Dynamic evaluation of access rights

US 20030120601A1
Filed: 04/22/2002
Published: 06/26/2003
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating an access right, the method comprising:

receiving a set of access rules associated with a secured file;

obtaining respective rule items from the access rules;

obtaining respective parameters corresponding to the rule items;

comparing the parameters and the rule items, respectively;

granting the access right if the comparing of the parameters and the rule items is considered successful; and

denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To grant or deny access rights to a user attempting to access a protected system or secured electronic data, an access right evaluation process is carried out among all applicable policies including those embedded in the secured electronic data. In a preferred embodiment, the access right evaluation process is invoked only when a system being accessed is protected or a file being accessed is detected to be in a secured format. Further, the access right evaluation process is configured preferably to operate transparently to the user. The access right evaluation may be advantageously used in systems or applications in which devices, mediums or electronic data are secured and can be restrictively accessed by those who are authenticated and have proper access privilege.

337 Citations

46 Claims

1. A method for evaluating an access right, the method comprising:
- receiving a set of access rules associated with a secured file;
  
  obtaining respective rule items from the access rules;
  
  obtaining respective parameters corresponding to the rule items;
  
  comparing the parameters and the rule items, respectively;
  
  granting the access right if the comparing of the parameters and the rule items is considered successful; and
  
  denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method as recited in claim 1, wherein the receiving of the set of access rules associated with the secured file comprises:
    - activating a user key associated with a user attempting to access the secured file after the user has been authenticated; and
      
      decrypting, with the user key, security information that is encrypted and associated with the secured file, to retrieve the access rules.
  - 3. The method as recited in claim 2, wherein the set of access rules is expressed in a descriptive language.
  - 4. The method as recited in claim 3, wherein the descriptive language is a markup language.
  - 5. The method as recited in claim 3, wherein the markup language is selected from a group consisting of XACML, HTML, XML and SGML.
  - 6. The method as recited in claim 2, wherein the rule items in the access rules jointly define how the secured file can be accessed.
  - 7. The method as recited in claim 6, wherein one or more of the rule items in the access rules define when and by whom the secured file can be accessed.
  - 8. The method as recited in claim 6, wherein at least one of the rule items in the access rules defines what application or application type the secured file can be accessed with.
  - 9. The method as recited in claim 6, wherein at least one of the rule items in the access rules defines who or what group the secured file can be accessed by.
  - 10. The method as recited in claim 2, wherein each of the respective parameters corresponding to the rule items is associated with a system providing logic information to each of the respective parameters.
  - 11. The method as recited in claim 10, wherein at least one of the respective parameters is a user identifier identifying the user, another one of the respective parameters is an application identifier identifying what application being activated to access the secured file, and still another one of the respective parameters indicates a current time.
  - 12. The method as recited in claim 11, wherein the comparing of the parameters and the rule items comprises comparing each of the rule items logically with one of the respective parameters.
  - 13. The method as recited in claim 12, wherein the comparing of the each of the rule items logically with that one of the respective parameters comprises:
    - (a) producing a successful logic when the one of the respective parameters is within a definition defined by the each of the rule items;
      
      (b) producing a failure logic when the one of the respective parameters is not within or is beyond the definition defined by the each of the rule items; and
      
      (c) repeating, respectively, (a) and (b) till each of the rule items is respectively tested against one of the respective parameters.
  - 14. The method as recited in claim 13, wherein the comparing of the parameters and the rule items is considered successful when the successful logic is produced every time (a) is carried out.
  - 15. The method as recited in claim 13, wherein the comparing of the parameters and the rule items is considered unsuccessful when the failure logic is produced from (b).
  - 16. The method as recited in claim 10, wherein the system is one of (i) a client machine, (ii) a server machine and (iii) a combination of the client machine and the server machine.
  - 17. The method as recited in claim 1, wherein the parameters are imposed upon a user attempting to access the secured file by a system in which the secured file resides or is downloaded.

18. An apparatus for evaluating an access right, the apparatus comprising:
- a memory store for storing an executable module;
  
  a processor, coupled to the memory store and when executing the executable module, causing the processor to perform operations of;
  
  receiving a set of access rules originally embedded in a secured file;
  
  obtaining respective rule items from the access rules;
  
  obtaining respective parameters corresponding to the rule items;
  
  comparing the parameters and the rule items, respectively;
  
  granting the access right if the comparing of the parameters and the rule items is considered successful; and
  
  denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40)
- - 19. The apparatus as recited in claim 18 is a client machine operating an operating system.
  - 20. The apparatus as recited in claim 19, wherein the operating system is one of (i) Windows operating system, (ii) Mac OS, (iii) Linux and (iv) Unix.
  - 21. The apparatus as recited in claim 18, wherein the executable module is embedded in the operating system and executed by the processor only when the secured file is being accessed.
  - 22. The apparatus as recited in claim 18, wherein the executable module, when executed by the processor, operates in the operating system and intercepts the secured file when data representing the secured file is being loaded to an application executed by a user to access the secured file.
  - 23. The apparatus as recited in claim 19, wherein the executable module operates transparently to the user.
  - 24. The apparatus as recited in claim 22, wherein the executable module retrieves the set of access rules from security information encrypted and associated with the secured file.
  - 25. The apparatus as recited in claim 24, wherein the set of access rules is expressed in a descriptive language.
  - 26. The apparatus as recited in claim 25, wherein the descriptive language is a markup language.
  - 27. The apparatus as recited in claim 18, wherein the rule items in the access rules jointly define how the secured file can be accessed.
  - 28. The apparatus as recited in claim 27, wherein one or more of the rule items in the access rules define when and by whom the secured file can be accessed.
  - 29. The apparatus as recited in claim 27, wherein at least one of the rule items in the access rules defines what application or application type the secured file can be accessed with.
  - 30. The apparatus as recited in claim 27, wherein at least one of the rule items in the access rules defines who or what group the secured file can be accessed by.
  - 31. The apparatus as recited in claim 18, wherein at least one of the respective parameters is a user identifier identifying the user, one of the respective parameters is an application identifier identifying what application being activated to access the secured file, another one of the respective parameters indicates a current time.
  - 32. The apparatus as recited in claim 31, wherein the comparing of the parameters and the rule items comprises comparing each of the rule items logically with one of the respective parameters.
  - 33. The apparatus as recited in claim 32, wherein the comparing of the each of the rule items logically with that one of the respective parameters comprises:
    - (a) producing a successful logic when the one of the respective parameters is within a definition defined by the each of the rule items;
      
      (b) producing a fail logic when the one of the respective parameters is not within or is beyond the definition defined by the each of the rule items; and
      
      (c) repeating, respectively, (a) and (b) till each of the rule items is respectively tested against one of the respective parameters.
  - 34. The apparatus as recited in claim 33, wherein the comparing of the parameters and the rule items is considered successful when the success logic is produced every time (a) is carried out.
  - 35. The apparatus as recited in claim 33, wherein the comparing of the parameters and the rule items is considered unsuccessful when the fail logic is produced from (b).
  - 36. The apparatus as recited in claim 35, wherein the executable module retrieves a file key from the secured file and activates a cipher module to decrypt an encrypted data portion in the secured file with the file key.
  - 38. The method as recited in claim 35, wherein the secured file includes a header and an encrypted data portion;
    - and wherein the obtaining of the system rule set and the access rule set comprises decrypting security information in the header to obtain the access rule set therein.
  - 39. The method as recited in claim 38 further comprising:
    - intercepting a file being requested by a user; and
      
      determining if the file is secured or non-secured.
  - 40. The method as recited in claim 39 further comprising:
    - retrieving a file key from the header after the access right is granted; and
      
      decrypting the encrypted data portion with the file key.

37. A method for evaluating an access right, the method comprising:
- obtaining a system rule set and an access rule set, wherein the access rule set is associated with the secured file;
  
  evaluating, respectively, each of items in the system rule set and the access rule set;
  
  granting the access right if the evaluating of each of the items in the system rule set and the access rule set produces a logic pass; and
  
  denying the access right if the evaluating of one of the items in the system rule set or the access rule set produces a logic failure.

41. A method for evaluating an access right, the method comprising:
- obtaining a first system rule set and a second system rule set;
  
  determining if one of the first and second system rule sets has a property of overriding other system rule sets;
  
  if one of the first and second system rule sets has a property of overriding other system rule sets, obtaining rule items from the one of the first and second system rule;
  
  obtaining respective parameters corresponding to the rule items;
  
  comparing the parameters and the rule items, respectively;
  
  granting the access right if the comparing of the parameters and the rule items is considered successful; and
  
  denying the access right if the comparing of the parameters and the rule items is considered unsuccessful;
  
  if one of the first and second system rule sets does not have a property of overriding other system rule sets, obtaining respective rule items from the first and second system rule sets;
  
  obtaining respective parameters corresponding to the rule items of the first and second system rule sets;
  
  comparing the parameters and the rule items of the first and second system rule sets, respectively;
  
  granting the access right if the comparing of the parameters and the rule items is considered successful; and
  
  denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The method as recited in claim 41, wherein the first system rule set is deployed at a first level in a system and the second system rule set is deployed at a second level in the system.
  - 43. The method as recited in claim 42, wherein the first level is not identical to the second level.
  - 44. The method as recited in claim 43, wherein the first level is identical to the second level.
  - 45. The method as recited in claim 41, wherein the one of the first and second system rule sets that has a property of overriding other system rule sets is deployed by a system operate or a user with higher access privilege than that of other users.
  - 46. The method as recited in claim 41, wherein the first and second system rule sets are expressed either in binary data or a descriptive language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
SecretSeal Inc.
Inventors
Ouye, Michael Michio, Crocker, Steven Toye

Granted Patent

US 10,033,700 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/51
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/01   Protocols

Dynamic evaluation of access rights

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

337 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic evaluation of access rights

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

337 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links