Abstract: A method for generating a system specific security-definition for a heterogeneous subsystem of a computing system is provided. A natural-language security-definition is stored in a rule-repository. A machine-readable security-definition is stored and a first mapping of a natural-language security-definition onto a machine-readable security-definition is stored in the rule-repository. A system-specific security-definition is generated from a machine-readable security-definition by a rule-converter that corresponds to a heterogeneous subsystem. The generation is based on a second mapping of each machine-readable security definition onto indications of system-specific security-definitions.

Abstract: Method of authenticating a user in a heterogeneous computer environment. The method may include defining a set of unique prefixes, each prefix identifying a type of user repository; defining a set of abstract repository names, each abstract repository name identifying an address of a user repository; and authenticating the user in the heterogeneous computer environment by assigning a sequence comprising a unique prefix, a reference to an abstract repository name and a unique identifier for the user within the user repository indicated by the reference to the abstract repository name.

Abstract: Certain example embodiments relate to a system for secure complex event processing (CEP). The system includes an input adaptor configured to receive at least one input event from at least one external source system. The at least one input event comprises at least one event-specific disclosure permission concerning data of the input event. A CEP engine is configured to process the at least one input event and to produce at least one corresponding complex output event. A security enforcer is configured to remove data from the at least one output event that is not in accordance with the at least one event-specific disclosure permission defined in the corresponding at least one input event. An output adaptor is configured to send the at least one output event to at least one external target system.

Abstract: Certain example embodiments relate to a system for secure complex event processing (CEP). The system includes an input adaptor configured to receive at least one input event from at least one external source system. The at least one input event comprises at least one event-specific disclosure permission concerning data of the input event. A CEP engine is configured to process the at least one input event and to produce at least one corresponding complex output event. A security enforcer is configured to remove data from the at least one output event that is not in accordance with the at least one event-specific disclosure permission defined in the corresponding at least one input event. An output adaptor is configured to send the at least one output event to at least one external target system.

Abstract: The present invention concerns an XML data base management system (XDBMS, 10) for an XML database (20) comprising XML documents (30), each XML document (30) comprising one or more structural elements (35) and adhering to an XML schema (40), wherein at least one of the structural elements (35) is protected against access of a user (60), the XDBMS (10) comprising: a. an optimizer (300) adapted to process an XQuery (50) of the user (60) comprising one or more XQuery expressions (55) and further adapted to generate an optimized XQuery execution plan (70); b. an execution engine (400) adapted to execute the optimized XQuery execution plan (70) to retrieve XML data (80) from the XML database (20), characterized in that c. the optimizer (300) is adapted to generate the optimized XQuery execution plan (70), so that all XQuery expressions (55) relating to one or more of the structural elements (35) which are protected against access of the user (60) are ignored by the optimizer (300).

Abstract: The present invention concerns an XML data base management system (XDBMS, 10) for an XML database (20) comprising XML documents (30), each XML document (30) comprising one or more structural elements (35) and adhering to an XML schema (40), wherein at least one of the structural elements (35) is protected against access of a user (60), the XDBMS (10) comprising: a. an optimizer (300) adapted to process an XQuery (50) of the user (60) comprising one or more XQuery expressions (55) and further adapted to generate an optimized XQuery execution plan (70); b. an execution engine (400) adapted to execute the optimized XQuery execution plan (70) to retrieve XML data (80) from the XML database (20), characterized in that c. the optimizer (300) is adapted to generate the optimized XQuery execution plan (70), so that all XQuery expressions (55) relating to one or more of the structural elements (35) which are protected against access of the user (60) are ignored by the optimizer (300).

Abstract: The present invention relates to a method for granting a user (U1) secure access to one or more resources (D1, D2, D3) accessed by a process (P1), the process (P1) being defined in a SOA registry (100) and comprising one or more process-steps (S1, S2, S3), each process-step (S1, S2, S3) accessing one or more resources (D1, D2, D3) stored in a SOA repository (200), the method comprising the following steps: a. during an execution of the process (P1), for each resource (D1, D2, D3) accessed by at least one of the process-steps (S1, S2, S3), creating an entry (E1, E2) in the SOA registry (100) determining the accessed resource (D1, D2, D3); b. creating a process-instance-role (R1) in the SOA registry; c. for each resource (D1, D2, D3) accessed by at least one of the process-steps (S1, S2, S3), creating an access privilege (AP1) in the SOA repository (200) that grants access to the respective resource (D1, D2, D3) for the process-instance-role (R1); and d.

Abstract: The present invention concerns a method for generating one or more system-specific security-definitions (310, 311, 320, 321) for one or more heterogeneous subsystems (S1, S2) of a software system, the method comprising the following steps: a. storing one or more natural-language security-definitions (100) in a rule-repository; b. storing one or more machine-readable security-definitions (200) and a first mapping of each natural-language security-definition (100) onto one or more of the machine-readable security-definitions (200) in the rule-repository; and c. generating the one or more system-specific security-definitions (310, 311, 320, 321) from the one or more machine-readable security-definitions (200) by one or more rule-converters (RC1, RC2) corresponding to the one or more heterogeneous subsystems (S1, S2), wherein the generating is based on a second mapping of each machine-readable security definition (200) onto one or more of the system-specific security-definitions (310, 311, 320, 321).

Abstract: Method of authenticating a user in a heterogeneous computer environment. The method may include defining a set of unique prefixes, each prefix identifying a type of user repository; defining a set of abstract repository names, each abstract repository name identifying an address of a user repository; and authenticating the user in the heterogeneous computer environment by assigning a sequence comprising a unique prefix, a reference to an abstract repository name and a unique identifier for the user within the user repository indicated by the reference to the abstract repository name.