Dynamic rules-based secure data access system for business computer platforms

US 20030037263A1
Filed: 08/08/2002
Published: 02/20/2003
Est. Priority Date: 08/08/2001
Status: Abandoned Application

First Claim

Patent Images

1. A security system for permitting or denying access to a database comprising resources, the system comprising:

organizing the resources into at least two identified business functions to which access is controlled;

organizing resources within each business function into a hierarchical arrangement comprising levels at which access can be controlled to any accessor;

assigning at least one role to each accessor, the role determining the level of the hierarchical arrangement at which the accessor is allowed to access resources; and

defining the rights and privileges of an accessor to accessed resources based on a role of the accessor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a dynamic rules-based secure data access system that may be used in a variety of applications that include a requirement for controlled secure access to a database. The rules-based access system has several features. One of these is that each user be assigned a role, either as an individual or as part of the group. Access rights may be assigned based on roles, but these can be modified within the system by individual users, that have authority to do so. Further, the data resources that each user is allowed to access, based on his or her role, and the extent of viewing and of data manipulation allowed, is further controlled based on assigned “rights and privileges”.

Another feature is that the database may be viewed as structured and organized into “business functions”, which are useful in business enterprises, such as sales, marketing, customer supports, etc. Users may be restricted to only certain functions, based on their roles. Within the business function units, the resources may be regarded as are further subdivided into several hierarchy levels; such as business objects, and instances of these objects. Users may be allowed access to only a specific business function, and only specific levels within that functional unit, based on role. Further, data may be restricted within each of the hierarchy levels, so that a user with access may not be allowed to see or manipulate all resources on a particular level within the hierarchy.

139 Citations

40 Claims

1. A security system for permitting or denying access to a database comprising resources, the system comprising:
- organizing the resources into at least two identified business functions to which access is controlled;
  
  organizing resources within each business function into a hierarchical arrangement comprising levels at which access can be controlled to any accessor;
  
  assigning at least one role to each accessor, the role determining the level of the hierarchical arrangement at which the accessor is allowed to access resources; and
  
  defining the rights and privileges of an accessor to accessed resources based on a role of the accessor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the database is in communication with a messaging platform.
  - 3. The system of claim 1, wherein the organizing into a hierarchical arrangement comprises organizing into at least two levels of hierarchy.
  - 4. The system of claim 3, wherein the organizing identified business functions comprises organizing resources into sales, marketing and customer relations functions.
  - 5. The system of claim 3, wherein at least one screen displays resources of each identified business function, to an accessor who is granted access.
  - 6. The system of claim 3, wherein each identified business function comprises business objects, the business objects comprising resources about their respective business functions.
  - 7. The system of claim 6, wherein each business object is displayed on a screen, when access is granted to that business object.
  - 8. The system of claim 6, wherein each business object comprises instances of the business object, the instances each comprising resources about a specific item within their respective business objects.
  - 9. The system of claim 8, wherein individual instances are displayed on a screen, when access is granted to an accessor.
  - 10. The system of claim 1, wherein the assigning of roles comprise assigning of at least three separate roles, each separate role corresponding to access to a different level in the hierarchical arrangement.
  - 11. The system of claim 1, wherein at least one of the roles comprise groups of individual accessors.
  - 12. The system of claim 1, further comprising identifying an accessor, and identifying the role of the accessor.
  - 13. The system of claim 1, wherein defining the rights and privileges of an accessor comprises defining the accessor'"'"'s permission to read, write, create, and delete information on a level of the resource to which access is permitted.
  - 14. The system of claim 1, wherein the defining of rights and privileges is carried out by a creator of a resource.
  - 15. The system of claim 14, wherein the creator of the resource controls the rights and privileges based on accessor role.
  - 16. The system of claim 14, wherein the creator assigns rights and privileges to a designated assignee.
  - 17. The system of claim 16, wherein the assignee further delegates at most the rights and privileges assigned to it to a second level assignee.
  - 18. The system of claim 1, wherein an accessor has rights and privileges to interact with resources comprising at least one of the following activities :
    - to create resources, to view a portion of a resource content, to view all of a resource content, to modify a resource, to delete a resource, to view rights and privileges of other, to modify rights and privileges of others, to modify rights and privileges of the accessor.

19. A system comprising a secure data access protocol for controlling access to a database, the database comprising a hierarchy of information, and the access protocol comprising:
- decision criteria for allowing or denying access to the database, the criteria using roles assigned to potential accessors of the database to determine access to any one or more levels of hierarchy of the database; and
  
  rules defining rights and privileges of accessors of the one or more levels, the rules and privileges defining limits to viewing of accessed resources and defining limits to manipulation of the resources.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 20. The system of claim 19, wherein the hierarchy of the database comprises a first level wherein the resources are identified with two or more functional modules.
  - 21. The system of claim 20, wherein the functional modules comprise business objects.
  - 22. The system of claim, 21, wherein each business object comprises instances of the business object.
  - 23. The system of claim 22, wherein the business objects and the instances comprise attributes.
  - 24. The System of claim 23, wherein the decision criteria determines user access at least at the function, business object and instance level.
  - 25. The system of claim 24, wherein the access is limited to at least any one or more of the following activities by rules and privileges of the user:
    - full read, limited read, write, modify and delete.
  - 26. The system of claim 24, wherein the decision criteria comprises a sequence of steps to check whether access to resources is permitted to the user, at least one of these steps comprising determining access to the functional module to which access is sought, based on a role of the user.
  - 27. The system of claim 26, wherein the decision criteria further comprises determining, after a determination that the user has access to the functional module, what the rights and privileges of the user are with respect to the resources sought to be accessed.
  - 28. The system of claim 27, wherein the decision criteria permits user access to the functional module if access is permitted by user role, and sets limits on user access based on user rights and privileges.
  - 29. The system of claim 28, wherein the system identifies which business objects must be accessed to provide the user with resources sought to be accessed.
  - 30. The system of claim 28, wherein the decision criteria determine, for each instance of a business object sought to be accessed, whether the user is permitted access to the each instance.
  - 31. The system of claim 30, wherein the decision criteria selectively allows user access to an instance of a business object if permission based on the user'"'"'s role is unspecified, but the user is a member of at least one group role that is allowed access to the instance.
  - 32. The system of claim 30, wherein the decision criteria are set to allow user access to an instance of a business object if permission based on the user'"'"'s role is unspecified, and the user is a member of at least one group role that is denied access to the instance.
  - 33. The system of claim 30, wherein the decision criteria are set to deny user access to an instance of a business object if permission based on the user'"'"'s role is unspecified, and the user is a member of at least one group role that is denied access to the instance.
  - 34. The system of claim 30, wherein the decision criteria comprises the following steps to determine access, when the access to an instance is unspecified for the user'"'"'s role check whether system bias allows access when role based access is not specified for the user'"'"'s role, if so allow access, if not, then determine if any group role of which the user is a member is denied access, if not allow access, but otherwise check whether at least one group role of which user is a member is allowed access, if so then allow access.
  - 35. The system of claim 34, wherein the decision criteria further comprise determining whether the instance sought to accessed is consistent with rights and privileges of the user.
  - 36. The system of claim 30, wherein the decision criteria further comprise determining whether the instance sought to accessed is consistent with rights and privileges of the user.
  - 37. The system of claim 20, wherein the decision criteria further comprise determining whether the instance sought to accessed is consistent with rights and privileges of the user.
  - 38. The system of claim 19, further comprising a query builder functionality, the query builder comprising a query language for accessing resources from the database, queries using the query language comprising a business object sought to be accessed.
  - 39. The system of claim 38, wherein the decision criteria operate on the user'"'"'s role, any group role of the user, the named business object, and the user'"'"'s rights and privileges to determine the user'"'"'s access rights to the business object.
  - 40. The system of claim 39, wherein the decision criteria operate on the user'"'"'s role, any group role of the user, the user'"'"'s rights and privileges and each instance of which the sought business object is comprised, and the user'"'"'s rights and privileges to determine the user'"'"'s access rights to the instances.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TriVium Systems, Inc. (Provana LLC)
Original Assignee
TriVium Systems, Inc. (Provana LLC)
Inventors
Goradia, Tarak, Kamat, Nishad, Vishwanathan, Svn, Saran, Amitabh, Prabhakar, Bangalore S.

Application Number

US10/215,882
Publication Number

US 20030037263A1
Time in Patent Office

Days
Field of Search
US Class Current

713/202
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

Dynamic rules-based secure data access system for business computer platforms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

Dynamic rules-based secure data access system for business computer platforms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others