3D Printing – Dhryl Anton, Michael McFall, Vescel LLC

Abstract for “Control over data resource usage through a security policy control policy evaluated in context of an authorization request.”

“Disclosed” is a method, device, or system for controlling data resource usage through a security policy. This policy is evaluated in the context an authorization request. One embodiment of a method involves receiving authorization requests from a device for the use of a protected resource within an datastore. A security node control policy defines the authorized context in which the protected resource can be used. A control policy contains a control algorithm that compares context values with control ranges. To create a context dataset, context values are retrieved. The authorization to use the protected resource occurs when the control algorithm determines that the context dataset is compatible with the authorized context. A security node can organize data into a domain structure, which may include a unique identification, an identity element, and a content element.

Background for “Control over data resource usage through a security policy control policy evaluated in context of an authorization request.”

“The datastore could contain data resources that are proprietary or confidential and/or private. These data resources could include financial information, confidential communications, electronic medical records, trade secrets, and/or private communications. Protected resources are data resources that have been secured by a security system. A security system might require that a user be authenticated before they can access the datastore, and/or authorise them before they can use one or more protected resources in the datastore. An authentication process is used to validate that the user is real (e.g., verify the user’s identity), and the authorization process is used to verify that the user has the right to access the datastore. You can access a protected resource (e.g. download a video, view user information, or download a document). The computing processes of the security systems may have to interact directly with the data structure in order to control the datastore’s data resources.

The security system’s characteristics and/or architecture may be determined by the particular data structure that was used to implement the datastore. An example of a traditional hierarchical data structure that could be used to implement a datastore is the classic hierarchical file system. A hierarchical file system could include a hierarchical structure, which may be stored at a particular location (e.g. a first server or section of a hard disk) and an access list, which may be stored at a different location (e.g. a different data structure in another sever, or section of the hard disk). Access control lists may be used to specify who and/or what devices can access which data resources. Without looking at the access control list from the outside location, it might be difficult to see how each piece is protected when referencing the data structure. It may also be difficult to see the contents of protected resources when you examine the access control list.

“As your datastore grows in size, it can become more difficult to use an external system to determine which protected data resources and/or permissions are associated with each protected resource. There may be mistakes in the security measures defined within the datastore. The external system may require additional computing resources to be managed and used. The external system may not be able to be updated automatically or programmatically, which could prevent the security system’s ability to scale to meet the high demand of datastore users.

The organization may grant permissions to groups due to the complexity and/or overhead involved in maintaining and establishing associations between the external system (such the access control list), and protected resources in the datastructure of the datastore. The security system can be used to create a group of users to whom permissions for a particular set of data resources will be granted. A user in the group might be granted access to data that is not necessary for their purpose. This could increase security risks to the organization, such as if they lose their identity credentials or take actions that are against the interests of the organization. The user could also feel inconvenienced if they have to use a protected resource that is in another group.

The security system may not have the necessary capabilities to protect and control the confidential and private data stored in the datastore. An authorization process might provide access control that is based on user identity and access time. It may also include a limited set of permissions, such as read, write and delete permissions. To define permissions over data resources within the databasestore, the security system might also use systems that are external and separate from the datastore. This system can be complicated and difficult to scale.

“Disclosed” are a method and a device, as well as a system for controlling data resource usage through a security policy. This information is evaluated in the context a authorization request.

“In one embodiment, computer-implemented methods for controlling data resources of datastores include traversing a referent attribute a first node in a non-hierarchical structure that references a security node. A security node contains a protected resource that is either a protected primitive or a protected referent that refers to a second non-hierarchical node. A device sends an authorization request for the use of the protected resource. The authorization request includes a state dataset, which contains one or more state attributes and each of their state values.

Refer to “A control policy that defines an authorization context in which the device can use the protected resource from the security node.” This control policy contains one or more conditionals that compare a control range to a context that is the state attribute of one or more states and/or an external value associated in some other way than the authorization request.

“The control range for each one or more conditionals specifies the location of a computing devices, the number of uses of protected resource, the type of use and/or the duration of use data of protected primitive. Each of the one or two conditionals’ context values specifies the location of a computing device, the number and type of uses of protected resource, as well as the duration of data use.

“The control algorithm for the control policy is extracted form the security node. Each context value specified by the control algorithm are retrieved from a contextual dataset that is the state data set including every instance of the state value, and/or an external dataset including every instance of each external value. Each condition of the control algorithm is evaluated to determine if the context dataset conforms with the authorized context. When the device determines that the context dataset is compatible with the authorized context, authorization is granted for the security node to use it.

The security node in the non-hierarchical structure may contain the control policy. An external value may be retrieved either from a memory address or a function call. A value retrieved via an application programming interface (API), one or more datastore nodes, or a second state dataset from another device.

The security node can organize data according to a domain that includes an unique identifier (UID), which allows the security node to be uniquely addressed within the datastore. It also contains an identity element (TY) element. The identity element contains one or more attribute value pairs. These pair include identification data that can be used to identify the security node as well as distinguish it from other nodes within the datastore. A security node can also organize data according a domain structure. This includes a content element, (NT element), that contains one or more attributes-value pairs and contained data. Additionally, a context element (XT elements) has one or more attributes-value pairs that contain contextual data that further characterizes security node.

“Another embodiment includes a plurality nodes within a nonhierarchical information structure. The non-hierarchical structure is defined by at least one node and includes a nonhierarchical reference for another node. Each node in the plurality is defined by a node schema that includes an identifier, (ID), which allows the node to be referenced by at most one of the plurality or nodes. A referent attribute also references at least one other node from the plurality.

“The plurality includes a security Node of the non-hierarchical Data Structure, the security Node defined by node structure, and further includes a protected resource secured under a control Policy. The control policy defines an authorized context in which the protected resource can be used. It also allows for the evaluation of a context dataset that is associated with an authorization request for a device.

The context dataset is located at a state dataset that contains a state value of each one or more of the state attributes associated to a device’s state at the time of authorization request generation. An external dataset also includes an external value for each one or more external attribute associated with the source other than the authorization request. One or more conditionals of the control policy include a control algorithm that compares a first input, which is the state value one or two state attributes and/or an external value one or several external attributes, with a second input, which is a different state attribute, an external value of one/more external attributes, and/or control value range.

“Another embodiment of a system includes both a datastore, and a server. The datastore contains a plurality nodes of a nonhierarchical structure. At least one of these plurality nodes defines the non-hierarchical structure. It also includes a nonhierarchical reference for another of the plurality. Each node in the plurality is identified by a node schema that contains an identifier of a particular Node, which can be referenced by at most one of the plurality or nodes. A referent attribute also references at least one other Node from the plurality.

“The datastore contains a security node from the non-hierarchical structure of data, as defined by the node structures. A protected resource that is protected by a control policy establishes an authorized context in which the protected resource can be used. The control policy can be used to evaluate the context dataset associated to an authorization request for a device in relation with the authorized context. The context dataset includes at least one of two types of state datasets: one that includes a state attribute for each state attribute associated with the state of the device at the generation of the authorization requests and one that contains an external dataset with an external value for each one or more attributes associated with the source other than the authorization request.

“An instance from the control value range for each of one or more conditionals specifies the location of a computing devices, the number of uses of protected resources, the type of protected resource use, and/or the duration of use. One or more conditionals in a control algorithm of the control policies compare a first input which is either an instance or the state value of any one or many state attributes or an instance or the external value one of one or several external attributes with a second input that’s a control value range.

A server is composed of a processor and computer-readable memory. Instructions are included in the computer-readable memory to: (i), receive the authorization request from the device; and (ii), evaluate the context dataset associated to the authorization request with control algorithm to determine authorization for the protected resource.”

“Disclosed is a method, device, system, and/or a manufacturing of control over data resources utilization through a security policy control policy evaluated in context of an authorization request. While the examples of embodiments in the present inventions are specific, it is obvious that many modifications and changes can be made without departing from their wider spirit and scope.

“FIG. “FIG. Specifically, FIG. FIG. 1 contains a set 100A through 100C, an identifier 101A through 101C for each set of 100, a security 102B that instantiates node 100B, and a security 102C that instantiates node 100C, two node reference 103.1A, 103.2A, and two security node references 105A and 100C, two instances of protected resource, the protected node 10102B, and two control algorithms 110B, 108C and 102C respectively, two control data 114; two sets of conditionals 112B, 112B and 112B, and 112B, and 112B, and 112B, and 112C and 112B, and 112B, and 112B, and 112B, and 112C context dataset 114 Additionally, FIG. FIG. 1 also includes: a device 200, a network 200, a state dataset 200, an application program 200, and an authorization request 206 of the device 200. A server 208 comprises one or more processors, one or two physical memories 212, and datastore 214. An external source 218 and an external dataset 220 are both non-hierarchical data structures 216.

“FIG. 1. shows a system network with a data structure that can control a resource (e.g. the protected primitive 11C, a protected referent107B pointing at node 100C containing protected primitive 11C), using one or more security nos 102. A data resource is an individual piece of data or a portion thereof that can be used as a resource in an application program. A data resource could include a file or a record, as well as a message, a message and/or other media, such music and video. A data resource could include a user profile, which may contain a list of attributes and values that hold information about a person. A data resource could also include a section of the user profile, such as an attribute-value pair that specifies a person’s social security number. Another example is an audio file. This could be an MP3 or AAC file and/or a section of the audio file. The data resource can also include a streamed portion, such as a 30-second-long section, to a device. The protected resource 104 is a data resource that is protected by a security program, such as one that requires authentication and/or authorization prior to usage.

“The device 200 contains a processor and a memory that runs the application program 204. It is stored in the memory 200. Device 200 could be a computer or smartphone, tablet, or piece of hardware that is Internet-enabled (e.g. an ‘internet of everything?). device), a computer-aided manufacturing device (e.g. a 3D printer or CNC mill, a laser cutter, and/or another server. The device 200 is not shown but includes one or more processors and one to several memories. Through the network 201, the device 200 can be communicatively connected to the server 208. The network 201 can be either a wide-area network (WAN), local area network, or the Internet. Any software or set of computer-readable instructions can be used by the application program 204. This includes protected primitive 111C. The application program 204 could be, for example, a social media app. On a 200-inch smartphone, the application program 204 can be a social media?app? The application program 204 can also use protected resource104 without actually using it. For example, the program may transfer control of protected resource104 to another use in the datastore 214. The server may periodically send the device 200 data, such as images, music, and/or text files to be used by its application program 204. This could include data that can be used to populate the device’s graphical user interface 200, or to use resources from the datastore 214. Each request can be in the form of an authorization request 206. This request is generated by the device 200, and sent over the network 201 directly to the server. 208

“The authorization request (206) may contain a variety data, including a credential or other data that identifies a user of a device. The authorization request (206) may also contain the state dataset (202) associated with the state of device 200 at generation. This data could include a time, date, type of device 200 and/or location of device 200. FIG. 2 illustrates an example of the state dataset 202. 7 may be used as a source for data in the context dataset (114) and could therefore be used to determine authorization requests.”

“In general, datastore 214 consists of a plurality stored nodes of data (e.g. the nodes 100), that may each act in a resource role by one or several application programs (e.g. the application program 204) and located on one or two devices 200. Each node 100 can contain one or more attribute/value pairs. Additionally, each node 100 could model a real-world?thing? Or a?object. A number of nodes 100 can even model relationships among or between other nodes 100. FIG. 100A is an example of this. One may be used to represent a relationship between two nodes 100. This is done by referencing each other node using the node references 103.1A or 103.2A. Node reference 103.1A could point to node 100C. However, node reference 102A may point at a different node (not shown here). 1). Referential attribute value (e.g., node reference 103.1A or 105A, protected referent 107B etc.). The ID 101 of the referenced nude. The nodes 100 could be found in a non-hierarchical structure, which includes non-hierarchical reference between nodes 100. 5. Some nodes 100 can return data resources to the device 200 free of charge, while other nodes are security nodes (e.g. the security node 102) that may trigger an evaluation (e.g. the control policies 106B or 106C). This will determine if the 200 is authorized to use the protected resource 104B from the node 100.

This article will describe a specific set of authorization requests 206 from the device 200 to access data of multiple nodes 100 of datastore 214. The ID 101A may be used by the device 200 to request data from the node 100A. The device 200 might receive the first data, the node number 103.2A. This may allow the device 200 to request the node 100D (not illustrated) that is identified by the 103.2A. The node 100D could include an image or a sound file representing data in node 100 (e.g. the node100C) reached via the node number 103.1A. Node 100C may be referenced by node 103.1A. Node reference 103.1A can be controlled and therefore secured, unlike node 103.2A. associated with security reference 103.2A. Instead of returning the value of 103.1A to device 200, the server 208 will return the value 105A pointing at the security node 101B.

“Each instance triggering the security node 102 may trigger the control policy 106. A security node is an instance of protected resource 104, and one or more components from the control policy. The protected resource 104 can be stored at a particular location, such as a security element 109. Even a single attribute/value pair or an entity in a block may be covered by the control policy 106. According to one or more embodiments, either of these could be protected resources 104. Protected resource 104 could be a protected reference 107B, which includes data that can be used to refer to another node 100 in the datastore. 214 Protected resource 104 could also include the protected primitive (?BLOB?) 111, which is, for instance, a binary large objects (?BLOB?) It is used to store primitive data, and/or files of any MIME type within the node 100. An instance of the securitydomain 102 may have one or more protected referenceents 107B, one, or more protected primitives 112 and/or an additional protected resource104 stored in the attributes and values of security domain102 (e.g. any attribute-value pair within a data node can be designated as protected resource by control algorithm 108). FIG. 2 shows additional examples of protected resource 104. 17- FIG. 19.”

“In FIG. 1. The security node 102B includes the protected resource 104B, which is the protected referent of 107B, and the component of control policy 106B, which is the control algorithm number 108B. Security node 102B also contains an ID 101B that allows other nodes to reference the security node 2102B (e.g. the node 101A). The protected referent (108B) is data that can be used to refer to another 100 in the datastore 214, and more specifically, FIG. 1 The protected referent is a security security reference 105B to security number 102C. Security node 2B protects data that is required by application program 204 to reach the protected primitive 111C security node 102C. Security node 2B can also be called a “shield node”. This hides from 200 a path that leads to one or more of the 100 nodes 100 that security node102B refers to using the protected reference 107B. “Shielded node” may refer to a node 100 that has been referenced by an instance 107B of protected referent.

The authorization request for protected resource104B by application program 204 is evaluated by control policy 106B at the security node 102B. The protected resource may be used for both server-side and device-side purposes. This could include traversal of a referent attribute by the server, transfer or sharing the protected resources 104 with another user, or access to the protected resources 104 so that the device 200 receives a data stream. A control algorithm 108 is the first component of control policy 106. It consists of one or more conditionals 112 which each compare at most two values. When evaluating control policy 106, the control algorithm 108 can be written in Turing-complete code and/or written in Turing-complete language. You may?hard-code? the values of one or more conditionals 112. The control algorithm 108 may be called using the context dataset 112 or 110. In either case, the control dataset 110 can be used to define the range of values that can be used as inputs for the control algorithm. When the control dataset 110 is used, it may form a second component to the control policy. A first conditional could compare geospatial coordinates (e.g. Las Vegas) to determine if the device 200 can be used in a specific location. The second conditional may be a comparison of two stock indexes that were inputs to the external dataset 220.

“A security node 102 instance generally stores control algorithm 108, control dataset 110 or both. The control algorithm 108 can be called?conditions? The control algorithm 108 may also be called?conditions?. the specific control policy 106. In some cases, however, the control algorithm may be used in isolation with all input ranges defined in the control algorithm.108 and not through separate definitions in the control dataset 110. The control algorithm 108 could be called both the “terms and conditions?” Control policy 106. FIG. 2 shows some possible configurations. 2, FIG. 2, FIG. 4.”

“The security node (102B) of FIG. 1 contains the control algorithm (108B) with one or more conditionals 112B. The authorization request 206 to use the protected resource104B is received by server 208. The server 208 extracts control algorithm108 from security node 102B and executes each conditional 112 of control algorithm108 to determine if the authorized context exists (e.g. client 200 uses protected resource104B in accordance with the?terms?conditions?). The control policy 106B. The one or more conditionals 112 inputs may include (1) the values of the context data 114, including the external and state datasets 220; (2) the values hard-coded in the control algorithm 110B and (3) the ranges of control dataset 110. The control policy 106B could be used to create an authorized context. It may require that the 200 device is located at the corporate headquarters of a company, (2) the values of the context dataset 114, and (3) the ranges of the control dataset 110. Therefore, the control policy 104 can be used to create arbitrarily complex control rules. These rules are stored in the datastore 214 and/or associated each piece of secure data. Any inputs to one or more conditionals 112 which require information that is not contained within the state dataset 200 may be obtained from the appropriate location in the control algorithm 110. An external value can be obtained from, for example, a memory address or function call. It may also be available from one or more datastores 214. A second state dataset may also be used to retrieve the value of the external dataset 220-, which is not the device 200 that issued the authorization request 206. As an example, the external API may be called from the external server 218, which is shown in FIG. 1. Before completing authorization, the control algorithm 108 or one or more conditionals 112 might wait for inputs like the electronic permission or an external value. The waiting periods for inputs may be as long or short as necessary, such as a second, one week, or one year.

The server 200 can determine whether the authorization program 204 for the device 200 authorizes the use of the protected reference 107B. In this case, the server 200 could return a value of protected referent (e.g., ID 101C) to device 200, and/or traverse protected referents 107B to node 100C, without sharing the value to device 200. This could result in the server 200 granting access to and/or using data from the referenced domain 100 to device 200, either as part of an authorization request 206 or as an additional instance of authorization request206.

“In FIG. “In FIG. Security node 101C contains the ID 101C, security sub-elements 109C, and an instance protected resource 104 which is the protected primitive 112C. The security node102C can trigger the second instance of control policy 106 or control policy 106C. The control dataset 110C is stored in the security node. This control policy forms the second component of control strategy 106C. Contrary to the control policy, 106B, control policy, 106C may store control algorithm 108C elsewhere than the security node. (e.g. in a different node 100, in the memory 221 of the server 200 and/or in another server that is accessible by the 200). The control algorithm, 108C, may be as flexible as the control algorithms 108B. However in some embodiments, the control policy 106C may store the control algorithm 110C outside the security node 100 of the datastore 214. 1. This standard algorithm, for example, can determine if each value in the context dataset 112 falls within any of the ranges stored in security node 102C. This may result in a relatively standard control policy that may only have minor variations from the control dataset 110. In FIG. FIG. 1 shows that each one or more conditionals 112C in the control algorithm 108C can determine whether each context dataset 114 is within a control range of one or several attributes of control dataset 110C. FIG. shows an example of such a range checking instance of the control algorithm 110C. 13. The control policy 106C can be defined using the control data 110C stored in security node 102C. A standard instance of control algorithm 108C may also be stored outside security node 101C. This will allow the owner of security node 2102C or protected primitive 111C, to quickly and easily determine the authorized context and modify it without having to change the control algorithm.

The server 208 extracts protected primitive 112C from the device 200. This allows the 200 and/or 200-specific application programs 204 to use the protected primitive 112. The protected primitive 111C could be transmitted over the network 201 to device 200 (e.g. a music file that can be played on a smartphone), the protected prima 111C may then be transferred to a new owner within datastore 214 (e.g. a private key associated to a cryptographic currency value), and/or the protected primitive 111C delivered to a specific application program of device 200 that can monitor the use of protected primitive 111C via the application program 204. The control policy 106C may also be used to monitor the use of the protected primitive 112C. This policy includes data that can be used to define?use terms. The use policy can be described and shown in conjunction with other patent applications filed by a similar inventive entity or common assignee. The server 208 can also make changes to datastore 214 when the protected resource is utilized by device 200. This may include incrementing a use statistic, changing control algorithm 108C or changing an attribute of the security node 2C, creating auditing logs and/or updating the analytics processes.

“A single authorization request (206) is shown that requests both the protected resources 104B, and 104C. However, these requests can be distinct (e.g. an authorization request of 206A and request 206B). “In such cases, one or more conditionals 112B and one or more conditions 112C could use different instances of context dataset 112 (e.g., context datasets 114A and 112B generated for each authorization request 206A and206B).

“FIG. 2. illustrates a first instance of a security network that stores a protected resource. It includes a file, a control policy, and a first component, which is a control algorithm stored in another location. A second component, which is a control data set stored within the security network, provides inputs for a set conditionals for the control algorithm according to one or several embodiments. FIG. FIG. There may be different instances of control algorithms 108A to 108N depending on the application program 204A to 204N that generates the authorization request 206.

“In FIG. 2. Security node 102 includes the ID 101 and a contained data 116, which include the protected primitive 110 and security element 109 that comprises the control dataset 110. The authorization request 206 may be generated by device 200 using one of the applications programs 204A through204N. The authorization request 206 could include the node ID 101 and the state dataset 022. The server 208 could retrieve the security node 101 from the datastore214 (not shown at FIG. 2), and extracts control data 110 from security node 102.

“In FIG. 2. Each application program 204 may be able to generate a separate instance 106 of security node 101. The control dataset 110 may remain the same for authorizations 206 of any application program 204A to 204N, but each authorization request from an application program 204A to 204N may trigger analysis using another control algorithm.108 (e.g. the control algorithm 110A through 110N). The security node may contain a description of a specific control algorithm (108) that is applicable to a specific application program 204A through204N. One or more conditionals 112A in the control algorithm 110A might check that each context value of the context dataset114 is within the control range of each control value range of control dataset 110. The control algorithm 108B, however, may only require two of six context values from the context dataset 112A to fall within the control ranges of control dataset 110. FIG. FIG. 2. Application program 204A generates authorization request 206. Security node 102 then calls control algorithm 102A. This is stored outside of security node 101. The control policy 106 to authorize request 206 from application programme 204A consists of two components: the control dataset 110 and the control algorithm 108A.

“In one preferred embodiment the security node (102) of FIG. 2, may be used to create a default data structure or system for protecting data resources in the datastore 214. The shield nodes can provide flexible controls for accessing and/or using the security node (102C) of FIG. 2 (or security nude 102C in FIG. 1). The control policy 106, which was formed from the control dataset 110 and a relatively static control algorithm of 108, may be a baseline or default control that secures the protected primitive 111, regardless of any control policies 106.

“Additionally as shown in FIG. 2. The protected resource 104 can be stored in a discrete component of the security node102, such as contained data 116. One or more embodiments may contain an instance of the contained information 116 at each node 100, which could include the protected resource, protected referent, 107, protected primitive 111 and/or any other unprotected resource.

“FIG. “FIG. The shield node stores several instances of protected resource 104 (e.g. the protected resources 104.1A through 10.4n). These protected referents are 107 that refers to?shielded nosdes. FIG. 208 is the server 208. 1. Extracting the control dataset 110B as well as the control algorithm 108B from the shield node according to one or several embodiments. FIG. FIG. 3 shows a further set of control algorithms, 108A through108N, stored in the security node (102B).

“The shield node is an instance security node 102 that contains one or more protected referents107 referring to one of many different nodes 100, which are referred to here as?shielded nosdes. FIG. 2 shows the security node, 102B. 3. may be used to provide flexible control policy106 for controlling and/or regulating data within any node 100 that is referenced by the shield notde. The node 101B can be used as an intermediate 100 between the node 100A, the shielded 100C and the node 100A that may contain protected primitive 111. The shield node can trigger the examination of the context data 114 when it is called, and/or a refer to the security node102 is traversed in response one or more authorization requests 200. You can define shield nodes throughout the datastore 214. They may also be added to different configurations to achieve different functionality. You can place several shield nodes in succession (e.g. forming a reference-chain using protected referents 107) and each shield node must be owned by a different user. This ensures that each user has satisfied the control policy 106 to traverse to security node 101.

“FIG. “FIG. In FIG. FIG. 4 shows a security node 104.1C which contains a protected attribute 401, a protected resources 104.2C and 107.1C respectively, as well as a protected primitive 111C. While the security node 101A may shield the security node, 102C is also referenced by 100B which is not an instance security node. Security node 100B also refers to shielded node 101D and shielded 102E, which may be shield nodes. Protected referents 107.1C (107.2C) are also used. Security node 100C could be both a shield and shield node. Security node 102C could also contain a series of control algorithms 108A to 108N that may be applied to different instances of the application programs 204A through204N which generates the authorization request number 206. Control algorithms 108A through108N may not include any ranges that can be used to compare to the context dataset 114. They may not refer to an instance of context dataset 110. Protected attribute 401 can be any attribute-value pair, including the following: a time when the security notde 102C was created; a reference to the owner of security node 102C; a reference a user profile that owns security node 101C; a use statistic for security node 100C or any other nodes 100C shielded by security node 122C; etc.

“FIG. FIG. 5 shows some aspects of the non-hierarchical data structures stored in FIG. 1 includes several types of non-hierarchical reference and shows instances of the security nude within the nonhierarchical datastructure that can be used to store one or multiple components of the control policies, according to one or many embodiments. One non-hierarchical 502 reference is a feature of the non-hierarchical structure 216. Non-hierarchical references 502 are a type that point from one node toward another node in the data structure. This is non-hierarchical refer 502A. This happens when a node 100 is one number away from the root and a second 100 is another number away from the root. Non-hierarchical refer 502 also includes a reference in which a node 100 has been referred to by more than one other node, as illustrated by non-hierarchical refer 502C. Another type of non-hierarchical 502 is when a node 100 refers to another node 100 which is lateral in the data structure. Non-hierarchical 502C illustrates this. These lateral references can also occur when one node 100 refers to another node 100 that’s equidistant from the root node. The non-hierarchical data structures may also include multiple roots, which can each provide entry points into the data structure via the server 108. For example, the root node 500A or 500C.

“In one or more embodiments, a non-hierarchical graph data structure is a graph structure that includes the nodes 100 as verticles connected with directed edges. Directed edges can form a directed-acyclic graph architecture as illustrated and described in conjunction. 1.6. The non-hierarchical data structures 216 could still contain hierarchical elements. The non-hierarchical data structures 216, for example, may contain a single root with multiple levels of relationships. The non-hierarchical structure 216 can move from the root node through a number of nodes that represent relationships and/or category before reaching resources like files and documents.

“The non-hierarchical structure of the data may permit security nodes 102, such as shield nodes, modification and/or removal without affecting the architecture or rules of the data structures and the applications that interact with them. FIG. FIG. The protected resource (104B) of security node 102B is one example of protected referents107 that refer to nodes 100C and 100D. Security node 52H is a shield-node that includes protected referents 107H and security node 102J, as well as a non-secured reference, node reference 100H, which is also known by representation node 504K. A representation domain 504K could contain a data resource, such as an image that can be used to represent data within security node 102J. This may help a user of application program 204 make a selection. Security node 102J and representation node 504K may be part of a derivative-representation domain structure as shown and described in conjunction with FIG. 1.11. 1.11. Security node 102I, acting as a shield, may restrict access to data in node 100L. Any one of the 100 nodes in the non-hierarchical structure 216 (FIG. 5, may be converted to instances of the security nude 102 or converted back into nonsecurity nodes. Additional nodes can be added between any nodes 100 by changing a refer structure.

“FIG. FIG. 6 shows the control dataset for FIG. 2 (also known as a “terms”? 2 (also referred to as a?terms?) is a set control attributes that can be used to create an authorized context for the control policy. Each control attribute has a specific control value range that can be used to input the control algorithm according to one or more embodiments. Specifically, FIG. FIG. 6 shows an additional control attribute 600 and a control range 602. The control dataset 110 includes one or more control attributes 600, which can be called by an instance the control algorithm108 for one or multiple control value ranges 602. FIG. FIG. 6 shows the control dataset 110 being associated with a node 100 that stores a CAD data file that can be used by the 200-based 3D printer. To ensure that the CAD files are used within an organization, there may be restrictions. The?Email_domain could be an example. Attribut 600 could contain an array with email domains, as one instance in the control value range 602. The ‘Day? Attribut 600 could contain an array of every day of the week (here Monday through Friday), forming another instance in the control value range 602. Control algorithm 108 can use any one of the control ranges 602 for inputs. It may also include a?range-checking function. As discussed above, it determines whether each value in the context dataset 112 is within the corresponding control range 602 (e.g. whether the time in state dataset 202.2 is within the control range 602). The security sub-element 110 could contain the control dataset 110. The security sub-element 109, the attributes 600, and the control value range 602 may be in the form of an entity-attribute-value triplet which may allow for efficient query or retrieval of all data relevant to the control policy 106. Similar to the above, a security node 100 and/or 102 can be implemented in FIG. 1.1, the security sub-element may form a sub-entity within the NT element 1.103 and/or the XT element 1.104 of the domain 1.100, which may for an entity-sub-entity-attribute-value quadruplet.”

“FIG. FIG. 7 shows two components of FIG. 1 is evaluated by the control policy. It includes the state dataset for a device’s state at the time of the authentication request. 2 contains an external dataset from another source, according to one or several embodiments. FIG. FIG. 7.7 further illustrates a state attribute 700 and a state value 702, as well as an external attribute 704 and an external value 706. The state attribute 700 and the external attribute 704 can be called context attributes, while the state value 702 and the external value 706 could be called context values.

“The state dataset 202 values 706 may be used in one or more conditionals 112 to the control algorithm 108. The state dataset 200 includes one or more state attributes 700, and state values 702 which include data associated to a state of device 200 at the generation of the authorization request.206. The state dataset 202, for example, may be generated before (e.g. a few milliseconds or a second, or a minute) authorization request 206 is generated. One or more embodiments of the state dataset 200 are continuously and/or regularly updated in the device 200. A?snapshot?” is also available. The authorization request 208 transmits the state dataset 200 to the server. The device 200 may generate the state dataset 202 and transmit it to the server using a communication protocol (e.g. HTTP). The server 208 can also add data to state dataset 202 such as the time that authorization request 206 was received by server 208. It may also convert units (e.g. converting geospatial coordinates between a longitude/latitude and a Cartesian). FIG. FIG. 7 illustrates examples of state attributes 700, and state values 702 which may be part of the state dataset 202. Examples include an?Application Attribut 700 generated the authorization request206 (e.g. the application program 204) and an?Email. attribute 700 containing an email address and a?User ID? of a user of application program 204. Attribut 700 indicating a User ID?, a Time? attribute 700 – a ‘User ID?, a?Time? Attribut 700, a device ID. A?device ID? (e.g., the operating system of device 200) and geospatial coordinates. Security features like the 700 hash state attribute and/or veracity of state datasets 202 could also be included in the state dataset. Each instance of the program 204 and each type of device 200 may have their own state datasets 202. These are sent with authorization request 206. Each state dataset 202 contains a different set 700 of state attributes and 702. A 3D printer might send data about the current configuration of materials loaded into it, while an autonomous vehicle instance 200 of the device 200 could send data about its current velocity.

“FIG. 8 is an example of a Turing Complete Expression 850 of control algorithm 108. 2 that allows flexibility in the control policy, 106 for securing protected resource 104. This is the Turing complete expression from FIG. 8 that includes an if operation 800 and a then operation 802, as well as an else operation 804, depending on one or more embodiments. Specifically, FIG. FIG. 8 illustrates two if operations 800A, 800B, and three then operations 802A, 802C, as well as an else operation 804. Each operation is written in pseudocode. This may be a notation that resembles a simplified programming language and used in program design. The if and else operations 800 may contain one or more conditionals 112 from the control algorithm 108.

“In FIG. 8. The if operation 800A first determines if geospatial data from the state dataset 200 fall within a specified range for x and y values. The if operation 800A also compares device_type (e.g. the type of device 200) with the os_type state values 702 in order to determine if they are included in the control value range 602 from the control dataset 110. The if operation 802A also determines whether an authorized user is an executive. This can be done by retrieving an external value 706 from the user’s profile, which may be stored in the datastore 214. Alternately, the user could have the executive range but a permission token issued by the server208 or another system. The then operation 802A authorizes the use of protected resource 104 in the security domain 102 via the application program 200 of the device 200. If operation 800B can be used if the requirements of if operations 800A are not met. Executives may receive an error message from the then operation 802B asking them to use the protected resource 104 at their location. If the requirements for if operation 800A or 800B are not satisfied, then the else operation 804 might return a message saying?Sorry? not authorized. Turing-complete expression of control algorithm 108 could be used to describe complex control. It is part of control policy 106.

“FIG. “FIG. 2 (including the if, the then, and the else operations) according to one or several embodiments. FIG. 9 shows the embodiment. 9 may be used to define an authorized context for accessing and using a medical record. For example, an X-ray (or magnetic resonance image) (MRI), could be defined by control algorithm 108. Contrary to FIG. Contrary to FIG. 8., an instance of control dataset 110 is not called by or used in the control algorithm.108 of the embodiment. 9. A if operation 900A specifies a number conditionals 112, such as first requiring re-authorization by the requesting user (e.g. through the?user.reauth?? command). To return True, type if operation 900A. The if operation 900A can then be used to determine whether a user profile includes a?radiologist’. The state dataset 202 may extract the list of approved IP addresses from which the use request 206 is derived. This information will determine whether the classification is correct and whether the use-request 206 is valid. If both the IP address and the classification are available, the if operation 902A can request affirmative permission from the patient or their general practitioner. The then operation 902A will authorize authorization if all requirements are met. The then operation 902A can also specify data to be assembled?use terms. For example, the user may view the medical record for up to two hours. They can also take as many screenshots as they like (e.g. all screenshot capabilities are enabled with a value?1?). You may communicate the use terms to the device 200. A data stream may also be temporarily stored in the memory of device 200. Its use can be monitored by one or more of the processes on the device 200.

“If the conditions 112 of the then operation 900A are not satisfied, the if operations 900B may be executed to determine if permissions have been granted affirmatively by the patient and the general practitioner. The then operation 902B may specify more restrictive use controls. For example, the requesting user can only use the medical records for a quarter of an hour before they need to be re-authorized. Any screenshots taken during use will cause the medical record to be terminated as it is being monitored by an application program on the device 200. If neither the conditionals 112 or 200B of the if operations 900A are met, the else 904 returns an error message in the then 902C. The control policy 108 in FIG. 9 may provide a flexible access policy. This policy could either require that an authenticated medical specialist has access to the medical records or that the patient and a general physician of the patient agree to allow the requester access. This could improve the security of datastore 214 by ensuring that users are granted access to the appropriate information.

“FIG. “FIG. Operation 1000 traverses the referent attribute (e.g. the node-reference 103) of a first security node. This security node includes a protected resource (e.g. the protected resource 104) and/or a referent attributes node referring back to a second security node (e.g. a protected reference 107). Operation 1002 receives a authorization request (206) from a device 200 to utilize the protected resource 104. The authorization request (206) includes a state dataset (22) that contains one or more state attributes 700, each of which has a state value 702 and is associated with the state 200 at the time of the authorization request (206). Operation 1004 refers to a control policy (106), which defines the authorized context in the 200-device 200 can use the protected resource. Optionally, the control policy 106 could include a first component which is a control algorithm 110 and a second component which is a controlling dataset 110. FIG. 2 shows some configurations for the storage of control algorithm 108, control dataset 110. 2, through FIG. 3. Based on the authorization request 206 generated by an application program, Operation 1006 determines the applicable control algorithm 108. Sometimes the control algorithm 108 can be applied to multiple instances 204 of an application program. In other cases, multiple control algorithms may apply to a single application programme 204.

Operation 1008 extracts control algorithm108 from security node102. The control algorithm108 includes one or more conditionals 112. Each compares a first input which is a context with a second input that’s a different context and/or a control range 602 of control dataset 110. The control algorithm 108 can be extracted from another location than the security not 102. This is where the security not 102 contains the control policy 106 or the control dataset 110. Operation 1010 retrieves every context value specified by the control algorithm108 and assembles control policy 106 using the control dataset 110, and the control algorithm108. Operation 1010 can pause to collect all the context values before it continues. Operation 1012 determines if the context dataset conforms with the authorized context. It does this by evaluating each one or more conditions 112 of control algorithm 108 together with each context value in the context dataset and each control range 602 from the control dataset that were specified as inputs for the conditionals (e.g. the one or two conditionals 112). Operation 1014 allows the device 200 to use the protected resource104 of security node102 when it is determined (e.g. by an outcome from the one or more conditions 112) that the context data conforms with the authorized context (e.g. the authorized context as defined by control policy 106). The protected resource may be used to deliver data directly to the device 200 in certain cases, while in others the protected resource can be used in another process (e.g. server-side processes of the server 208) associated to the user of device 200. The protected resource 104 could be “utilized” in the following example. The device 200 can deliver the protected resource 104 to another user, or change the attributes and/or value of the data node 102.

“FIG. “FIG. 11” is a security policy and control policy flow that illustrates a process by which the security policy, protected resource and control policy can all be defined according to one or more embodiments. Operation 1100 selects the node 100 from a non-hierarchical database structure 216. The ID 101 may be used to identify the node 100. If the node 100 is part of a domain 1.100 then the UID 1.101 from the domain 1.100 may be used to select the node 100. As shown in FIG. 1.1. Operation 1102 denotes a portion of the contained data of the node 100 as a protected resource. 104 One or more of the attribute-value pairs that hold any type of data can be selected as the protected resource. 1.1) file of any MIME type that the node 100 has. This may be called the protected primitive 112. The protected resource 104 may also include an attribute-value pair, referred to here as the referent attribut 107 that contains a reference 100 to which the node selected for operation 1100 will protect. Operation 1104 is the first aspect of control dataset 110. It defines a control policy 110. This operation specifies one or more control attribute 600 that will be compared against the corresponding attributes in a context dataset (e.g. one or two state attributes 700, and/or one/more external attributes 704). Control attributes 600 could include attributes such as a geospatial coordinate and a user. They also may contain attributes about a stock price and/or the state of another device, such as the operational state of another server that is associated with server 208. Operation 1106 specifies a second aspect to the control dataset 110. Each control attribute 600 can be specified with a control range 602 that can be used as inputs for a control algorithm. 108 is a component of control policy 106. You can define specific geospatial coordinates, a set of users, a time of day and/or the functional state of different servers that are working with server 208. Operation 1108 deposits control dataset 110 in node 100. This can be done by, for instance, adding control dataset 110 to a sector of a hard drive and/or a memory adress associated with other sectors and/or addresses where data from the node 100 are stored. A database management system API may handle physical storage.

Operation 1110 is a first component of a control policy 106. It specifies one or more conditionals 112 to compare an input from the control data 110 with a second input from context data 114. Operation 1112 is a second aspect to a control algorithm 106. It specifies the first input for each one or multiple conditionals 112 and selects one or several control attributes 600 from the control dataset 202. As shown in FIG. 800A, an example of this is operation 800A. 8 A device_type attribute can be selected that corresponds to the 600 device_type attribute in the control dataset 110. Operation 1114 is a third aspect in a control algorithm 108. It specifies the second input for each conditional 112 by selecting one of the contextual attributes from the contextual dataset for each conditional 112. As shown in operation 800A FIG. 8 The device_type attribute could be chosen based on the 700 device_type attribute in the state dataset.202. As shown in FIG. 8 shows that a device_type in the state dataset 110 might need to be within control value range 602 (which specifies a range device types). The conditional may also require that the device_type in the state dataset 110 is not within the control range 602 (202 that specifies the range for device types). Opera 1112 could also specify a different value for the first input from the context data 110. The control algorithm 108 may also hard-code the first and/or second inputs. As shown in FIG. 800A, an example of this is the if operation 800A. 8 may define a conditional that requires that the geospatial_x coordinate of the state dataset 110 be greater or equal to a value in the control algorithm (108, such as?40.452000). Boolean logic, such as AND or OR, may be used to link the one or more conditionals 112 in operations 1110 and 11.12.

Operation 1116 deposits control algorithm 108 in node 100. Operation 1118 specifies a program 204 for whom the control algorithm 108 is applied as the second component to the control policy106 when an authorization request (206) generated by the program 204 has been evaluated. However, in one or more embodiments, the control algorithm 110 does not need to be specified for any application program 204. A different process on the server 200 could determine which control algorithm is applicable and/or the only control algorithms 108 may apply to all instances.

“FIG. “FIG. 12 is a flow diagram of a control policy execution. It shows a process through which the control policies of FIG. 1 can be used to determine if the authorization request is in compliance with the authorized context according to one or several embodiments. Operation 1200 removes the state data 110 from authorization request 206. The authorization request 206 can be transmitted to server 208 via the network 201 using a protocol that carries data from the state dataset 110. From which, the state dataset 110 could be extracted. Operation 1202 determines the applicable control algorithm (108) that will be used for determining the authorized context. Operation 1202 could determine, for example, that a particular control algorithm 108 can be used to run a given application programme 204. Other factors, such as the application program 204, may also be used to determine which control algorithm 108 is applicable. For example, a user’s location 200 or 200 could be used. Operation 1204 extracts all required external values 706 from the external dataset. The server 208 can retrieve external values 706 from another node 100 in the datastore 214 or from a third party API. Operation 1206 extracts a component of the control policy (106) from security node 102. The security node 102 may contain the control dataset 110, which acts as the ‘terms? The component may also contain the control dataset 110 acting as the ‘terms?. Both components can be extracted. The security node 102 includes a control algorithm 110 that acts as both the terms and conditions. The security node 102 may contain the control algorithm 108. If the security node does not contain the control data 110, the control dataset can be extracted. A standardized control algorithm (108) may then be used.

Operation 1208 is used to assemble the context dataset 112, which will be used as inputs for the one or more conditionals 112 of the control algorithm. 108. The context dataset 112 is assembled using any data required by the control algorithm 110 from the state dataset 200 and the external dataset 220. The context dataset 114 is assembled using any specified control values 602 and the control algorithm108. Operation 1210 then assembles control policy 106 to authorize request 206 for use of protected resource 104 by the security node.102 by the device 200. Operation 1212 executes one or more conditions 112 from the control policy (e.g. the one or two conditionals 112 in the control algorithm 108) to determine if the authorized context exists. Operation 1212 determines if the context dataset 112 and the device 200 are in the authorized context as defined by control policy 106. Opera 1216 creates an error message to determine if they are not in the authorized context and sends it back to 200. If so, the operation takes other actions that deny the use of protected resource 104 like logging a failed authorization request. Operation 1218 allows the device 200 to use the protected resource 104 if the authorized context has been found in the device 200. FIG. FIG. 18 shows that the control algorithm (108) and/or control policy (106) may also have additional outcomes, such as authorizing a portion of the protected resource 104 or authorizing a subset of nodes 100 that are shielded from the security node 102.

“FIG. “FIG. 13 is a control process flow 1350 that illustrates a basic process through which one or mode conditions may evaluate inputs from context dataset 114 or control dataset in order to authorize the use of protected resource according to one or more embodiments. Specifically, FIG. 13 shows a strait ?range checking function? Used to determine whether the values associated with four state attributes 700 are within the control value ranges 602 defined in control dataset 110. Operations 1212, 1216, and 1218 could operate in a similar way to those shown in FIG. 12. One or more of the conditionals 112 may be used to specify each of operations 1300-1306. 1300 is a conditional check to see if a device 200 is being used (e.g. as part of the state dataset 110). It is specified by a number of the one or more conditionals 112. Operation 1302 checks if a location, such as a geospatial address, is within the control value range 602 or coordinates of the control dataset 110. Operation 1306 also checks the time of the authorization request. 206. If one of the control algorithms 108 finds that the context dataset’s value is outside the appropriate control range 602, the control algorithm 110 proceeds to deny the use of protected resource 104 through operation 1216. If each of the 600 values in the state dataset 200 falls within the appropriate control value range 602, then operation 1218 authorizes the use of protected resource 104.

“FIG. 14 is a control process flow 1450 that illustrates a more complex process where one or more conditionals can evaluate inputs from both the context dataset or the control dataset in order to authorize the use of the protected resources, according to one or several embodiments. FIG. 108 shows the control algorithm. 14 can be used to create control policies 106 for protected primitives 111, which are auto tracks. Operation 1400 checks if the 200-year-old user has ever listened to the audio track (e.g., used the protected primitive 111). If the number of uses exceeds one, operation 1400 authorizes protected resource 104 through operation 1218. Any device 200, user 200 of the device 200, and/or application program 200 of the device 200 can be asked to purchase the song after a second authorization request (206) for the use of the audio track is sent to the server208. If the device is in Las Vegas, Nev., operation 1402 or operation 1404 can authorize the use of the audio track for up to five times. After submitting a sixth authorization request for the audio track, operation 1402 and 1404 will authorize the use of the audio tracks only if the 200-user is a fan. You can follow the artist on social media and/or provide additional support through social media. This information could be part of the context dataset 214, e.g., an exterior value 702, and can be drawn directly from the profile of the artist, fan and/or security node 102, any of which can be stored in the datastore 221 or another location accessible via the server 208. Additional processes can be performed after authorization of the protected resource. Opera 1208, for example, may increase a use statistic of an audio track.

“FIG. “FIG. FIG. 15 through FIG. 19 shows the security node in FIG. 1 in the semantic data structure described at FIG. 1.1A through FIG. 1.11. FIG. The domain structure 1.100 shown and described in FIG. Co-pending patent applications may disclose the domain structure 1.100 as well as the uses of the domain system 1.100. These applications could be filed by the same inventive entities or assignees to the current application. FIG. 199 shows a domain key 199 that can be used to illustrate domains using symbols. 1F. Referring to FIG. 1.1A to FIG. Before you review FIG. 15 to FIG. 15 through FIG.

“FIG. “FIG. 1. is a security domain, which is defined by FIG. 1.1A The security domain comprises a unique identification, a TY and NT elements, respectively. These elements contain the protected resource, one or more references from other domains, anXT element, the control data, and one or several control algorithms according to one or multiple embodiments. FIG. 1.500 is the security domain. 15. The security domain 1.500 of FIG. 1.3. The security domain 1.500, which is also a relationdomain 1.300, may be represented by a circle with three smaller circles. This circle is surrounded by a shield symbol according to key 1.199. 1.1E. FIG. 15 could function in the same way as FIG. 102B’s security node. 3. However, it may have additional features or the domain structure 1.100.

“The security domain 1.500 includes a unique identifier. This enables the security domain 1.500 to be uniquely addressed within the datastore 214. It also contains three primary elements. The identity element (TY) 1.502 contains one or more attribute value pairs. These pair can be used to identify the security domain 1.500, and/or distinguish it from any other node 100 or domain 1.100 in the datastore. The content element (NT elements) 1.502 contains one or more attribute value pairs that contain the 1.530 contained data that the security domain 1.500 has. The context element (XT) 1.504 contains one or more attribute value pairs. These include contextual data 1.540 which further defines the security domain 1.500. Important to remember that FIG. 15. is different from the context data 114 of FIG. 1. The TY element 1.502 could contain the hastory 1.524, which provides a block-chain security system. FIG. shows and describes the use of the 1.524 hastory. 1.1 and can be described in conjunction with FIG.

“The security domain 1.500 can be referred by one or more domains 1.100. For example, the unique identifier 1.501 may be used as a value for a referential attribute. The domain 1.100A refers to the FIG. security domain 1.500. 15. Another domain 1.100, such as the owner domain 1.400, could own security domain 1.500. Protected resource 104 may include one or more of the attribute value pairs or any other data from the security domain 1.500. FIG. FIG. 15. 15 shows an example of such an attribute-value pair. In the embodiment of FIG. 1) may be designated the protected referent.107 To effect the reference, the domain ref 1.534 could use the UID 1.101 from the domain 1.100B. FIG. 15. may be called a shield domain, and 1.100B as shielded.

“One or more components (e.g., control algorithms 108A-108N or control dataset 110) may be stored in security domain 1.500. The components of the control strategy 106 may be stored in a discrete element (e.g. the security sub-element 109 of the XT elements 504. FIG. 1.1E, the security sub-element 109 and included data may form a plurality of entity-sub-entity-attribute-value ?quadruplets? Similar to the 1.146 application sub-element.

“FIG. FIG. 16 is another example for the security domain. 15 includes a primitive data, which is the protected primitive, and a control dataset that will be used as a primary component of the control strategy along with the control algorithm stored at a location outside the security domain like the server. According to one or more embodiments. FIG. 16. may represent an instantiation not only of the domain structure 1.100, but also of the subject domain 1.200. This is shown and described in conjunction to FIG. 1.2. The security domain 1.500, which is also a subjectdomain 1.200, may be represented by a triangle enclosed by a shield symbol according to key 1.199. 1.1E. FIG. 16. may function in the same way as FIG. 102’s security node 102. 2, but with additional features and/or structures of the domain structure 1.100. FIG. 16 could function in the same way as FIG. 2. However, the domain structure 1.100 has additional features and structure.

“While it is similar to FIG. 1.500’s security domain, 15. The security domain 1.500 in FIG. 16 contains as protected resource 104, the protected primitive 112 rather than the protected reference 107. The primitive data 1.105 or 1.205 may be protected primitive 111, as shown in FIG. 1.1A and FIG. 1.2. 1.2. Another embodiment of security domain 1.500 includes a protected resource104, which contains both protected primitives 112 and protected referents 110.

“One of the advantages of the domain structure 1.100 (see FIG. 1.1A is an ability to define derivative-representation structures that enables efficient selection of domains 1.100 within a datastore (e.g., the datastore 214) as shown and described in conjunction with FIG. 1.11. 1.11. This derivative-representation data structure may also be used to effect increased security of the datastore 214 and control over data resources while still allowing the kinds of data and/or types of data resources that are within the datastore 214 to be represented and/or depicted to users (e.g., users of the device 200) without disrupting or disorganizing the underlying data organization. An application program 204 might be able to populate the GUI view with representation views for song art or album covers while also controlling audio track data (e.g. protected primitive 111). The node 100 and/or the domain 1.100, which contain data related to the album cover as well as the audio track, may also be closely linked and organized within datastore 214. This can include discrete security features.

“To this architecture, the security domain (e.g. the security domain 1.500 in FIG. FIG. 1.5) is also added to this architecture. 17. FIG. 17 is a derivative-representation-security structure illustrating use of the security domain 1.500 to establish different levels of control for different resources, including relatively lenient controls for utilization of a representation domain along with relative stringent controls for the derivative domains and a subject domain of FIG. 1.2 according to one or several embodiments. FIG. 17 shows that the stack domain 1.800, which is a relationship between one of more object domains 1.700, may be referred to as the derivative domain 1.1100A. The stack domain 1.800 could also refer to a subject domain 1.200C (e.g. the subject domain 1.200C containing data (e.g. an image as primitive 1.205C that represents or?depicts? The relationship between object domains 1.700. The subject domain 1.200C can also be called a representation domain (e.g. the representation domain 1.1101A).

“The application program204 may query datastore214 for the stack domain 1.800. The server 208 can traverse security domain 1.838.2 to security domain 1.500A, acting as a shield domain protecting the representation domain 1.1101A. The component of control policy 106A associated to the security domain 1.500A can be evaluated. If the authorization context is found to permit the use of subject ref.1.336 (e.g. protected referents 107 and 107), then the server 208 can traverse subject domain 1.200C to the primitive 1.205C. This primitive 1.205C may be used within the GUI of application program 204. The user can choose one of the objectdomains 1.700 after the primitive 1.1205C has been displayed by the user and/or application program 204. The server 208 can then traverse to the security domain 1.500B from the security ref 1.838.1. The application program 204 may then use the object ref.1.334 to traverse to the object domain 1.700B. FIG. 1.700 is the object domain. 17. is a relationship between data to be primarily processed by the application program (e.g. the subject domain 1.200A which is the derivative domain.1.1100C) or a representation of data to primarily be processed (e.g. the subject domain.200B which is the representation domain.1.1101A). The FIG. 1.700 object domain is different from the stack domain 1.800. 17. may have its representation domain (1.1101B) unprotected by an instance the security domain 1.500. The image and/or any other file depicting the derivativedomain 1.1100C can be returned without delay triggering the control policy.106C However, authorization request 206 may be made for the derivative domain.1.1100C. This authorization request will traverse security ref.1.738 to securitydomain 1.500C which shields the derivativedomain 1.1100C. Once the authorized referent 107 from the security domain 1.500C has been utilized by the application program204 that generated the authorization request206, subject ref.1.734 can be returned to 200 via the network 201 to form another authorization request206 and/or used by the server208 to traverse non-hierarchical data structures 216 to the derivativedomain 1.1100C.

“The subject domain 1.200A could be both the derivative 1.1100C (e.g. because it contains data that must be primarily processed by the application program 204) or the security domain 1.500D (e.g. the control policy 106) triggering a new instance 106 (e.g. the control policy 6106D not shown). This will secure the primitive data 1.205A and protect primitive 111. FIG. 17 is the protected primitive data 1.205A, which is the protected resource 110 that is protected by the control policy. 106D.”

“The data structure as defined by domain structure 1.100, and the embodiments shown in FIG. 1.1A to FIG. 1.11 can also be used to fine-tune control the type of data returned from each domain. For example, the control policy 106 may allow certain elements, sub-elements and/or attributes to be authorized for a domain. To illustrate, FIG. FIG. 18. illustrates a control algorithm process flow 1850. It shows how one or more conditionals may be used to define a fine-grain authorization, such as for a specific element in the domain structure of FIG. 1.1A according to one or several embodiments. FIG. FIG. 18 shows, for instance, how an internet service streaming 3D printing CAD files to businesses for on-site production can be controlled. Operation 1212 executes one or more conditions 112 of control policy 108 when an authorization request 206 is received at server 208. Operation 1800 can evaluate the state dataset 200 to determine if an email domain associated with an authorization request 206 of the user is within the control range 602 of control dataset 110. Operation 1802 will generate an error message if the authorization request 206 is not from an enterprise that has been approved or added to the control dataset 110. If the email domain falls within the control range 602 for the email domain attribute 600 then operation 1804 will determine if the requested email address is within the control range 602 for the email address attribute 600 in the control dataset 222. Operation 1806 may allow the use of a referent attitute 107 that specifically refers to the TY element 1.102 in an instantiation domain structure 1.100. The authorization of only the TY element 1.102 could allow a user identify the domain structure 1.100 and/or model without having to be authorized to use the primary protected resource 104.

Operation 1808 can determine if the authorization request 206 was made during business hours. This is to verify that any CAD files used are not for personal use but only when the user has an authorized email address. Operation 1806 can generate a new use key to authorize the data in the TY element 1.102 at the instantiation domain 1.100. Operation 1810 checks if a 3D printer that was associated with authorization request 206 is in the control range 602 for the 600 time attribute. Operation 1812 generates a key for the NT element 1.103 in the instantiation the domain structure 1.100. The NT element 1.103 could contain, for example, the CAD file that is protected primitive 111. FIG. 18. may be found in an instance of security domain 1.500, which is a shield domain, where the protected referent 107 contains a direct reference to the TY element 1.102. In one or more embodiments, particular references of this nature may be achieved by using certain values of the ordered value store as shown in FIG. 1.1C. The embodiment of FIG. 18. may occur in the same way as FIG.

“FIG. 19 shows secure CAD file storage 1950, which includes CAD files and the corresponding representation images. The data structure comprises the instantiations from the domain of FIG. 1.1A The CAD file datastore that is secured by the instantiations the security nodes from FIG. 1.1A, and more specifically the security domains described in FIG. 15, and FIG. 16 The data structure that can be used by a cloud computing platform in order to stream CAD files to a manufacturing device, such as a 3D Printer, according to one or several embodiments.”

“In FIG. FIG. 19 shows a datastore, e.g. one or more instances the datastore 214, which includes domains 1.100 owned and controlled by distinct users. The user 1.2601A is the owner domain 1.400A, the user.2601B is the owner domain 1.400B, the user.2601C is the owner domain 1.400C, the user.2601D is the owner domain 1.400D, and the user.2601D the owner domain 1.400D. The machine-user who owns multiple representation domains 1.300 organizing relationships among the 1.100 domains owned by others may be called the owner domain 1.400A. The epi-collection 1.1000 may have relationships to multiple categories of additive manufacturing 1.2600. The collection 1.900 might hold relationships to medical devices 1.2602, while the stack 1.800 could have relationships for prosthetics 1.2604. Each owner may decide their own security for each domain 1.100. A particular instance of control policy 106 might require payment verification to allow access to the 3D mod file 1.2614 and/or use thereof. Any of the relation domains 1.300 may also allow security domains 1.500 to be used. The security domains 1.500A or 1.500B can be used to create stack domain 1.800 that contains references to prosthetics 1.2604, and before the device 200 and/or application program 204 requests. Each trigger control policy 106A and106B may be applied. Two instances of security domain 1.500 can be used to logically seperate different types of authorization requests 206 (e.g. requests from web traffic and requests from an instance of the device 1.200 which is a 3D-printer). In some other embodiments, however, a single instance from the security domain 1.500A could handle both streams of authorization request 206. This may allow for the identification of which control algorithm (108) applies to which program 204.

“In FIG. 19. The stack 1.800 refers to a CAD file that contains a prosthetic leg 1.2606, which is owned by the owner domain 1.400B. The object domain 700A is a relationship between subject domain 1.200A and a 3D file 1.2608A (e.g. a primitive 1.205A). 2.260A subject domain containing a 2D representation 1.2608A. This may include, for instance, a rendered image from a fixed perspective of the 3D file. The 1.2601B user may create security domain 1.500C shielding topic domain 1.200A, and security domain 1.500D protecting subject domain 1.200B.

“Similarly, stack domain 1.800 could also include a reference to object 1.700B. The ornamental modification 1.2612 to the prosthetic leg 1.2606 may be 1.700B. To add ornamentation to the 3D file 1.2608, you can use the 3D mod file 1.2614. An application program could load the 3D file 1.2608 to apply the modifications specified in the 3D modfile 1.2614. Contrary to the prosthetic leg 1.2606, ornamental modification 1.2612 may include a 3D representation 1.2606. This may enable a user to rotate menu items to inspect ornamental features or an industrial design. While subject domain 1.200C can be protected by the user 1.2601C, security domain 1.500E may not be used. FIG. 19. may not protect the subject domain 1.200D, which is the 3D representation 1.2616 from the 3D modfile 1.2614 contained within the subject domain 1.200C. The application program 204 may be able to allow Subject domain 1.200D to be shielded. This will enable the program 204 to have more access and/or easier use of the 3D representation 1.2616.

“Shown by two vertically dashed lines, object domain 700A or 700B may contain contextual referents to one another (e.g. through the NT elements 704A, 704B). An application program may be able to identify a mod in the datastore to the prosthetic leg 2606 by using a first contextual reference. A second contextual reference may be found in object domain 700B-700A, which may enable an application program find the original file (e.g. 3D file 2608) that is modified by the 3D mod 2614 file. Moreover, the relation domains 1.300 and 1.200 of FIG. 19. may contain contextual references to any instance 1.500 of the securitydomain 1.700A, as shown between security domain 1.500E and object domain 1.700A.

“Stack domain 1.800 can refer to object domain 1.700C, which may contain an optimization path 1.2618 (as subject domain 1.200E for the 3D modfile 1.2614) and a photo representation (as subject domain 1.200F). This may be, for example, a photo of the 3D printing machine for which the optimization path 1.2620 is intended. An analogous to the context references between objectdomains 1.700A & 1.700B, contextual refers may be made between objectdomains 1.700B & 1.700C to give an application program instant access at related resources.

FIG. 2 shows the data structure that is associated with domain 1.100. It may contain the security node 100 or the control policy 106. 1.1A to FIG. 1.11. FIG. FIG. A datastore could be composed of data organized and stored in one or more instances within the domain 1.100. Each domain 1.100 can be used to model an object or?thing? in real life. Each domain 1.100 may be used to model a real-world object or?thing, such as a file (such a document, audio track, image or DNA sequence), a message (such a person or machine), or log file. The datastore could be made up of instantiations from the domain 1.100, which are used to model and/or store a particular kind of data. FIG. 1 shows a subject domain 1.200. 1.2 is a fundamental instantiation (domain 1.100) that may contain a bit of?subject? data that can be used by an application program to provide data resources. A subject domain 1.200 may contain an audio file, video file, piece of clinical data or a scientific dataset. It can also include a message or an architectural rendering. FIG. FIG. You can use the relation domain 1.300 to create relationships between domains 1.100. Similarly, FIG. FIG. 1.4 illustrates an instantiation for the domain 1.100, which can be used as a user of datastore 1.100. 1.5 illustrates an instantiation the domain 1.100, which can be used to store data from a control policy (such as a database) that limits access to or uses of data in the datastore. The present drawings might show an instance domain 1.100.

“The domain 1.100 could be composed of a unique identification 1.101 (also known as the UID 1.101), three primary elements: 1.102 (which can be referred as the T element 1.102), 1.103 (which can be referred as the NT element 1.103), 1.104 (which might be referred as the context element 1.104), and 1.104 (which can be referred as the XT element 1.104). The primary elements can be called?the elements? or?an element? individually. Each element organizes data in a specific arrangement according to properties and/or characteristics. For example, the data can be used to identify domain 1.100 or the domain 1.100. Or the data might help establish context for domain 1.100. Each element may contain data using one or more attributes-value pairs. Each pair is made up of an attribute 1.106, and a value 1.107. Each value 1.107 can have a field that is set to a common type of data, such as a float or integer, or a binary big object (BLOB). Attributes 1.106 can establish structure between the domains 1.100. This disclosure, including the accompanying figures, uses the abbreviation?ref? The abbreviation?ref? is used throughout this disclosure, including the accompanying figures. References are often drawn from one domain 1.100 or another domain 1.100. FIG. FIG. The figures do not include the associated values 1.107 for the attributes 1.106 in the present embodiments. Aspects of the various embodiments, which include attributes 1.106 or values 1.107, are obvious to those skilled in the art. These aspects, as well as other aspects, are not labeled in the drawings or accompanying text after FIG. 1.1A through FIG. 1.1E.”

“Each element in the domain 1.100 is composed of a particular set of data that can improve storage efficiency and query efficiency through uniform syntax, semantics. Unique identifier 1.101 makes it possible to address the domain 1.100 within the datastore. The UID 1.101 could be a value of 1.107 that has a very low chance of appearing twice in the same datastore. The UID 1.101 could be a string of random alphabetic characters that is thirty or more long. One preferred embodiment of the UID 1.101 is an internationally unique identifier that ensures each domain 1.100 will be unique in comparison to other domains 1.100 in any datastore. This includes datastores operated by different organizations. Another preferred embodiment may refer to an attribute 1.106 which references an instance from a different domain 1.100 (e.g. domain ref 1.22, owned ref 1.134), and have a value 1.107, which is the UID 1.101 for a different domain 1.100. An application program may be able to address the domain 1.100 by using the UID 1.101 value 1.107.

“The TY element 1.102 contains identification data 1.20 that can be used to identify a specific domain 1.100 and distinguish it from any other domain 1.100 in the datastore. An application program or the person running the program may use the identity element 1.102 data to identify the specific domain 1.100 and/or any data contained in the domain 1.100. The data usable to label domain 1.100 could be, for instance, the name of the specific domain 1.100, which can either be user-defined or automatically generated using an application program. Data usable to label domain 1.100 could be, for example, “Stairway To Heaven?” If the domain 1.100 has an audio track, or?IMG_00045 when the domain 1.100 contains a digital photo, or ?1.2015-June_ClinicalTrials? When the domain 1.100 contains clinical data.”

“Identification data 1.20 could also contain data that can be used to distinguish the specific domain 1.100 from other domains 1.100 in the datastore. This data is used to identify the domain 1.100 and a particular relation 1.100. If the domain 1.100 includes data about a periodic table element then the identification data 1.20 could include a number protons. (Remember that the unique number of protons determines the species of the chemical elements such as fluorine or tin. Another example is that the domain 1.100 may contain data about a chemical compound. The TY element 1.102 could include unique electromagnetic radiation absorption values. Radiation absorption values can be used as a signature by chemists to identify the model compound in the domain 1.100. Attributes that can be used as a “primary key” are generally accepted. In other data models, such as the relational model, for a group related data, they may also be used in identification data 1.20.

“The distinguishing information may also include data that isn’t unique in the datastore, but has a low expected incidence. The distinguishing data could be, for example, a time stamp indicating the date at which domain 1.100 was created or modified. For example, domain 1.100 may store a daily report on oceanographic activity. Domain 1.100 may store a stock trade statistic that generates a real-time statistic with a millisecond accuracy. The distinguishing data may also include attributes 1.106. If combined, the distinguishing data can include attributes 1.106 that are usable to identify the domain 1.100 from all other domains 1.100 in the datastore. The identification data 1.20 could contain attributes 1.106, even though the 1.107 value of an attribute 1.106 is unlikely to be unique within the datastore. However, the 1.20 identification data may include attributes 1.106 that when combined (e.g. two, three) can be used for the specific domain 1.100. It is possible, for example, that the application program does not use the owner or the time stamp to label the domain 1.100. However, the combination of owner and time stamp is used by the application program to identify the domain 1.100. A property or relation that has a low frequency within the datastore may be used to distinguish data. A domain 1.100 that models a person might have a unique relationship to a domain 1.100 that models a biological father (perhaps via a?bio_father?) Attribute 1.106 in the identification data 1.20. FIG. 1.1E.”

“The hastory 1.124 contains a hashed history transaction records. Each transaction record refers to one or more transactions in the which the domain and/or data of a participant (e.g. the primitive 1.131). A?controlled identity’ may be created by the hastory 1.124. The domain 1.100 is located within the datastore. It is based on an immutable chain block (the chain block is shown in FIG. 1.1, five illustrative transaction record T1 through T5. A sequence of blocks may be included in the hastory 1.124. Each block contains a transaction record from a previous transaction. A hash function can generate a block’s hash value using inputs that include a prior hash value from a block and a transaction record for a block. The root hash is unique within the datastore results. It depends on the order of sequential chains and the data contained in each block. A hash function can be a cryptographic function or algorithm that converts data into a string of other data, such as alphanumeric characters. The hash function can also be used to map digital information of any size to digital data with fixed sizes. A small change in input data results in a significant difference in output digital data. You can implement the hastory 1.124 as a Merkle tree or a hash chain and/or a list.

“A genesis block that initiates the hastory 1.124 may be the first block in the sequential chain. The transaction record may include data one or more of the attribute-value pairs for the TY element. For example, the transaction record 2.1.303A could contain data such as an email address or biometric information. A new transaction record can be generated if the domain 1.100 with the hastory 1.124 takes part in an interaction. This could include an interaction with an application program or a different domain 1.100 in the datastore. The transaction record can be deposited in a new block of the sequential chain of blocks for the hastory 1.124. The root hash from the hastory 1.124 can then be recalculated using a hash function (e.g. SHA256 algorithm). This hash function uses inputs which include the new block in the hastory.124 of the specific domain 1.100. The domain 1.100’s controlled identity evolves, and can be distinguished from the copy of domain 1.100 which contains similar data, but has different transaction histories. The evolved domain 1.100 could be unique in the datastore and may also have an auditing record of all transactions it participated in.

A data storage system may be able to retain uniqueness in a datastore, which could allow it to identify processes that can distinguish domains 1.100 from others. A method could then be used to control the copying of domain 1.100 so that an original and a copy are identified. In the same way, ownership can be determined and transferred in a separate set of bits that make up an instance of domain 1.100. The hastory 1.124 can be used in conjunction with patent applications and/or co-pending patents by similar inventive entities and/or common assignees.

“The NT element 1.103 contains contained data 1.130 which the particular domain 1.100 includes. The contained data 1.130 could contain data that is physically or logically contained. Relationship (e.g. domain 1.100 which specifies an industrial component that is an assembly in which each. Data that is physically contained (also known as embedded data? Data that is directly or proximate to the specific domain 1.100 may be stored in a physical storage device. Data that is contained in the domain 1.100 might be stored at a memory address near other memory addresses that contain the data structure of the domain 1.100. Both the contained data 1.130 and the domain 1.100 could be stored on the same sector of the hard disk. However, data that is physically contained by the domain.100 could include a reference (e.g. domain ref 1.134 to a physical location like a memory address that holds the data that is technically contained by the domain.100).

“Where the domain 1.100 contains a fundamental data piece within the datastore the contained data 1.130 could be primitive data 1.105. FIG. 1.1A is the primitive 1.131 attribute 1.106. The primitive 1.131 attribute 1.106 value 1.107 may be a string if the domain 1.100 has a message, or a BLOB if the domain 1.100 has an image file. The contained data 1.130 could also refer to a memory address that contains the primitive data 1.105 (the memory address in FIG. 1.1A is the primitive ref 1.132 attribute. A pointer may also refer to the reference to the memory address. One or more embodiments embed a small amount of primitive data 1.105 in the domain 1.100 (e.g. 1.140 alphanumeric character, a sequence of 1.3000 base pair DNA sequences), while a larger instance of primitive data 1.105 can be referenced through primitive ref 1.132, (e.g. a genome).

“Rather than containing a primitive, the particular Domain 1.100 could also contain a reference (shown in FIG. 1.1A is the domain ref 1.134. One or more references may be subject to an architectural constraint so that data structures constructed from instances of domain 1.100 refer to each other according to a specific arrangement. These architectural constraints can be used to create data structures that reflect or enforce certain types relationships (e.g. a container), modeled using a directed-acyclic graph architecture 1.600 (see FIG. 1.6. FIG. 1.7 to FIG. 1.11.”

“In addition to referring an instance of domain 1.100 through domain ref 1.134 the particular domain.100 could refer to another instance of domain 1.100 that represents or depicts the specific domain 1.100 (shown at FIG. 1.1A is the representation ref 1.136. This representation can be used to help the user select the specific domain 1.100 or another instance from the domain 1.100 that this particular domain 1.100 contains. FIG. will show and describe representation domains that are instantiations from the domain 1.100. 1.11 and other embodiments.”

“The content element 1.103 may include multiple instances of the primitive 1.131 or primitive ref 1.132, domain refer 1.134 and/or representation rep 1.136. In one or more preferred embodiments, the real-world objects that are modeled by the domain.100 are reduced to relatively simple units. The instantiations from the domain 1.100 assume specialized roles, reflecting the nature of these basic unit. FIG. 1.200 shows the subject domain. FIG. 1.2 contains, in one or several preferred embodiments, a single primitive (referred to in FIG. 1.2 as primitive data 1.205). Similar to FIG. According to some preferred embodiments, 1.9 contains within the NT element 1.903 reference to two or more stackdomains 1.800. The collection domain 1.900 may reflect the real-world relationship between the two or three stack domains 1.800. This allows the data structure to express the relationship rather than the software code which may try to create relationships.

“The XT element 1.104 contains contextual data 1.140 which further characterizes the specific domain 1.100. The context data 1.140 could include data about how the specific domain 1.100 is used and/or examples of the domain 1.100. The XT element 1.104 could be a repository for any additional data that isn’t used to identify domain 1.100 via the TY element 1.102. It may also contain any data that the domain 1.100 doesn’t contain within the NT elements 1.103. Attributes 1.106 with values 1.107 may be included in the XT element 1.104. These attributes have a high probability of appearing more than once in the datastore. An example is the attribute 1.106 ‘color? The value 1.107 ‘green? could be an attribute. The value 1.107 green could be an indication that many domains 1.100 are part of the datastore. The XT element 1.104 could contain statistical data, such as the number of times data from domain 1.100 have been accessed or used.

“The XT element 1.104 can also contain one or more context-sub-elements. The legacy sub-element 1.144 can be used to store metadata and legacy information from an original file placed in the domain 1.100. A sub-element called an application may contain data about the use of domain 1.100 by one, or more, application programs. In conjunction with FIG. 1.1E.”

“The data structure according to domain 1.100 can be stored in the memory using physical storage technology, which may also be called a physical layer or an internal schema. FIG. FIG. 1.1B shows a representation for a linear memory storage in the domain of FIG. 1.1A may be stored directly in RAM or a memristor according to one or several embodiments. Each element in the domain 1.100 can have an element ID associated with one or more attribute/value pairs. The TY identifier 1.161 and the NT identifier 1.162 may indicate the start of the respective elements in the memory. The elements in an instance of domain 1.100 can occur in any order, regardless of which storage layer they are stored on. When referenced, the primitive data 1.105 may be stored at a memory location that is not in the domain 1.100. If embedded, the primitive data 1.105 may be stored in association with the primitive attribute 1.131 (not shown in FIG. 1.1B) after NT identifier 1.162. A solid-state drive (SSD), may also be used as a linear memory. A memristor (also known as a memory resistor) may be used in the linear memory. A linear memory could also be a physical storage device that stores quantum bits (also known as qubits).

Summary for “Control over data resource usage through a security policy control policy evaluated in context of an authorization request.”

“The datastore could contain data resources that are proprietary or confidential and/or private. These data resources could include financial information, confidential communications, electronic medical records, trade secrets, and/or private communications. Protected resources are data resources that have been secured by a security system. A security system might require that a user be authenticated before they can access the datastore, and/or authorise them before they can use one or more protected resources in the datastore. An authentication process is used to validate that the user is real (e.g., verify the user’s identity), and the authorization process is used to verify that the user has the right to access the datastore. You can access a protected resource (e.g. download a video, view user information, or download a document). The computing processes of the security systems may have to interact directly with the data structure in order to control the datastore’s data resources.

The security system’s characteristics and/or architecture may be determined by the particular data structure that was used to implement the datastore. An example of a traditional hierarchical data structure that could be used to implement a datastore is the classic hierarchical file system. A hierarchical file system could include a hierarchical structure, which may be stored at a particular location (e.g. a first server or section of a hard disk) and an access list, which may be stored at a different location (e.g. a different data structure in another sever, or section of the hard disk). Access control lists may be used to specify who and/or what devices can access which data resources. Without looking at the access control list from the outside location, it might be difficult to see how each piece is protected when referencing the data structure. It may also be difficult to see the contents of protected resources when you examine the access control list.

“As your datastore grows in size, it can become more difficult to use an external system to determine which protected data resources and/or permissions are associated with each protected resource. There may be mistakes in the security measures defined within the datastore. The external system may require additional computing resources to be managed and used. The external system may not be able to be updated automatically or programmatically, which could prevent the security system’s ability to scale to meet the high demand of datastore users.

The organization may grant permissions to groups due to the complexity and/or overhead involved in maintaining and establishing associations between the external system (such the access control list), and protected resources in the datastructure of the datastore. The security system can be used to create a group of users to whom permissions for a particular set of data resources will be granted. A user in the group might be granted access to data that is not necessary for their purpose. This could increase security risks to the organization, such as if they lose their identity credentials or take actions that are against the interests of the organization. The user could also feel inconvenienced if they have to use a protected resource that is in another group.

The security system may not have the necessary capabilities to protect and control the confidential and private data stored in the datastore. An authorization process might provide access control that is based on user identity and access time. It may also include a limited set of permissions, such as read, write and delete permissions. To define permissions over data resources within the databasestore, the security system might also use systems that are external and separate from the datastore. This system can be complicated and difficult to scale.

“Disclosed” are a method and a device, as well as a system for controlling data resource usage through a security policy. This information is evaluated in the context a authorization request.

“In one embodiment, computer-implemented methods for controlling data resources of datastores include traversing a referent attribute a first node in a non-hierarchical structure that references a security node. A security node contains a protected resource that is either a protected primitive or a protected referent that refers to a second non-hierarchical node. A device sends an authorization request for the use of the protected resource. The authorization request includes a state dataset, which contains one or more state attributes and each of their state values.

Refer to “A control policy that defines an authorization context in which the device can use the protected resource from the security node.” This control policy contains one or more conditionals that compare a control range to a context that is the state attribute of one or more states and/or an external value associated in some other way than the authorization request.

“The control range for each one or more conditionals specifies the location of a computing devices, the number of uses of protected resource, the type of use and/or the duration of use data of protected primitive. Each of the one or two conditionals’ context values specifies the location of a computing device, the number and type of uses of protected resource, as well as the duration of data use.

“The control algorithm for the control policy is extracted form the security node. Each context value specified by the control algorithm are retrieved from a contextual dataset that is the state data set including every instance of the state value, and/or an external dataset including every instance of each external value. Each condition of the control algorithm is evaluated to determine if the context dataset conforms with the authorized context. When the device determines that the context dataset is compatible with the authorized context, authorization is granted for the security node to use it.

The security node in the non-hierarchical structure may contain the control policy. An external value may be retrieved either from a memory address or a function call. A value retrieved via an application programming interface (API), one or more datastore nodes, or a second state dataset from another device.

The security node can organize data according to a domain that includes an unique identifier (UID), which allows the security node to be uniquely addressed within the datastore. It also contains an identity element (TY) element. The identity element contains one or more attribute value pairs. These pair include identification data that can be used to identify the security node as well as distinguish it from other nodes within the datastore. A security node can also organize data according a domain structure. This includes a content element, (NT element), that contains one or more attributes-value pairs and contained data. Additionally, a context element (XT elements) has one or more attributes-value pairs that contain contextual data that further characterizes security node.

“Another embodiment includes a plurality nodes within a nonhierarchical information structure. The non-hierarchical structure is defined by at least one node and includes a nonhierarchical reference for another node. Each node in the plurality is defined by a node schema that includes an identifier, (ID), which allows the node to be referenced by at most one of the plurality or nodes. A referent attribute also references at least one other node from the plurality.

“The plurality includes a security Node of the non-hierarchical Data Structure, the security Node defined by node structure, and further includes a protected resource secured under a control Policy. The control policy defines an authorized context in which the protected resource can be used. It also allows for the evaluation of a context dataset that is associated with an authorization request for a device.

The context dataset is located at a state dataset that contains a state value of each one or more of the state attributes associated to a device’s state at the time of authorization request generation. An external dataset also includes an external value for each one or more external attribute associated with the source other than the authorization request. One or more conditionals of the control policy include a control algorithm that compares a first input, which is the state value one or two state attributes and/or an external value one or several external attributes, with a second input, which is a different state attribute, an external value of one/more external attributes, and/or control value range.

“Another embodiment of a system includes both a datastore, and a server. The datastore contains a plurality nodes of a nonhierarchical structure. At least one of these plurality nodes defines the non-hierarchical structure. It also includes a nonhierarchical reference for another of the plurality. Each node in the plurality is identified by a node schema that contains an identifier of a particular Node, which can be referenced by at most one of the plurality or nodes. A referent attribute also references at least one other Node from the plurality.

“The datastore contains a security node from the non-hierarchical structure of data, as defined by the node structures. A protected resource that is protected by a control policy establishes an authorized context in which the protected resource can be used. The control policy can be used to evaluate the context dataset associated to an authorization request for a device in relation with the authorized context. The context dataset includes at least one of two types of state datasets: one that includes a state attribute for each state attribute associated with the state of the device at the generation of the authorization requests and one that contains an external dataset with an external value for each one or more attributes associated with the source other than the authorization request.

“An instance from the control value range for each of one or more conditionals specifies the location of a computing devices, the number of uses of protected resources, the type of protected resource use, and/or the duration of use. One or more conditionals in a control algorithm of the control policies compare a first input which is either an instance or the state value of any one or many state attributes or an instance or the external value one of one or several external attributes with a second input that’s a control value range.

A server is composed of a processor and computer-readable memory. Instructions are included in the computer-readable memory to: (i), receive the authorization request from the device; and (ii), evaluate the context dataset associated to the authorization request with control algorithm to determine authorization for the protected resource.”

“Disclosed is a method, device, system, and/or a manufacturing of control over data resources utilization through a security policy control policy evaluated in context of an authorization request. While the examples of embodiments in the present inventions are specific, it is obvious that many modifications and changes can be made without departing from their wider spirit and scope.

“FIG. “FIG. Specifically, FIG. FIG. 1 contains a set 100A through 100C, an identifier 101A through 101C for each set of 100, a security 102B that instantiates node 100B, and a security 102C that instantiates node 100C, two node reference 103.1A, 103.2A, and two security node references 105A and 100C, two instances of protected resource, the protected node 10102B, and two control algorithms 110B, 108C and 102C respectively, two control data 114; two sets of conditionals 112B, 112B and 112B, and 112B, and 112B, and 112B, and 112C and 112B, and 112B, and 112B, and 112B, and 112C context dataset 114 Additionally, FIG. FIG. 1 also includes: a device 200, a network 200, a state dataset 200, an application program 200, and an authorization request 206 of the device 200. A server 208 comprises one or more processors, one or two physical memories 212, and datastore 214. An external source 218 and an external dataset 220 are both non-hierarchical data structures 216.

“FIG. 1. shows a system network with a data structure that can control a resource (e.g. the protected primitive 11C, a protected referent107B pointing at node 100C containing protected primitive 11C), using one or more security nos 102. A data resource is an individual piece of data or a portion thereof that can be used as a resource in an application program. A data resource could include a file or a record, as well as a message, a message and/or other media, such music and video. A data resource could include a user profile, which may contain a list of attributes and values that hold information about a person. A data resource could also include a section of the user profile, such as an attribute-value pair that specifies a person’s social security number. Another example is an audio file. This could be an MP3 or AAC file and/or a section of the audio file. The data resource can also include a streamed portion, such as a 30-second-long section, to a device. The protected resource 104 is a data resource that is protected by a security program, such as one that requires authentication and/or authorization prior to usage.

“The device 200 contains a processor and a memory that runs the application program 204. It is stored in the memory 200. Device 200 could be a computer or smartphone, tablet, or piece of hardware that is Internet-enabled (e.g. an ‘internet of everything?). device), a computer-aided manufacturing device (e.g. a 3D printer or CNC mill, a laser cutter, and/or another server. The device 200 is not shown but includes one or more processors and one to several memories. Through the network 201, the device 200 can be communicatively connected to the server 208. The network 201 can be either a wide-area network (WAN), local area network, or the Internet. Any software or set of computer-readable instructions can be used by the application program 204. This includes protected primitive 111C. The application program 204 could be, for example, a social media app. On a 200-inch smartphone, the application program 204 can be a social media?app? The application program 204 can also use protected resource104 without actually using it. For example, the program may transfer control of protected resource104 to another use in the datastore 214. The server may periodically send the device 200 data, such as images, music, and/or text files to be used by its application program 204. This could include data that can be used to populate the device’s graphical user interface 200, or to use resources from the datastore 214. Each request can be in the form of an authorization request 206. This request is generated by the device 200, and sent over the network 201 directly to the server. 208

“The authorization request (206) may contain a variety data, including a credential or other data that identifies a user of a device. The authorization request (206) may also contain the state dataset (202) associated with the state of device 200 at generation. This data could include a time, date, type of device 200 and/or location of device 200. FIG. 2 illustrates an example of the state dataset 202. 7 may be used as a source for data in the context dataset (114) and could therefore be used to determine authorization requests.”

“In general, datastore 214 consists of a plurality stored nodes of data (e.g. the nodes 100), that may each act in a resource role by one or several application programs (e.g. the application program 204) and located on one or two devices 200. Each node 100 can contain one or more attribute/value pairs. Additionally, each node 100 could model a real-world?thing? Or a?object. A number of nodes 100 can even model relationships among or between other nodes 100. FIG. 100A is an example of this. One may be used to represent a relationship between two nodes 100. This is done by referencing each other node using the node references 103.1A or 103.2A. Node reference 103.1A could point to node 100C. However, node reference 102A may point at a different node (not shown here). 1). Referential attribute value (e.g., node reference 103.1A or 105A, protected referent 107B etc.). The ID 101 of the referenced nude. The nodes 100 could be found in a non-hierarchical structure, which includes non-hierarchical reference between nodes 100. 5. Some nodes 100 can return data resources to the device 200 free of charge, while other nodes are security nodes (e.g. the security node 102) that may trigger an evaluation (e.g. the control policies 106B or 106C). This will determine if the 200 is authorized to use the protected resource 104B from the node 100.

This article will describe a specific set of authorization requests 206 from the device 200 to access data of multiple nodes 100 of datastore 214. The ID 101A may be used by the device 200 to request data from the node 100A. The device 200 might receive the first data, the node number 103.2A. This may allow the device 200 to request the node 100D (not illustrated) that is identified by the 103.2A. The node 100D could include an image or a sound file representing data in node 100 (e.g. the node100C) reached via the node number 103.1A. Node 100C may be referenced by node 103.1A. Node reference 103.1A can be controlled and therefore secured, unlike node 103.2A. associated with security reference 103.2A. Instead of returning the value of 103.1A to device 200, the server 208 will return the value 105A pointing at the security node 101B.

“Each instance triggering the security node 102 may trigger the control policy 106. A security node is an instance of protected resource 104, and one or more components from the control policy. The protected resource 104 can be stored at a particular location, such as a security element 109. Even a single attribute/value pair or an entity in a block may be covered by the control policy 106. According to one or more embodiments, either of these could be protected resources 104. Protected resource 104 could be a protected reference 107B, which includes data that can be used to refer to another node 100 in the datastore. 214 Protected resource 104 could also include the protected primitive (?BLOB?) 111, which is, for instance, a binary large objects (?BLOB?) It is used to store primitive data, and/or files of any MIME type within the node 100. An instance of the securitydomain 102 may have one or more protected referenceents 107B, one, or more protected primitives 112 and/or an additional protected resource104 stored in the attributes and values of security domain102 (e.g. any attribute-value pair within a data node can be designated as protected resource by control algorithm 108). FIG. 2 shows additional examples of protected resource 104. 17- FIG. 19.”

“In FIG. 1. The security node 102B includes the protected resource 104B, which is the protected referent of 107B, and the component of control policy 106B, which is the control algorithm number 108B. Security node 102B also contains an ID 101B that allows other nodes to reference the security node 2102B (e.g. the node 101A). The protected referent (108B) is data that can be used to refer to another 100 in the datastore 214, and more specifically, FIG. 1 The protected referent is a security security reference 105B to security number 102C. Security node 2B protects data that is required by application program 204 to reach the protected primitive 111C security node 102C. Security node 2B can also be called a “shield node”. This hides from 200 a path that leads to one or more of the 100 nodes 100 that security node102B refers to using the protected reference 107B. “Shielded node” may refer to a node 100 that has been referenced by an instance 107B of protected referent.

The authorization request for protected resource104B by application program 204 is evaluated by control policy 106B at the security node 102B. The protected resource may be used for both server-side and device-side purposes. This could include traversal of a referent attribute by the server, transfer or sharing the protected resources 104 with another user, or access to the protected resources 104 so that the device 200 receives a data stream. A control algorithm 108 is the first component of control policy 106. It consists of one or more conditionals 112 which each compare at most two values. When evaluating control policy 106, the control algorithm 108 can be written in Turing-complete code and/or written in Turing-complete language. You may?hard-code? the values of one or more conditionals 112. The control algorithm 108 may be called using the context dataset 112 or 110. In either case, the control dataset 110 can be used to define the range of values that can be used as inputs for the control algorithm. When the control dataset 110 is used, it may form a second component to the control policy. A first conditional could compare geospatial coordinates (e.g. Las Vegas) to determine if the device 200 can be used in a specific location. The second conditional may be a comparison of two stock indexes that were inputs to the external dataset 220.

“A security node 102 instance generally stores control algorithm 108, control dataset 110 or both. The control algorithm 108 can be called?conditions? The control algorithm 108 may also be called?conditions?. the specific control policy 106. In some cases, however, the control algorithm may be used in isolation with all input ranges defined in the control algorithm.108 and not through separate definitions in the control dataset 110. The control algorithm 108 could be called both the “terms and conditions?” Control policy 106. FIG. 2 shows some possible configurations. 2, FIG. 2, FIG. 4.”

“The security node (102B) of FIG. 1 contains the control algorithm (108B) with one or more conditionals 112B. The authorization request 206 to use the protected resource104B is received by server 208. The server 208 extracts control algorithm108 from security node 102B and executes each conditional 112 of control algorithm108 to determine if the authorized context exists (e.g. client 200 uses protected resource104B in accordance with the?terms?conditions?). The control policy 106B. The one or more conditionals 112 inputs may include (1) the values of the context data 114, including the external and state datasets 220; (2) the values hard-coded in the control algorithm 110B and (3) the ranges of control dataset 110. The control policy 106B could be used to create an authorized context. It may require that the 200 device is located at the corporate headquarters of a company, (2) the values of the context dataset 114, and (3) the ranges of the control dataset 110. Therefore, the control policy 104 can be used to create arbitrarily complex control rules. These rules are stored in the datastore 214 and/or associated each piece of secure data. Any inputs to one or more conditionals 112 which require information that is not contained within the state dataset 200 may be obtained from the appropriate location in the control algorithm 110. An external value can be obtained from, for example, a memory address or function call. It may also be available from one or more datastores 214. A second state dataset may also be used to retrieve the value of the external dataset 220-, which is not the device 200 that issued the authorization request 206. As an example, the external API may be called from the external server 218, which is shown in FIG. 1. Before completing authorization, the control algorithm 108 or one or more conditionals 112 might wait for inputs like the electronic permission or an external value. The waiting periods for inputs may be as long or short as necessary, such as a second, one week, or one year.

The server 200 can determine whether the authorization program 204 for the device 200 authorizes the use of the protected reference 107B. In this case, the server 200 could return a value of protected referent (e.g., ID 101C) to device 200, and/or traverse protected referents 107B to node 100C, without sharing the value to device 200. This could result in the server 200 granting access to and/or using data from the referenced domain 100 to device 200, either as part of an authorization request 206 or as an additional instance of authorization request206.

“In FIG. “In FIG. Security node 101C contains the ID 101C, security sub-elements 109C, and an instance protected resource 104 which is the protected primitive 112C. The security node102C can trigger the second instance of control policy 106 or control policy 106C. The control dataset 110C is stored in the security node. This control policy forms the second component of control strategy 106C. Contrary to the control policy, 106B, control policy, 106C may store control algorithm 108C elsewhere than the security node. (e.g. in a different node 100, in the memory 221 of the server 200 and/or in another server that is accessible by the 200). The control algorithm, 108C, may be as flexible as the control algorithms 108B. However in some embodiments, the control policy 106C may store the control algorithm 110C outside the security node 100 of the datastore 214. 1. This standard algorithm, for example, can determine if each value in the context dataset 112 falls within any of the ranges stored in security node 102C. This may result in a relatively standard control policy that may only have minor variations from the control dataset 110. In FIG. FIG. 1 shows that each one or more conditionals 112C in the control algorithm 108C can determine whether each context dataset 114 is within a control range of one or several attributes of control dataset 110C. FIG. shows an example of such a range checking instance of the control algorithm 110C. 13. The control policy 106C can be defined using the control data 110C stored in security node 102C. A standard instance of control algorithm 108C may also be stored outside security node 101C. This will allow the owner of security node 2102C or protected primitive 111C, to quickly and easily determine the authorized context and modify it without having to change the control algorithm.

The server 208 extracts protected primitive 112C from the device 200. This allows the 200 and/or 200-specific application programs 204 to use the protected primitive 112. The protected primitive 111C could be transmitted over the network 201 to device 200 (e.g. a music file that can be played on a smartphone), the protected prima 111C may then be transferred to a new owner within datastore 214 (e.g. a private key associated to a cryptographic currency value), and/or the protected primitive 111C delivered to a specific application program of device 200 that can monitor the use of protected primitive 111C via the application program 204. The control policy 106C may also be used to monitor the use of the protected primitive 112C. This policy includes data that can be used to define?use terms. The use policy can be described and shown in conjunction with other patent applications filed by a similar inventive entity or common assignee. The server 208 can also make changes to datastore 214 when the protected resource is utilized by device 200. This may include incrementing a use statistic, changing control algorithm 108C or changing an attribute of the security node 2C, creating auditing logs and/or updating the analytics processes.

“A single authorization request (206) is shown that requests both the protected resources 104B, and 104C. However, these requests can be distinct (e.g. an authorization request of 206A and request 206B). “In such cases, one or more conditionals 112B and one or more conditions 112C could use different instances of context dataset 112 (e.g., context datasets 114A and 112B generated for each authorization request 206A and206B).

“FIG. 2. illustrates a first instance of a security network that stores a protected resource. It includes a file, a control policy, and a first component, which is a control algorithm stored in another location. A second component, which is a control data set stored within the security network, provides inputs for a set conditionals for the control algorithm according to one or several embodiments. FIG. FIG. There may be different instances of control algorithms 108A to 108N depending on the application program 204A to 204N that generates the authorization request 206.

“In FIG. 2. Security node 102 includes the ID 101 and a contained data 116, which include the protected primitive 110 and security element 109 that comprises the control dataset 110. The authorization request 206 may be generated by device 200 using one of the applications programs 204A through204N. The authorization request 206 could include the node ID 101 and the state dataset 022. The server 208 could retrieve the security node 101 from the datastore214 (not shown at FIG. 2), and extracts control data 110 from security node 102.

“In FIG. 2. Each application program 204 may be able to generate a separate instance 106 of security node 101. The control dataset 110 may remain the same for authorizations 206 of any application program 204A to 204N, but each authorization request from an application program 204A to 204N may trigger analysis using another control algorithm.108 (e.g. the control algorithm 110A through 110N). The security node may contain a description of a specific control algorithm (108) that is applicable to a specific application program 204A through204N. One or more conditionals 112A in the control algorithm 110A might check that each context value of the context dataset114 is within the control range of each control value range of control dataset 110. The control algorithm 108B, however, may only require two of six context values from the context dataset 112A to fall within the control ranges of control dataset 110. FIG. FIG. 2. Application program 204A generates authorization request 206. Security node 102 then calls control algorithm 102A. This is stored outside of security node 101. The control policy 106 to authorize request 206 from application programme 204A consists of two components: the control dataset 110 and the control algorithm 108A.

“In one preferred embodiment the security node (102) of FIG. 2, may be used to create a default data structure or system for protecting data resources in the datastore 214. The shield nodes can provide flexible controls for accessing and/or using the security node (102C) of FIG. 2 (or security nude 102C in FIG. 1). The control policy 106, which was formed from the control dataset 110 and a relatively static control algorithm of 108, may be a baseline or default control that secures the protected primitive 111, regardless of any control policies 106.

“Additionally as shown in FIG. 2. The protected resource 104 can be stored in a discrete component of the security node102, such as contained data 116. One or more embodiments may contain an instance of the contained information 116 at each node 100, which could include the protected resource, protected referent, 107, protected primitive 111 and/or any other unprotected resource.

“FIG. “FIG. The shield node stores several instances of protected resource 104 (e.g. the protected resources 104.1A through 10.4n). These protected referents are 107 that refers to?shielded nosdes. FIG. 208 is the server 208. 1. Extracting the control dataset 110B as well as the control algorithm 108B from the shield node according to one or several embodiments. FIG. FIG. 3 shows a further set of control algorithms, 108A through108N, stored in the security node (102B).

“The shield node is an instance security node 102 that contains one or more protected referents107 referring to one of many different nodes 100, which are referred to here as?shielded nosdes. FIG. 2 shows the security node, 102B. 3. may be used to provide flexible control policy106 for controlling and/or regulating data within any node 100 that is referenced by the shield notde. The node 101B can be used as an intermediate 100 between the node 100A, the shielded 100C and the node 100A that may contain protected primitive 111. The shield node can trigger the examination of the context data 114 when it is called, and/or a refer to the security node102 is traversed in response one or more authorization requests 200. You can define shield nodes throughout the datastore 214. They may also be added to different configurations to achieve different functionality. You can place several shield nodes in succession (e.g. forming a reference-chain using protected referents 107) and each shield node must be owned by a different user. This ensures that each user has satisfied the control policy 106 to traverse to security node 101.

“FIG. “FIG. In FIG. FIG. 4 shows a security node 104.1C which contains a protected attribute 401, a protected resources 104.2C and 107.1C respectively, as well as a protected primitive 111C. While the security node 101A may shield the security node, 102C is also referenced by 100B which is not an instance security node. Security node 100B also refers to shielded node 101D and shielded 102E, which may be shield nodes. Protected referents 107.1C (107.2C) are also used. Security node 100C could be both a shield and shield node. Security node 102C could also contain a series of control algorithms 108A to 108N that may be applied to different instances of the application programs 204A through204N which generates the authorization request number 206. Control algorithms 108A through108N may not include any ranges that can be used to compare to the context dataset 114. They may not refer to an instance of context dataset 110. Protected attribute 401 can be any attribute-value pair, including the following: a time when the security notde 102C was created; a reference to the owner of security node 102C; a reference a user profile that owns security node 101C; a use statistic for security node 100C or any other nodes 100C shielded by security node 122C; etc.

“FIG. FIG. 5 shows some aspects of the non-hierarchical data structures stored in FIG. 1 includes several types of non-hierarchical reference and shows instances of the security nude within the nonhierarchical datastructure that can be used to store one or multiple components of the control policies, according to one or many embodiments. One non-hierarchical 502 reference is a feature of the non-hierarchical structure 216. Non-hierarchical references 502 are a type that point from one node toward another node in the data structure. This is non-hierarchical refer 502A. This happens when a node 100 is one number away from the root and a second 100 is another number away from the root. Non-hierarchical refer 502 also includes a reference in which a node 100 has been referred to by more than one other node, as illustrated by non-hierarchical refer 502C. Another type of non-hierarchical 502 is when a node 100 refers to another node 100 which is lateral in the data structure. Non-hierarchical 502C illustrates this. These lateral references can also occur when one node 100 refers to another node 100 that’s equidistant from the root node. The non-hierarchical data structures may also include multiple roots, which can each provide entry points into the data structure via the server 108. For example, the root node 500A or 500C.

“In one or more embodiments, a non-hierarchical graph data structure is a graph structure that includes the nodes 100 as verticles connected with directed edges. Directed edges can form a directed-acyclic graph architecture as illustrated and described in conjunction. 1.6. The non-hierarchical data structures 216 could still contain hierarchical elements. The non-hierarchical data structures 216, for example, may contain a single root with multiple levels of relationships. The non-hierarchical structure 216 can move from the root node through a number of nodes that represent relationships and/or category before reaching resources like files and documents.

“The non-hierarchical structure of the data may permit security nodes 102, such as shield nodes, modification and/or removal without affecting the architecture or rules of the data structures and the applications that interact with them. FIG. FIG. The protected resource (104B) of security node 102B is one example of protected referents107 that refer to nodes 100C and 100D. Security node 52H is a shield-node that includes protected referents 107H and security node 102J, as well as a non-secured reference, node reference 100H, which is also known by representation node 504K. A representation domain 504K could contain a data resource, such as an image that can be used to represent data within security node 102J. This may help a user of application program 204 make a selection. Security node 102J and representation node 504K may be part of a derivative-representation domain structure as shown and described in conjunction with FIG. 1.11. 1.11. Security node 102I, acting as a shield, may restrict access to data in node 100L. Any one of the 100 nodes in the non-hierarchical structure 216 (FIG. 5, may be converted to instances of the security nude 102 or converted back into nonsecurity nodes. Additional nodes can be added between any nodes 100 by changing a refer structure.

“FIG. FIG. 6 shows the control dataset for FIG. 2 (also known as a “terms”? 2 (also referred to as a?terms?) is a set control attributes that can be used to create an authorized context for the control policy. Each control attribute has a specific control value range that can be used to input the control algorithm according to one or more embodiments. Specifically, FIG. FIG. 6 shows an additional control attribute 600 and a control range 602. The control dataset 110 includes one or more control attributes 600, which can be called by an instance the control algorithm108 for one or multiple control value ranges 602. FIG. FIG. 6 shows the control dataset 110 being associated with a node 100 that stores a CAD data file that can be used by the 200-based 3D printer. To ensure that the CAD files are used within an organization, there may be restrictions. The?Email_domain could be an example. Attribut 600 could contain an array with email domains, as one instance in the control value range 602. The ‘Day? Attribut 600 could contain an array of every day of the week (here Monday through Friday), forming another instance in the control value range 602. Control algorithm 108 can use any one of the control ranges 602 for inputs. It may also include a?range-checking function. As discussed above, it determines whether each value in the context dataset 112 is within the corresponding control range 602 (e.g. whether the time in state dataset 202.2 is within the control range 602). The security sub-element 110 could contain the control dataset 110. The security sub-element 109, the attributes 600, and the control value range 602 may be in the form of an entity-attribute-value triplet which may allow for efficient query or retrieval of all data relevant to the control policy 106. Similar to the above, a security node 100 and/or 102 can be implemented in FIG. 1.1, the security sub-element may form a sub-entity within the NT element 1.103 and/or the XT element 1.104 of the domain 1.100, which may for an entity-sub-entity-attribute-value quadruplet.”

“FIG. FIG. 7 shows two components of FIG. 1 is evaluated by the control policy. It includes the state dataset for a device’s state at the time of the authentication request. 2 contains an external dataset from another source, according to one or several embodiments. FIG. FIG. 7.7 further illustrates a state attribute 700 and a state value 702, as well as an external attribute 704 and an external value 706. The state attribute 700 and the external attribute 704 can be called context attributes, while the state value 702 and the external value 706 could be called context values.

“The state dataset 202 values 706 may be used in one or more conditionals 112 to the control algorithm 108. The state dataset 200 includes one or more state attributes 700, and state values 702 which include data associated to a state of device 200 at the generation of the authorization request.206. The state dataset 202, for example, may be generated before (e.g. a few milliseconds or a second, or a minute) authorization request 206 is generated. One or more embodiments of the state dataset 200 are continuously and/or regularly updated in the device 200. A?snapshot?” is also available. The authorization request 208 transmits the state dataset 200 to the server. The device 200 may generate the state dataset 202 and transmit it to the server using a communication protocol (e.g. HTTP). The server 208 can also add data to state dataset 202 such as the time that authorization request 206 was received by server 208. It may also convert units (e.g. converting geospatial coordinates between a longitude/latitude and a Cartesian). FIG. FIG. 7 illustrates examples of state attributes 700, and state values 702 which may be part of the state dataset 202. Examples include an?Application Attribut 700 generated the authorization request206 (e.g. the application program 204) and an?Email. attribute 700 containing an email address and a?User ID? of a user of application program 204. Attribut 700 indicating a User ID?, a Time? attribute 700 – a ‘User ID?, a?Time? Attribut 700, a device ID. A?device ID? (e.g., the operating system of device 200) and geospatial coordinates. Security features like the 700 hash state attribute and/or veracity of state datasets 202 could also be included in the state dataset. Each instance of the program 204 and each type of device 200 may have their own state datasets 202. These are sent with authorization request 206. Each state dataset 202 contains a different set 700 of state attributes and 702. A 3D printer might send data about the current configuration of materials loaded into it, while an autonomous vehicle instance 200 of the device 200 could send data about its current velocity.

“FIG. 8 is an example of a Turing Complete Expression 850 of control algorithm 108. 2 that allows flexibility in the control policy, 106 for securing protected resource 104. This is the Turing complete expression from FIG. 8 that includes an if operation 800 and a then operation 802, as well as an else operation 804, depending on one or more embodiments. Specifically, FIG. FIG. 8 illustrates two if operations 800A, 800B, and three then operations 802A, 802C, as well as an else operation 804. Each operation is written in pseudocode. This may be a notation that resembles a simplified programming language and used in program design. The if and else operations 800 may contain one or more conditionals 112 from the control algorithm 108.

“In FIG. 8. The if operation 800A first determines if geospatial data from the state dataset 200 fall within a specified range for x and y values. The if operation 800A also compares device_type (e.g. the type of device 200) with the os_type state values 702 in order to determine if they are included in the control value range 602 from the control dataset 110. The if operation 802A also determines whether an authorized user is an executive. This can be done by retrieving an external value 706 from the user’s profile, which may be stored in the datastore 214. Alternately, the user could have the executive range but a permission token issued by the server208 or another system. The then operation 802A authorizes the use of protected resource 104 in the security domain 102 via the application program 200 of the device 200. If operation 800B can be used if the requirements of if operations 800A are not met. Executives may receive an error message from the then operation 802B asking them to use the protected resource 104 at their location. If the requirements for if operation 800A or 800B are not satisfied, then the else operation 804 might return a message saying?Sorry? not authorized. Turing-complete expression of control algorithm 108 could be used to describe complex control. It is part of control policy 106.

“FIG. “FIG. 2 (including the if, the then, and the else operations) according to one or several embodiments. FIG. 9 shows the embodiment. 9 may be used to define an authorized context for accessing and using a medical record. For example, an X-ray (or magnetic resonance image) (MRI), could be defined by control algorithm 108. Contrary to FIG. Contrary to FIG. 8., an instance of control dataset 110 is not called by or used in the control algorithm.108 of the embodiment. 9. A if operation 900A specifies a number conditionals 112, such as first requiring re-authorization by the requesting user (e.g. through the?user.reauth?? command). To return True, type if operation 900A. The if operation 900A can then be used to determine whether a user profile includes a?radiologist’. The state dataset 202 may extract the list of approved IP addresses from which the use request 206 is derived. This information will determine whether the classification is correct and whether the use-request 206 is valid. If both the IP address and the classification are available, the if operation 902A can request affirmative permission from the patient or their general practitioner. The then operation 902A will authorize authorization if all requirements are met. The then operation 902A can also specify data to be assembled?use terms. For example, the user may view the medical record for up to two hours. They can also take as many screenshots as they like (e.g. all screenshot capabilities are enabled with a value?1?). You may communicate the use terms to the device 200. A data stream may also be temporarily stored in the memory of device 200. Its use can be monitored by one or more of the processes on the device 200.

“If the conditions 112 of the then operation 900A are not satisfied, the if operations 900B may be executed to determine if permissions have been granted affirmatively by the patient and the general practitioner. The then operation 902B may specify more restrictive use controls. For example, the requesting user can only use the medical records for a quarter of an hour before they need to be re-authorized. Any screenshots taken during use will cause the medical record to be terminated as it is being monitored by an application program on the device 200. If neither the conditionals 112 or 200B of the if operations 900A are met, the else 904 returns an error message in the then 902C. The control policy 108 in FIG. 9 may provide a flexible access policy. This policy could either require that an authenticated medical specialist has access to the medical records or that the patient and a general physician of the patient agree to allow the requester access. This could improve the security of datastore 214 by ensuring that users are granted access to the appropriate information.

“FIG. “FIG. Operation 1000 traverses the referent attribute (e.g. the node-reference 103) of a first security node. This security node includes a protected resource (e.g. the protected resource 104) and/or a referent attributes node referring back to a second security node (e.g. a protected reference 107). Operation 1002 receives a authorization request (206) from a device 200 to utilize the protected resource 104. The authorization request (206) includes a state dataset (22) that contains one or more state attributes 700, each of which has a state value 702 and is associated with the state 200 at the time of the authorization request (206). Operation 1004 refers to a control policy (106), which defines the authorized context in the 200-device 200 can use the protected resource. Optionally, the control policy 106 could include a first component which is a control algorithm 110 and a second component which is a controlling dataset 110. FIG. 2 shows some configurations for the storage of control algorithm 108, control dataset 110. 2, through FIG. 3. Based on the authorization request 206 generated by an application program, Operation 1006 determines the applicable control algorithm 108. Sometimes the control algorithm 108 can be applied to multiple instances 204 of an application program. In other cases, multiple control algorithms may apply to a single application programme 204.

Operation 1008 extracts control algorithm108 from security node102. The control algorithm108 includes one or more conditionals 112. Each compares a first input which is a context with a second input that’s a different context and/or a control range 602 of control dataset 110. The control algorithm 108 can be extracted from another location than the security not 102. This is where the security not 102 contains the control policy 106 or the control dataset 110. Operation 1010 retrieves every context value specified by the control algorithm108 and assembles control policy 106 using the control dataset 110, and the control algorithm108. Operation 1010 can pause to collect all the context values before it continues. Operation 1012 determines if the context dataset conforms with the authorized context. It does this by evaluating each one or more conditions 112 of control algorithm 108 together with each context value in the context dataset and each control range 602 from the control dataset that were specified as inputs for the conditionals (e.g. the one or two conditionals 112). Operation 1014 allows the device 200 to use the protected resource104 of security node102 when it is determined (e.g. by an outcome from the one or more conditions 112) that the context data conforms with the authorized context (e.g. the authorized context as defined by control policy 106). The protected resource may be used to deliver data directly to the device 200 in certain cases, while in others the protected resource can be used in another process (e.g. server-side processes of the server 208) associated to the user of device 200. The protected resource 104 could be “utilized” in the following example. The device 200 can deliver the protected resource 104 to another user, or change the attributes and/or value of the data node 102.

“FIG. “FIG. 11” is a security policy and control policy flow that illustrates a process by which the security policy, protected resource and control policy can all be defined according to one or more embodiments. Operation 1100 selects the node 100 from a non-hierarchical database structure 216. The ID 101 may be used to identify the node 100. If the node 100 is part of a domain 1.100 then the UID 1.101 from the domain 1.100 may be used to select the node 100. As shown in FIG. 1.1. Operation 1102 denotes a portion of the contained data of the node 100 as a protected resource. 104 One or more of the attribute-value pairs that hold any type of data can be selected as the protected resource. 1.1) file of any MIME type that the node 100 has. This may be called the protected primitive 112. The protected resource 104 may also include an attribute-value pair, referred to here as the referent attribut 107 that contains a reference 100 to which the node selected for operation 1100 will protect. Operation 1104 is the first aspect of control dataset 110. It defines a control policy 110. This operation specifies one or more control attribute 600 that will be compared against the corresponding attributes in a context dataset (e.g. one or two state attributes 700, and/or one/more external attributes 704). Control attributes 600 could include attributes such as a geospatial coordinate and a user. They also may contain attributes about a stock price and/or the state of another device, such as the operational state of another server that is associated with server 208. Operation 1106 specifies a second aspect to the control dataset 110. Each control attribute 600 can be specified with a control range 602 that can be used as inputs for a control algorithm. 108 is a component of control policy 106. You can define specific geospatial coordinates, a set of users, a time of day and/or the functional state of different servers that are working with server 208. Operation 1108 deposits control dataset 110 in node 100. This can be done by, for instance, adding control dataset 110 to a sector of a hard drive and/or a memory adress associated with other sectors and/or addresses where data from the node 100 are stored. A database management system API may handle physical storage.

Operation 1110 is a first component of a control policy 106. It specifies one or more conditionals 112 to compare an input from the control data 110 with a second input from context data 114. Operation 1112 is a second aspect to a control algorithm 106. It specifies the first input for each one or multiple conditionals 112 and selects one or several control attributes 600 from the control dataset 202. As shown in FIG. 800A, an example of this is operation 800A. 8 A device_type attribute can be selected that corresponds to the 600 device_type attribute in the control dataset 110. Operation 1114 is a third aspect in a control algorithm 108. It specifies the second input for each conditional 112 by selecting one of the contextual attributes from the contextual dataset for each conditional 112. As shown in operation 800A FIG. 8 The device_type attribute could be chosen based on the 700 device_type attribute in the state dataset.202. As shown in FIG. 8 shows that a device_type in the state dataset 110 might need to be within control value range 602 (which specifies a range device types). The conditional may also require that the device_type in the state dataset 110 is not within the control range 602 (202 that specifies the range for device types). Opera 1112 could also specify a different value for the first input from the context data 110. The control algorithm 108 may also hard-code the first and/or second inputs. As shown in FIG. 800A, an example of this is the if operation 800A. 8 may define a conditional that requires that the geospatial_x coordinate of the state dataset 110 be greater or equal to a value in the control algorithm (108, such as?40.452000). Boolean logic, such as AND or OR, may be used to link the one or more conditionals 112 in operations 1110 and 11.12.

Operation 1116 deposits control algorithm 108 in node 100. Operation 1118 specifies a program 204 for whom the control algorithm 108 is applied as the second component to the control policy106 when an authorization request (206) generated by the program 204 has been evaluated. However, in one or more embodiments, the control algorithm 110 does not need to be specified for any application program 204. A different process on the server 200 could determine which control algorithm is applicable and/or the only control algorithms 108 may apply to all instances.

“FIG. “FIG. 12 is a flow diagram of a control policy execution. It shows a process through which the control policies of FIG. 1 can be used to determine if the authorization request is in compliance with the authorized context according to one or several embodiments. Operation 1200 removes the state data 110 from authorization request 206. The authorization request 206 can be transmitted to server 208 via the network 201 using a protocol that carries data from the state dataset 110. From which, the state dataset 110 could be extracted. Operation 1202 determines the applicable control algorithm (108) that will be used for determining the authorized context. Operation 1202 could determine, for example, that a particular control algorithm 108 can be used to run a given application programme 204. Other factors, such as the application program 204, may also be used to determine which control algorithm 108 is applicable. For example, a user’s location 200 or 200 could be used. Operation 1204 extracts all required external values 706 from the external dataset. The server 208 can retrieve external values 706 from another node 100 in the datastore 214 or from a third party API. Operation 1206 extracts a component of the control policy (106) from security node 102. The security node 102 may contain the control dataset 110, which acts as the ‘terms? The component may also contain the control dataset 110 acting as the ‘terms?. Both components can be extracted. The security node 102 includes a control algorithm 110 that acts as both the terms and conditions. The security node 102 may contain the control algorithm 108. If the security node does not contain the control data 110, the control dataset can be extracted. A standardized control algorithm (108) may then be used.

Operation 1208 is used to assemble the context dataset 112, which will be used as inputs for the one or more conditionals 112 of the control algorithm. 108. The context dataset 112 is assembled using any data required by the control algorithm 110 from the state dataset 200 and the external dataset 220. The context dataset 114 is assembled using any specified control values 602 and the control algorithm108. Operation 1210 then assembles control policy 106 to authorize request 206 for use of protected resource 104 by the security node.102 by the device 200. Operation 1212 executes one or more conditions 112 from the control policy (e.g. the one or two conditionals 112 in the control algorithm 108) to determine if the authorized context exists. Operation 1212 determines if the context dataset 112 and the device 200 are in the authorized context as defined by control policy 106. Opera 1216 creates an error message to determine if they are not in the authorized context and sends it back to 200. If so, the operation takes other actions that deny the use of protected resource 104 like logging a failed authorization request. Operation 1218 allows the device 200 to use the protected resource 104 if the authorized context has been found in the device 200. FIG. FIG. 18 shows that the control algorithm (108) and/or control policy (106) may also have additional outcomes, such as authorizing a portion of the protected resource 104 or authorizing a subset of nodes 100 that are shielded from the security node 102.

“FIG. “FIG. 13 is a control process flow 1350 that illustrates a basic process through which one or mode conditions may evaluate inputs from context dataset 114 or control dataset in order to authorize the use of protected resource according to one or more embodiments. Specifically, FIG. 13 shows a strait ?range checking function? Used to determine whether the values associated with four state attributes 700 are within the control value ranges 602 defined in control dataset 110. Operations 1212, 1216, and 1218 could operate in a similar way to those shown in FIG. 12. One or more of the conditionals 112 may be used to specify each of operations 1300-1306. 1300 is a conditional check to see if a device 200 is being used (e.g. as part of the state dataset 110). It is specified by a number of the one or more conditionals 112. Operation 1302 checks if a location, such as a geospatial address, is within the control value range 602 or coordinates of the control dataset 110. Operation 1306 also checks the time of the authorization request. 206. If one of the control algorithms 108 finds that the context dataset’s value is outside the appropriate control range 602, the control algorithm 110 proceeds to deny the use of protected resource 104 through operation 1216. If each of the 600 values in the state dataset 200 falls within the appropriate control value range 602, then operation 1218 authorizes the use of protected resource 104.

“FIG. 14 is a control process flow 1450 that illustrates a more complex process where one or more conditionals can evaluate inputs from both the context dataset or the control dataset in order to authorize the use of the protected resources, according to one or several embodiments. FIG. 108 shows the control algorithm. 14 can be used to create control policies 106 for protected primitives 111, which are auto tracks. Operation 1400 checks if the 200-year-old user has ever listened to the audio track (e.g., used the protected primitive 111). If the number of uses exceeds one, operation 1400 authorizes protected resource 104 through operation 1218. Any device 200, user 200 of the device 200, and/or application program 200 of the device 200 can be asked to purchase the song after a second authorization request (206) for the use of the audio track is sent to the server208. If the device is in Las Vegas, Nev., operation 1402 or operation 1404 can authorize the use of the audio track for up to five times. After submitting a sixth authorization request for the audio track, operation 1402 and 1404 will authorize the use of the audio tracks only if the 200-user is a fan. You can follow the artist on social media and/or provide additional support through social media. This information could be part of the context dataset 214, e.g., an exterior value 702, and can be drawn directly from the profile of the artist, fan and/or security node 102, any of which can be stored in the datastore 221 or another location accessible via the server 208. Additional processes can be performed after authorization of the protected resource. Opera 1208, for example, may increase a use statistic of an audio track.

“FIG. “FIG. FIG. 15 through FIG. 19 shows the security node in FIG. 1 in the semantic data structure described at FIG. 1.1A through FIG. 1.11. FIG. The domain structure 1.100 shown and described in FIG. Co-pending patent applications may disclose the domain structure 1.100 as well as the uses of the domain system 1.100. These applications could be filed by the same inventive entities or assignees to the current application. FIG. 199 shows a domain key 199 that can be used to illustrate domains using symbols. 1F. Referring to FIG. 1.1A to FIG. Before you review FIG. 15 to FIG. 15 through FIG.

“FIG. “FIG. 1. is a security domain, which is defined by FIG. 1.1A The security domain comprises a unique identification, a TY and NT elements, respectively. These elements contain the protected resource, one or more references from other domains, anXT element, the control data, and one or several control algorithms according to one or multiple embodiments. FIG. 1.500 is the security domain. 15. The security domain 1.500 of FIG. 1.3. The security domain 1.500, which is also a relationdomain 1.300, may be represented by a circle with three smaller circles. This circle is surrounded by a shield symbol according to key 1.199. 1.1E. FIG. 15 could function in the same way as FIG. 102B’s security node. 3. However, it may have additional features or the domain structure 1.100.

“The security domain 1.500 includes a unique identifier. This enables the security domain 1.500 to be uniquely addressed within the datastore 214. It also contains three primary elements. The identity element (TY) 1.502 contains one or more attribute value pairs. These pair can be used to identify the security domain 1.500, and/or distinguish it from any other node 100 or domain 1.100 in the datastore. The content element (NT elements) 1.502 contains one or more attribute value pairs that contain the 1.530 contained data that the security domain 1.500 has. The context element (XT) 1.504 contains one or more attribute value pairs. These include contextual data 1.540 which further defines the security domain 1.500. Important to remember that FIG. 15. is different from the context data 114 of FIG. 1. The TY element 1.502 could contain the hastory 1.524, which provides a block-chain security system. FIG. shows and describes the use of the 1.524 hastory. 1.1 and can be described in conjunction with FIG.

“The security domain 1.500 can be referred by one or more domains 1.100. For example, the unique identifier 1.501 may be used as a value for a referential attribute. The domain 1.100A refers to the FIG. security domain 1.500. 15. Another domain 1.100, such as the owner domain 1.400, could own security domain 1.500. Protected resource 104 may include one or more of the attribute value pairs or any other data from the security domain 1.500. FIG. FIG. 15. 15 shows an example of such an attribute-value pair. In the embodiment of FIG. 1) may be designated the protected referent.107 To effect the reference, the domain ref 1.534 could use the UID 1.101 from the domain 1.100B. FIG. 15. may be called a shield domain, and 1.100B as shielded.

“One or more components (e.g., control algorithms 108A-108N or control dataset 110) may be stored in security domain 1.500. The components of the control strategy 106 may be stored in a discrete element (e.g. the security sub-element 109 of the XT elements 504. FIG. 1.1E, the security sub-element 109 and included data may form a plurality of entity-sub-entity-attribute-value ?quadruplets? Similar to the 1.146 application sub-element.

“FIG. FIG. 16 is another example for the security domain. 15 includes a primitive data, which is the protected primitive, and a control dataset that will be used as a primary component of the control strategy along with the control algorithm stored at a location outside the security domain like the server. According to one or more embodiments. FIG. 16. may represent an instantiation not only of the domain structure 1.100, but also of the subject domain 1.200. This is shown and described in conjunction to FIG. 1.2. The security domain 1.500, which is also a subjectdomain 1.200, may be represented by a triangle enclosed by a shield symbol according to key 1.199. 1.1E. FIG. 16. may function in the same way as FIG. 102’s security node 102. 2, but with additional features and/or structures of the domain structure 1.100. FIG. 16 could function in the same way as FIG. 2. However, the domain structure 1.100 has additional features and structure.

“While it is similar to FIG. 1.500’s security domain, 15. The security domain 1.500 in FIG. 16 contains as protected resource 104, the protected primitive 112 rather than the protected reference 107. The primitive data 1.105 or 1.205 may be protected primitive 111, as shown in FIG. 1.1A and FIG. 1.2. 1.2. Another embodiment of security domain 1.500 includes a protected resource104, which contains both protected primitives 112 and protected referents 110.

“One of the advantages of the domain structure 1.100 (see FIG. 1.1A is an ability to define derivative-representation structures that enables efficient selection of domains 1.100 within a datastore (e.g., the datastore 214) as shown and described in conjunction with FIG. 1.11. 1.11. This derivative-representation data structure may also be used to effect increased security of the datastore 214 and control over data resources while still allowing the kinds of data and/or types of data resources that are within the datastore 214 to be represented and/or depicted to users (e.g., users of the device 200) without disrupting or disorganizing the underlying data organization. An application program 204 might be able to populate the GUI view with representation views for song art or album covers while also controlling audio track data (e.g. protected primitive 111). The node 100 and/or the domain 1.100, which contain data related to the album cover as well as the audio track, may also be closely linked and organized within datastore 214. This can include discrete security features.

“To this architecture, the security domain (e.g. the security domain 1.500 in FIG. FIG. 1.5) is also added to this architecture. 17. FIG. 17 is a derivative-representation-security structure illustrating use of the security domain 1.500 to establish different levels of control for different resources, including relatively lenient controls for utilization of a representation domain along with relative stringent controls for the derivative domains and a subject domain of FIG. 1.2 according to one or several embodiments. FIG. 17 shows that the stack domain 1.800, which is a relationship between one of more object domains 1.700, may be referred to as the derivative domain 1.1100A. The stack domain 1.800 could also refer to a subject domain 1.200C (e.g. the subject domain 1.200C containing data (e.g. an image as primitive 1.205C that represents or?depicts? The relationship between object domains 1.700. The subject domain 1.200C can also be called a representation domain (e.g. the representation domain 1.1101A).

“The application program204 may query datastore214 for the stack domain 1.800. The server 208 can traverse security domain 1.838.2 to security domain 1.500A, acting as a shield domain protecting the representation domain 1.1101A. The component of control policy 106A associated to the security domain 1.500A can be evaluated. If the authorization context is found to permit the use of subject ref.1.336 (e.g. protected referents 107 and 107), then the server 208 can traverse subject domain 1.200C to the primitive 1.205C. This primitive 1.205C may be used within the GUI of application program 204. The user can choose one of the objectdomains 1.700 after the primitive 1.1205C has been displayed by the user and/or application program 204. The server 208 can then traverse to the security domain 1.500B from the security ref 1.838.1. The application program 204 may then use the object ref.1.334 to traverse to the object domain 1.700B. FIG. 1.700 is the object domain. 17. is a relationship between data to be primarily processed by the application program (e.g. the subject domain 1.200A which is the derivative domain.1.1100C) or a representation of data to primarily be processed (e.g. the subject domain.200B which is the representation domain.1.1101A). The FIG. 1.700 object domain is different from the stack domain 1.800. 17. may have its representation domain (1.1101B) unprotected by an instance the security domain 1.500. The image and/or any other file depicting the derivativedomain 1.1100C can be returned without delay triggering the control policy.106C However, authorization request 206 may be made for the derivative domain.1.1100C. This authorization request will traverse security ref.1.738 to securitydomain 1.500C which shields the derivativedomain 1.1100C. Once the authorized referent 107 from the security domain 1.500C has been utilized by the application program204 that generated the authorization request206, subject ref.1.734 can be returned to 200 via the network 201 to form another authorization request206 and/or used by the server208 to traverse non-hierarchical data structures 216 to the derivativedomain 1.1100C.

“The subject domain 1.200A could be both the derivative 1.1100C (e.g. because it contains data that must be primarily processed by the application program 204) or the security domain 1.500D (e.g. the control policy 106) triggering a new instance 106 (e.g. the control policy 6106D not shown). This will secure the primitive data 1.205A and protect primitive 111. FIG. 17 is the protected primitive data 1.205A, which is the protected resource 110 that is protected by the control policy. 106D.”

“The data structure as defined by domain structure 1.100, and the embodiments shown in FIG. 1.1A to FIG. 1.11 can also be used to fine-tune control the type of data returned from each domain. For example, the control policy 106 may allow certain elements, sub-elements and/or attributes to be authorized for a domain. To illustrate, FIG. FIG. 18. illustrates a control algorithm process flow 1850. It shows how one or more conditionals may be used to define a fine-grain authorization, such as for a specific element in the domain structure of FIG. 1.1A according to one or several embodiments. FIG. FIG. 18 shows, for instance, how an internet service streaming 3D printing CAD files to businesses for on-site production can be controlled. Operation 1212 executes one or more conditions 112 of control policy 108 when an authorization request 206 is received at server 208. Operation 1800 can evaluate the state dataset 200 to determine if an email domain associated with an authorization request 206 of the user is within the control range 602 of control dataset 110. Operation 1802 will generate an error message if the authorization request 206 is not from an enterprise that has been approved or added to the control dataset 110. If the email domain falls within the control range 602 for the email domain attribute 600 then operation 1804 will determine if the requested email address is within the control range 602 for the email address attribute 600 in the control dataset 222. Operation 1806 may allow the use of a referent attitute 107 that specifically refers to the TY element 1.102 in an instantiation domain structure 1.100. The authorization of only the TY element 1.102 could allow a user identify the domain structure 1.100 and/or model without having to be authorized to use the primary protected resource 104.

Operation 1808 can determine if the authorization request 206 was made during business hours. This is to verify that any CAD files used are not for personal use but only when the user has an authorized email address. Operation 1806 can generate a new use key to authorize the data in the TY element 1.102 at the instantiation domain 1.100. Operation 1810 checks if a 3D printer that was associated with authorization request 206 is in the control range 602 for the 600 time attribute. Operation 1812 generates a key for the NT element 1.103 in the instantiation the domain structure 1.100. The NT element 1.103 could contain, for example, the CAD file that is protected primitive 111. FIG. 18. may be found in an instance of security domain 1.500, which is a shield domain, where the protected referent 107 contains a direct reference to the TY element 1.102. In one or more embodiments, particular references of this nature may be achieved by using certain values of the ordered value store as shown in FIG. 1.1C. The embodiment of FIG. 18. may occur in the same way as FIG.

“FIG. 19 shows secure CAD file storage 1950, which includes CAD files and the corresponding representation images. The data structure comprises the instantiations from the domain of FIG. 1.1A The CAD file datastore that is secured by the instantiations the security nodes from FIG. 1.1A, and more specifically the security domains described in FIG. 15, and FIG. 16 The data structure that can be used by a cloud computing platform in order to stream CAD files to a manufacturing device, such as a 3D Printer, according to one or several embodiments.”

“In FIG. FIG. 19 shows a datastore, e.g. one or more instances the datastore 214, which includes domains 1.100 owned and controlled by distinct users. The user 1.2601A is the owner domain 1.400A, the user.2601B is the owner domain 1.400B, the user.2601C is the owner domain 1.400C, the user.2601D is the owner domain 1.400D, and the user.2601D the owner domain 1.400D. The machine-user who owns multiple representation domains 1.300 organizing relationships among the 1.100 domains owned by others may be called the owner domain 1.400A. The epi-collection 1.1000 may have relationships to multiple categories of additive manufacturing 1.2600. The collection 1.900 might hold relationships to medical devices 1.2602, while the stack 1.800 could have relationships for prosthetics 1.2604. Each owner may decide their own security for each domain 1.100. A particular instance of control policy 106 might require payment verification to allow access to the 3D mod file 1.2614 and/or use thereof. Any of the relation domains 1.300 may also allow security domains 1.500 to be used. The security domains 1.500A or 1.500B can be used to create stack domain 1.800 that contains references to prosthetics 1.2604, and before the device 200 and/or application program 204 requests. Each trigger control policy 106A and106B may be applied. Two instances of security domain 1.500 can be used to logically seperate different types of authorization requests 206 (e.g. requests from web traffic and requests from an instance of the device 1.200 which is a 3D-printer). In some other embodiments, however, a single instance from the security domain 1.500A could handle both streams of authorization request 206. This may allow for the identification of which control algorithm (108) applies to which program 204.

“In FIG. 19. The stack 1.800 refers to a CAD file that contains a prosthetic leg 1.2606, which is owned by the owner domain 1.400B. The object domain 700A is a relationship between subject domain 1.200A and a 3D file 1.2608A (e.g. a primitive 1.205A). 2.260A subject domain containing a 2D representation 1.2608A. This may include, for instance, a rendered image from a fixed perspective of the 3D file. The 1.2601B user may create security domain 1.500C shielding topic domain 1.200A, and security domain 1.500D protecting subject domain 1.200B.

“Similarly, stack domain 1.800 could also include a reference to object 1.700B. The ornamental modification 1.2612 to the prosthetic leg 1.2606 may be 1.700B. To add ornamentation to the 3D file 1.2608, you can use the 3D mod file 1.2614. An application program could load the 3D file 1.2608 to apply the modifications specified in the 3D modfile 1.2614. Contrary to the prosthetic leg 1.2606, ornamental modification 1.2612 may include a 3D representation 1.2606. This may enable a user to rotate menu items to inspect ornamental features or an industrial design. While subject domain 1.200C can be protected by the user 1.2601C, security domain 1.500E may not be used. FIG. 19. may not protect the subject domain 1.200D, which is the 3D representation 1.2616 from the 3D modfile 1.2614 contained within the subject domain 1.200C. The application program 204 may be able to allow Subject domain 1.200D to be shielded. This will enable the program 204 to have more access and/or easier use of the 3D representation 1.2616.

“Shown by two vertically dashed lines, object domain 700A or 700B may contain contextual referents to one another (e.g. through the NT elements 704A, 704B). An application program may be able to identify a mod in the datastore to the prosthetic leg 2606 by using a first contextual reference. A second contextual reference may be found in object domain 700B-700A, which may enable an application program find the original file (e.g. 3D file 2608) that is modified by the 3D mod 2614 file. Moreover, the relation domains 1.300 and 1.200 of FIG. 19. may contain contextual references to any instance 1.500 of the securitydomain 1.700A, as shown between security domain 1.500E and object domain 1.700A.

“Stack domain 1.800 can refer to object domain 1.700C, which may contain an optimization path 1.2618 (as subject domain 1.200E for the 3D modfile 1.2614) and a photo representation (as subject domain 1.200F). This may be, for example, a photo of the 3D printing machine for which the optimization path 1.2620 is intended. An analogous to the context references between objectdomains 1.700A & 1.700B, contextual refers may be made between objectdomains 1.700B & 1.700C to give an application program instant access at related resources.

FIG. 2 shows the data structure that is associated with domain 1.100. It may contain the security node 100 or the control policy 106. 1.1A to FIG. 1.11. FIG. FIG. A datastore could be composed of data organized and stored in one or more instances within the domain 1.100. Each domain 1.100 can be used to model an object or?thing? in real life. Each domain 1.100 may be used to model a real-world object or?thing, such as a file (such a document, audio track, image or DNA sequence), a message (such a person or machine), or log file. The datastore could be made up of instantiations from the domain 1.100, which are used to model and/or store a particular kind of data. FIG. 1 shows a subject domain 1.200. 1.2 is a fundamental instantiation (domain 1.100) that may contain a bit of?subject? data that can be used by an application program to provide data resources. A subject domain 1.200 may contain an audio file, video file, piece of clinical data or a scientific dataset. It can also include a message or an architectural rendering. FIG. FIG. You can use the relation domain 1.300 to create relationships between domains 1.100. Similarly, FIG. FIG. 1.4 illustrates an instantiation for the domain 1.100, which can be used as a user of datastore 1.100. 1.5 illustrates an instantiation the domain 1.100, which can be used to store data from a control policy (such as a database) that limits access to or uses of data in the datastore. The present drawings might show an instance domain 1.100.

“The domain 1.100 could be composed of a unique identification 1.101 (also known as the UID 1.101), three primary elements: 1.102 (which can be referred as the T element 1.102), 1.103 (which can be referred as the NT element 1.103), 1.104 (which might be referred as the context element 1.104), and 1.104 (which can be referred as the XT element 1.104). The primary elements can be called?the elements? or?an element? individually. Each element organizes data in a specific arrangement according to properties and/or characteristics. For example, the data can be used to identify domain 1.100 or the domain 1.100. Or the data might help establish context for domain 1.100. Each element may contain data using one or more attributes-value pairs. Each pair is made up of an attribute 1.106, and a value 1.107. Each value 1.107 can have a field that is set to a common type of data, such as a float or integer, or a binary big object (BLOB). Attributes 1.106 can establish structure between the domains 1.100. This disclosure, including the accompanying figures, uses the abbreviation?ref? The abbreviation?ref? is used throughout this disclosure, including the accompanying figures. References are often drawn from one domain 1.100 or another domain 1.100. FIG. FIG. The figures do not include the associated values 1.107 for the attributes 1.106 in the present embodiments. Aspects of the various embodiments, which include attributes 1.106 or values 1.107, are obvious to those skilled in the art. These aspects, as well as other aspects, are not labeled in the drawings or accompanying text after FIG. 1.1A through FIG. 1.1E.”

“Each element in the domain 1.100 is composed of a particular set of data that can improve storage efficiency and query efficiency through uniform syntax, semantics. Unique identifier 1.101 makes it possible to address the domain 1.100 within the datastore. The UID 1.101 could be a value of 1.107 that has a very low chance of appearing twice in the same datastore. The UID 1.101 could be a string of random alphabetic characters that is thirty or more long. One preferred embodiment of the UID 1.101 is an internationally unique identifier that ensures each domain 1.100 will be unique in comparison to other domains 1.100 in any datastore. This includes datastores operated by different organizations. Another preferred embodiment may refer to an attribute 1.106 which references an instance from a different domain 1.100 (e.g. domain ref 1.22, owned ref 1.134), and have a value 1.107, which is the UID 1.101 for a different domain 1.100. An application program may be able to address the domain 1.100 by using the UID 1.101 value 1.107.

“The TY element 1.102 contains identification data 1.20 that can be used to identify a specific domain 1.100 and distinguish it from any other domain 1.100 in the datastore. An application program or the person running the program may use the identity element 1.102 data to identify the specific domain 1.100 and/or any data contained in the domain 1.100. The data usable to label domain 1.100 could be, for instance, the name of the specific domain 1.100, which can either be user-defined or automatically generated using an application program. Data usable to label domain 1.100 could be, for example, “Stairway To Heaven?” If the domain 1.100 has an audio track, or?IMG_00045 when the domain 1.100 contains a digital photo, or ?1.2015-June_ClinicalTrials? When the domain 1.100 contains clinical data.”

“Identification data 1.20 could also contain data that can be used to distinguish the specific domain 1.100 from other domains 1.100 in the datastore. This data is used to identify the domain 1.100 and a particular relation 1.100. If the domain 1.100 includes data about a periodic table element then the identification data 1.20 could include a number protons. (Remember that the unique number of protons determines the species of the chemical elements such as fluorine or tin. Another example is that the domain 1.100 may contain data about a chemical compound. The TY element 1.102 could include unique electromagnetic radiation absorption values. Radiation absorption values can be used as a signature by chemists to identify the model compound in the domain 1.100. Attributes that can be used as a “primary key” are generally accepted. In other data models, such as the relational model, for a group related data, they may also be used in identification data 1.20.

“The distinguishing information may also include data that isn’t unique in the datastore, but has a low expected incidence. The distinguishing data could be, for example, a time stamp indicating the date at which domain 1.100 was created or modified. For example, domain 1.100 may store a daily report on oceanographic activity. Domain 1.100 may store a stock trade statistic that generates a real-time statistic with a millisecond accuracy. The distinguishing data may also include attributes 1.106. If combined, the distinguishing data can include attributes 1.106 that are usable to identify the domain 1.100 from all other domains 1.100 in the datastore. The identification data 1.20 could contain attributes 1.106, even though the 1.107 value of an attribute 1.106 is unlikely to be unique within the datastore. However, the 1.20 identification data may include attributes 1.106 that when combined (e.g. two, three) can be used for the specific domain 1.100. It is possible, for example, that the application program does not use the owner or the time stamp to label the domain 1.100. However, the combination of owner and time stamp is used by the application program to identify the domain 1.100. A property or relation that has a low frequency within the datastore may be used to distinguish data. A domain 1.100 that models a person might have a unique relationship to a domain 1.100 that models a biological father (perhaps via a?bio_father?) Attribute 1.106 in the identification data 1.20. FIG. 1.1E.”

“The hastory 1.124 contains a hashed history transaction records. Each transaction record refers to one or more transactions in the which the domain and/or data of a participant (e.g. the primitive 1.131). A?controlled identity’ may be created by the hastory 1.124. The domain 1.100 is located within the datastore. It is based on an immutable chain block (the chain block is shown in FIG. 1.1, five illustrative transaction record T1 through T5. A sequence of blocks may be included in the hastory 1.124. Each block contains a transaction record from a previous transaction. A hash function can generate a block’s hash value using inputs that include a prior hash value from a block and a transaction record for a block. The root hash is unique within the datastore results. It depends on the order of sequential chains and the data contained in each block. A hash function can be a cryptographic function or algorithm that converts data into a string of other data, such as alphanumeric characters. The hash function can also be used to map digital information of any size to digital data with fixed sizes. A small change in input data results in a significant difference in output digital data. You can implement the hastory 1.124 as a Merkle tree or a hash chain and/or a list.

“A genesis block that initiates the hastory 1.124 may be the first block in the sequential chain. The transaction record may include data one or more of the attribute-value pairs for the TY element. For example, the transaction record 2.1.303A could contain data such as an email address or biometric information. A new transaction record can be generated if the domain 1.100 with the hastory 1.124 takes part in an interaction. This could include an interaction with an application program or a different domain 1.100 in the datastore. The transaction record can be deposited in a new block of the sequential chain of blocks for the hastory 1.124. The root hash from the hastory 1.124 can then be recalculated using a hash function (e.g. SHA256 algorithm). This hash function uses inputs which include the new block in the hastory.124 of the specific domain 1.100. The domain 1.100’s controlled identity evolves, and can be distinguished from the copy of domain 1.100 which contains similar data, but has different transaction histories. The evolved domain 1.100 could be unique in the datastore and may also have an auditing record of all transactions it participated in.

A data storage system may be able to retain uniqueness in a datastore, which could allow it to identify processes that can distinguish domains 1.100 from others. A method could then be used to control the copying of domain 1.100 so that an original and a copy are identified. In the same way, ownership can be determined and transferred in a separate set of bits that make up an instance of domain 1.100. The hastory 1.124 can be used in conjunction with patent applications and/or co-pending patents by similar inventive entities and/or common assignees.

“The NT element 1.103 contains contained data 1.130 which the particular domain 1.100 includes. The contained data 1.130 could contain data that is physically or logically contained. Relationship (e.g. domain 1.100 which specifies an industrial component that is an assembly in which each. Data that is physically contained (also known as embedded data? Data that is directly or proximate to the specific domain 1.100 may be stored in a physical storage device. Data that is contained in the domain 1.100 might be stored at a memory address near other memory addresses that contain the data structure of the domain 1.100. Both the contained data 1.130 and the domain 1.100 could be stored on the same sector of the hard disk. However, data that is physically contained by the domain.100 could include a reference (e.g. domain ref 1.134 to a physical location like a memory address that holds the data that is technically contained by the domain.100).

“Where the domain 1.100 contains a fundamental data piece within the datastore the contained data 1.130 could be primitive data 1.105. FIG. 1.1A is the primitive 1.131 attribute 1.106. The primitive 1.131 attribute 1.106 value 1.107 may be a string if the domain 1.100 has a message, or a BLOB if the domain 1.100 has an image file. The contained data 1.130 could also refer to a memory address that contains the primitive data 1.105 (the memory address in FIG. 1.1A is the primitive ref 1.132 attribute. A pointer may also refer to the reference to the memory address. One or more embodiments embed a small amount of primitive data 1.105 in the domain 1.100 (e.g. 1.140 alphanumeric character, a sequence of 1.3000 base pair DNA sequences), while a larger instance of primitive data 1.105 can be referenced through primitive ref 1.132, (e.g. a genome).

“Rather than containing a primitive, the particular Domain 1.100 could also contain a reference (shown in FIG. 1.1A is the domain ref 1.134. One or more references may be subject to an architectural constraint so that data structures constructed from instances of domain 1.100 refer to each other according to a specific arrangement. These architectural constraints can be used to create data structures that reflect or enforce certain types relationships (e.g. a container), modeled using a directed-acyclic graph architecture 1.600 (see FIG. 1.6. FIG. 1.7 to FIG. 1.11.”

“In addition to referring an instance of domain 1.100 through domain ref 1.134 the particular domain.100 could refer to another instance of domain 1.100 that represents or depicts the specific domain 1.100 (shown at FIG. 1.1A is the representation ref 1.136. This representation can be used to help the user select the specific domain 1.100 or another instance from the domain 1.100 that this particular domain 1.100 contains. FIG. will show and describe representation domains that are instantiations from the domain 1.100. 1.11 and other embodiments.”

“The content element 1.103 may include multiple instances of the primitive 1.131 or primitive ref 1.132, domain refer 1.134 and/or representation rep 1.136. In one or more preferred embodiments, the real-world objects that are modeled by the domain.100 are reduced to relatively simple units. The instantiations from the domain 1.100 assume specialized roles, reflecting the nature of these basic unit. FIG. 1.200 shows the subject domain. FIG. 1.2 contains, in one or several preferred embodiments, a single primitive (referred to in FIG. 1.2 as primitive data 1.205). Similar to FIG. According to some preferred embodiments, 1.9 contains within the NT element 1.903 reference to two or more stackdomains 1.800. The collection domain 1.900 may reflect the real-world relationship between the two or three stack domains 1.800. This allows the data structure to express the relationship rather than the software code which may try to create relationships.

“The XT element 1.104 contains contextual data 1.140 which further characterizes the specific domain 1.100. The context data 1.140 could include data about how the specific domain 1.100 is used and/or examples of the domain 1.100. The XT element 1.104 could be a repository for any additional data that isn’t used to identify domain 1.100 via the TY element 1.102. It may also contain any data that the domain 1.100 doesn’t contain within the NT elements 1.103. Attributes 1.106 with values 1.107 may be included in the XT element 1.104. These attributes have a high probability of appearing more than once in the datastore. An example is the attribute 1.106 ‘color? The value 1.107 ‘green? could be an attribute. The value 1.107 green could be an indication that many domains 1.100 are part of the datastore. The XT element 1.104 could contain statistical data, such as the number of times data from domain 1.100 have been accessed or used.

“The XT element 1.104 can also contain one or more context-sub-elements. The legacy sub-element 1.144 can be used to store metadata and legacy information from an original file placed in the domain 1.100. A sub-element called an application may contain data about the use of domain 1.100 by one, or more, application programs. In conjunction with FIG. 1.1E.”

“The data structure according to domain 1.100 can be stored in the memory using physical storage technology, which may also be called a physical layer or an internal schema. FIG. FIG. 1.1B shows a representation for a linear memory storage in the domain of FIG. 1.1A may be stored directly in RAM or a memristor according to one or several embodiments. Each element in the domain 1.100 can have an element ID associated with one or more attribute/value pairs. The TY identifier 1.161 and the NT identifier 1.162 may indicate the start of the respective elements in the memory. The elements in an instance of domain 1.100 can occur in any order, regardless of which storage layer they are stored on. When referenced, the primitive data 1.105 may be stored at a memory location that is not in the domain 1.100. If embedded, the primitive data 1.105 may be stored in association with the primitive attribute 1.131 (not shown in FIG. 1.1B) after NT identifier 1.162. A solid-state drive (SSD), may also be used as a linear memory. A memristor (also known as a memory resistor) may be used in the linear memory. A linear memory could also be a physical storage device that stores quantum bits (also known as qubits).

Click here to view the patent on Google Patents.

How to Search for Patents

A patent search is the first step to getting your patent. You can do a google patent search or do a USPTO search. Patent-pending is the term for the product that has been covered by the patent application. You can search the public pair to find the patent application. After the patent office approves your application, you will be able to do a patent number look to locate the patent issued. Your product is now patentable. You can also use the USPTO search engine. See below for details. You can get help from a patent lawyer. Patents in the United States are granted by the US trademark and patent office or the United States Patent and Trademark office. This office also reviews trademark applications.

Are you interested in similar patents? These are the steps to follow:

1. Brainstorm terms to describe your invention, based on its purpose, composition, or use.

Write down a brief, but precise description of the invention. Don’t use generic terms such as “device”, “process,” or “system”. Consider synonyms for the terms you chose initially. Next, take note of important technical terms as well as keywords.

Use the questions below to help you identify keywords or concepts.

  • What is the purpose of the invention Is it a utilitarian device or an ornamental design?
  • Is invention a way to create something or perform a function? Is it a product?
  • What is the composition and function of the invention? What is the physical composition of the invention?
  • What’s the purpose of the invention
  • What are the technical terms and keywords used to describe an invention’s nature? A technical dictionary can help you locate the right terms.

2. These terms will allow you to search for relevant Cooperative Patent Classifications at Classification Search Tool. If you are unable to find the right classification for your invention, scan through the classification’s class Schemas (class schedules) and try again. If you don’t get any results from the Classification Text Search, you might consider substituting your words to describe your invention with synonyms.

3. Check the CPC Classification Definition for confirmation of the CPC classification you found. If the selected classification title has a blue box with a “D” at its left, the hyperlink will take you to a CPC classification description. CPC classification definitions will help you determine the applicable classification’s scope so that you can choose the most relevant. These definitions may also include search tips or other suggestions that could be helpful for further research.

4. The Patents Full-Text Database and the Image Database allow you to retrieve patent documents that include the CPC classification. By focusing on the abstracts and representative drawings, you can narrow down your search for the most relevant patent publications.

5. This selection of patent publications is the best to look at for any similarities to your invention. Pay attention to the claims and specification. Refer to the applicant and patent examiner for additional patents.

6. You can retrieve published patent applications that match the CPC classification you chose in Step 3. You can also use the same search strategy that you used in Step 4 to narrow your search results to only the most relevant patent applications by reviewing the abstracts and representative drawings for each page. Next, examine all published patent applications carefully, paying special attention to the claims, and other drawings.

7. You can search for additional US patent publications by keyword searching in AppFT or PatFT databases, as well as classification searching of patents not from the United States per below. Also, you can use web search engines to search non-patent literature disclosures about inventions. Here are some examples:

  • Add keywords to your search. Keyword searches may turn up documents that are not well-categorized or have missed classifications during Step 2. For example, US patent examiners often supplement their classification searches with keyword searches. Think about the use of technical engineering terminology rather than everyday words.
  • Search for foreign patents using the CPC classification. Then, re-run the search using international patent office search engines such as Espacenet, the European Patent Office’s worldwide patent publication database of over 130 million patent publications. Other national databases include:
  • Search non-patent literature. Inventions can be made public in many non-patent publications. It is recommended that you search journals, books, websites, technical catalogs, conference proceedings, and other print and electronic publications.

To review your search, you can hire a registered patent attorney to assist. A preliminary search will help one better prepare to talk about their invention and other related inventions with a professional patent attorney. In addition, the attorney will not spend too much time or money on patenting basics.

Download patent guide file – Click here