Access controlled graph query spanning

US11347883B2 · US · B2

Patent metadata
Publication number: US-11347883-B2
Application number: US-202015931013-A
Country: US
Kind code: B2
Filing date: May 13, 2020
Priority date: Feb 27, 2017
Publication date: May 31, 2022
Grant date: May 31, 2022

Abstract

Controlling access to nodes in a relational graph at query time by using an approximate membership query (AMQ) filter and ordered queries based on historic grants or denials of access according to security context enables a more efficient querying of the relational graph while preserving access controls. Security contexts that grant or deny access to a node are stored in an associated AMQ filter and are queried according to the subject's security context in an order based on the frequency at which the security contexts have previously granted or denied access to nodes in the relational graph.

Claims

We claim:

1. A method for controlling access to one or more nodes in a relational graph, the method comprising: receiving a graph query including a subject security context; determining whether a node in the relational graph permits access to the node, the determining including determining at least one of (a) whether a permit Approximate Membership Query (AMQ) filter permits access to the node, or (b) whether a query permit list permits access to the node; and permitting access to the node if it is determined that the node permits the access.

2. The method of claim 1, further comprising denying access to the node if it is determined that the node does not permit the access.

3. The method of claim 1, wherein determining whether the permit Approximate Membership Query (AMQ) filter permits access to the node includes querying the permit AMQ filter with the subject security context, the permit AMQ filter including security contexts that grant access to the node.

4. The method of claim 1, wherein determining whether the query permit list permits access to the node includes querying the query permit list with the subject security context, the query permit list including security contexts that grant access to the node.

5. The method of claim 1, further comprising: determining whether the node in the relational graph denies access to the node, the determining including determining at least one of (a) whether a deny Approximate Membership Query (AMQ) filter denies access to the node, or (b) whether a query deny list denies access to the node; and denying access to the node if it is determined that the node denies the access.

6. The method of claim 5, further comprising permitting access to the node if it is determined that the node does not deny the access.

7. The method of claim 5, wherein determining whether the deny Approximate Membership Query (AMQ) filter denies access to the node includes querying the deny AMQ filter with the subject security context, the deny AMQ filter including security contexts that deny access to the node.

8. The method of claim 5, wherein determining whether the query deny list denies access to the node includes querying the query deny list with the subject security context, the query deny list including security contexts that deny access to the node.

9. A method for controlling access to one or more nodes in a relational graph, the method comprising: receiving a graph query including a subject security context; determining whether a first node in the relational graph permits access to a second node in the relational graph, the determining including determining at least one of (a) whether a permit Approximate Membership Query (AMQ) filter permits access to the second node, or (b) whether a query permit list permits access to the second node; and permitting access to the second node if it is determined that the first node permits the access.

10. The method of claim 9, further comprising denying access to the second node if it is determined that the first node does not permit the access.

11. The method of claim 9, further comprising: determining whether the first node in the relational graph denies access to the second node, the determining including determining at least one of (a) whether a deny Approximate Membership Query (AMQ) filter denies access to the second node, or (b) whether a query deny list denies access to the second node; and denying access to the second node if it is determined that the first node denies the access.

12. The method of claim 11, further comprising permitting access to the second node if it is determined that the first node does not deny the access.

13. The method of claim 11, wherein: determining whether the permit Approximate Membership Query (AMQ) filter permits access to the second node includes querying the permit AMQ filter with the subject security context, the permit AMQ filter including a first set of security contexts that grant access to the second node; and determining whether the deny Approximate Membership Query (AMQ) filter denies access to the second node includes querying the deny AMQ filter with the subject security context, the deny AMQ filter including a second set of security contexts that deny access to the second node.

14. The method of claim 13, wherein security contexts associated with a subject are arranged in at least one of the first set of security contexts or the second set of security contexts based on at least one of: a numerical sorting; or a hit frequency of the security contexts.

15. The method of claim 11, wherein: determining whether the query deny list denies access to the second node includes querying the query deny list with the subject security context, the query deny list including security contexts that deny access to the second node; and determining whether the query permit list permits access to the second node includes querying the query permit list with the subject security context, the query permit list including security contexts that grant access to the second node.

16. A method for controlling access to one or more nodes in a relational graph, the method comprising: receiving a graph query including a subject security context; determining whether a first node in the relational graph denies access to a second node in the relational graph, the determining including determining at least one of (a) whether a deny Approximate Membership Query (AMQ) filter denies access to the second node, or (b) whether a query deny list denies access to the second node; and denying access to the second node if it is determined that the first node denies the access.

17. The method of claim 16, further comprising permitting access to the second node if it is determined that the first node does not deny the access.

18. The method of claim 16, wherein: determining whether the deny Approximate Membership Query (AMQ) filter denies access to the second node includes querying the deny AMQ filter with the subject security context, the deny AMQ filter including security contexts that deny access to the second node; and determining whether the query deny list denies access to the second node includes querying the query deny list with the subject security context, the query deny list including security contexts that deny access to the second node.

19. The method of claim 16, further comprising: determining whether the first node in the relational graph permits access to the second node, the determining including determining at least one of (a) whether a permit Approximate Membership Query (AMQ) filter permits access to the second node, or (b) whether a query permit list permits access to the second node; and permitting access to the second node if it is determined that the first node permits the access.

20. The method of claim 19, wherein: determining whether the permit Approximate Membership Query (AMQ) filter permits access to the second node includes querying the permit AMQ filter with the subject security context, the permit AMQ filter including security contexts that grant access to the second node; and determining whether the query permit list permits access to the second node includes querying the query permit list with the subject security context, the query permit list including security contexts that grant access to the second node.
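The permit/deny check that claims 1 to 14 describe, as an added example in Python that is not from the patent or from Microsoft: a Bloom filter stands in for the AMQ filter, exact Python sets stand in for the claims' query permit and deny lists, and the deny-before-permit order, the default deny, the hit-frequency ordering and the sample node are my assumptions. The point it makes is that an AMQ filter has false positives but no false negatives, so a filter hit is only a cheap pre-check and the exact list must confirm it before any access decision is made.

```python
import hashlib
from collections import Counter

class BloomFilter:
    """Minimal Bloom filter: an AMQ structure with false positives but no false negatives."""
    def __init__(self, size_bits=4096, num_hashes=4):
        self.size, self.k, self.bits = size_bits, num_hashes, 0
    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size
    def add(self, item):
        for pos in self._positions(item):
            self.bits |= 1 << pos
    def may_contain(self, item):
        # False: definitely absent. True: possibly present, must be confirmed exactly.
        return all((self.bits >> pos) & 1 for pos in self._positions(item))

class Node:
    """Graph node with a permit and a deny AMQ filter plus the exact lists behind them."""
    def __init__(self, permit, deny):
        self.permit_list, self.deny_list = frozenset(permit), frozenset(deny)
        self.permit_amq, self.deny_amq = BloomFilter(), BloomFilter()
        for ctx in permit:
            self.permit_amq.add(ctx)
        for ctx in deny:
            self.deny_amq.add(ctx)

hit_counts = Counter()  # how often each security context decided a past query

def by_hit_frequency(contexts):
    # Claim 14's hit-frequency ordering (my reading): contexts that decided earlier queries first.
    return sorted(contexts, key=lambda ctx: (-hit_counts[ctx], ctx))

def check_access(node, subject_contexts):
    for ctx in by_hit_frequency(subject_contexts):
        # Deny is checked first and wins (my choice). The AMQ only rules contexts out cheaply;
        # a hit is confirmed against the exact list, so a false positive never decides alone.
        if node.deny_amq.may_contain(ctx) and ctx in node.deny_list:
            hit_counts[ctx] += 1
            return False
    for ctx in by_hit_frequency(subject_contexts):
        if node.permit_amq.may_contain(ctx) and ctx in node.permit_list:
            hit_counts[ctx] += 1
            return True
    return False  # default deny: nothing explicitly permitted the subject

# Constructed sample node: readable by analysts and admins, never by contractors.
REPORT = Node(permit={"analysts", "admins"}, deny={"contractors"})
```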

Assignees

Microsoft Technology Licensing LLC

Classifications

  • G06F21/62 (primary): Protecting access to data via a platform, e.g. using keys or access control rules
  • To a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
  • Graphs; Linked lists (G06F16/9027 takes precedence)
  • Search customisation based on user profiles and personalisation
  • Where protection concerns the structure of data, e.g. records, types, queries


Frequently asked questions

Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/62. Mapped technology areas include Physics.
When was this patent published?
Publication date May 31, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).