Dynamic runtime field-level access control using a hierarchical permission context structure

US 10,032,045 B2
Filed: 10/30/2015
Issued: 07/24/2018
Est. Priority Date: 10/30/2015
Status: Active Grant

First Claim

Patent Images

1. A system for dynamically determining field-level access control using a hierarchical permission context structure, the system comprising:

a machine-readable medium storing computer-executable instructions; and

at least one hardware processor communicatively coupled to the machine-readable medium that, when the computer-executable instructions are executed, the at least one hardware processor is configured to;

receive one or more user credentials, the one or more user credentials corresponding to a user;

identify a plurality of fields in an electronic document to be communicated to a client device;

select a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and

determine whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by;

referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and

comparing one or more of the user roles assigned to the second user with one or more user roles assigned to the first user;

in response to a determination that the received one or more user credentials do not provide authorization, replace the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;

in response to a determination that the received one or more user credentials provide authorization, add the data to the data portion of the selected first field; and

communicate the electronic document to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides for a system, method, and machine-readable medium for performing dynamic runtime field-level access control using a hierarchical permission context structure. The hierarchical permission context structure includes various levels of roles, where each role is assigned one or more permissions. The one or more permissions assigned to the one or more roles indicate the amount of control a given user has over data displayable in an electronic document. The electronic document includes one or more fields having corresponding records in one or more databases. A record includes metadata about the data for a corresponding field. When an electronic document is requested, the fields of the electronic document are generated from the data stored in their corresponding records. An evaluation is performed that determines whether the user requesting the electronic document is authorized to view the data for one or more of the fields based on their corresponding metadata.

56 Citations

17 Claims

1. A system for dynamically determining field-level access control using a hierarchical permission context structure, the system comprising:
- a machine-readable medium storing computer-executable instructions; and
  
  at least one hardware processor communicatively coupled to the machine-readable medium that, when the computer-executable instructions are executed, the at least one hardware processor is configured to;
  
  receive one or more user credentials, the one or more user credentials corresponding to a user;
  
  identify a plurality of fields in an electronic document to be communicated to a client device;
  
  select a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and
  
  determine whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by;
  
  referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
  
  comparing one or more of the user roles assigned to the second user with one or more user roles assigned to the first user;
  
  in response to a determination that the received one or more user credentials do not provide authorization, replace the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
  
  in response to a determination that the received one or more user credentials provide authorization, add the data to the data portion of the selected first field; and
  
  communicate the electronic document to the client device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the hierarchical permission context structure includes a plurality of nodes, each node being associated with a corresponding user role.
  - 3. The system of claim 1, wherein the at least one hardware processor is further configured to:
    - add the first field to a redacted field list, the redacted field list identifying at least one field from the plurality of fields where the user was not authorized to view the data associated with the data portion of the at least one field; and
      
      communicate the redacted field list to the client device.
  - 4. The system of claim 1, wherein:
    - at least one assignable user role selected from the assignable user roles is associated with a permission that specifies that the first user is authorized to view the data of the data portion associated with the selected first field; and
      
      the determination of whether the first user of the client device is authorized to view the data associated with the data portion is further performed by determining whether the first user has been assigned the at least one assignable user role.
  - 5. The system of claim 1, wherein:
    - the electronic document is associated with a secured document identifier that specifies whether the electronic document is a secured electronic document; and
      
      the determination of whether the user of the client device is authorized to view the data associated with the data portion is further performed by determining that secured document identifier specifies that the electronic document is a secured electronic document.
  - 6. The system of claim 1, wherein:
    - a set of the plurality of fields are each associated with a label portion and a data portion; and
      
      the at least one hardware processor is further configured to determine, for each field of the set of the plurality of fields, whether a user of the client device is authorized to view data associated with the data portion of a given field.

7. A method for dynamically determining field-level access control using a hierarchical permission context structure, the method comprising:
- receiving, by at least one hardware processor, one or more user credentials, the one or more user credentials corresponding to a user;
  
  identifying, by the at least one hardware processor, a plurality of fields in an electronic document to be communicated to a client device;
  
  selecting, by the at least one hardware processor, a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user;
  
  determining, by the at least one hardware processor, whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by;
  
  referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
  
  comparing one or more user roles assigned to the second user with one or more user roles assigned to the first user;
  
  in response to a determination that the received one or more user credentials do not provide authorization;
  
  replacing, by the at least one hardware processor, the data of the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
  
  in response to a determination that the received one or more user credentials provide authorization;
  
  adding;
  
  by the at least one hardware processor, the data to the data portion of the selected first field; and
  
  communicating, by the at least one hardware processor, the electronic document to the client device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the hierarchical permission context structure includes a plurality of nodes, each node being associated with a corresponding user role.
  - 9. The method of claim 7, further comprising:
    - adding the first field to a redacted field list, the redacted field list identifying at least one field from the plurality of fields where the user was not authorized to view the data associated with the data portion of the at least one field; and
      
      communicating the redacted field list to the client device.
  - 10. The method of claim 7, wherein:
    - at least one assignable user role selected from the assignable user roles is associated with a permission that specifies that the first user is authorized to view the data of the data portion associated with the selected first field; and
      
      the determination of whether the first user of the client device is authorized to view the data associated with the data portion is further performed by determining whether the first user has been assigned the at least one assignable user role.
  - 11. The method of claim 7, wherein:
    - the electronic document is associated with a secured document identifier that specifies whether the electronic document is a secured electronic document; and
      
      the determination of whether the user of the client device is authorized to view the data associated with the data portion is further performed by determining that secured document identifier specifies that the electronic document is a secured electronic document.
  - 12. The method of claim 7, wherein:
    - a set of the plurality of fields are each associated with a label portion and a data portion; and
      
      the method further comprises determining;
      
      for each field of the set of the plurality of fields, whether a user of the client device is authorized to view data associated with the data portion of a given field.

13. A non-transitory;
- machine-readable medium having computer-executable instructions stored thereon that, when executed by at least one hardware processor, configure the at least one hardware processor to perform a plurality of operations for dynamically determining field-level access control using a hierarchical permission context structure, the operations comprising;
  
  receiving one or more user credentials;
  
  the one or more user credentials corresponding to a user;
  
  identifying a plurality of fields in an electronic document to be communicated to a client device;
  
  selecting a first field from the plurality of fields, the first field having a label portion and a data portion, wherein the selected first field is associated with a second user, the second user being different than the first user; and
  
  determining whether the one or more user credentials provide authorization for viewing data associated with the data portion of the selected first field by;
  
  referencing a hierarchical permission context structure, the hierarchical permission context structure defining a hierarchy of assignable user roles; and
  
  comparing one or more user roles assigned to the second user with one or more user roles assigned to the first user;
  
  in response to a determination that the received one or more user credentials do not provide authorization, replacing the data portion of the selected first field with a predetermined restriction identifier prior to communicating the electronic document to the client device, the predetermined restriction identifier informing the user that the user is not authorized to view the data;
  
  in response to a determination that the received one or more user credentials provide authorization, adding the data to the data portion of the selected first field; and
  
  communicating the electronic document to the client device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory, machine-readable medium of claim 13, wherein the hierarchical permission context structure includes a plurality of nodes, each node being associated with a corresponding user role.
  - 15. The non-transitory, machine-readable medium of claim 13, wherein plurality of operations further comprise:
    - adding the first field to a redacted field list, the redacted field list identifying at least one field from the plurality of fields where the user was not authorized to view the data associated with the data portion of the at least one field; and
      
      communicating the redacted field list to the client device.
  - 16. The non-transitory;
    - machine-readable medium of claim 13, wherein;
      
      at least one assignable user role selected from the assignable user roles is associated with a permission that specifies that the first user is authorized to view the data of the data portion associated with the selected first field; and
      
      the determination of whether the first user of the client device is authorized to view the data associated with the data portion is further performed by determining whether the first user has been assigned the at least one assignable user role.
  - 17. The non-transitory, machine-readable medium of claim 13, wherein:
    - the electronic document is associated with a secured document identifier that specifies whether the electronic document is a secured electronic document; and
      
      the determination of whether the user of the client device is authorized to view the data associated with the data portion is further performed by determining that secured document identifier specifies that the electronic document is a secured electronic document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Barrett, Nicholas Wayne, Kovell, Aaron M.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/928,585
Publication Number

US 20170126681A1
Time in Patent Office

998 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6245   Protecting personal data, e...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0836   using tree structure or hie...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

Dynamic runtime field-level access control using a hierarchical permission context structure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic runtime field-level access control using a hierarchical permission context structure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links