis of aggregations can be stored. This makes it possible to use the aggregated rights in an access decision.
- Aggregate formation itself can take place via rules or programs. It is also possible to use queues with messages to further accelerate aggregate formation and increase parallelism.
- The invention 100 allows the inherited rights to be calculated by at least one aggregation unit 102 and stored by the integration unit 101.
- In existing systems 110 or databases, e.g. an image server or a video streaming server, each resource such as an image, video, directory or other document may inherit rights from another system, such as program logic.
- Particularly advantageous in forming the aggregates is the fact that not necessarily only one aggregation unit 102 is present; there may be several of them. This enables processing to be distributed, thus ensuring high scalability.
- The invention 100 can, of course, also interact directly with one or more systems 110.
- The invention 100 may itself be part of a system 110, or a system 110 may be part of the invention 100.
- The invention 100 itself could, for example, serve as a security system that is used in combination with other inventions 100 or systems 110.
- The systems including access decision means 112 may be accessed by the invention 100 via at least one computer network, such as the Internet.
- The invention may have at least one inheritance tree. This makes it possible to map the inheritance structure or structures. It can be used, for example, when calculating the aggregates, to determine which access decision means 112 must be taken into account in aggregate formation. Such an inheritance tree is particularly advantageous because it also allows inheritance across different systems 110 that do not themselves support inheritance; an inheritance function can thus be added by aggregates to foreign, non-inheriting systems 110. Another advantage of the inheritance tree is that several of them can be used, as shown in Fig.
- Systems 110 (200, 210, 220) have different inheritance trees, and nodes in one inheritance tree reference nodes in others, which makes it possible to scale aggregation in combination with inheritance trees. A further advantage of such trees is that the information present in them can be used in the calculation of aggregates, for example to detect dependencies and to generate aggregation schedules.
- Means may be defined in programs that are taken into account in the access decision.
- Such means may be, for example, annotations or aspects.
- Expressions may be given that specify which roles or permissions have access to at least one resource 111.
- Methods of a class, or the class itself, can be restricted by means of annotations.
- The ability to form aggregates also makes it possible to define "virtual resources" in the program source text, such as images found on an image server; such images may appear as normal object-oriented objects in the source code.
- The physical image on the image server thus inherits the rights of the "virtual object".
- Additional means defined in the program source text, such as the contents of annotations or aspects, are taken into consideration as well.
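The following is an added example, not code from the patent or from Spring Security or Apache Shiro. It shows the two ideas of the preceding items in working Python: a decorator plays the role of the annotation that restricts methods of a class, roles are attached to object instances rather than to the class (instance role-based access control), and a "virtual resource" in the source (`VirtualImage`) stands for a physical image on an image server, which checks operations against the rights of the virtual object. All class, method and client names are assumptions for the example.

```python
"""Instance role-based access control (IBAC) via Python decorators.

Added example (not code from the patent, Spring Security or Apache Shiro).
A decorator restricts methods of a class by role, and roles are attached to
object *instances*, so the same method may be allowed on one object and denied
on another. A "virtual resource" in the source code (VirtualImage) stands for
a physical image on an image server, which inherits the rights attached to
the virtual object. All names here are assumptions for the example.
"""
from functools import wraps


class AccessDenied(PermissionError):
    """Raised when the caller holds none of the required roles on this instance."""


def requires_role(*roles):
    """Annotation-like decorator: the caller needs one of `roles` on this instance."""
    def decorate(method):
        @wraps(method)
        def guarded(self, client, *args, **kwargs):
            held = self.roles_of(client)
            if not held.intersection(roles):
                raise AccessDenied(
                    f"{client!r} needs one of {set(roles)} on {self!r}, has {held}")
            return method(self, client, *args, **kwargs)
        return guarded
    return decorate


class SecuredResource:
    """Base class holding per-instance role assignments (client -> roles)."""

    def __init__(self, name):
        self.name = name
        self._roles = {}  # client id -> set of role names on *this* instance only

    def grant(self, client, role):
        self._roles.setdefault(client, set()).add(role)

    def roles_of(self, client):
        return set(self._roles.get(client, ()))

    def __repr__(self):
        return f"{type(self).__name__}({self.name!r})"


class VirtualImage(SecuredResource):
    """Virtual resource in the program: an image stored on a (constructed) image server."""

    @requires_role("viewer", "editor")
    def read(self, client):
        return f"bytes of {self.name}"

    @requires_role("editor")
    def replace(self, client, new_bytes):
        return f"{self.name} replaced with {len(new_bytes)} bytes"


class ImageServerEntry:
    """Physical image on the image server; it inherits its rights from the virtual object."""

    def __init__(self, path, virtual):
        self.path = path
        self.virtual = virtual

    def may(self, client, operation):
        """Check an operation on the physical image via the virtual object's roles."""
        needed = {"read": {"viewer", "editor"}, "write": {"editor"}}[operation]
        return bool(self.virtual.roles_of(client) & needed)


def demo():
    """Constructed scenario: alice edits logo.png, bob may only view banner.png."""
    logo = VirtualImage("logo.png")
    banner = VirtualImage("banner.png")
    logo.grant("alice", "editor")
    banner.grant("bob", "viewer")
    results = {
        "alice_reads_logo": logo.read("alice"),
        "bob_reads_banner": banner.read("bob"),
        "server_alice_write_logo": ImageServerEntry("/img/logo.png", logo).may("alice", "write"),
        "server_bob_write_banner": ImageServerEntry("/img/banner.png", banner).may("bob", "write"),
    }
    try:
        logo.read("bob")  # bob holds no role on this particular instance
        results["bob_reads_logo"] = "allowed"
    except AccessDenied:
        results["bob_reads_logo"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the instance-level check is that `bob` can read `banner.png` but not `logo.png` although both are instances of the same class with the same annotated `read` method; a class-level annotation alone could not express that.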
- A variant of the invention 100, which is particularly preferred in a dynamic Internet environment such as Web 2.0, has the capability of dynamically integrating or removing integration means. This allows particularly flexible adaptation without the need to adapt the invention 100 itself when a new system 110 is to be included, since the required integration means can simply be loaded at runtime.
- The invention 100 may have means for detecting updates to access control means, which may be used, for example, to perform or update an aggregate-building process for objects inheriting from the affected object. This results in particularly dynamic and flexible access decision means 112, since updates in foreign systems 110 can thus also be detected.
- Another capability that results from the capabilities of the invention 100 is that resources 111 do not need to be accessed via a central security system, as is the case today with Spring Security, for example. Rather, a client 130 may directly access resources 111 present in a system 110 that can itself evaluate the access decision means 112, as shown, for example, in Figures 1e-g. In this case, the access decision means 112 can be updated, for example, by the invention 100. This direct access avoids routing the data packets from the actual systems 110 via the invention 100 or another security system.
- A preferred variant of the invention 100 may also have or use cryptographic means. These may be used, for example, to communicate to the client 130 a secret that serves to perform various accesses to at least one resource 111. This access could also be limited in time. In this way, other third-party systems 110 can be used as well.
- The client 130 could thus authenticate via OpenID with the invention 100 and obtain from the invention 100 a secret with which it can access the needed resources 111.
- An application could be created that builds on at least one existing security infrastructure.
- Direct resource access by the client 130 could be enabled, e.g., by using the cryptographic means of the platform to communicate to at least one client 130 a secret through which at least one resource 111 can be accessed directly.
- The validity of the secret could also be limited in time and/or coupled to particular access operations.
- The invention 100 could provide an inheritance structure for the resources 111 and/or the associated means for access control, such as ACLs on Amazon today. In conjunction with aggregates, this would make it possible for the invention 100 to extend the platform with an inheritance option.
- Individual parts or the complete invention 100 could be implemented as part of such a platform, and other parts could be provided to developers or users of the platform, for example as an API, as a library, or as a combination of API and library. This would allow programs developed for such a platform to use a ready-made, highly scalable security system that supports inheritance.
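As an added example (not the patent's code and not any named platform's API) of the "secret" described above: the platform signs a short token that binds the client, the resource, the permitted operations and an expiry time with an HMAC. The system that holds the resource verifies it locally, so the client can access the resource directly and the data never has to pass through the security system. The token layout, the key and all names are assumptions; the client's OpenID authentication is assumed to have already happened.

```python
"""Time-limited, operation-bound access secret (a signed capability).

Added example, not code from the patent or any platform it names. A platform
holds a signing key; after the client has authenticated (assumed done, e.g.
via OpenID), it is handed an HMAC-signed secret naming the resource, the
operations it covers and an expiry time. A system holding the resource
verifies the secret locally and grants direct access. The token layout and
all names are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example; a real platform would load it from a secret store.
PLATFORM_KEY = b"example-platform-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_secret(key, client, resource, operations, ttl_seconds, now=None):
    """Create `payload.signature`, binding client, resource, operations and expiry."""
    now = time.time() if now is None else now
    payload = {
        "client": client,
        "resource": resource,
        "ops": sorted(operations),
        "exp": int(now + ttl_seconds),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def check_secret(key, secret, resource, operation, now=None):
    """Return (allowed, reason). Signature is checked before anything in the payload is trusted."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = secret.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    payload = json.loads(body)
    if now >= payload["exp"]:
        return False, "expired"
    if payload["resource"] != resource:
        return False, "wrong resource"
    if operation not in payload["ops"]:
        return False, "operation not covered"
    return True, "ok"


def demo():
    """Constructed run with a fixed clock so the outcome is deterministic."""
    t0 = 1_700_000_000
    secret = issue_secret(PLATFORM_KEY, "alice", "/img/logo.png", ["read"], 300, now=t0)
    # Flip one bit of the signature to simulate a tampered token.
    body_b64, sig_b64 = secret.split(".")
    sig = _unb64(sig_b64)
    tampered = f"{body_b64}.{_b64(bytes([sig[0] ^ 0x01]) + sig[1:])}"
    return {
        "read_now": check_secret(PLATFORM_KEY, secret, "/img/logo.png", "read", now=t0 + 10),
        "write_now": check_secret(PLATFORM_KEY, secret, "/img/logo.png", "write", now=t0 + 10),
        "other_resource": check_secret(PLATFORM_KEY, secret, "/img/other.png", "read", now=t0 + 10),
        "after_expiry": check_secret(PLATFORM_KEY, secret, "/img/logo.png", "read", now=t0 + 301),
        "tampered": check_secret(PLATFORM_KEY, tampered, "/img/logo.png", "read", now=t0 + 10),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: the signature is verified before the payload is parsed or trusted, the comparison is constant-time, and the secret is bound to one resource and an explicit operation list, so a token issued for reading cannot be reused for writing or for another resource.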
- Client information can be used in the access decision.
- Client information, or user information, denotes information that is related to one or more users or clients 130, or also to one or more devices, arrangements or methods.
- Client information is, for example, data about or from users, or from the devices, arrangements and methods themselves.
- This can be passive data, for example data in the user's profile such as hometown, group memberships or friends, or data that has been revealed, for example, by analysis.
- Other types of user data can be active data. Active means that these data only exist at runtime and change very frequently.
- Examples are the current coordinates of the user, such as GPS coordinates or access point, their IP address, status message, connection speed and client type. Because of the characteristics of client information, further information can often be derived from it, for example a location perimeter based on the access point, the GPS coordinates and/or an IP address. Such derived information is itself also referred to as client information.
- A client 130 may, because of its current location, be told different secrets than it would be at another location. Furthermore, client information can be considered together with other client information or other data. This ability to take client information into account in the access decision allows a variety of novel use cases for securing resources, and thus new access decisions can be made. For example, it is possible to restrict access by clients 130 to information from other clients 130 that are in their vicinity.
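Added example, not from the patent: active client information (a reported GPS position) is turned into derived client information (distance to a resource's location, i.e. whether the client is inside a perimeter) and combined with a plain allow-list in the access decision; a second function restricts a client to information from other clients in its vicinity. A missing position is treated as "unknown" and denied rather than assumed to be inside. Coordinates, names and radii are constructed.

```python
"""Client information in the access decision: a derived location perimeter.

Added example, not code from the patent. Active client information (GPS
coordinates reported at runtime) yields derived client information (distance
to a resource's location) that is used in the access decision: a client only
reaches a resource, or another client's information, while inside a
perimeter. Coordinates, names and radii are constructed for the example.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def derive_perimeter(client_info, anchor_lat, anchor_lon, radius_m):
    """Derived client information: is the reported position within radius_m of the anchor?
    Returns None when no usable position exists, so the caller cannot mistake it for 'inside'."""
    try:
        lat, lon = client_info["gps"]
    except (KeyError, TypeError, ValueError):
        return None
    return haversine_m(lat, lon, anchor_lat, anchor_lon) <= radius_m


def decide(resource, client_info):
    """Access decision combining a plain allow-list with the derived perimeter.
    Returns (allowed, reason)."""
    if client_info["id"] not in resource["allowed_clients"]:
        return False, "not in access control list"
    inside = derive_perimeter(client_info, *resource["perimeter"])
    if inside is None:
        return False, "position unknown"
    if not inside:
        return False, "outside perimeter"
    return True, "ok"


def nearby_clients(viewer, others, radius_m):
    """Restrict a client to information from other clients in its vicinity."""
    vlat, vlon = viewer["gps"]
    return sorted(o["id"] for o in others
                  if haversine_m(vlat, vlon, *o["gps"]) <= radius_m)


def demo():
    # Constructed resource: a document readable only inside a 500 m campus perimeter.
    doc = {"allowed_clients": {"alice", "bob", "carol"},
           "perimeter": (48.1374, 11.5755, 500.0)}
    alice_on_site = {"id": "alice", "gps": (48.1380, 11.5760)}   # roughly 75 m from the anchor
    bob_off_site = {"id": "bob", "gps": (48.2000, 11.5755)}      # roughly 7 km away
    carol_unknown = {"id": "carol", "gps": None}                 # no position reported
    dave = {"id": "dave", "gps": (48.1374, 11.5755)}
    return {
        "alice": decide(doc, alice_on_site),
        "bob": decide(doc, bob_off_site),
        "carol": decide(doc, carol_unknown),
        "alice_sees": nearby_clients(alice_on_site, [bob_off_site, dave], 1000.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```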
- Another variant of the invention 100 supports one or more roles or one or more hierarchies of access rights. For example, these may express which rights or roles contain other rights or roles. Roles and rights can thus be assigned and configured more easily, since it is no longer necessary to specify all rights and roles individually.
- This variant is particularly advantageous in conjunction with associating rights with particular resources 111. In this case, access decisions about specific resources 111 are based on hierarchies of rights or roles associated with a client 130 only for a particular resource 111 or resource hierarchy. This differs from the example of Spring Security, where such hierarchies cannot be defined directly for resources 111.
- The present invention 100 further relates to a method of securing resources, the method comprising the steps of: a. accessing one or more means used to influence access decisions about access to at least one resource 111; and b. calculating at least one aggregate, wherein at least one means of access decision is used in the calculation. Further advantageous embodiments of the method according to the invention can be found in the further dependent claims.
- The present invention 100 provides a computer program having instructions to execute each method described herein.
- Figs. 2a-c: Erbschaftsw according to embodiments of the present invention.
- Figs. 3a-d illustrate methods and visualizations for aggregate formation according to embodiments of the present invention.
- Fig. 5 shows a method and an exemplary representation of the transformation between different means used for access decisions according to an embodiment of the present invention.
- Access decision means 112 make the decision about permitting, or partially permitting, an access and thus authorize it. They could also be called means for access control.
- Means are used and/or evaluated that are taken into consideration by the access decision means 112 in reaching the decision.
- This document refers to these two types of means as access decision-makers 114 and decision-making means 113.
- Decision-making means 113 and access decision-makers 114 can each also stand for a plurality of access decision-makers 114 or decision-making means 113.
- An access decision-maker 114 is the means that makes at least one access decision. This can also be referred to as an "access decision means 112".
- Decision-making means 113 are the means on the basis of which the decision is made, such as resources like documents. These can also be referred to as "resources" used for access decisions. An access decision can also mean a plurality of access decisions, for example in that multiple smaller access decisions can result in one large access decision. Since the boundary between these different means often cannot be drawn clearly, and security systems 110 consist of a mixture of decision-making means 113, access decision-makers 114 and access decisions, they can be generalized as access decision means 112, and all occurrences of the aforementioned terms in this document could be expressed by that term. The reason why the words decision-making means 113, access decision and access decision-maker 114 are nevertheless still used in places is that this subdivision makes the invention 100 easier to understand. Therefore, in the following, where it aids comprehension, the terms access decision-makers 114 and decision-making means 113 are used instead of access decision means 112.
- FIG. 1a shows an embodiment of the present invention 100.
- The invention 100 has means, such as one or more integration units 101, that enable the invention 100 to be used with other security systems 110 or other inventions 100.
- The invention 100 may also have one or more means for forming at least one aggregate, such as an aggregation unit 102, which may also cooperate with other constituents of the invention.
- One or more such aggregation means, such as aggregation units 102, may cooperate with integration means, such as at least one integration unit 101. This cooperation can take place, for example, when generating aggregates from decision-making means 113.
- Aggregation units 102 can be informed about updates by integration units 101, or aggregation units 102 can use integration units 101 in order to access decision-making means 113.
- Such access may be, for example, reading, writing, updating or even analyzing the means used for access control.
- One or more clients 130 may directly access the individual parts of the invention 100, and thus all functions disclosed by this invention 100 may be used directly by a client 130.
- Clients 130 are, for example, people or groups of people who use technical devices to communicate with machines, processes, other clients or arrangements, or via computer networks. Clients 130 do not necessarily have to be humans; rather, clients 130 may be, for example, machines, apparatus and methods, including user groups. Often, clients 130 also have information associated with the technical devices they use. Because a client 130 can represent a user or user group using at least one technical device, or the client 130 itself may be one or more machines, no distinction is made in the following between user (human) and client, and the word client 130 is also used as an equivalent for user and vice versa.
- Aggregates are decision-making means 113 that were calculated from already existing decision-making means 113 or from other resources, such as additional documents.
- Aggregates of access decision means may be seen as the sum of the privileges allowed for clients 130 minus the denials for clients 130.
- Besides resources 111, framework conditions such as hierarchical permissions or hierarchical roles, or other means that are considered for the access decision, can be taken into account when aggregates are generated or updated.
- All of the features discussed in this document that are to be considered in aggregate formation, or in steps thereof, serve to distinguish aggregates from "normal" decision-making means 113.
- An aggregate may be transformed into a format suitable for at least one target system.
- Further framework conditions, such as rules, computer programs, systems 110 or information about clients 130 in various systems 110, can be used for a variety of use cases, in contrast to the decision-making means 113 or resources from which the aggregates were generated.
- An aggregate can also, additionally or alternatively, be characterized by other features. For example, a faster access decision may be possible with at least one access, in contrast to at least one access decision based on at least one previously existing decision-making means 113 that was considered for generating the aggregate.
- Fewer resources 111 are required by at least one access decision-maker 114, in contrast to at least one access decision based on at least one previously existing decision-making means 113 that was considered for generating the aggregate.
- Such resources can be memory or processor load, but also documents or rules that are used in the access decision to decide the access question.
- Aggregates may also be used, e.g., to make access decisions on or in resources, such as web servers, where they were previously not possible.
- Aggregates can also be transformations and thus, for example, a representation of decision-making means 113 that differs in at least one expression from at least one previously existing decision-making means 113 that was considered for generating the aggregate.
- Such an expression may be, for example, that a user ID is specified in the aggregate instead of a user name.
- Security systems 110: By the security systems 110 described above, also often simply called systems 110, are to be understood all devices, methods and arrangements that use any means to make access decisions about access to at least one resource 111, or that represent the means, or part of the means, evaluated in an access. Because many systems 110 can evaluate access control lists for accesses, they can also be seen as security systems 110 in the sense of the invention 100. Thus a security system is any system 110 that supports security features; for example, programs, security functions or even the invention 100 itself can be seen as a security system. The term security system is therefore to be understood as a logical name for access-controllable systems 110, or for units that are responsible for security, such as access control lists. Examples include web servers such as Apache or IIS, Windows Server, ERP systems, business intelligence systems and many others.
- The integration units 101 could detect updates and accordingly start aggregation units 102 with aggregation methods; these then have no direct access to the integrators and write the results of the aggregation methods directly.
- The access decision-makers 114 and decision-making means 113 described in this invention 100, which evaluate decision means and decide on accesses, could be modeled on Spring Security or Apache Shiro, or existing resources could be modified to combine the advanced novel features of this invention 100 with existing ones.
- Another possibility is to further develop another existing security system so that it supports the functions of this invention 100 in one or more apparatus, methods or arrangements.
- This invention, as well as such a further development, is to be considered for each security system and may have means specialized for such cases in order to achieve optimal integration.
- This invention 100 need not be implemented only for the Java platform or the Java Enterprise platform. Rather, the invention 100 can be realized on a variety of platforms, for example on the .NET platform or in C++. It is also conceivable that the invention 100 is implemented as a combination of different technologies.
- The means used by security systems 110, or by the invention 100 itself, to make access decisions may be diverse.
- Such means may be, for example, access control lists (ACLs), which are particularly common nowadays, such as those used by Spring Security or an Apache web server.
- Programs, tables in databases, web pages or any documents can be such means.
- Another example of such means may be annotations or security aspects from aspect-oriented programming.
- Expressions can be given in the program source text that specify which roles or permissions have access to at least one resource 111. Such expressions may also, directly or indirectly via system logic, cause further means, such as access control lists, to be used in the access decision.
- Another example of such access decision means 112 may be client information.
- Client information is information related to one or more users, or to one or more clients 130, devices or methods. Client information is thus data about or from users, or from devices and procedures themselves. This can be, for example, passive data in the profile of the user, such as hometown, group memberships or friends, or data that has been revealed, for example, by analysis. Other types of user data may be active data. Active means that these data only exist at runtime and change very frequently, for example the current coordinates of the user, their IP address, status message, connection speed or client type. Because of the properties of client information shown above, further information can often be derived from it, for example the location perimeter from an IP address. Such derived information is itself also referred to as client information.
- A combination of the various kinds of access decision means 112 can also be used for at least one access decision.
- The invention 100 can thus also support location-based access control.
- The data can be combined with other means for access decisions; it is particularly advantageous for the client information itself to be incorporated into aggregates as access decision means 112, or to be evaluated together with aggregates.
- Access control lists may further be associated with a variety of resources 111, for example with classes, objects and any kind of document. As a result, rights can be assigned at the level of the most diverse resources 111. For example, it is possible to use roles on object instances in a program written in an object-oriented programming language such as Java or Visual Basic.
- In a preferred embodiment, resources 111 or ACLs may additionally have relationships with one another, such as inheritance.
- Inheritance may mean, for example, that the rights of an access control list include the rights of one or more other access control lists or other means.
- An image may inherit the rights of a directory.
- Hierarchies of business objects, such as master data or master data groups, documents and/or other objects in business systems such as ERP systems or data warehouses, can thereby inherit rights.
- These relationships can be defined, for example, by specifying the parent object, for example its type and/or identity, e.g. via the class and object ID of the parent objects or via the identity of the parent decision-making means 113. This can be found, for example, in the
- access control lists helps to define denials and permissions for users or user groups for data and functions. For example, by denying users from groups can be excluded.
- Access control lists may contain rules or programs, or refer to rules or programs, whose evaluation is used in at least one access decision.
- Rules or programs can also include other resources 111 which should be taken into account in the access decision.
- The invention 100 may additionally have specialized means for calculating aggregates for rules or programs. This can be used, for example, to increase the speed of access control list evaluation, to allow systems that do not themselves support rules in combination with access control lists to interact with other systems 110, or to work with rules or programs.
- An access control list can also consist solely of rules or programs describing how another resource 111 is to be used or transformed as an access control list.
- Rules may also include checks on which rights a user may change during an access, or complex checks on which different rights a user must possess. Such rules or programs may also be used to take other information, such as the plain access control lists, into account in the access check.
- Access control lists also come in different formats. In one access control list the rights of a client 130 are defined by a bitmask; elsewhere only plain lists are defined; or, instead of naming the client 130 or group directly in the access control list, a proxy identification is stored; others allow LDAP or OpenID references to be stored. For such and similar cases the invention 100 may therefore have specialized means for dealing with a variety of access control lists. Other apparatus or methods, which then form part of the invention 100, can be used for this, for example to access an OpenID provider, or to aggregate the access control lists from the various formats and transform them into other formats.
- The invention 100 also provides means for making the access control lists easy to manage, for example at least one model of an access control list 500 through which the heterogeneous access control lists from different systems 110 can be edited uniformly.
- By this, an interface for easy editing, unified access or the like is meant.
- Fig. 1c can be used here.
- Different types of access control lists may be found in the various systems 110, which the invention 100 makes accessible in a homogenized way.
- An embodiment of the model 500, or of access control lists that can be used together with the invention 100, also has rights that can be marked as not inheritable. Furthermore, an access control list of the model 500 is preferably structured in such a way that rights or roles are permitted and denied to a group or a client.
- A particularly preferred further ability is to be able not only to specify rights in access control lists but also to define roles in them. This allows roles to be defined per resource or within a resource hierarchy. Role-based access control thus becomes possible at the object level, and not just at the class level as in programming frameworks such as Spring Security.
- Hierarchies of rights or roles in access control lists could also be defined. These can then be used for access decisions or aggregation.
- The big advantage here is that it reduces the complexity of assigning rights.
- The invention 100 also has the ability to store information in one or more embodiments of the invention 100, for example genetic information.
- The model 500 may have an access control list.
- Such information can then be stored in the invention itself, or the invention has, for example, means to store the required information indirectly in the relevant system. For example, an aggregate could be calculated and the additional information stored in the comments of an access control list.
- Fig. 1b shows the invention 100 in a larger environment. It can be seen that the invention 100 may itself include, or may be directly connected to, a security system 110. Furthermore, it can also be directly connected to a further instance or variant of the invention 100. These possibilities make, for example, higher scalability possible.
- The invention 100 may be coupled to other systems 110 and to instances or variants of the invention 100 via at least one computer network 50, such as the Internet.
- A connection can be stateless or stateful.
- FIG. 1b shows that all communication of the invention 100 can take place over at least one computer network 50. It is also possible that a variety of computer networks 50 is used.
- A client 130 or other parts may also communicate with the invention 100 over a wireless network, such as WLAN or cellular networks.
- The various systems 110 in FIG. 1b further illustrate that a plurality of different methods and systems 110 can play together with a plurality of instances of the invention 100 or a plurality of components. This allows a particularly good
- The client, which is also connected to the computer network 50, shows that it can access the systems 110 as well as the invention 100 directly via the network. This client can be seen as representative of a large number of clients 130.
- The invention 100 does not necessarily have to be used in a single computer network 50. Rather, it can also be used across a variety of computer networks, for example in peer-to-peer networks, or the client may be connected to the Internet via a mobile network.
- FIG. 1c shows how the invention 100 can be used as an intermediary for communication with a plurality of systems 110.
- This has the advantage that the various systems 110 can be accessed in a homogenized way via the invention 100. It is also possible for one instance of the invention 100 to be accessed and to communicate with other instances, e.g. allowing clients 130 to make settings centrally which are then distributed. In this case the client 130 can also access various systems 110 through the individual components of the invention 100, or these components can be used in an access.
- Decision-making means 113 may also be addressed and manipulated by the invention, e.g. with the help of a model 500 and/or integrators.
- Inheritance information is stored in the invention or inventions from the responses of the individual systems 110.
- An access can specify which resources 111 inherit rights from which resources 111.
- The inheritance structure is changed by accessing one or more inventions or systems 110.
- A client 130 in Fig. 1c does not necessarily have to be a user. Rather, as described, such a client 130 may also be a system or an invention 100, as indicated by the various identifiers 100/110/130.
- FIG. 1d illustrates this once again more clearly. The whole is represented in two stages.
- A client 100/110/130 communicates with a system or invention 100/110, which in turn may communicate with an invention 100. By such communication, or by direct communication with a client 130, an action 150 such as a procedure is triggered.
- Such an action 150 may be a method of aggregate formation.
- Decision-making means 113 could be checked regularly for updates, thereby triggering the corresponding aggregate formation. This could be done, for example, in one or more integrators or in specially designed means. It could also be possible for a client 130, an invention 100 or the system of an invention 100 to communicate that decision-making means 113 have been updated, for example via special means designed for this case, such as an extension of the systems used together with the invention 100.
- The invention 100 may include means for recognizing updates of decision-making means 113. This can be used, for example, to automate a process of aggregate formation for objects that inherit rights.
- FIG. 11 shows a further system structure with clients 130, inventions 100 and systems 110.
- Clients 130 can also be systems 110 or inventions 100.
- The client 130 can directly access a resource 111 located in an invention 100 or in a conventional security system 110/100. On access, the access decision means are evaluated in order to make at least one access decision.
- The client can also access the resource 111 via the invention 100.
- The client receives from the invention 100 means for accessing the resource 111, through which it can gain access to the resource 111.
- These means may serve for authentication, by which the client can authenticate itself to the system 100/110 managing the resource 111, or by which it can gain access.
- The invention 100 may further include cryptographic means. These can be used, for example, in such scenarios.
- For example, a secret can be transmitted to the client 130 through which it can gain access.
- The client 130 may authenticate or authorize itself to one or more inventions, which then notify the individual systems 110 or inventions which client has access to the resource 111.
- Further, time windows may be set for how long a client has access to a resource 111, for example by giving secrets a period of validity and communicating this, for example, to the individual systems 110 or inventions.
- Resources 111 do not need to be accessed via a central security system; resources 111 in further systems 110 can be accessed directly.
- These capabilities allow file uploads not to be sent as a file stream through a security server / system 110. Rather, clients 130 can gain direct access to resources 111 and thus transfer resources 111 directly from the client 130 into a system.
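The time-limited secret described above (issued by the security system, checked by the system that holds the resource without a round trip to the central component), as an added example that is not taken from the patent; the shared key, the identifiers and the token layout are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed shared key between the security system (invention 100) and the
# system 110 holding the resource 111; in practice it is provisioned out of band.
SHARED_KEY = b"example-shared-key-for-illustration-only"


def issue_secret(key, client_id, resource_id, right, validity_seconds, now=None):
    """Security-system side: bind client, resource, right and expiry into one
    authenticated secret. Returns '<base64 payload>.<hex HMAC tag>'."""
    if any("|" in field for field in (client_id, resource_id, right)):
        raise ValueError("identifiers must not contain the '|' separator")
    issued_at = now if now is not None else time.time()
    expires = int(issued_at + validity_seconds)
    payload = f"{client_id}|{resource_id}|{right}|{expires}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + tag


def verify_secret(key, token, client_id, resource_id, right, now=None):
    """Resource-system side: accept only if the tag is genuine, the claims match
    this request, and the validity window has not elapsed. No call back to the
    central security system is needed for the decision."""
    try:
        payload_b64, tag = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        # constant-time comparison of the tag
        tag_ok = hmac.compare_digest(expected.encode("ascii"), tag.encode("ascii"))
        tok_client, tok_resource, tok_right, expires = payload.decode("utf-8").split("|")
        expires = int(expires)
    except (ValueError, binascii.Error, UnicodeError):
        return False  # malformed token
    if not tag_ok:
        return False  # forged or tampered
    if (tok_client, tok_resource, tok_right) != (client_id, resource_id, right):
        return False  # secret issued for a different client, resource or right
    current = now if now is not None else time.time()
    return current < expires  # validity window still open
```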
- This capability allows the invention 100 to be deployed most conveniently with cloud computing services, such as Amazon Web Services, Google App Engine or the like, and related services.
- Direct uploads can be offered for them.
- All other capabilities of the invention 100 can be used in such a cloud or grid computing environment.
- The security mechanisms that already exist there can thus be used and supplemented by the invention 100.
- Access control lists can thus be supplemented by inheritance.
- Identity providers 140, for example LDAP authentication (described in:
- FIG. 1f shows an example of such a scenario.
- An identity provider may itself be a system 110.
- The invention 100 may calculate aggregates for the system 100/110 in which references to an identity provider 140 are set. This allows, for example, the client 130 to authenticate directly through the identity provider 140, so that the invention 100 is not needed in the specific access at all.
- Another capability the invention 100 may have in one embodiment is the integration of various identity providers 140 or similar authentication means. It may have the ability to associate clients 130 of one identity provider 140 with clients 130 of another identity provider 140. Such associations can be made, for example, by rules or by simple or complex mappings, e.g. in a memory unit which the invention 100 can access or which is integrated into it.
- Aggregates and inheritance can thereby not only be made possible across aggregates in aggregate formation, but additional framework factors can also be taken into account; different systems 110 also often designate clients 130 differently.
- Resources 111 in different systems 110 can also be given relations, such as inheritance, by the invention 100.
- A general system 110 has been represented by a social network 160 to better visualize the scenario.
- A second system 110 has deliberately been added which represents, e.g., the image server 110 of the social network, symbolizing that it can be accessed without the social network 160.
- The invention 100 generates decision-making means 113 from the data in the social network 160 and stores them in the image server 110. This can happen, for example, by accessing databases or the like of the social network 160 and creating access control lists from them. The users / clients 130 who have access to different images can also be specified therein, and for example references from images to the user data / client information / user identities could be stored.
- The client 130 can now access the social network 160 and the image server 110.
- The image server 110 can then perform the access control using the decision-making means 113 generated or updated by the invention 100.
- Means specified previously or subsequently in this document can be used.
- A secret for the client 130 could be kept by the social network 160.
- The client 130 could authenticate itself to the social network 160, which thus assumes the role of an identity provider 140.
- Identity providers 140 could be used.
- Similar methods or devices could be used, such as an Apache web server, for which modules are available to authenticate against a variety of sources or to refer to a variety of sources.
- A web platform 160 can be used.
- This embodiment of the invention 100 provides a way to benefit the systems that deliver resources 111, such as images or the like, in addition to the access decisions. This makes it possible to secure these resources 111 better and to represent them better, wherein the invention 100 can be used in an application.
- The invention 100 may also have the property of adding new functions at runtime, for example by reloading source code or compiled programs. This makes it possible to adapt the invention 100 particularly flexibly.
- FIG. 2a shows an example of the inheritance of decision-making means 113 or of resources 111.
- The quadrangles mark the individual systems 110, designated 200, 210 and 220, in which the resource 111 or the decision-making means 113 can occur.
- The circles show arrangements of inheritance between means used for access decision, for example by virtue of a resource 111 referencing one or more parent resources 111 or placing it in the
- FIG. 2b shows a further example of inheritance, here from multiple parent objects. Multiple inheritance can have any number of ancestors from whom rights are inherited. This example of multiple interleaving is shown in Fig. 2c in a larger frame: multiple inheritance can also happen across different systems 110, 230, 240 and 250. As before, the arrowheads are to be read as a parent-child assignment.
- A variant of the invention 100 may further have capabilities that make it possible to rearrange elements in the inheritance tree, to change the inheritance structure, or to turn inheritance on or off for individual elements. Turning on and off means that, on the one hand, elements that have one or more ancestors will in future have no or fewer ancestors and thus inherit no or fewer rights, or, conversely, elements that have no ancestors will be assigned one or more ancestors. Likewise, elements can be assigned to new ancestors. For such cases the invention 100 may also have other means specialized for this purpose which, for example, trigger new aggregate operations that respect the new inheritance structure and the associated access decision means 112.
- The invention 100 may also have a cycle checker for inheritance.
- Such a checker can reveal cycles in inheritance hierarchies. It can be used for single as well as for multiple inheritance.
- An example of a cycle is shown in Fig. 2c.
- 242 inherits from 241, and 231 from 242.
- A link 260 could be added by which 241 would inherit from 231.
- Such and similar cases can be detected by a cycle checker.
- Such a cycle checker could be realized, for example, by checking, when a new inheritance connection is added by which element A is to inherit from element B in future, whether the inheritance tree of element A already contains element B at some point in the previous tree, and whether elements A and B are in different objects.
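The cycle checker sketched above, as an added example (not code from the patent): inheritance links are kept as a child-to-parents map, and a new link "child inherits from parent" is refused when the prospective parent already inherits, directly or transitively, from the child. The element ids 241, 242 and 231 and link 260 are taken from Fig. 2c; everything else is constructed.

```python
from collections import deque

# Inheritance links as child -> set(parents). A resource may inherit from several
# parents (multiple inheritance), and parents may live in other systems 110.
InheritanceGraph = dict[str, set[str]]


def ancestors(graph: InheritanceGraph, node: str) -> set[str]:
    """All elements from which `node` inherits, directly or transitively."""
    seen: set[str] = set()
    queue = deque(graph.get(node, ()))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(graph.get(current, ()))
    return seen


def would_create_cycle(graph: InheritanceGraph, child: str, parent: str) -> bool:
    """True if the link 'child inherits from parent' would close a cycle.

    A cycle arises exactly when the prospective parent already inherits from the
    child (the child is among the parent's ancestors), or when both are the same.
    """
    return child == parent or child in ancestors(graph, parent)


def add_inheritance(graph: InheritanceGraph, child: str, parent: str) -> bool:
    """Add a link unless it would form a cycle; returns whether it was added."""
    if would_create_cycle(graph, child, parent):
        return False
    graph.setdefault(child, set()).add(parent)
    return True


# Constructed graph following Fig. 2c: 242 inherits from 241, 231 from 242.
FIG_2C: InheritanceGraph = {"242": {"241"}, "231": {"242"}}


def fig_2c_link_260_is_cycle() -> bool:
    """Link 260 would make 241 inherit from 231, which already descends from 241."""
    return would_create_cycle(FIG_2C, child="241", parent="231")
```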
- Because aggregates can be associated by the invention 100 with the respective resources 111 in the systems 110, another advantage of the invention 100 becomes apparent. Requests can be made to the respective systems 110 which use the aggregates, already in the request itself, to determine the elements belonging to the result set. This makes it possible, for example, to exclude inappropriate elements already in a query, since all access information is directly available through the aggregates. For example, the objects of a class for which the requester has a specific role could be queried. Without aggregates, the ancestors would have to be queried as well, which would be slow, especially in foreign systems, if technically possible at all. With aggregates, only the applicable objects are determined directly.
- The integration unit may be used here. Because the invention 100 also has the aggregating means, inheritance across systems becomes possible. The aggregation unit 102 uses, e.g., the integration unit to access the various systems 110. Because it can read the decision-making means 113 from the various systems 110, it can form aggregates from them. For example, it can read 201 and write the absolute rights for 211 together with the current content of 211, so that this in turn can be used as decision-making means 113 in further accesses. Thereafter, for example, 222 and 212 may be calculated. The same applies similarly to the further rights and to inheritance from several ancestors.
- Aggregation may also include other steps, such as transforming the access decision means into the correct format.
- The aggregation can also be used to simplify, e.g., long access control lists, for example by filtering out duplicate entries that arise through inheritance.
- Such transformations can be realized in the respective application by means of specially adapted transformation means.
- Aggregation can also be accelerated using mechanisms from functional programming and/or queuing theory.
- The aggregation can be defined by declarative programming to achieve high parallelism. It is also possible to use aggregation techniques such as MapReduce (for example US7650331, Amazon Elastic MapReduce
- Fig. 3a shows the process by which aggregates are formed.
- The required means needed for aggregate formation are determined 301.
- Such required means may be, for example, the elements from which the element for which an aggregate is to be formed inherits.
- The determination of the required means may also include loading them.
- The determination or loading of the necessary means, as well as the writing, can also be performed by the integration unit. These may also be transmitted via at least one computer network 50. It is also possible that the aggregation unit(s) and the integration unit(s) are created as a common unit; thus an aggregation unit 102 can have all the features of the integration unit 101 and vice versa.
- FIG. 3b shows that aggregate formations can also trigger new aggregate formations 303.
- For example, an inheritance hierarchy could exist. The fact that an aggregate of o1 is formed, or the associated means used for access control are generated or updated, could be recognized by the invention 100, and aggregates for o2 and o3 could be calculated, and likewise for o4, o5 and o6. This is shown in Fig. 3d. Aggregates at the same hierarchical level can also be calculated in parallel.
- For such cases the invention 100 may have specialized means, e.g. to enable aggregates to be created in parallel. For example, with each new hierarchy level, new processes can be created for each element.
- The actual forming of the aggregates can be specified by rules or computer programs.
- Rules or computer programs could be loaded dynamically at runtime.
- Such rules or computer programs may be optimized especially for the various means used for access decision.
- Aggregate scheduling may be part of the invention 100 and of the aggregate creation process.
- Such a schedule may determine how and/or in which order aggregates should be determined for the different access decision means. The generation of a schedule may be done on the basis of the resource for which an aggregate uses the access decision means. It is also possible that the means themselves, or several means, are used to determine how the aggregate is to be formed. In addition, further means of the invention 100 may be used to generate such a schedule.
- The invention 100 may also have one or more inheritance trees, e.g. in several variants or instances, in which information is stored about which inheritances exist between resources 111 or their access decision means.
- A data structure such as a specially adapted Patricia trie, HAS trie or House trie, or a similar data structure, can be used for this (see "HAT-trie: A Cache-aware Trie-based Data Structure for Strings", http://crpit.com/confpapers/CRPITV62Askitis.
- FIG. 4 shows an integration unit 101 of the present invention 100. It has an access executor 401 that performs accesses to various systems 110 via at least one integrator 402.
- The integrators 402 contain means for accessing different systems 110.
- Such integrators 402 can be created programmatically, for example as a collection of functions or even classes.
- The access executor performs, e.g., the various operations described in this document on the means used for access control.
- In the access executor 401, in one or more integrators 402, or elsewhere in the integration unit 101, the previously discussed means for transformation can be used.
- A model 500 of the access decision means 112 discussed previously may also be available. This may serve, for example, as a transformation model 500 or for access by clients 130, as shown in FIG.
- The access decision means following the model of system A 501 are first transformed into the model of the invention 500 and from there into the model of system B 504, or also C 503 or D 502. This means, for example, that not every transformation between each pair of different systems 110 has to be described.
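The hub transformation through the model 500 described above, as an added example that is not the patent's own code: two constructed ACL formats (system A with bitmasks, system B with plain allow/deny lines, as in the format discussion earlier) are each converted to and from an assumed model entry, and a translation between any two systems goes through the model. The point to note is that a target format that cannot express an entry (a bitmask has no way to say "deny") must be refused rather than silently dropping the entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ModelEntry:
    """Entry of the invention's model 500 (structure assumed for this example)."""
    principal: str
    right: str
    allow: bool = True


# System A (constructed): one bitmask per client 130, bit positions fixed per right.
A_BITS = {"read": 0b001, "write": 0b010, "delete": 0b100}


def a_to_model(acl):
    return [ModelEntry(principal, right)
            for principal, mask in sorted(acl.items())
            for right, bit in A_BITS.items() if mask & bit]


def model_to_a(entries):
    """Bitmasks express neither denials nor unknown rights: refuse instead of
    silently dropping an entry, which would change the access decision."""
    acl = {}
    for e in entries:
        if not e.allow:
            raise ValueError(f"system A cannot express a denial: {e}")
        if e.right not in A_BITS:
            raise ValueError(f"system A has no bit for right {e.right!r}")
        acl[e.principal] = acl.get(e.principal, 0) | A_BITS[e.right]
    return acl


# System B (constructed): plain lines of the form "allow|deny <principal> <right>".
def b_to_model(lines):
    entries = []
    for line in lines:
        verdict, principal, right = line.split()
        if verdict not in ("allow", "deny"):
            raise ValueError(f"bad verdict in system B entry: {line!r}")
        entries.append(ModelEntry(principal, right, verdict == "allow"))
    return entries


def model_to_b(entries):
    return [f"{'allow' if e.allow else 'deny'} {e.principal} {e.right}" for e in entries]


# Two converters per system (to and from the model) instead of one per ordered pair.
TO_MODEL = {"A": a_to_model, "B": b_to_model}
FROM_MODEL = {"A": model_to_a, "B": model_to_b}


def transform(acl, source, target):
    """Translate an ACL from the format of `source` into that of `target` via the model."""
    return FROM_MODEL[target](TO_MODEL[source](acl))


def is_expressible(acl, source, target):
    """True if every entry of `acl` survives the translation into `target` unchanged."""
    try:
        transform(acl, source, target)
        return True
    except ValueError:
        return False


def converters_needed(systems, via_model=True):
    """Converters to write: two per system via the hub versus one per ordered pair."""
    return 2 * systems if via_model else systems * (systems - 1)
```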
- The invention 100 may, as mentioned, also have a memory unit. This can also be accessed, for example, by the components of the invention such as the integration unit 101 or the aggregation unit 102 or components thereof.
- In it, the data on inheritance relationships or other data can be stored.
- A system might not support storing both the aggregate decision-making means and the original decision-making means.
- In that case the original decision-making means could remain in the invention 100 prior to the aggregate process and only the aggregate decision-making means could be written to the system 110. If the original decision-making means were changed via the invention 100, this would produce a new aggregate decision-making means. Alternatively, if the aggregate decision-making means in the system 110 were changed compared with the original in the invention 100, the change would be detectable and the original decision-making means adjusted accordingly.
- The integration unit 101 may also have a cache 404.
- The cache 404 can be used at various points in the invention 100. It is also conceivable to use caches 404 in several places.
- A cache 404 may be used by the integrators 402 and the access executor.
- Loaded decision-making means 113 may be stored in the cache 404 by the integrators 402 or by the access executor 401. The access executor or the integrators 402 may first check the cache 404 for the contents of the needed resources before an access, to avoid accesses with lengthy network latency.
- The invention 100 may have a system directory 403. In it, it can be recorded which decision-making means 113 and/or systems 110 belong to which resources 111, in which systems 110 these means can be retrieved, and/or by which integrators 402 they can be found.
- This information can be stored, for example, via simple mappings or via rules.
- Rules may also specify how at least one associated integrator 402 is determined from at least one identification feature of a resource 111.
- A request to the system directory 403 may be made for a resource 111 and answered with at least one associated integrator 402 or a reference to it.
- The system directory 403 provides means that enable the integrators 402 and other related information to be managed.
- The access executor 401 can thus determine at least one associated integrator 402 and thereby access its system and the means used for access decision 112 there.
- A variant of the invention 100, which is particularly preferably used in the dynamic Internet environment such as Web 2.0, has the capability of dynamically integrating or removing integration means.
- Such integration means may be, for example, integrators 402 or groups of integrators 402.
- During dynamic addition, integrators 402 can be added to the system directory 403, for example.
- Additional information, such as the aforementioned rules, mappings or computer programs, can be defined so that the associated resources 111 can be recognized.
- This could then also be included in the system directory 403.
- This makes it possible at runtime, based on resources 111 or their identification features, to determine that the new integrator 402 is responsible and thus to weave it seamlessly into the previous functionality of a system. Removal could be realized similarly to addition.
- The information for recognizing the associated resources 111 would be removed from the system directory 403 together with the integrator 402.
- Another variation of the invention 100 may use means for dynamically adding components, such as OSGi on the Java platform.
- This could realize the dynamic addition / registration and removal of integrators 402.
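A system directory 403 with dynamically registered integrators 402, an access executor 401 and a cache 404 as described above, as an added example that is not the patent's code; the integrator rules (a prefix and a regular expression on the resource id), the stand-in backends and their ACL lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Integrator:
    """An integrator 402: a rule for the resources 111 it serves and a loader
    that reads the decision-making means 113 from its system 110."""
    name: str
    serves: Callable[[str], bool]
    load: Callable[[str], list[str]]


class SystemDirectory:
    """System directory 403: maps a resource identification feature to the
    integrator that can reach it; integrators come and go at runtime."""

    def __init__(self) -> None:
        self._integrators: dict[str, Integrator] = {}

    def register(self, integrator: Integrator) -> None:   # dynamic addition
        self._integrators[integrator.name] = integrator

    def unregister(self, name: str) -> None:              # dynamic removal
        self._integrators.pop(name, None)

    def resolve(self, resource_id: str) -> Optional[Integrator]:
        return next((i for i in self._integrators.values() if i.serves(resource_id)), None)


class AccessExecutor:
    """Access executor 401: resolves the integrator for a resource and keeps the
    loaded decision-making means in a cache 404 to avoid repeated network round trips."""

    def __init__(self, directory: SystemDirectory) -> None:
        self.directory = directory
        self.cache: dict[str, list[str]] = {}

    def load_decision_means(self, resource_id: str) -> list[str]:
        if resource_id in self.cache:
            return self.cache[resource_id]
        integrator = self.directory.resolve(resource_id)
        if integrator is None:
            raise LookupError(f"no integrator registered for {resource_id!r}")
        acl = integrator.load(resource_id)
        self.cache[resource_id] = acl
        return acl

    def invalidate(self, resource_id: str) -> None:
        """Drop a cached entry, e.g. after the system reported an updated ACL."""
        self.cache.pop(resource_id, None)


# Constructed stand-ins for two systems 110; the call counters show the cache at work.
BACKEND_CALLS = {"imageserver": 0, "erp": 0}
IMAGE_ACLS = {"img:42": ["allow alice read", "deny guests read"]}
ERP_ACLS = {"erp:order/7": ["allow sales write"]}


def _image_load(resource_id: str) -> list[str]:
    BACKEND_CALLS["imageserver"] += 1
    return list(IMAGE_ACLS.get(resource_id, []))


def _erp_load(resource_id: str) -> list[str]:
    BACKEND_CALLS["erp"] += 1
    return list(ERP_ACLS.get(resource_id, []))


IMAGE_INTEGRATOR = Integrator("imageserver", lambda rid: rid.startswith("img:"), _image_load)
ERP_INTEGRATOR = Integrator("erp", lambda rid: re.match(r"^erp:", rid) is not None, _erp_load)


def build_demo_executor() -> AccessExecutor:
    """Directory with only the image server integrator; the ERP one is added later."""
    directory = SystemDirectory()
    directory.register(IMAGE_INTEGRATOR)
    return AccessExecutor(directory)
```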
- The present invention 100, method, arrangement and apparatus can particularly preferably be used for video platforms, especially in connection with social networks.
- A particularly preferred application of this security system is the combination with a video platform or a live streaming video platform, such as the DPMA Video Platform.
- Such a news reporter system, combined with the invention, may for example interact with other systems 110 and inherit rights, and security functions based on client information, for example location-dependent security functions, may be realized.
- Another particularly preferred application is the combination of the invention 100 with a hyper adapter (EP09180953).
- The invention, in particular the Yourweb variant, can thus be secured.
- Another particularly preferred application is the combination of the invention 100 with a So-ad-tec system (EP10001967).
- This can be used to protect the Nexusnodes system, for example. It is also possible to protect a So-ad-tec system with it.
- The illustrated invention 100 may also have, or cooperate with, a SCAPTCHA system or the functions described therein. This makes it possible, for example, to offer such a SCAPTCHA system as an infrastructure service, along with the other features described, in a cloud computing infrastructure.
- Another use case is securing business systems, for example ERP systems, CRM systems, portals and the like.
- This invention or group of inventions can be realized as computer-implemented systems or as computer programs. Due to the nature of this invention 100, everything presented can be implemented in different programming languages on different platforms. In addition, all procedures can be represented as declarative programs and vice versa. Likewise, the processes can be converted into apparatuses or arrangements and vice versa. Because of the flexible nature of the invention, many individually discussed parts of the invention can be combined or rearranged to provide better or alternative solutions. Therefore, the description of the invention 100 is to be understood as an exemplary embodiment, features of which may also occur in other arrangements.
Abstract
The invention (100) relates to a system, methods and/or devices for securing access to resources (111), in particular for access by means of a computer network (50). The system or a device comprises: a. at least one integration element for accessing at least one element used to influence access decisions concerning access to at least one resource (111); and b. at least one aggregation element for calculating aggregated access rights, at least one access decision element being used in the calculation.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102010016324.4 | 2010-04-05 | ||
| DE102010016324A DE102010016324A1 (de) | 2010-04-05 | 2010-04-05 | System, method and arrangements for securing resources |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2011124221A2 true WO2011124221A2 (fr) | 2011-10-13 |
| WO2011124221A3 WO2011124221A3 (fr) | 2012-01-05 |
Family
ID=44515178
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/DE2011/075063 Ceased WO2011124221A2 (fr) | 2010-04-05 | 2011-04-03 | System, methods and devices for securing resources |
Country Status (2)
| Country | Link |
|---|---|
| DE (1) | DE102010016324A1 (fr) |
| WO (1) | WO2011124221A2 (fr) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0918095A1 (fr) | 1997-11-20 | 1999-05-26 | Alusuisse Technology & Management AG | Structural element made of die-cast aluminium alloy |
| EP1000196A1 (fr) | 1997-07-30 | 2000-05-17 | SCA Hygiene Products GmbH | Multilayer fabric for the wet end of a paper machine and product made therewith |
| US7650331B1 (en) | 2004-06-18 | 2010-01-19 | Google Inc. | System and method for efficient large-scale data processing |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7461395B2 (en) * | 2003-05-06 | 2008-12-02 | Oracle International Corporation | Distributed capability-based authorization architecture using roles |
| US20080034438A1 (en) * | 2006-08-07 | 2008-02-07 | International Business Machines Corporation | Multiple hierarchy access control method |
| US7890531B2 (en) * | 2007-06-29 | 2011-02-15 | Oracle International Corporation | Method for resolving permission for role activation operators |
- 2010
  - 2010-04-05 DE DE102010016324A patent/DE102010016324A1/de not_active Withdrawn
- 2011
  - 2011-04-03 WO PCT/DE2011/075063 patent/WO2011124221A2/fr not_active Ceased
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1000196A1 (fr) | 1997-07-30 | 2000-05-17 | SCA Hygiene Products GmbH | Multilayer fabric for the wet end of a paper machine and product made therewith |
| EP0918095A1 (fr) | 1997-11-20 | 1999-05-26 | Alusuisse Technology & Management AG | Structural element made of die-cast aluminium alloy |
| US7650331B1 (en) | 2004-06-18 | 2010-01-19 | Google Inc. | System and method for efficient large-scale data processing |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2011124221A3 (fr) | 2012-01-05 |
| DE102010016324A1 (de) | 2011-10-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| DE112013002542B4 (de) | | Cloud-based application resource files |
| DE112010004651B4 (de) | | Dynamic access control for documents in electronic data transfer operations in a cloud computing environment |
| DE202020005715U1 (de) | | Dynamic masking of shared data objects |
| DE102012203561B4 (de) | | Impersonation/delegation of a user in a token-based authentication system |
| DE202023101653U1 (de) | | Cross-organization and cross-cloud automated data pipelines |
| DE112011102073B4 (de) | | Service implementation from a service directory |
| DE112013000865B4 (de) | | Consolidating disparate cloud service data and behaviours based on trust relationships between cloud services |
| DE102011077218B4 (de) | | Access to data stored in a cloud |
| DE202012013609U1 (de) | | System for distributing the processing of computer security tasks |
| DE112016004896T5 (de) | | Providing remote command execution with fine-grained access for virtual machine instances in a distributed computing environment |
| DE112021002797T5 (de) | | Privacy-preserving architecture for permissioned blockchains |
| DE202020005693U1 (de) | | External credential-free stages for database integrations |
| DE112013002544T5 (de) | | Cloud-based sharing of data points and collaboration among user groups |
| DE202011110377U1 (de) | | System for hierarchical metadata management and application |
| DE112011101357T5 (de) | | Dynamic token for temporary data access |
| DE112011100620T5 (de) | | Method and system for managing the lifetime of semantically tagged data |
| DE102010023691A1 (de) | | Sharing of dynamic content preferences and behaviour of computing devices |
| DE202014011541U1 (de) | | System for establishing a trust link |
| DE112010003464T5 (de) | | Modification of access control lists |
| DE112021002201T5 (de) | | Privacy-oriented data security in a cloud environment |
| DE112021004613T5 (de) | | Redactable blockchain |
| DE202017105834U1 (de) | | Management of application updates |
| DE112011101293T5 (de) | | Dynamic real-time reports based on social networks |
| EP3669285A1 (fr) | | Method and control system for controlling and/or monitoring devices |
| DE112022003699T5 (de) | | Translating between versions of data object schemas for data producers and data consumers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 122 | Ep: pct app. not ent. europ. phase | Ref document number: 11727909; Country of ref document: EP; Kind code of ref document: A2 |