SECURITY SENSITIVE DATA FLOW ANALYSIS
First Claim
1. A computer readable storage medium having computer readable instructions tangibly stored thereon which when executed by the computer, cause the computer to perform a method for security-aware data flow analysis, the method comprising:
- receiving a delegation request from a first user to delegate a task to a second user;
- allocating permission to the second user to perform the task if no organizational policies are violated;
- retrieving data used in the task via a data to task association;
- retrieving one or more data to role mappings of the data used in the task and one or more permissions associated with the one or more data to role mappings of the data used in the task; and
- determining if access to the data used in the task can be granted to the second user based on the one or more data to role mappings of the data used in the task and the one or more permissions associated with the one or more data role to mappings of the data used in the task; and
- granting access to the data used in the task to the second user.
Abstract
A system and method for security-aware data flow analysis are described. In various embodiments, a system analyzes relationships between users, roles, tasks, and data objects, together with the permissions set on them, and grants users access to specific data objects or data fields. In various embodiments, a method for creating an authorization matrix for data used in business processes is described. The method includes analyzing organizational policies associated with functional requirements and granting users access to data if the organizational policies are complied with.
20 Claims
7. A computerized system including a processor, the processor communicating with one or more memory devices storing instructions, the instructions comprising:
- an authorization control module operable to create an authorization matrix for one or more data fields of one or more data objects;
- a user engine operable to send user data to the authorization control module;
- a data engine operable to send the one or more data objects to the authorization control module; and
- a workflow engine operable to send authorization information to the authorization control module.
14. A computerized method, comprising:
- retrieving one or more user data of a business process;
- retrieving one or more roles mapped to the one or more user data;
- retrieving one or more data objects mapped to the one or more roles; and
- analyzing one or more mappings between the one or more user data, the one or more roles, and the one or more data objects to determine if a first user can be granted access to the one or more data objects.
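The delegation check recited in claim 1, walked through as an added Python example that is not taken from the patent. The users, roles, tasks, data fields and the separation-of-duty policy are constructed assumptions, as is the requirement that the delegator already holds the task.

```python
from dataclasses import dataclass, field

# Constructed sample model; every name below is hypothetical.
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}, "carol": {"auditor"}}
TASK_OWNERS = {"approve_invoice": {"alice"}, "audit_invoice": {"carol"}}
# Data-to-task association: which data fields a task touches.
TASK_DATA = {"approve_invoice": {"invoice.amount", "invoice.bank_account"}}
# Data-to-role mappings, each with the permissions attached to that mapping.
DATA_ROLE_PERMS = {
    "invoice.amount": {"manager": {"read", "write"}, "clerk": {"read"}},
    "invoice.bank_account": {"manager": {"read"}},
}
# Organizational policy (assumed here: separation of duty between task pairs).
CONFLICTING_TASKS = {frozenset({"approve_invoice", "audit_invoice"})}


@dataclass
class Decision:
    task_allocated: bool
    granted: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    reason: str = ""


def violates_policy(user, task):
    """True if giving `task` to `user` completes a conflicting task pair."""
    held = {t for t, owners in TASK_OWNERS.items() if user in owners}
    return any(frozenset({task, t}) in CONFLICTING_TASKS for t in held)


def delegate(first, second, task, needed="read"):
    """Evaluate one delegation request and report per-field data access."""
    if first not in TASK_OWNERS.get(task, set()):  # assumption, not in the claim
        return Decision(False, reason="delegator does not hold the task")
    if violates_policy(second, task):
        return Decision(False, reason="organizational policy violated")
    decision = Decision(True)                      # task permission allocated
    roles = USER_ROLES.get(second, set())
    for data in sorted(TASK_DATA.get(task, set())):  # data used in the task
        mappings = DATA_ROLE_PERMS.get(data, {})     # roles mapped to that data
        allowed = any(needed in mappings.get(role, set()) for role in roles)
        (decision.granted if allowed else decision.denied).add(data)
    return decision
```

A non-empty `denied` set is the case the analysis exists to surface: the task was delegated, but the delegatee's roles do not cover every data field the task uses.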
Specification