Secure compartmented mode knowledge management portal
First Claim
1. A layered defense-in-depth knowledge-based management system, comprising:
- a reception zone including a first one or more computers operable to authenticate a user for access to the system, wherein the reception zone is further operable to:
  - determine a clearance level of a requested document;
  - determine a clearance level of the authenticated user;
  - compare the clearance level of the document with the clearance level of the authenticated user;
  - determine a number of document caveats associated with the requested document;
  - for each of the number of document caveats, obtain the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
  - determine a number of user caveats of the authenticated user;
  - for each of the number of user caveats, obtain the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
  - for all combinations of the user caveats and the document caveats, compare the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat; and
  - display the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats;
- an operations zone including a second one or more computers operable to adjudicate on a user level access to data objects stored in a system database;
- a security zone including a third one or more computers operable to issue certificates of accessibility for defined users; and
- wherein the system prevents any modification of the clearance level and the document caveats after the clearance level and the document caveats have been associated with the requested document.
Abstract
A layered defense-in-depth knowledge-based data management system comprises a reception zone for authenticating a user for access to the system and an operations zone for adjudicating user-level access to data objects stored in the system database. In addition, the data management system comprises a security zone for issuing certificates of accessibility for defined users and a screening zone that interrogates data packets while they are being processed. The first line of defense is firewall protection and packet filtering preceding the reception zone.
Claims (18 in total)
1. Reproduced in full above under First Claim. Dependent claims 2 to 10 are not reproduced on this page.
11. A method of accessing an electronic support library for layered defense-in-depth knowledge-based management, comprising:
- authenticating, using one or more computers in a reception zone, a user in response to a request for data;
- conducting, using the one or more computers, document manipulation and administration in an operations zone of a request by an authenticated user;
- issuing, using the one or more computers, authorization certificates in a security zone for users to allow access to data managed in the operations zone;
- determining, using the one or more computers, a clearance level of a requested document;
- determining, using the one or more computers, a clearance level of the authenticated user;
- comparing, using the one or more computers, the clearance level of the document with the clearance level of the authenticated user;
- determining, using the one or more computers, a number of document caveats associated with the requested document;
- for each of the number of document caveats, obtaining, using the one or more computers, the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
- determining, using the one or more computers, a number of user caveats of the authenticated user;
- for each of the number of user caveats, obtaining, using the one or more computers, the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
- for all combinations of the user caveats and the document caveats, comparing, using the one or more computers, the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat;
- displaying the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats; and
- preventing any modification of the clearance level and the document caveats after the clearance level and the document caveats have been associated with the requested document.

Dependent claims 12 to 17 are not reproduced on this page.
18. A layered defense-in-depth knowledge-based management system, comprising:
- a reception zone including a first one or more computers operable to authenticate a user for access to the system, wherein the reception zone comprises a public key infrastructure operable to authenticate users for accessing contents of the system, the reception zone further operable to:
  - authenticate a server;
  - determine a clearance level of a requested document;
  - determine a clearance level of the authenticated user;
  - compare the clearance level of the document with the clearance level of the authenticated user;
  - determine a number of document caveats associated with the requested document;
  - for each of the number of document caveats, obtain the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
  - determine a number of user caveats of the authenticated user;
  - for each of the number of user caveats, obtain the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
  - for all combinations of the user caveats and the document caveats, compare the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat; and
  - display the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats;
- a screening zone including a second one or more computers operable to interrogate data packets during processing thereof;
- an operations zone including a third one or more computers operable to adjudicate on a user level access to data objects stored in a system database, wherein the operations zone is further operable to packet filter incoming and outgoing messages, wherein the operations zone comprises a document management server operable to establish access to data stored in a library of the management system; and
- a security zone including a fourth one or more computers operable to:
  - issue certificates of accessibility for defined users;
  - revoke certificates for users no longer allowed access to the system;
  - perform key recovery operations; and
- wherein the security zone comprises filters operable to control and limit access to a predefined set of user workstations, wherein the security zone is further operable to packet filter incoming and outgoing messages for access control.
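The access decision that claims 1, 11 and 18 all specify (the user's clearance must dominate the document's, every document caveat must be matched by a user caveat after comparing all pairs, and the label cannot be altered once associated with the document) as an added Python example. This is illustration written for this page, not code from the patent; the level names, caveat names and sample users are constructed.

```python
from dataclasses import FrozenInstanceError, dataclass
from typing import FrozenSet, Tuple

# Hierarchical levels, lowest to highest (level names are constructed for this example).
LEVEL_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Document:
    # frozen=True: level and caveats cannot be modified once associated (claim 1, last element).
    doc_id: str
    level: str
    caveats: FrozenSet[str]

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    caveats: FrozenSet[str]

def clearance_dominates(user_level: str, doc_level: str) -> bool:
    # The user's hierarchical level must be at or above the document's level.
    return LEVEL_ORDER[user_level] >= LEVEL_ORDER[doc_level]

def unmatched_caveats(doc: Document, user: User) -> FrozenSet[str]:
    # Compare every (document caveat, user caveat) pair as the claims describe;
    # a document caveat is satisfied only when some user caveat equals it.
    return frozenset(d for d in doc.caveats if not any(d == u for u in user.caveats))

def may_display(doc: Document, user: User) -> Tuple[bool, str]:
    # Reception-zone decision: both tests must pass. The reason is for the audit log.
    if not clearance_dominates(user.clearance, doc.level):
        return False, f"clearance {user.clearance} does not dominate {doc.level}"
    missing = unmatched_caveats(doc, user)
    if missing:
        return False, "unsatisfied caveats: " + ", ".join(sorted(missing))
    return True, "clearance dominates and all document caveats are satisfied"

def reclassification_blocked(doc: Document, new_level: str) -> bool:
    # True when an attempt to change the level after association is refused.
    try:
        doc.level = new_level  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False

# Constructed sample data: one SECRET document with two caveats and three users.
SAMPLE_DOC = Document("plan-42", "SECRET", frozenset({"NOFORN", "PROJ-X"}))
ANALYST = User("analyst", "TOP SECRET", frozenset({"NOFORN", "PROJ-X"}))
CONTRACTOR = User("contractor", "TOP SECRET", frozenset({"NOFORN"}))
CLERK = User("clerk", "CONFIDENTIAL", frozenset({"NOFORN", "PROJ-X"}))
```

Note that a higher clearance alone is not enough: the contractor holds TOP SECRET but is refused because one document caveat has no matching user caveat.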