Method for controlling access to information
First Claim
1. A method for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects, the steps comprising:
- providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, wherein at least one user has a plurality of relationships with one data object, wherein each access right comprises a security classification, wherein some of the data objects have a vertical relationship defined by a parent data object and a child data object, and wherein for each vertical relationship the child data object has a more restrictive security classification than the parent data object;
obtaining a request from a user for information about a data object;
finding at least one of the relationships between the user and the data object;
determining the security classification for each relationship found between the user and the data object;
determining a security classification of the data object;
granting the user access to the data object if a level of one of the security classifications for all the relationships is greater than a level of the security classification of the data object;
granting the user access to a parent data object if the user has been granted access to a corresponding child data object; and
denying the user access to the data object if the security classifications for all the relationships are less than a level of the security classifications of the data object.
2 Assignments
0 Petitions
Accused Products
Abstract
A method for controlling access to information, which includes a plurality of data objects, on a computer system being accessible to a plurality of users is provided which generally comprises providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, determining each relationship between the user and the data object when a user requests information about a data object, determining the security classification for each relationship between the user and the data object, and then granting the user access to the data object if one of the security classifications for all the relationships is equal to or greater than the security classification of the data object, and denying the user access to the data object if the security classifications for all the relationships is less than the security classification of the data object.
288 Citations
18 Claims
-
1. A method for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects, the steps comprising:
-
providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, wherein at least one user has a plurality of relationships with one data object, wherein each access right comprises a security classification, wherein some of the data objects have a vertical relationship defined by a parent data object and a child data object, and wherein for each vertical relationship the child data object has a more restrictive security classification than the parent data object;
obtaining a request from a user for information about a data object;
finding at least one of the relationships between the user and the data object;
determining the security classification for each relationship found between the user and the data object;
determining a security classification of the data object;
granting the user access to the data object if a level of one of the security classifications for all the relationships is greater than a level of the security classification of the data object;
granting the user access to a parent data object if the user has been granted access to a corresponding child data object; and
denying the user access to the data object if the security classifications for all the relationships are less than a level of the security classifications of the data object. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects, the steps comprising:
-
providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, wherein at least one user has a plurality of relationships with one data object, wherein each access right comprises a security classification, wherein some of the data objects have a vertical relationship defined by a parent data object and a child data object, and wherein for each vertical relationship the child data object has a more restrictive security classification than the parent data object;
creating a data object folder for each vertical relationship;
obtaining a request from a user for information about a data object;
finding at least one of the relationships between the user and the data object;
determining the security classification for each relationship found between the user and the data object;
determining a security classification of the data object;
granting the user access to the data object if a level of one of the security classifications for all the relationships is greater than a level of the security classification of the data object;
granting the user access to a parent data object if the user has been granted access to a corresponding child data object; and
denying the user access to the data object if the security classifications for all the relationships are less than a level of the security classifications of the data object.
-
-
9. A method for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects, the steps comprising:
-
providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, wherein at least one user has a plurality of relationships with one data object, and wherein each access right comprises a security classification and a function classification for specifying one or more functions that may be performed on the data object, wherein the security classifications are arranged in a hierarchical structure and wherein some of the data objects can have a vertical relationship defined by a parent data object and a child data object, wherein for each vertical relationship the child data object has a more restrictive security classification than the parent data object;
obtaining access to the computer system;
providing an identification of a user;
providing a request from the user for information about a data object;
determining a security classification of the data object;
granting the user access to the data object and limiting functional access to the data object to the one or more functions specified by the function classification if a level of one of the security classifications for all the relationships is equal to or greater than a level of the security classification of the data object;
providing a data object folder for each vertical relationship;
granting the user access to a parent data object if the user has been granted access to a corresponding child data object;
denying the user access to the data object if no relationship exists between the user and the data object; and
denying the user access to the data object if the level of the security classification for all the relationships are less than the level of the security classification of the data object. - View Dependent Claims (10, 11, 12, 13)
determining each relationship between the user and the data object; and
comparing the security classification for each relationship with the security classification of the data object.
-
-
11. The method for controlling access to information according to claim 9, further comprising the step of applying at least one rule to determine the security classification for the relationship between the user and the data object.
-
12. The method for controlling access to information according to claim 9, wherein the computer system is a server and the user is a client of the server, and wherein the step of obtaining access to the computer system comprises obtaining access to the server.
-
13. The method for controlling access to information according to claim 9, wherein the computer system is a local area network server and the user is a client of the server, and wherein the step of obtaining access to the computer system comprises obtaining access to the local area network server.
-
14. A method for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects, wherein the security classifications are arranged in a hierarchical structure, wherein some of the data objects can have a vertical relationship defined by a parent data object and a child data object, wherein for each vertical relationship the child data object has a more restrictive security classification than the parent data object, the steps comprising:
-
providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, wherein at least one user has a plurality of relationships with one data object, and wherein each access right comprises a security classification and a function classification for specifying one or more functions that may be performed on the data object;
providing a data object folder for each vertical relationship;
allowing access to the computer system;
obtaining an identification of a user;
obtaining a request from the user for information about a data object;
determining each relationship between the user and the data object;
denying the user access to the data object if no relationship exists between the user and the data object;
comparing the security classification for each relationship with the security classification of the data object;
granting the user access to the data object and limiting functional access to the data object to the one or more functions specified by the function classification if a level of one of the security classifications for all the relationships is equal to or greater than a level of the security classification of the data object;
granting the user access to a parent data object if the user has been granted access to a corresponding child data object; and
denying the user access to the data object if the level of the security classification for all the relationships are less than the level of the security classification of the data object.
-
-
15. An article of manufacture, comprising:
-
a computer usable medium having computer readable program code means embodied therein for controlling access to information on a computer system being accessible to a plurality of users, wherein the computer system has information including a plurality of data objects wherein some of the data objects can have a vertical relationship defined by a parent data object and a child data object, wherein the child data object has a more restrictive security classification than the parent data object, the steps comprising;
computer readable program code means for causing the computer system to provide an access right for each relationship between a user and a data object, wherein each user can have one or more relationships to each data object, and wherein each access right comprises a security classification;
computer readable program code means for causing the computer system to provide a data object folder for each vertical relationship;
computer readable program code means for causing the computer system to grant the user access to a parent data object if the user has access to the child data object;
computer readable program code means for causing the computer system to accept a request from a user for information about an object;
computer readable program code means for causing the computer system to determine each relationship between the user and the data object;
computer readable program code means for causing the computer system to determine the security classification for each relationship between the user and the data object;
computer readable program code means for causing the computer system to determine a security classification of the data object;
computer readable program code means for causing the computer system to grant the user access to the data object if a level of one of the security classifications for all the relationships is equal to or greater than a level of the security classification of the data object; and
computer readable program code means for causing the computer system to deny the user access to the data object if the level of the security classification for all the relationships are less than the level of the security classification of the data object. - View Dependent Claims (16, 17, 18)
-
Specification