Preventing illicit data transfer and storage

US12339981B2 · US · B2

Patent metadata
Publication number: US-12339981-B2
Application number: US-202217654326-A
Country: US
Kind code: B2
Filing date: Mar 10, 2022
Priority date: Mar 10, 2022
Publication date: Jun 24, 2025
Grant date: Jun 24, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Examples of the present disclosure describe systems and methods for preventing illicit data transfer and storage. In aspects, a computing platform may receive a data request from a caller system, device, or service. The computing platform may identify data items/properties associated with the data request and retrieve one or more rules relevant to the caller and/or caller location. The retrieved rule(s) may be used to evaluate the data item(s) such that data items, data item content, and/or data item properties that are prohibited by the retrieved rule(s) from being manipulated (e.g., accessed, transferred, stored) are removed from the identified data item(s). Based on the evaluation of the identified data item(s), one or more relevant status codes may be set. The computing platform may then manipulate the identified data item(s) in accordance with the data request and provide a processing response to the caller.

First claim

Claim text as previewed on this page (claims 1 to 11; the preview is cut off within claim 11).

What is claimed is:

1. A system comprising: a processor; and memory coupled to the processor, the memory comprising computer executable instructions that, when executed by the processor, performs operations comprising:
  receiving, by a storage application programming interface (API) of a computing environment, a data read request from a caller, the data read request comprising one or more data properties of a data item and a call context, wherein the call context indicates at least one of an identifier of the caller or a type of the caller;
  processing the data read request, wherein the processing comprises:
    retrieving, by the storage API, the one or more data properties from a tenant data storage system of the computing environment;
    identifying, by the storage API, classification data for each of the one or more data properties, wherein the classification data is identified in a data provenance provider of the computing environment;
    retrieving, by the storage API, a provenance record associated with the one or more data properties from the data provenance provider, wherein the provenance record indicates an origin location of the one or more data properties;
    accessing a policy governor comprising a tenant rule instance repository and a computing environment rule instance repository, wherein: the tenant rule instance repository comprises rules for transferring data items by a tenant environment within the computing environment; and the computing environment rule instance repository comprises rules for transferring data items across or within boundaries of the computing environment; and
    based on the call context, retrieving: a first rule relevant to the data read request from at least one of the tenant rule instance repository or the computing environment rule instance repository; and a second rule relevant to the data read request from at least one decentralized rules repository external to the system, wherein relevancy of the retrieved rules are based on whether the retrieved rules are to govern data transfers relating to at least one of the identifier of the caller or the type of the caller;
  evaluating, by the storage API, the one or more data properties, the provenance record, and the classification data using the retrieved rules;
  based on evaluating the one or more data properties, the provenance record, and the classification data, determining, by the storage API, that at least one of the retrieved rules, the provenance record, or the classification data prohibit a first data property in the one or more data properties from being transferred to the caller;
  creating, by the storage API, an ineligibility indication specifying that the first data property is prohibited from being transferred to the caller;
  generating, by the storage API and in response to the data read request, a payload: comprising the provenance record, the classification data, the ineligibility indication, and a second data property in the one or more data properties, wherein the retrieved rules do not prohibit the second data property from being transferred to the caller; and not comprising the first data property; and
  providing, by the storage API, the payload to the caller in response to the data read request.

2. The system of claim 1, wherein the call context further indicates an initiation type for the data read request.

3. The system of claim 1, wherein the storage API: provides the call context to the policy governor.

4. The system of claim 3, wherein the data provenance provider attaches a corresponding provenance record to each of the one or more data properties.

5. The system of claim 1, wherein evaluating the one or more data properties comprises using a validation mechanism to compare each of the one or more data properties to each of the retrieved rules.

6. The system of claim 5, wherein evaluating the one or more data properties further comprises using the validation mechanism to compare each of the retrieved rules to the classification data.

7. The system of claim 6, wherein the classification data indicates whether the one or more data properties relate to sensitive or private data.

8. The system of claim 1, wherein the ineligibility indicator corresponds to at least one of: a status code; a status flag; or a status message.

9. A method comprising:
  receiving, by a storage application programming interface (API) of a computing environment, a data read request from a caller, the data read request comprising one or more data properties of a data item and a call context, wherein the call context indicates an initiation type for the data read request;
  processing the data read request, wherein the processing comprises:
    retrieving, by the storage API, the one or more data properties from a tenant data storage system of the computing environment;
    identifying, by the storage API, classification data for each of the one or more data properties, wherein the classification data is identified in a data provenance provider of the computing environment;
    retrieving, by the storage API, a first provenance record associated with the one or more data properties from the data provenance provider, wherein the first provenance record indicates an origin location of the one or more data properties;
    accessing a policy governor comprising a tenant rule instance repository and a computing environment rule instance repository, wherein: the tenant rule instance repository comprises rules for transferring data items by a tenant environment within the computing environment; and the computing environment rule instance repository comprises rules for transferring data items across or within boundaries of the computing environment; and
    based on the call context, retrieving: a first rule relevant to the data read request from at least one of the tenant rule instance repository or the computing environment rule instance repository; and a second rule relevant to the data read request from at least one decentralized rules repository external to the system, wherein relevancy of the retrieved rules is based on whether the retrieved rules are to govern data transfers relating to the initiation type for the data read request; and
    cryptographically signing the one or more data properties, the first provenance record, and the classification data;
  evaluating, by the storage API, the one or more data properties, the provenance record, and the classification data using the retrieved rules;
  based on evaluating the one or more data properties, the first provenance record, and the classification data, determining, by the storage API, that at least one of the retrieved rules, the first provenance record, or the classification data prohibit a first data property in the one or more data properties from being transferred to the caller;
  creating, by the storage API, an ineligibility indication specifying that the first data property is prohibited from being transferred to the caller;
  generating, by the storage API in response to the data read request, a payload: comprising the first provenance record, the classification data, the ineligibility indication, and a second data property in the one or more data properties, wherein the retrieved rules do not prohibit the second data property from being transferred to the caller; and not comprising the first data property; and
  providing, by the storage API, the payload to the caller in response to the data read request.

10. The method of claim 9, wherein the call context further indicates a call initiator access list that indicates at least one of resources or data sources to which the caller has access.

11. The method of claim 9, wherein the one or
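
The read path that the abstract and claims 1 and 9 describe, as an added worked example; this is not the patent's or Microsoft's code. It assumes in-memory dictionaries standing in for the tenant data storage system and the data provenance provider, a Rule format scoped by caller id and caller type (claim 1) with a caller region in the call context standing in for the "caller location" the abstract mentions, three rule repositories (tenant, computing environment, and an external decentralized one) behind a PolicyGovernor, string status codes as the ineligibility indication (claim 8 allows a status code, flag or message), and an HMAC-SHA256 over the returned properties, provenance and classification as the "cryptographically signing" step of claim 9. The sample data, rules and signing key are constructed for the example.

```python
"""Policy-governed storage read illustrating the abstract and claims 1 and 9.
Added example, not the patent's code; store layout, Rule format, status
codes and the HMAC signing step are assumptions made for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample stores (assumed for the example only).
# Tenant data storage system: data item -> data property -> value
TENANT_DATA = {
    "customer-42": {
        "display_name": "A. Person",
        "email": "a.person@example.com",
        "card_last4": "4242",
    }
}
# Data provenance provider: classification data and origin location per property
PROVENANCE = {
    ("customer-42", "display_name"): {"classification": "public", "origin": "EU"},
    ("customer-42", "email"): {"classification": "personal", "origin": "EU"},
    ("customer-42", "card_last4"): {"classification": "financial", "origin": "US"},
}
SIGNING_KEY = b"example-only-key"  # assumed; use a managed key in practice


@dataclass(frozen=True)
class Rule:
    """One transfer rule. A scope field left as None matches any caller."""
    source: str                      # repository the rule came from
    caller_type: Optional[str] = None
    caller_id: Optional[str] = None
    deny_classifications: frozenset = frozenset()
    residency_origins: frozenset = frozenset()  # data that must stay in its origin region

    def relevant(self, ctx: dict) -> bool:
        """Claim 1: relevancy hinges on the caller's identifier or type."""
        return (self.caller_type in (None, ctx.get("caller_type"))
                and self.caller_id in (None, ctx.get("caller_id")))

    def prohibits(self, classification: str, origin: str, ctx: dict) -> Optional[str]:
        """Status code (the ineligibility indication) if this rule blocks the property."""
        if classification in self.deny_classifications:
            return f"DENY_CLASSIFICATION:{self.source}"
        if origin in self.residency_origins and ctx.get("caller_region") != origin:
            return f"DENY_ORIGIN:{self.source}"
        return None


class PolicyGovernor:
    """Tenant, computing-environment and external (decentralized) rule repositories."""
    def __init__(self, tenant, environment, external):
        self.repos = {"tenant": tenant, "environment": environment, "external": external}

    def rules_for(self, ctx: dict) -> list:
        return [r for repo in self.repos.values() for r in repo if r.relevant(ctx)]


def sign(data: dict, provenance: dict, classification: dict) -> str:
    """Claim 9's signing step, realised here as HMAC-SHA256 over canonical JSON."""
    msg = json.dumps([data, provenance, classification], sort_keys=True,
                     separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_payload(payload: dict) -> bool:
    expected = sign(payload["data"], payload["provenance"], payload["classification"])
    return hmac.compare_digest(expected, payload["signature"])


def read(governor: PolicyGovernor, item_id: str, properties: list, ctx: dict) -> dict:
    """Storage API read: evaluate each requested property against the relevant
    rules; return eligible values, provenance, classification, per-property
    ineligibility indications, and a signature over the returned material."""
    rules = governor.rules_for(ctx)
    data, provenance, classification, ineligible = {}, {}, {}, {}
    for prop in properties:
        record = PROVENANCE[(item_id, prop)]
        provenance[prop] = record["origin"]
        classification[prop] = record["classification"]
        verdicts = (r.prohibits(record["classification"], record["origin"], ctx) for r in rules)
        status = next((v for v in verdicts if v), None)
        if status:
            ineligible[prop] = status  # prohibited property is left out of the payload
        else:
            data[prop] = TENANT_DATA[item_id][prop]
    payload = {"data": data, "provenance": provenance,
               "classification": classification, "ineligible": ineligible}
    payload["signature"] = sign(data, provenance, classification)
    return payload


# Constructed rule set: one tenant rule, one environment rule, one external rule.
GOVERNOR = PolicyGovernor(
    tenant=[Rule("tenant", caller_type="analytics", deny_classifications=frozenset({"personal"}))],
    environment=[Rule("environment", residency_origins=frozenset({"EU"}))],
    external=[Rule("external", caller_id="partner-7", deny_classifications=frozenset({"financial"}))],
)
```

Calling read(GOVERNOR, "customer-42", ["display_name", "email", "card_last4"], {"caller_id": "svc-analytics-1", "caller_type": "analytics", "caller_region": "US"}) returns only card_last4 as data, with email blocked by the tenant rule and display_name blocked by the environment residency rule; the caller still receives the provenance and classification for every requested property, as claim 1 requires. Because the signature covers data, provenance and classification together, a downstream consumer can detect a payload whose classification labels were altered after the storage API issued it.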

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • G06F21/6218 (primary): to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • Location-sensitive, e.g. geographical location, GPS · CPC title

  • Protecting personal data, e.g. for financial or medical purposes · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12339981B2 cover?
Examples of the present disclosure describe systems and methods for preventing illicit data transfer and storage. In aspects, a computing platform may receive a data request from a caller system, device, or service. The computing platform may identify data items/properties associated with the data request and retrieve one or more rules relevant to the caller and/or caller location. The retrieve…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/6218. Mapped technology areas include Physics.
When was this patent published?
Publication date: Jun 24, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).