Relationship-based authorization

US 10,038,684 B2
Filed: 03/23/2017
Issued: 07/31/2018
Est. Priority Date: 04/11/2006
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions configured to cause at least one data processor forming part of at least one computing system to perform operations comprising:

receiving data characterizing a request for authorization to access a computer-based resource by a principal;

determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;

determining whether the requesting principal has an explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource; and

determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;

otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and

providing authorization for the requesting principal to the computer-based resource;

wherein the requesting principle is a component of a computer system including a data processor executing a process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, related to relationship-based authorization. In general, data characterizing a request for authorization to a computer-based resource is received, and the authorization may be provided based on one or more relationships of a requesting principal. A determination may be made as to whether a requesting principal is authorized, which may include determining whether the requesting user has a relationship with a principal that has management rights of the computer-based resource and determining whether the relationship allows for an access, such as a use of the computer-based resource, if the requesting principal has a relationship with the other principal. If there is no such relationship, a determination may be made as to whether an organization of the requesting principal has a relationship with the other principal that allows for the access.

20 Citations

20 Claims

1. A non-transitory computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions configured to cause at least one data processor forming part of at least one computing system to perform operations comprising:
- receiving data characterizing a request for authorization to access a computer-based resource by a principal;
  
  determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the requesting principal has an explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource; and
  
  determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
  
  otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and
  
  providing authorization for the requesting principal to the computer-based resource;
  
  wherein the requesting principle is a component of a computer system including a data processor executing a process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein the principal that has management rights is a user, organization, computer system, or component of a computer system.
  - 3. The computer program product of claim 1, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 4. The computer program product of claim 1, wherein the determining whether the requesting principal has a relationship with a principal and determining whether an organization of the requesting principal has a relationship with the principal that has management rights are performed with reference to one or more data structures describing relationships between users and users, users and organizations, organizations and users, and organizations and organizations.
  - 5. The computer program product of claim 1, wherein the principal having management rights is a data content subject about whom the computer-based resource relates.
  - 6. The computer program product of claim 1, wherein the requesting principal has a relationship with the principal having management rights at a first time to authorize the access but the relationship at a second time being later than the first time does not authorize the access based on a modification of the relationship or associated attributes.
  - 7. The computer program product of claim 1, wherein relationships are associated with one or more attributes.
  - 8. The computer program product of claim 7, wherein at least one of the attributes describes one or more of a time interval of a relationship, types of computer-based resources authorized for a relationship, or types of authorized access.
  - 9. The computer program product of claim 1, wherein the receiving data and the determining whether the requesting principal is authorized are performed at a server and the operations further comprise performing the access at a client.
  - 10. The computer program product of claim 1, wherein the request is a request for access to clinical or administrative health information in a health care environment.
  - 11. The computer program product of claim 1, wherein the requesting principal is authorized for types of access to the computer-based resources different from types of access authorized for another principal.

12. A computer-implemented method comprising:
- receiving data characterizing a request for authorization to access a computer-based resource by a principal;
  
  determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the requesting principal has an explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource; and
  
  determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
  
  otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and
  
  providing authorization for the requesting principal to the computer-based resource;
  
  wherein the requesting principle is a component of a computer system including a data processor executing a process.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 14. The method of claim 12, wherein the determining whether the requesting principal has a relationship with a principal and determining whether an organization of the requesting principal has a relationship with the principal that has management rights are performed with reference to one or more data structures describing relationships between users and users, users and organizations, organizations and users, and organizations and organizations.
  - 15. The method of claim 12, wherein relationships are associated with one or more attributes describing one or more of a time interval of a relationship, types of computer-based resources authorized for a relationship, or types of authorized access.
  - 16. The method of claim 12, wherein the request is a request for access to health information in a health care environment.

17. A non-transitory computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions configured to cause at least one data processor forming part of at least one computing system to perform operations comprising:
- receiving data characterizing a request for access to a computer-based resource by a first principal;
  
  determining whether the first principal is authorized for the access to the computer-based resource, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the first principal has a first relationship at the time of the request with a second principal that has management rights of access to the computer-based resource, the determining whether the first principal has the first relationship with the second principal based on a query of one or more data structures comprising user to user relationships between principals being users; and
  
  determining whether the first relationship allows for the access to the computer-based resource based on properties of the first relationship if the first principal has the first relationship;
  
  otherwise, determining whether an organization of the first principal has a second relationship, with the second principal, that allows for the access, the determining whether the organization has the second relationship based on user to organization relationships and organization to user relationships of the data structures; and
  
  providing authorization for the requesting principal to the computer-based resource;
  
  wherein the requesting principle is a component of a computer system including a data processor executing a process.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 19. The computer program product of claim 17, wherein the request is a request for access to health information in a health care environment.
  - 20. The computer program product of claim 17, wherein the data structures are one or more tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Medox Technologies, Inc.
Original Assignee
Medox Technologies, Inc.
Inventors
Beck, Michael
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US15/467,767
Publication Number

US 20170201508A1
Time in Patent Office

495 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6272   by registering files or doc...

G16H 10/60   for patient-specific data, ...

G16H 50/20   for computer-aided diagnosi...

G16H 70/20   relating to practices or gu...

G16H 80/00   ICT specially adapted for f...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

Relationship-based authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Relationship-based authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others