SECURITY SENSITIVE DATA FLOW ANALYSIS

US 20110231317A1
Filed: 03/19/2010
Published: 09/22/2011
Est. Priority Date: 03/19/2010
Status: Abandoned Application

First Claim

Patent Images

1. A computer readable storage medium having computer readable instructions tangibly stored thereon which when executed by the computer, cause the computer to perform a method for security-aware data flow analysis, the method comprising:

receiving a delegation request from a first user to delegate a task to a second user;

allocating permission to the second user to perform the task if no organizational policies are violated;

retrieving data used in the task via a data to task association;

retrieving one or more data to role mappings of the data used in the task and one or more permissions associated with the one or more data to role mappings of the data used in the task; and

determining if access to the data used in the task can be granted to the second user based on the one or more data to role mappings of the data used in the task and the one or more permissions associated with the one or more data role to mappings of the data used in the task; and

granting access to the data used in the task to the second user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for security-aware data flow analysis are described. In various embodiments, a system analyses relationships between users, roles, tasks, and data objects, and permissions set thereon and grants access to users to specific data objects or data fields. In various embodiments, a method for creating an authorization matrix for data used in business processes is described. The method includes analyzing organizational policies associated with functional requirements and granting access to data to users if organizational policies are complied with.

23 Citations

View as Search Results

20 Claims

1. A computer readable storage medium having computer readable instructions tangibly stored thereon which when executed by the computer, cause the computer to perform a method for security-aware data flow analysis, the method comprising:
- receiving a delegation request from a first user to delegate a task to a second user;
  
  allocating permission to the second user to perform the task if no organizational policies are violated;
  
  retrieving data used in the task via a data to task association;
  
  retrieving one or more data to role mappings of the data used in the task and one or more permissions associated with the one or more data to role mappings of the data used in the task; and
  
  determining if access to the data used in the task can be granted to the second user based on the one or more data to role mappings of the data used in the task and the one or more permissions associated with the one or more data role to mappings of the data used in the task; and
  
  granting access to the data used in the task to the second user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer readable storage medium of claim 1, wherein allocating permission to the second user to perform the task comprises:
    - retrieving one or more user to role mappings and one or more task to role assignments for the task;
      
      determining if the first user has permission to delegate the task to the second user; and
      
      determining if the delegation request can be granted based on permissions associated with the one or more user to role mappings and the task to role assignments.
  - 3. The computer readable storage medium of claim 2, wherein the method further comprises notifying the second user that the task is available.
  - 4. The computer readable storage medium of claim 1, wherein determining if access to the data used in the task can be granted to the second user comprises:
    - determining a role the second user is a member of via one or more user to role mappings; and
      
      determining if the role the second used is a member of is in the one or more data to role mappings of the data used in the task.
  - 5. The computer readable storage medium of claim 1, wherein granting access to the data used in the task to the second user comprises determining access rights for the second user for one or more data fields of the data used in the task.
  - 6. The computer readable storage medium of claim 5, wherein determining access rights for the second user for the one or more data fields of the data used in the task comprises:
    - determining one or more permissions associated with the one or more data fields of the data used in the task;
      
      determining one or more roles associated with the one or more permissions associated with the one or more data fields of the data used in the task; and
      
      granting access to the one or more data fields of the data used in the task to the second user if a role the second user is a member of is in the one or more roles associated with the one or more permissions associated with the one or more data fields.

7. A computerized system including a processor, the processor communicating with one or more memory devices storing instructions, the instructions comprising:
- an authorization control module operable to create an authorization matrix for one or more data fields of one or more data objects;
  
  a user engine operable to send user data to the authorization control module;
  
  a data engine operable to send the one or more data objects to the authorization control module; and
  
  a workflow engine operable to send authorization information to the authorization control module.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computerized system of claim 7, wherein the data engine is further operable to retrieve the one or more data objects from one or more databases.
  - 9. The computerized system of claim 7, wherein the user engine is further operable to retrieve user data from one or more databases.
  - 10. The computerized system of claim 7, wherein the user engine is further operable to maintain one or more user to role assignments.
  - 11. The computerized system of claim 7, wherein the workflow engine is further operable to maintain one or more data access rules and one or more task to role assignments.
  - 12. The computerized system of claim 7, wherein the authorization control module is further operable to grant access to the one or more data objects to one or more users based on one or more organizational policies received from the workflow engine.
  - 13. The computerized system of claim 7, further comprising a user interface operable to render graphical representations of the user data, the one or more data objects, and one or more business process elements the user data and the one or more data objects are associated with.

14. A computerized method, comprising:
- retrieving one or more user data of a business process;
  
  retrieving one or more roles mapped to the one or more user data;
  
  retrieving one or more data objects mapped to the one or more roles; and
  
  analyzing one or more mappings between the one or more user data, the one or more roles, and the one or more data objects to determine if a first user can be granted access to the one or more data objects.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computerized method of claim 14, further comprising determining if the first user can delegate one or more tasks to a second user.
  - 16. The computerized method of claim 14, wherein retrieving the one or more user data comprises:
    - retrieving one or more user to role mappings associated with the business process; and
      
      retrieving one or more task to role mappings associated with the business process;
      
      retrieving one or more permissions associated with the one or more user to role mappings and the one or more task to role mappings; and
      
      determining one or more users to be able to perform one or more tasks based on the one or more permissions associated with the one or more user to role mappings and the one or more task to role mappings.
  - 17. The computerized method of claim 14, wherein retrieving the one or more data objects comprises:
    - receiving one or more tasks mapped to the one or more roles;
      
      receiving a mapping of the one or more tasks to the one or more data objects; and
      
      identifying the one or more data objects via the mapping of the one or more tasks to the one or more data objects.
  - 18. The computerized method of claim 14, further comprising:
    - receiving a mapping of the first user to the one or more roles;
      
      determining if the first user is a member of a role mapped to one or more tasks associated with the one or more data objects.
  - 19. The computerized method of claim 14, wherein analyzing the one or more mappings between the one or more user data, the one or more roles, and the one or more data objects to determine if the first user can be granted access to the one or more data objects comprises analyzing one or more permissions associated with the one or more user data, the one or more roles, and the one or more data objects.
  - 20. The computerized method of claim 15, further comprising determining if the second user is a member of a role mapped to one or more tasks associated with the one or more data objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
ARSAC, WIHEM

Application Number

US12/727,270
Publication Number

US 20110231317A1
Time in Patent Office

Days
Field of Search
US Class Current

705/50
CPC Class Codes

G06F 21/556   involving covert channels, ...

G06F 21/6218   to a system of files or obj...

G06Q 10/06311   Scheduling, planning or tas...

SECURITY SENSITIVE DATA FLOW ANALYSIS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY SENSITIVE DATA FLOW ANALYSIS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links