Title of invention: Method and system for controlling data access to organizational data maintained in hierarchical
Abstract: Embodiments are described for a system and method of controlling access to information in an organization by defining a hierarchical organizational structure of boxes, and security configuration comprising user records, security roles, rules to map users to boxes, and rules to grant roles to users via mapped boxes. Access control is applied in the context of a defined organizational structure using the effective set of access control policies computed in real time per each data access request from any given user.
Publication number: US8793489(B2) Publication date: 2014.07.29
Application number: US201213410157 Application date: 2012.03.01
Applicant: HumanConcepts, LLC Inventors: Polunin Roman; Cirlig Bogdan; Bansal Amit
Classification: H04L12/22; G06Q10/10; G06Q10/04; H04L29/02 Main classification: H04L12/22
Agency: Dergosits & Noah LLP Agent: Dergosits & Noah LLP
Main claim: 1. A computer-implemented method of controlling access to information in an organization, in response to a user request for information to a server having access to the information, comprising:
storing organizational data of the organization onto a non-transient computer readable medium that is accessible by the server, wherein the organization data is structured into domains that contain one or more charts each containing boxes representing data entities having a hierarchical relationship to other boxes, wherein each domain represents different subsets of data entities, and each domain includes a chart user ID parameter that defines which field to use to match boxes;
copying original organizational data of the chart to random access memory accessible to the server to generate an optimized data structure representing a current state of that chart;
defining one or more principal boxes per user within a chart to perform rule-based assignment of security roles and to compute structural conditions for data access by the user, wherein a principal box for the user in the chart is identified by a chart user ID value, and wherein the user has a unique chart user ID value for each domain;
statically granting security roles to the user by explicitly configuring a link between a user record and a role within the organization;
defining users identified by authentication credentials through at least one of: the statically granted security role, and user information received from an external source with each request for information;
using one or more role assignment rules to dynamically grant a role to the user upon the user making a request for information through a server executed process, the process including re-computing in real-time by the server, effective data access rights of the requesting user, upon a data access request from the requesting user for one or more boxes in a specific chart; and
upon receiving the user request and in real time, executing a server process mapping user records to corresponding principal boxes in the charts of the organizational data using chart user ID values that are defined in user records to determine if a principal box that is responsive to the user request satisfies any role in the effective set of policies, and generating a response containing the principal boxes to which the user is authorized access and omitting principal boxes to which the user is not authorized access, wherein the mapping user records to corresponding principal boxes in the charts includes:
re-computing in real-time by the server, a plurality of available boxes and their respective attributes based on the effective data access rights, upon the data access request; and
selecting all boxes from a chart of a domain having a chart user ID parameter value that matches the user's unique chart user ID value for the domain.
Address: Sausalito CA US