Method and apparatus for providing secure access control for protected information

US 20070136603A1
Filed: 10/20/2006
Published: 06/14/2007
Est. Priority Date: 10/21/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of processing a request from a requester, comprising:

receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;

determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;

if said local domain contains all of said at least one element in said target;

(1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;

(a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requester a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent;

(2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;

(a) denying said request;

if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;

(1) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said at least one element in said target;

(a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and

(2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;

(a) denying said request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided methods and apparatuses for processing requests from requestors, methods and apparatuses for transmitting indicia representative of information from a first domain to a second domain, methods comprising, and apparatuses for, determining whether a requestor is authorized to perform a desired operation on a target comprising at least one element which comprises an information set of indicia and arrangements of stored data, as well as computer-readable media having computer-executable commands for performing the same. In some aspects of the present invention, there are provided high-assurance data security apparatuses and methods, in particular, user data protection via enforcement of policy-based access control.

250 Citations

238 Claims

1. A method of processing a request from a requester, comprising:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requester a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said at least one element in said target;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 226, 233, 236)
- - 2. A method as recited in claim 1, further comprising receiving at least one requestor set of indicia, said requestor set of indicia comprising indicia selected from the group consisting of indicia input by the requester and indicia derived from the requestor;
    - and comparing said requestor set of indicia with at least one set of stored requester indicia.
  - 3. A method as recited in claim 1, further comprising receiving at least one identification set of indicia, said identification set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor;
    - and comparing said identification set of indicia with at least one set of stored identification indicia.
  - 4. A method as recited in claim 1, further comprising receiving at least one authentication set of indicia, said authentication set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor;
    - and comparing said authentication set of indicia with at least one set of stored authentication indicia.
  - 5. A method as recited in claim 1, wherein said second request further comprises a credential set of indicia.
  - 6. A method as recited in claim 1, wherein said second request further comprises a request identification set of indicia comprising a set of indicia which is representative of said request.
  - 7. A method as recited in claim 1, further comprising determining whether said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element by performing at least one step selected from among the group of steps consisting of:
    - (1) comparing a stored clearance level for said requestor with a stored protection level for said element;
      
      (2) determining whether a stored NTK for said requestor includes performing said desired operation on said element;
      
      (3) determining whether a stored NTK for said element includes performance of said operation by said requestor;
      
      (4) receiving from said requestor at least one credential set of indicia, said credential set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requester, and comparing said credential set of indicia with at least one set of stored credential indicia;
      
      (5) determining whether a time of submission of said request falls within a stored time period in which submission of a request for said desired operation on said element is acceptable; and
      
      (6) determining whether a time at which performance of said operation is requested falls within a stored period of time which is acceptable for said desired operation on said element.
  - 8. A method as recited in claim 1, wherein said desired operation is selected from among the group consisting of a read operation, a write operation, a subscribe operation and a publish operation.
  - 9. A method as recited in claim 1, wherein if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element, said domain issues a token for said requestor, and said method further comprises receiving said token.
  - 10. A method as recited in claim 1, further comprising creating said first agent prior to said enabling said first agent.
  - 11. A method as recited in claim 1, wherein said method comprises making a single access control decision within said local domain, either granting or denying said request.
  - 12. A method as recited in claim 1, wherein no application which is not an agent can access protected data within said local domain.
  - 13. A method as recited in claim 1, wherein no application which is not an agent can perform any operation on protected data within said local domain.
  - 14. A method as recited in claim 1, wherein each application within said local domain can access location information regarding only other applications within said local domain, and only through a secure name server within said local domain.
  - 15. A method as recited in claim 1, wherein the only communication between any application in said local domain and any application in said second domains travels between an access request handling application within said first domain and an access request handling application within said second domain.
  - 16. A method as recited in claim 1, wherein said request must be completely granted before said requestor is given access to any of said elements within said target.
  - 17. A method as recited in claim 1, wherein no location information of any element is passed from said local domain to said second domain or from said second domain to said local domain.
  - 226. A method as recited in claim 1, wherein said method is computer-implemented.
  - 233. A computer-readable medium comprising computer instructions which, when executed by a computer, perform a method as recited in claim 1.
  - 236. A processor on which is stored software for carrying out a method as recited in claim 1.

18. A method of processing a request from a requestor, comprising:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said target;
  
  (a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent; and
  
  if said local domain does not contain all of said at least one element in said target;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain.
- View Dependent Claims (227, 234, 237)
- - 227. A method as recited in claim 18, wherein said method is computer-implemented.
  - 234. A computer-readable medium comprising computer instructions which, when executed by a computer, perform a method as recited in claim 18.
  - 237. A processor on which is stored software for carrying out a method as recited in claim 18.

19-34. -34. (canceled)

35. A method of processing a request from a requester, comprising:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said requested target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said at least one element;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain does not contain a rule for each element in said local domain indicating that said requestor is authorized to perform said desired operation on said at least one element contained in said local domain;
  
  (a) denying said request;
  
  (2) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said element contained in said local domain;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (b) transmitting said second request to a second domain;
  
  (c) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (d) if said second domain contains all of said at least one element in said secondary target;
  
  (1) if said second domain contains a rule for each said element in said secondary target indicating that said requestor is authorized to perform said desired operation on each said element in said secondary target;
  
  (a) enabling said second domain agent to access all elements which are both (i) contained in said requested target and (ii) contained in said second domain;
  
  (b) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (c) enabling said local domain agent to;
  
  (i) access any elements which are both contained in said requested target and contained in said local domain; and
  
  (ii) access, via said second domain agent, all elements which are both contained in said requested target and contained in said second domain; and
  
  (d) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains none of said at least one element in said target;
  
  (1) creating a second request, said second request comprising (a) said at least one desired operation set of indicia and (b) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are contained in said target; and
  
  (2) transmitting said second request to a second domain;
  
  (3) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (4) if said second domain contains all of said at least one element in said secondary target;
  
  (a) if said second domain contains a rule for each said element in said secondary target indicating that said requester is authorized to perform said desired operation on each said element in said secondary target;
  
  (1) enabling said second domain agent to access all elements which are contained in said requested target;
  
  (2) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (3) enabling said local domain agent to access, via said second domain agent, all elements which are contained in said second domain; and
  
  (4) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (b) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (1) denying said request.
- View Dependent Claims (228)
- - 228. A method as recited in claim 35, wherein said method is computer-implemented.

36-58. -58. (canceled)

59. A method of processing a request from a requester, comprising:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said requested target and said local domain contains a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  if said local domain contains all of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) denying said request;
  
  if said local domain does not contain all of said at least one element in said requested target;
  
  (a) if said local domain contains at least one of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  otherwise;
  
  (b) creating a current request, said current request comprising (1) said at least one desired operation set of indicia, and (2) a current target identification set of indicia comprising a set of indicia which is representative of a current target set, said current target set comprising all elements which are both (i) contained in said requested target and (ii) not contained in said local domain; and
  
  (c) transmitting said current request to a next domain, said next domain comprising at least one processor;
  
  if said request has not been denied, repeating a sub-routine comprising;
  
  (1) determining whether said next domain contains all elements in said current target set;
  
  (2) if said next domain contains all of said elements in said current target set and said next domain does not contain a rule for each element in said current target set indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  (3) if said next domain contains all of said elements in said current target set and said next domain contains a rule for each element in said current target set indicating that said requester is authorized to perform said desired operation on said element;
  
  (a) enabling a first non-local agent to access said elements in said current target set, (b) transmitting to a next prior domain a first non-local agent location set of indicia, said first non-local agent location set of indicia enabling a next prior domain agent to access said first non-local agent;
  
  (c) unless said next non-local agent location set of indicia has reached said local domain, repeating a step of;
  
  (i) enabling said next prior domain agent to access any elements which are both contained in said requested target and contained in said next prior domain; and
  
  (ii) transmitting to said next prior domain a next non-local agent location set of indicia, said next non-local agent location set of indicia enabling said next prior domain agent to access said next non-local agent;
  
  until said next non-local agent location set of indicia reaches said local domain; and
  
  (d) enabling said local domain agent to access any elements which are both contained in said requested target and contained in said local domain; and
  
  transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (4) if said next domain contains at least one of said elements in said current target set and said next domain does not contain a rule for each element in said next domain and in said current target set indicating that said requestor is authorized to perform said desired operation on said element in said next domain and in said current target set, denying said request;
  
  otherwise;
  
  (5) if said next domain does not contain all of said elements in said current target set;
  
  (a) creating a next request, said next request comprising (1) said at least one desired operation set of indicia, and (2) a new current target identification set of indicia comprising a set of indicia which is representative of a new current target set, said new current target set comprising all elements which were (i) contained in said requested target, (ii) not contained in said local domain, and (iii) not contained in any domain to which a current request has been transmitted; and
  
  (b) transmitting said next request to a next domain, until (1) a non-local agent location set of indicia is transmitted to said local domain agent, or (2) said repeating of said sub-routine is terminated.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 229)
- - 60. A method as recited in claim 59, further comprising:
    - determining whether policy rules in said local domain currently contain at least one rule which grants permission to said requester to perform said desired operation on any of said elements in said target and contained in said local domain; and
      
      for each next domain, determining whether policy rules in said next domain currently contain at least one rule which grants permission to said requestor to perform said desired operation on any of said elements in said target and contained in said next domain.
  - 61. A method as recited in claim 59, further comprising determining whether said local domain contains a rule for each element in said target which is contained in said local domain indicating that said requestor is authorized to perform said desired operation on said element in said target which is contained in said local domain by performing at least one step selected from among the group of steps consisting of:
    - (1) comparing a stored clearance level for said requestor with a stored protection level for said element in said target which is contained in said local domain;
      
      (2) determining whether a stored NTK for said requestor includes performing said operation on said element in said target which is contained in said local domain;
      
      (3) determining whether a stored NTK for said element in said target which is contained in said local domain includes performance of said desired operation by said requestor;
      
      (4) receiving at least one credential set of indicia, said credential set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor, and comparing said credential set of indicia with at least one set of stored credential indicia;
      
      (5) determining whether a time of submission of said request falls within a stored time period in which submission of a request for said desired operation on said element in said target which is contained in said local domain is acceptable;
      
      (6) determining whether a time at which performance of said operation is requested falls within a stored period of time which is acceptable for said desired operation on said element in said target which is contained in said local domain; and
      
      for each said next domain, determining whether said next domain contains a rule for each element in said target which is contained in said next domain indicating that said requestor is authorized to perform said desired operation on said element in said target which is contained in said next domain by performing at least one step selected from among the group of steps consisting of;
      
      (1) comparing a stored clearance level for said requestor with a stored protection level for said element in said target which is contained in said next domain;
      
      (2) determining whether a stored NTK for said requestor includes performing said desired operation on said element in said target which is contained in said next domain;
      
      (3) determining whether a stored NTK for said element in said target which is contained in said next domain includes performance of said desired operation by said requestor;
      
      (4) receiving at least one credential set of indicia, said credential set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor, and comparing said credential set of indicia with at least one set of stored credential indicia;
      
      (5) determining whether a time of submission of said request falls within a stored time period in which submission of a request for said desired operation on said element in said target which is contained in said next domain is acceptable; and
      
      (6) determining whether a time at which performance of said operation is requested falls within a stored period of time which is acceptable for said desired operation on said element in said target which is contained in said next domain.
  - 62. A method as recited in claim 59, wherein said method comprises making a single access control decision across said local and next domains, either granting or denying said request.
  - 63. A method as recited in claim 62, wherein said local domain has its own security policies pertaining to elements contained within said local domain, and each said next domain has its own security policies pertaining to elements contained within said second domain.
  - 64. A method as recited in claim 63, wherein policy decisions regarding elements in said local domain are made within said local domain, and policy decisions regarding elements in each said next domain are made within said next domain.
  - 65. A method as recited in claim 59, wherein no application which is not an agent can access protected data within any of said domains.
  - 66. A method as recited in claim 59, wherein no application which is not an agent can perform any operation on protected data within any of said domains.
  - 67. A method as recited in claim 59, wherein each application within said local domain can access location information regarding only other applications within said local domain, and only through a secure name server within said local domain, and each application within any said next domain can access location information regarding only other applications within said next domain, and only through a secure name server within said next domain.
  - 68. A method as recited in claim 59, wherein the only communication between any application in one of said domains and any application in any other one of said domains travels between an access request handling application within said one domain and an access request handling application within said other domain.
  - 69. A method as recited in claim 59, wherein said request must be completely granted before said requestor is given access to any of said elements within said target.
  - 70. A method as recited in claim 59, wherein no location information of any element is passed from any one of said domains to any other of said domains.
  - 71. A method as recited in claim 59, wherein said sub-routine is terminated when said local domain receives a current request.
  - 72. A method as recited in claim 59, wherein said desired operation is a pull operation, and wherein a plurality of current requests are transmitted in sequence to a plurality of domains, and wherein said method further comprises for each element contained in a domain other than said local domain, transmitting an element representation, from a non-local agent in a domain in which said element is contained, to an agent in a domain which is a next prior domain in said sequence, each said element representation comprising indicia representative of said element, until all of said element representations reach said local domain, and then transmitting from said local agent to said requestor all of said element representations and indicia representative of any elements contained in said local domain.
  - 73. A method as recited in claim 59, wherein said desired operation is a push operation, and wherein a plurality of current requests are transmitted in sequence to a plurality of domains, and wherein said method further comprises transferring element representations corresponding to each said element from said requestor to an agent in said local domain, performing said push operation on any elements in said local domain, transferring element representations for each said element other than any said element in said local domain through a sequence of at least one non-local agent, each said non-local agent being contained in a non-local domain, each said element representation being passed through at least a portion of said sequence of at least one non-local agent until it reaches a non-local agent in a non-local domain in which said corresponding element is contained and said push operation is performed on said element.
  - 229. A method as recited in claim 59, wherein said method is computer-implemented.

74-88. -88. (canceled)

89. A method of processing a request from a requester, comprising:
- receiving from a requestor a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request; and
  
  if said local domain does not contain all of said at least one element in said target;
  
  (a) denying said request.
- View Dependent Claims (230)
- - 230. A method as recited in claim 89, wherein said method is computer-implemented.

90-96. -96. (canceled)

97. A method of transmitting at least one set of indicia representative of information from a first domain to a second domain comprising:
- transmitting at least one set of indicia representative of information from a first virtual address in a first domain to a second virtual address in said first domain, said first domain comprising at least a first processor, and then transmitting said set of indicia representative of information from said second virtual address in said first domain to a second domain via a first physical address in said first domain, said second domain comprising at least a second processor.
- View Dependent Claims (98, 99, 100, 235, 238)
- - 98. A method as recited in claim 97, further comprising terminating said first virtual address and said second virtual address after said transmitting.
  - 99. A method as recited in claim 97, wherein said second domain receives said set of indicia representative of information at a first virtual address in said second domain via a first physical address in said second domain.
  - 100. A method as recited in claim 97, wherein said second domain receives said set of indicia representative of information at a first virtual address in said second domain via a first physical address in said second domain and passes said set of indicia representative of information from said first virtual address in said second domain to a second virtual address in said second domain.
  - 235. A computer-readable medium comprising computer instructions which, when executed by a computer, perform a method as recited in claim 97.
  - 238. A processor on which is stored software for carrying out a method as recited in claim 97.

101. A method comprising determining whether a requestor is authorized to perform a desired operation on a target comprising at least one element, said element comprising an information set of indicia, by:
- (1) comparing a stored clearance level for said requestor with a stored protection level for said element;
  
  (2) performing at least one step selected from among (a) determining whether a stored NTK for said requestor includes performing said desired operation on said at least one element and (b) determining whether a stored NTK for said element includes performance of said desired operation by said requester; and
  
  (3) receiving from said requestor at least one credential set of indicia, said credential set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor, and comparing said credential set of indicia with at least one set of stored credential indicia for said requestor.
- View Dependent Claims (231)
- - 231. A method as recited in claim 101, wherein said method is computer-implemented.

102-105. -105. (canceled)

106. A method of processing a request from a requestor, comprising:
- receiving from a requestor a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  enabling an agent in a first domain to access said at least one element in said first domain to perform said desired operation, and transmitting to said requestor a first domain agent location set of indicia, said first domain agent location set of indicia representing a location of said first domain agent;
  
  wherein no application which is not an agent can access protected data within said first domain.
- View Dependent Claims (232)
- - 232. A method as recited in claim 106, wherein said method is computer-implemented.

107-116. -116. (canceled)

117. An apparatus for processing a request from a requester, comprising:
- means for receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  means for carrying out the following;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said at least one element in said target;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request.

118-127. -127. (canceled)

128. An apparatus for processing a request from a requestor, comprising:
- means for receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  means for carrying out the following;
  
  if said local domain contains all of said at least one element in said target;
  
  (a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent; and
  
  if said local domain does not contain all of said at least one element in said target;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain.

129-138. -138. (canceled)

139. An apparatus for processing a request from a requestor, comprising:
- means for receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  means for carrying out the following;
  
  if said local domain contains all of said at least one element in said requested target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said at least one element;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain does not contain a rule for each element in said local domain indicating that said requestor is authorized to perform said desired operation on said at least one element contained in said local domain;
  
  (a) denying said request;
  
  (2) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said element contained in said local domain;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (b) transmitting said second request to a second domain;
  
  (c) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (d) if said second domain contains all of said at least one element in said secondary target;
  
  (1) if said second domain contains a rule for each said element in said secondary target indicating that said requestor is authorized to perform said desired operation on each said element in said secondary target;
  
  (a) enabling said second domain agent to access all elements which are both (i) contained in said requested target and (ii) contained in said second domain;
  
  10 (b) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (c) enabling said local domain agent to;
  
  (i) access any elements which are both contained in said requested target and contained in said local domain; and
  
  (ii) access, via said second domain agent, all elements which are both contained in said requested target and contained in said second domain; and
  
  (d) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains none of said at least one element in said target;
  
  (1) creating a second request, said second request comprising (a) said at least one desired operation set of indicia and (b) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are contained in said target; and
  
  (2) transmitting said second request to a second domain;
  
  (3) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (4) if said second domain contains all of said at least one element in said secondary target;
  
  (a) if said second domain contains a rule for each said element in said secondary target indicating that said requestor is authorized to perform said desired operation on each said element in said secondary target;
  
  (1) enabling said second domain agent to access all elements which are contained in said requested target;
  
  (2) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (3) enabling said local domain agent to access, via said second domain agent, all elements which are contained in said second domain; and
  
  (4) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (b) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (1) denying said request.

140-157. -157. (canceled)

158. An apparatus for processing a request from a requestor, comprising:
- means for receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  means for carrying out the following;
  
  if said local domain contains all of said at least one element in said requested target and said local domain contains a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  if said local domain contains all of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) denying said request;
  
  if said local domain does not contain all of said at least one element in said requested target;
  
  (a) if said local domain contains at least one of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  otherwise;
  
  (b) creating a current request, said current request comprising (1) said at least one desired operation set of indicia, and (2) a current target identification set of indicia comprising a set of indicia which is representative of a current target set, said current target set comprising all elements which are both (i) contained in said requested target and (ii) not contained in said local domain; and
  
  (c) transmitting said current request to a next domain, said next domain comprising at least one processor;
  
  if said request has not been denied, repeating a sub-routine comprising;
  
  (1) determining whether said next domain contains all elements in said current target set;
  
  (2) if said next domain contains all of said elements in said current target set and said next domain does not contain a rule for each element in said current target set indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  (3) if said next domain contains all of said elements in said current target set and said next domain contains a rule for each element in said current target set indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a first non-local agent to access said elements in said current target set, (b) transmitting to a next prior domain a first non-local agent location set of indicia, said first non-local agent location set of indicia enabling a next prior domain agent to access said first non-local agent;
  
  (c) unless said next non-local agent location set of indicia has reached said local domain, repeating a step of;
  
  (i) enabling said next prior domain agent to access any elements which are both contained in said requested target and contained in said next prior domain; and
  
  (ii) transmitting to said next prior domain a next non-local agent location set of indicia, said next non-local agent location set of indicia enabling said next prior domain agent to access said next non-local agent;
  
  until said next non-local agent location set of indicia reaches said local domain; and
  
  (d) enabling said local domain agent to access any elements which are both contained in said requested target and contained in said local domain; and
  
  transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (4) if said next domain contains at least one of said elements in said current target set and said next domain does not contain a rule for each element in said next domain and in said current target set indicating that said requestor is authorized to perform said desired operation on said element in said next domain and in said current target set, denying said request;
  
  otherwise;
  
  (5) if said next domain does not contain all of said elements in said current target set;
  
  (a) creating a next request, said next request comprising (1) said at least one desired operation set of indicia, and (2) a new current target identification set of indicia comprising a set of indicia which is representative of a new current target set, said new current target set comprising all elements which were (i) contained in said requested target, (ii) not contained in said local domain, and (iii) not contained in any domain to which a current request has been transmitted; and
  
  (b) transmitting said next request to a next domain, until (1) a non-local agent location set of indicia is transmitted to said local domain agent, or (2) said repeating of said sub-routine is terminated.

159-183. -183. (canceled)

184. An apparatus for processing a request from a requester, comprising:
- means for receiving from a requestor a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  means for carrying out the following;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request; and
  
  if said local domain does not contain all of said at least one element in said target;
  
  (a) denying said request.

185-190. -190. (canceled)

191. An apparatus for transmitting at least one set of indicia representative of information from a first domain to a second domain comprising:
- means for transmitting at least one set of indicia representative of information from a first virtual address in a first domain to a second virtual address in said first domain, said first domain comprising at least a first processor, and then transmitting said set of indicia representative of information from said second virtual address in said first domain to a second domain via a first physical address in said first domain, said second domain comprising at least a second processor.

192-194. -194. (canceled)

195. An apparatus for determining whether a requestor is authorized to perform a desired operation on a target comprising at least one element, said element comprising an information set of indicia, comprising:
- (1) means for comparing a stored clearance level for said requestor with a stored protection level for said element;
  
  (2) means for performing at least one step selected from among (a) determining whether a stored NTK for said requestor includes performing said desired operation on said at least one element and (b) determining whether a stored NTK for said element includes performance of said desired operation by said requester; and
  
  (3) means for receiving from said requestor at least one credential set of indicia, said credential set of indicia comprising indicia selected from the group consisting of indicia input by the requestor and indicia derived from the requestor, and comparing said credential set of indicia with at least one set of stored credential indicia for said requestor.

196-198. -198. (canceled)

199. An apparatus for processing a request from a requestor, comprising:
- means for receiving from a requester a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  means for enabling an agent in a first domain to access said at least one element in said first domain to perform said desired operation, and means for transmitting to said requestor a first domain agent location set of indicia, said first domain agent location set of indicia representing a location of said first domain agent;
  
  wherein no application which is not an agent can access protected data within said first domain.

200-208. -208. (canceled)

209. A computer-readable medium having computer-executable commands for performing the following:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requester is authorized to perform said desired operation on said element;
  
  (a) enabling a first agent to access said at least one element to perform said desired operation, and (b) transmitting to said requester a first agent location set of indicia, said first agent location set of indicia enabling said requestor to access said first agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each said element contained in said local domain indicating that said requester is authorized to perform said desired operation on said at least one element in said target;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request.

210. (canceled)

211. A computer-readable medium having computer-executable commands for performing the following:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said requested target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requester a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said at least one element;
  
  (a) denying said request;
  
  if said local domain contains at least one element in said target but does not contain all of said at least one element in said target;
  
  (1) if said local domain does not contain a rule for each element in said local domain indicating that said requester is authorized to perform said desired operation on said at least one element contained in said local domain;
  
  (a) denying said request;
  
  (2) if said local domain contains a rule for each said element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said element contained in said local domain;
  
  (a) creating a second request, said second request comprising (1) said at least one desired operation set of indicia and (2) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are both (i) contained in said target and (ii) not contained in said local domain; and
  
  (b) transmitting said second request to a second domain;
  
  (c) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (d) if said second domain contains all of said at least one element in said secondary target;
  
  (1) if said second domain contains a rule for each said element in said secondary target indicating that said requestor is authorized to perform said desired operation on each said element in said secondary target;
  
  (a) enabling said second domain agent to access all elements which are both (i) contained in said requested target and (ii) contained in said second domain;
  
  (b) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (c) enabling said local domain agent to;
  
  (i) access any elements which are both contained in said requested target and contained in said local domain; and
  
  (ii) access, via said second domain agent, all elements which are both contained in said requested target and contained in said second domain; and
  
  (d) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request;
  
  if said local domain contains none of said at least one element in said target;
  
  (1) creating a second request, said second request comprising (a) said at least one desired operation set of indicia and (b) a secondary target identification set of indicia comprising a set of indicia which is representative of all elements which are contained in said target; and
  
  (2) transmitting said second request to a second domain;
  
  (3) determining whether said second domain contains all of said at least one element in said secondary target, said second domain comprising at least one processor;
  
  (4) if said second domain contains all of said at least one element in said secondary target;
  
  (a) if said second domain contains a rule for each said element in said secondary target indicating that said requestor is authorized to perform said desired operation on each said element in said secondary target;
  
  (1) enabling said second domain agent to access all elements which are contained in said requested target;
  
  (2) transmitting to said local domain a second domain agent location set of indicia, said second domain agent location set of indicia enabling a local domain agent to access said second domain agent;
  
  (3) enabling said local domain agent to access, via said second domain agent, all elements which are contained in said second domain; and
  
  (4) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (b) if said local domain does not contain a rule for each element contained in said local domain indicating that said requestor is authorized to perform said desired operation on said target;
  
  (1) denying said request.

212. (canceled)

213. A computer-readable medium having computer-executable commands for performing the following:
- receiving from a requestor a first request comprising at least one desired operation set of indicia and a requested target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, said requested target identification set of indicia comprising a set of indicia which is representative of a requested target, said requested target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said requested target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said requested target and said local domain contains a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requester a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  if said local domain contains all of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) denying said request;
  
  if said local domain does not contain all of said at least one element in said requested target;
  
  (a) if said local domain contains at least one of said at least one element in said requested target and said local domain does not contain a rule for each element in said requested target indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  otherwise;
  
  (b) creating a current request, said current request comprising (1) said at least one desired operation set of indicia, and (2) a current target identification set of indicia comprising a set of indicia which is representative of a current target set, said current target set comprising all elements which are both (i) contained in said requested target and (ii) not contained in said local domain; and
  
  (c) transmitting said current request to a next domain, said next domain comprising at least one processor;
  
  if said request has not been denied, repeating a sub-routine comprising;
  
  (1) determining whether said next domain contains all elements in said current target set;
  
  (2) if said next domain contains all of said elements in said current target set and said next domain does not contain a rule for each element in said current target set indicating that said requestor is authorized to perform said desired operation on said element, denying said request;
  
  (3) if said next domain contains all of said elements in said current target set and said next domain contains a rule for each element in said current target set indicating that said requestor is authorized to perform said desired operation on said element;
  
  (a) enabling a first non-local agent to access said elements in said current target set, (b) transmitting to a next prior domain a first non-local agent location set of indicia, said first non-local agent location set of indicia enabling a next prior domain agent to access said first non-local agent;
  
  (c) unless said next non-local agent location set of indicia has reached said local domain, repeating a step of;
  
  (i) enabling said next prior domain agent to access any elements which are both contained in said requested target and contained in said next prior domain; and
  
  (ii) transmitting to said next prior domain a next non-local agent location set of indicia, said next non-local agent location set of indicia enabling said next prior domain agent to access said next non-local agent;
  
  until said next non-local agent location set of indicia reaches said local domain; and
  
  (d) enabling said local domain agent to access any elements which are both contained in said requested target and contained in said local domain; and
  
  transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requestor to access said local domain agent;
  
  (4) if said next domain contains at least one of said elements in said current target set and said next domain does not contain a rule for each element in said next domain and in said current target set indicating that said requester is authorized to perform said desired operation on said element in said next domain and in said current target set, denying said request;
  
  otherwise;
  
  (5) if said next domain does not contain all of said elements in said current target set;
  
  (a) creating a next request, said next request comprising (1) said at least one desired operation set of indicia, and (2) a new current target identification set of indicia comprising a set of indicia which is representative of a new current target set, said new current target set comprising all elements which were (i) contained in said requested target, (ii) not contained in said local domain, and (iii) not contained in any domain to which a current request has been transmitted; and
  
  (b) transmitting said next request to a next domain, until (1) a non-local agent location set of indicia is transmitted to said local domain agent, or (2) said repeating of said sub-routine is terminated.

214. (canceled)

215. A computer-readable medium having computer-executable commands for performing the following:
- receiving from a requestor a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, said target comprising at least one element, said element comprising an information set of indicia, said information set of indicia being representative of information;
  
  determining whether a local domain contains all of said at least one element in said target, said local domain comprising at least one processor;
  
  if said local domain contains all of said at least one element in said target;
  
  (1) if said local domain contains a rule for each element in said target indicating that said requester is authorized to perform said desired operation on said element;
  
  (a) enabling a local domain agent to access said at least one element to perform said desired operation, and (b) transmitting to said requestor a local domain agent location set of indicia, said local domain agent location set of indicia enabling said requester to access said local domain agent;
  
  (2) if said local domain does not contain a rule for each element in said target indicating that said requestor is authorized to perform said desired operation on said target;
  
  (a) denying said request; and
  
  if said local domain does not contain all of said at least one element in said target;
  
  (a) denying said request.

216. A computer-readable medium having computer-executable commands for performing the following:
- transmitting at least one set of indicia representative of information from a first virtual address in a first domain to a second virtual address in said first domain, said first domain comprising at least a first processor, and then transmitting said set of indicia representative of information from said second virtual address in said first domain to a second domain via a first physical address in said first domain, said second domain comprising at least a second processor.

217-220. -220. (canceled)

221. A method of processing a request from a requestor, comprising:
- receiving from a requestor a request comprising at least one desired operation set of indicia and at least one target identification set of indicia, said desired operation set of indicia comprising a set of indicia which is representative of at least one desired operation, each said target identification set of indicia comprising a set of indicia which is representative of a target, determining whether to deny said request by comparing combinations of indicia in said request with allowable combinations of indicia stored in at least one bitmap.
- View Dependent Claims (222)
- - 222. A method as recited in claim 221, wherein said bitmap contains indicia selected from among users, protection levels, operations, targets and NTK.

223. An arrangement of stored data, comprising:
- at least one data storage structure, said data storage structure comprising a bitmap containing allowable combinations of indicia for use in determining whether to deny a request for a user to perform an operation on a target.
- View Dependent Claims (224, 225)
- - 224. An arrangement of stored data as recited in claim 223, wherein said indicia is selected from among users, protection levels, operations, targets, NTK, roles, clearance levels and credentials.
  - 225. An arrangement of stored data as recited in claim 223, wherein said indicia correspond to at least one rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sensis Pty Limited (Telstra Group Ltd.)
Original Assignee
Sensis Pty Limited (Telstra Group Ltd.)
Inventors
Kuecuekyan, Horen

Application Number

US11/584,800
Publication Number

US 20070136603A1
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6236   between heterogeneous systems

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and apparatus for providing secure access control for protected information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

250 Citations

238 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing secure access control for protected information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

238 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links