METHOD AND SYSTEM FOR CONTROLLING DATA ACCESS TO ORGANIZATIONAL DATA MAINTAINED IN HIERARCHICAL
First Claim
Patent Images
1. A method of controlling access to information in an organization in response to requests for information, comprising:
- structuring organizational data of the organization into domains, wherein the domains contain charts, metadata, security roles, and role assignment rules, and wherein the charts comprise containers for subsets of the organizational data;
structuring the organizational data within a chart in accordance with a hierarchical relationship of entities in the organization, wherein each entity of the organization is represented as a box in the chart, and other related entities are linked to the box;
defining users identified by authentication credentials through one of;
a static definition, and user information received from an external source with each request;
mapping user records to corresponding principal boxes in the charts using chart user ID values that are defined in user records;
defining roles using structural and box-level conditions, wherein a role defines a record-level and field-level data access control configuration;
statically granting the roles to the users by explicitly configuring a link between a user record and a corresponding role; and
defining role assignment rules to dynamically grant roles to a requesting user by identifying principal boxes for the users within a chart, and running the role assignment rules on the identified principal boxes.
12 Assignments
0 Petitions
Accused Products
Abstract
Embodiments are described for a system and method of controlling access to information in an organization by defining a hierarchical organizational structure of boxes, and security configuration comprising user records, security roles, rules to map users to boxes, and rules to grant roles to users via mapped boxes. Access control is applied in the context of a defined organizational structure using the effective set of access control policies computed in real time per each data access request from any given user.
59 Citations
16 Claims
-
1. A method of controlling access to information in an organization in response to requests for information, comprising:
-
structuring organizational data of the organization into domains, wherein the domains contain charts, metadata, security roles, and role assignment rules, and wherein the charts comprise containers for subsets of the organizational data; structuring the organizational data within a chart in accordance with a hierarchical relationship of entities in the organization, wherein each entity of the organization is represented as a box in the chart, and other related entities are linked to the box; defining users identified by authentication credentials through one of;
a static definition, and user information received from an external source with each request;mapping user records to corresponding principal boxes in the charts using chart user ID values that are defined in user records; defining roles using structural and box-level conditions, wherein a role defines a record-level and field-level data access control configuration; statically granting the roles to the users by explicitly configuring a link between a user record and a corresponding role; and defining role assignment rules to dynamically grant roles to a requesting user by identifying principal boxes for the users within a chart, and running the role assignment rules on the identified principal boxes. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system to manage access to information in an organization, comprising:
-
a component storing data records relating to resources in the organization; a graphical user interface (GUI) component defining and displaying a hierarchical relationship of the resources, wherein each resource is represented as a box in an organization chart of the organization; a configuration component defining users and other security configurations for the organization; and a data access component capable of recomputing effective policies and plurality of available boxes and fields in real time in response to a request by a requesting user. - View Dependent Claims (13, 14, 15, 16)
-
Specification