METHOD AND SYSTEM FOR CONTROLLING DATA ACCESS TO ORGANIZATIONAL DATA MAINTAINED IN HIERARCHICAL

US 20130232539A1
Filed: 03/01/2012
Published: 09/05/2013
Est. Priority Date: 03/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to information in an organization in response to requests for information, comprising:

structuring organizational data of the organization into domains, wherein the domains contain charts, metadata, security roles, and role assignment rules, and wherein the charts comprise containers for subsets of the organizational data;

structuring the organizational data within a chart in accordance with a hierarchical relationship of entities in the organization, wherein each entity of the organization is represented as a box in the chart, and other related entities are linked to the box;

defining users identified by authentication credentials through one of;

a static definition, and user information received from an external source with each request;

mapping user records to corresponding principal boxes in the charts using chart user ID values that are defined in user records;

defining roles using structural and box-level conditions, wherein a role defines a record-level and field-level data access control configuration;

statically granting the roles to the users by explicitly configuring a link between a user record and a corresponding role; and

defining role assignment rules to dynamically grant roles to a requesting user by identifying principal boxes for the users within a chart, and running the role assignment rules on the identified principal boxes.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are described for a system and method of controlling access to information in an organization by defining a hierarchical organizational structure of boxes, and security configuration comprising user records, security roles, rules to map users to boxes, and rules to grant roles to users via mapped boxes. Access control is applied in the context of a defined organizational structure using the effective set of access control policies computed in real time per each data access request from any given user.

59 Citations

View as Search Results

16 Claims

1. A method of controlling access to information in an organization in response to requests for information, comprising:
- structuring organizational data of the organization into domains, wherein the domains contain charts, metadata, security roles, and role assignment rules, and wherein the charts comprise containers for subsets of the organizational data;
  
  structuring the organizational data within a chart in accordance with a hierarchical relationship of entities in the organization, wherein each entity of the organization is represented as a box in the chart, and other related entities are linked to the box;
  
  defining users identified by authentication credentials through one of;
  
  a static definition, and user information received from an external source with each request;
  
  mapping user records to corresponding principal boxes in the charts using chart user ID values that are defined in user records;
  
  defining roles using structural and box-level conditions, wherein a role defines a record-level and field-level data access control configuration;
  
  statically granting the roles to the users by explicitly configuring a link between a user record and a corresponding role; and
  
  defining role assignment rules to dynamically grant roles to a requesting user by identifying principal boxes for the users within a chart, and running the role assignment rules on the identified principal boxes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the requests for information include a request by the requesting user to access a requested box within the chart.
  - 3. The method of claim 2 wherein the data access control configuration defines a structural condition that compares the relative hierarchical position of the requested box and the principal boxes within the chart for the purposes of record-level and field-level data access control.
  - 4. The method of claim 2 wherein the data access control configuration defines a box-level condition that defines a Boolean condition to be evaluated against field values and other properties of the requested box for the purposes of record-level and field-level data access control.
  - 5. The method of claim 2 wherein the data access control configuration combines structural conditions and box-level conditions for the purposes of record-level and field-level data access control.
  - 6. The method of claim 2 further comprising:
    - copying original organizational data of the chart to random access memory to generate an optimized data structure representing a current state of that chart;
      
      recomputing in real-time, effective data access rights of the requesting user, upon a data access request from the requesting user for one or more boxes in a specific chart; and
      
      recomputing in real-time, a plurality of available boxes and their respective attributes based on the effective data access rights, upon the data access request.
  - 7. The method of claim 6 further comprising receiving and executing requests to re-organize the data in the organization chart constrained by the recomputed current access rights of the requesting user, wherein any resulting change takes immediate effect on data access rights for subsequent requests from any user.
  - 8. The method of claim 6 further comprising receiving and executing requests to change a security configuration constrained by the recomputed current access rights of the requesting user, wherein any resulting change takes immediate effect on data access rights for subsequent requests from any user, and wherein the security configuration comprises at least one of:
    - users, roles, role assignment rules, chart user IDs for a user, and a field chosen to match a chart user ID value.
  - 9. The method of claim 6 further comprising:
    - executing record-level and field-level data access control on one or more requested boxes to determine if the requested boxes as a whole and data in each of the plurality of fields of the requested boxes is allowed to be accessed by the requesting user; and
      
      returning data related to the allowed boxes and allowed fields.
  - 10. The method of claim 9, further comprising assuming values of prohibited fields to be empty for the purposes of searching, filtering and sorting, in order to prevent or reduce an ability of users to estimate prohibited field values using defined operations.
  - 11. The method of claim 1 wherein the entities of the organization comprise one of a person, position, or assignment, and wherein the organizational data comprises personnel data records used in a data management application.

12. A system to manage access to information in an organization, comprising:
- a component storing data records relating to resources in the organization;
  
  a graphical user interface (GUI) component defining and displaying a hierarchical relationship of the resources, wherein each resource is represented as a box in an organization chart of the organization;
  
  a configuration component defining users and other security configurations for the organization; and
  
  a data access component capable of recomputing effective policies and plurality of available boxes and fields in real time in response to a request by a requesting user.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 wherein the data records are used in a data management application, and wherein the resources are selected from the group consisting of:
    - people, positions, departments, and organizational entities.
  - 14. The system of claim 13 wherein each data record comprises a plurality of fields, each field of the plurality of fields containing data regarding a specific characteristic of the resource represented by a respective box in the organization chart.
  - 15. The system of claim 14 wherein the request comprises a request to access a requested box within the organization chart, the system further comprising:
    - a processing component executing field-level policies on the fields of the requested box to determine if data in each of the plurality of fields is allowed to be accessed by the requesting user; and
      
      a data transfer of the GUI returning data related to one or more fields of the requested box to the requesting user if access to the requested box is allowed, and if access is allowed to the one or more fields.
  - 16. The system of claim 15 wherein the role of each resource is associated with a data access condition specifying a range of boxes hierarchically relative to a user'"'"'s box that are allowed data access through the user'"'"'s box, and wherein the range of boxes comprises one of:
    - the box itself only, and a hierarchical level in the organization chart relative to one of the box itself or a supervisor box in the organization chart.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Saba Software Incorporated
Original Assignee
HumanConcepts LLC (Saba Software Incorporated)
Inventors
Polunin, Roman, Cirlig, Bogdan, Bansal, Amit

Granted Patent

US 8,793,489 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06Q 10/047   Optimisation of routes or p...

G06Q 10/067   Enterprise or organisation ...

G06Q 10/101   Collaborative creation, e.g...

G06Q 10/105   Human resources

H04L 63/104   Grouping of entities

METHOD AND SYSTEM FOR CONTROLLING DATA ACCESS TO ORGANIZATIONAL DATA MAINTAINED IN HIERARCHICAL

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR CONTROLLING DATA ACCESS TO ORGANIZATIONAL DATA MAINTAINED IN HIERARCHICAL

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links