Dynamic evaluation of access rights

US 10,033,700 B2
Filed: 04/22/2002
Issued: 07/24/2018
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating an access right of a user to an encrypted data portion of a secured electronic file, the method comprising:

obtaining a system rule set stored separate from the secured electronic file and an access rule set specific to the secured electronic file, wherein the system and access rule sets comprise a plurality of access rules applicable to the user that control access to the secured electronic file in an enterprise environment and that regulate at least a duration of access to the secured electronic file, wherein each access rule includes;

a rule type defining whether the rule is an authorization rule or a restriction rule;

a right attribute indicating a set of rights controlled by the access rule;

a resource attribute indicating a system or set of electronic files on which the access rule operates; and

a principal attribute indicating a user or group of users to which the access rule applies,wherein each access rule is obtained based on matching at least one of the right attribute to the access right of the user, the resource attribute to the secured electronic file, and the principal attribute to the user;

evaluating the plurality of access rules of the system rule set to determine whether the user is allowed to access a protected system containing the secured electronic file, wherein the evaluation of the plurality of access rules of the system rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the system rule set;

evaluating the plurality of access rules of the access rule set, in response to determining that the user is allowed to access the protected system, to determine whether the user has a type of access required to access the secured electronic file for the duration, wherein the evaluation of the plurality of access rules of the access rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the access rule set;

decrypting the encrypted data portion of the secured electronic file in response to determining that the user has permission to access the secured electronic file; and

providing the decrypted data portion to the user.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To grant or deny access rights to a user attempting to access a protected system or secured electronic data, an access right evaluation process is carried out among all applicable policies including those embedded in the secured electronic data. In a preferred embodiment, the access right evaluation process is invoked only when a system being accessed is protected or a file being accessed is detected to be in a secured format. Further, the access right evaluation process is configured preferably to operate transparently to the user. The access right evaluation may be advantageously used in systems or applications in which devices, mediums or electronic data are secured and can be restrictively accessed by those who are authenticated and have proper access privilege.

719 Citations

27 Claims

1. A method for evaluating an access right of a user to an encrypted data portion of a secured electronic file, the method comprising:
- obtaining a system rule set stored separate from the secured electronic file and an access rule set specific to the secured electronic file, wherein the system and access rule sets comprise a plurality of access rules applicable to the user that control access to the secured electronic file in an enterprise environment and that regulate at least a duration of access to the secured electronic file, wherein each access rule includes;
  
  a rule type defining whether the rule is an authorization rule or a restriction rule;
  
  a right attribute indicating a set of rights controlled by the access rule;
  
  a resource attribute indicating a system or set of electronic files on which the access rule operates; and
  
  a principal attribute indicating a user or group of users to which the access rule applies,wherein each access rule is obtained based on matching at least one of the right attribute to the access right of the user, the resource attribute to the secured electronic file, and the principal attribute to the user;
  
  evaluating the plurality of access rules of the system rule set to determine whether the user is allowed to access a protected system containing the secured electronic file, wherein the evaluation of the plurality of access rules of the system rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the system rule set;
  
  evaluating the plurality of access rules of the access rule set, in response to determining that the user is allowed to access the protected system, to determine whether the user has a type of access required to access the secured electronic file for the duration, wherein the evaluation of the plurality of access rules of the access rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the access rule set;
  
  decrypting the encrypted data portion of the secured electronic file in response to determining that the user has permission to access the secured electronic file; and
  
  providing the decrypted data portion to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the system rule set is obtained from a server.
  - 3. The method of claim 1, wherein obtaining the access rule set comprises:
    - activating a user key associated with a user attempting to access the secured electronic file after the user has been authenticated; and
      
      decrypting the access rule set with the user key.
  - 4. The method of claim 1, wherein the plurality of access rules are expressed in a markup language.
  - 5. The method of claim 4, wherein the markup language is selected from a group consisting of XACML, HTML, XML, SGML.
  - 6. The method of claim 1, wherein an access rule of the access rule set defines how the secured electronic file is permitted to be accessed.
  - 7. The method of claim 1, wherein an access rule of the access rule set defines when the secured electronic file is permitted to be accessed.
  - 8. The method of claim 1, wherein an access rule of the access rule set defines an application or type of application the secured electronic file is permitted to be accessed with.
  - 9. The method of claim 1, wherein an access rule of the system rule set defines a group the secured electronic file is permitted to be accessed by.
  - 10. The method of claim 1, wherein the plurality of access rules are evaluated using parameters.
  - 11. The method of claim 10, wherein the parameters include a user identifier, an application identifier, a group identifier, and a current time.
  - 12. The method of claim 1, further comprising:
    - obtaining a super system rule set that is distinct from the system rule set in response to determining that the user is not allowed to access the protected system containing the secured electronic file, wherein the super system rule set comprises access rules that override the access rules of the system rule set; and
      
      evaluating the super system rule set to determine whether the user is allowed to access the protected system containing the secured electronic file.
  - 13. The method of claim 1, wherein the access rule set is obtained from a header portion of the secured electronic file.
  - 14. The method of claim 1, wherein each access rule further includes:
    - a condition expression defining evaluation criteria for the access rule.
  - 15. The method of claim 1, wherein evaluating each access rule further comprises:
    - determining whether each access rule is an authorization rule or a restriction rule;
      
      evaluating each access rule to determine whether the user meets evaluation criteria defined by the rule; and
      
      determining that the user has permission to access the secured electronic file when the user meets the evaluation criteria defined by each restriction rule and at least one authorization rule.

16. An article of manufacture including a computer-readable medium having computer-executable instructions stored thereon that, in response to execution by a computing device, cause the computing device to perform operations to evaluate access rights of a user to an encrypted data portion of a secured electronic file, the operations comprising:
- obtaining a system rule set stored separate from the secured electronic file and an access rule set specific to the secured file, wherein the system and access rule sets comprise a plurality of access rules applicable to the user that control access to the secured electronic file in an enterprise environment and that regulate at least a duration of access to the secured electronic file, wherein each access rule includes;
  
  a rule type defining whether the rule is an authorization rule or a restriction rule;
  
  a right attribute indicating a set of rights controlled by the access rule;
  
  a resource attribute indicating a system or set of electronic files on which the access rule operates; and
  
  a principal attribute indicating a user or group of users to which the access rule applies,wherein each access rule is obtained based on matching at least one of the right attribute to the access right of the user, the resource attribute to the secured electronic file, and the principal attribute to the user;
  
  evaluating the plurality of access rules of the system rule set to determine whether the user is allowed to access a protected system containing the secured electronic file, wherein the evaluation of the plurality of access rules of the system rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the system rule set;
  
  evaluating the plurality of access rules of the access rule set, in response to detei mining that the user is allowed to access the protected system, to determine whether the user has a type of access required to access the secured electronic file for the duration, wherein the evaluation of the plurality of access rules of the access rule set is halted upon determining that the user does not meet evaluation criteria defined by a restriction rule of the plurality of access rules of the access rule set;
  
  decrypting the encrypted data portion of the secured electronic file in response to determining that the user has permission to access the secured electronic file; and
  
  providing the decrypted data portion to the user.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The article of manufacture of claim 16, wherein the system rule set is obtained from a server.
  - 18. The article of manufacture of claim 16, wherein obtaining the access rule set comprises:
    - activating a user key associated with a user attempting to access the secured electronic file; and
      
      decrypting the access rule set with the user key.
  - 19. The article of manufacture of claim 16, wherein the plurality of access rules are expressed in a markup language.
  - 20. The article of manufacture of claim 19, wherein the markup language is selected from a group consisting of XACML, HTML, XML, SGML.
  - 21. The article of manufacture of claim 16, wherein an access rule of the access rule set defines how the secured electronic file is permitted to be accessed.
  - 22. The article of manufacture of claim 16, wherein an access rule of the access rule set defines when the secured electronic file is permitted to be accessed.
  - 23. The article of manufacture of claim 16, wherein an access rule of the access rule set defines what application or type of application the secured electronic file is permitted to be accessed with.
  - 24. The article of manufacture of claim 16, wherein an access rule of the system rule set defines a group the secured electronic file is permitted to be accessed by.
  - 25. The article of manufacture of claim 16, wherein the plurality of access rules are evaluated using parameters.
  - 26. The article of manufacture of claim 25, wherein the parameters include a user identifier, an application identifier, a group identifier, and a current time.
  - 27. The article of manufacture of claim 16, the operations further comprising:
    - obtaining a super system rule set that is distinct from the system rule set in response to determining that the user is not allowed to access the protected system containing the secured electronic file, wherein the super system rule set comprises access rules that override the access rules of the system rule set; and
      
      evaluating the super system rule set to determine whether the user is allowed to access the protected system containing the secured electronic file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Inventors
Ouye, Michael Michio, Crocker, Steven Toye
Primary Examiner(s)
Reagan, James A

Application Number

US10/127,109
Publication Number

US 20030120601A1
Time in Patent Office

5,937 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/01   Protocols

Dynamic evaluation of access rights

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

719 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic evaluation of access rights

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

719 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links