AUTHORIZED DATA ACCESS BASED ON THE RIGHTS OF A USER AND A LOCATION

US 20120266239A1
Filed: 04/18/2011
Published: 10/18/2012
Est. Priority Date: 04/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a session login request by a user from a computer;

determining user access rights of the user;

determining computer access rights of the computer;

determining session access rights as an intersection of the user access rights and the computer access rights; and

authorizing access for the session to one or more files in a repository based on applying the session access rights to file permissions of the one or more files.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to files is properly granted regardless of whether an accessing user is located at their primary location or at any “roaming” location. In particular, the techniques herein consider the user rights, rights of any computer from which the user is accessing files, and the rights associated with the files themselves, such as by determining the User ∩ Computer intersection of access rights (an overlap between rights of the user and rights of the computer), and applying these access rights to file rights (e.g., file metadata) to determine what access the user has to the files (e.g., viewing, modifying, etc.).

17 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving a session login request by a user from a computer;
  
  determining user access rights of the user;
  
  determining computer access rights of the computer;
  
  determining session access rights as an intersection of the user access rights and the computer access rights; and
  
  authorizing access for the session to one or more files in a repository based on applying the session access rights to file permissions of the one or more files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18)
- - 2. The method as in claim 1, further including storing the file permissions in metadata of the corresponding files.
  - 3. The method as in claim 1, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain each of the plurality of file permission requirements.
  - 4. The method as in claim 1, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain one or more of the plurality of file permission requirements.
  - 5. The method as in claim 1, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain at least one particular requirement of the plurality of file permission requirements and one or more other requirements of the plurality of file permission requirements.
  - 6. The method as in claim 1, wherein determining computer access rights of the computer comprises:
    - identifying the computer based on a unique address and/or PKI signature of the computer used for the session login request; and
      
      performing a lookup operation into a database to determine the computer access rights of the computer based on the unique address and/or PKI signature.
  - 7. The method according to claim 6, wherein determining access rights of the user further comprises identifying the user based upon a user session and/or PKI signature.
  - 8. The method as in claim 1, further comprising:
    - converting the intersection of the user access rights and the computer access rights into session access rights; and
      
      converting the session access rights into access claims; and
      
      relaying the access claims to the computer, wherein the access claims are used by the computer to request authorized access for the session to the one or more files in the repository.
  - 9. The method as in claim 1, wherein user access rights, computer access rights, and session access rights comprise security classification.
  - 10. The method as in claim 1, wherein user access rights, computer access rights, and session access rights comprise security caveats.
  - 11. The method as in claim 1, wherein the file permissions are defined at a system level, a file level, and/or a logic structure.
  - 12. The method as in claim 1, wherein the file permissions are represented as singletons.
  - 14. The computer-readable medium as in claim 11, wherein the file permissions are stored in metadata of the corresponding files.
  - 15. The computer-readable medium as in claim 11, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain each of the plurality of file permission requirements.
  - 16. The computer-readable medium as in claim 11, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain one or more of the plurality of file permission requirements.
  - 17. The computer-readable medium as in claim 11, wherein there are a plurality of file permission requirements within the file permissions, and wherein applying the session access rights to file permissions comprises confirming that the session access rights contain at least one particular requirement of the plurality of file permission requirements and one or more other requirements of the plurality of file permission requirements.
  - 18. The computer-readable medium as in claim 11, wherein the software when executed is further operable to:
    - convert the session access rights into access claims; and
      
      relay the access claims to the computer, wherein the access claims are used by the computer to request authorized access for the session to the one or more files in the repository.

13. A tangible, non-transitory computer-readable medium having software encoded thereon, the software when executed by a processor operable to:
- receive a session login request by a user from a computer;
  
  determine user access rights of the user;
  
  determine computer access rights of the computer;
  
  determine session access rights as an intersection of the user access rights and the computer access rights; and
  
  authorize access for the session to one or more files in a repository based on applying the session access rights to file permissions of the one or more files.

19. An apparatus, comprising:
- one or more network interfaces;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a session login request by a user from a computer;
  
  determine user access rights of the user;
  
  determine computer access rights of the computer;
  
  determine session access rights as an intersection of the user access rights and the computer access rights; and
  
  authorize access for the session to one or more files in a repository based on applying the session access rights to file permissions of the one or more files.
- View Dependent Claims (20)
- - 20. The apparatus as in claim 19, wherein the file permissions are stored in metadata of the corresponding files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Bradley, Charles B. II

Granted Patent

US 9,081,982 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

AUTHORIZED DATA ACCESS BASED ON THE RIGHTS OF A USER AND A LOCATION

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

AUTHORIZED DATA ACCESS BASED ON THE RIGHTS OF A USER AND A LOCATION

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others