Access management in an off-premise environment

US 8,341,405 B2
Filed: 12/20/2006
Issued: 12/25/2012
Est. Priority Date: 09/28/2006
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates data management, the system comprising:

an interface component that receives a data request for data from a user;

a data auditing component that;

performs analysis of the data to determine at least one of a content, a type or a context of the data;

establishes an identity of the user;

automatically creates an access control list (ACL) based on at least one of the content, the type or the context of the data and the identity of the user;

selectively renders data in response to the data request as a function of the ACL;

establishes one or more identities of an owner of the data; and

maps the data to the one or more identities;

a sensor component to facilitate establishment of the identity of the user, wherein the sensor component is configured to gather information comprising;

a role of the user;

a location of the user; and

an organizational affiliation of the user; and

a machine learning and reasoning component to automatically establish a policy related to the data, the policy is employed to establish the ACL, the machine learning and reasoning component is trained using a data log, the data log includes user identities and information relating to access patterns pertaining to user access of data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that can assist users to manage a personal active directory for all of their information maintained within a cloud-based environment is provided. The identity of a client that accesses data is monitored and recorded in a log. In turn, this information can be made available to the owner of the information in order to develop a desired access control list (ACL). Additionally, the system can employ a heuristic component that can automatically establish the ACL on the owner'"'"'s behalf. As well, the system can track how information is being accessed (or attempted to be accessed) by other people therefore, giving the owner of the information the opportunity to restrict or allow access based upon any number of recorded factors (e.g., identity, context).

188 Citations

19 Claims

1. A system that facilitates data management, the system comprising:
- an interface component that receives a data request for data from a user;
  
  a data auditing component that;
  
  performs analysis of the data to determine at least one of a content, a type or a context of the data;
  
  establishes an identity of the user;
  
  automatically creates an access control list (ACL) based on at least one of the content, the type or the context of the data and the identity of the user;
  
  selectively renders data in response to the data request as a function of the ACL;
  
  establishes one or more identities of an owner of the data; and
  
  maps the data to the one or more identities;
  
  a sensor component to facilitate establishment of the identity of the user, wherein the sensor component is configured to gather information comprising;
  
  a role of the user;
  
  a location of the user; and
  
  an organizational affiliation of the user; and
  
  a machine learning and reasoning component to automatically establish a policy related to the data, the policy is employed to establish the ACL, the machine learning and reasoning component is trained using a data log, the data log includes user identities and information relating to access patterns pertaining to user access of data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, the data auditing component dynamically updates the ACL based upon a preference of the owner of the data.
  - 3. The system of claim 1, the data auditing component dynamically updates the ACL based upon a criterion of the data.
  - 4. The system of claim 3, the criterion is one of a data type, content, context, owner, privacy policy and security classification.
  - 5. The system of claim 1, the ACL is distributed between an on-premise and an off-premise environment.
  - 6. The system of claim 1, the data auditing component and the ACL are co-located remote from the user.
  - 7. The system of claim 1, further comprising an access log that maintains access request data as a function of the ACL.
  - 8. The system of claim 7, the access log maintains successful and unsuccessful attempts to access data as a function of the ACL.
  - 9. The system of claim 1, further comprising an ACL generator component that automatically maintains the ACL as a function of at least one of content of the data and a preference of the owner of the data.
  - 10. The system of claim 1, the data auditing component selectively renders the data based at least in part upon a context of the user.
  - 11. The system of claim 10, further comprising an identity analysis component that further establishes the identity of the user, the ACL limits access to the data based at least in part upon the established identity.
  - 12. The system of claim 11, the identity analysis component employs the sensor component that facilitates establishment of the identity of the user.
  - 13. The system of claim 1, wherein the sensor component is configured to gather information further comprisingbiometric information associated with the user.
  - 14. The system of claim 10, further comprising a monitoring component that tracks at least one of use and access attempts of the data.

15. A computer-implemented method of managing data, the computer-implemented method comprising:
- analyzing data items to determine at least one of a content, a type or a purpose of the data items;
  
  receiving a request for access to a data item from a requestor;
  
  employing machine learning and machine reasoning using a data log the includes user identities and information relating to access patterns pertaining to user access of data to establish a policy related to the data;
  
  automatically creating an access control list (ACL) based at least on the analyzing and the employing machine learning and machine reasoning;
  
  establishing an identity of the requestor, wherein the establishing includes sensing aspects of the requestor, the aspects including;
  
  a role of the requestor;
  
  a location of the requestor; and
  
  an organizational affiliation of the requestor;
  
  searching the ACL for the data item; and
  
  granting or denying access to the data item based upon the identity in view of the ACL.
- View Dependent Claims (16, 17)
- - 16. The computer-implemented method of claim 15, the automatically creating the access control list being further based at least in accordance with an owner policy.
  - 17. The computer-implemented method of claim 15, further comprising:
    - tracking access attempts and access denials of the data item; and
      
      reporting the access attempts and the access denials to an owner of the data item.

18. A computer-readable storage device comprising instructions stored thereon that, when executed by a processor, perform acts that facilitate managing access to a plurality of data items, the acts including:
- determining an access preference of an owner of a plurality of data items;
  
  generating an access control list (ACL) that controls access to a subset of the data items as a function of the access preference;
  
  monitoring access attempts and denials of the subset of data items;
  
  notifying the owner of unauthorized attempts to access at least one of the subset of data items;
  
  notifying the owner of an identity of a client or user that accesses or attempts access to at least one of the subset of data items;
  
  determining access patterns and denial patterns based on the monitoring;
  
  logging the access patterns and the denial patterns in a log;
  
  employing artificial intelligence (AI) and/or machine learning and reasoning (MLR) on the log and the subset of data items to infer at least one additional access preference of the owner; and
  
  updating the ACL based at least in part upon the at least one additional access preference.
- View Dependent Claims (19)
- - 19. The computer-readable storage device of claim 18, the acts further comprising:
    - determining, based on an analysis of the log and the subset of data items by the owner, another additional access preference; and
      
      updating the ACL based at least in part upon the another additional access preference.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Meijer, Henricus Johannes Maria, Gates, William H. III, Cheng, Lili, Glasser, Daniel S., Zaner-Godsey, Melora, Snyder, Ira L Jr.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/613,369
Publication Number

US 20080082538A1
Time in Patent Office

2,197 Days
Field of Search

714/38, 714/49, 714/48, 714/35, 714/37, 709/203, 709/217, 709/223, 709/237, 709/225, 709/229, 709/227, 726/22, 726/14, 726/13, 726/11, 726/34, 726/25, 726/26, 726/27, 380/42, 380/55, 380/58, 380/46
US Class Current

713/165
CPC Class Codes

G06F 16/27   Replication, distribution o...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

Access management in an off-premise environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Access management in an off-premise environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others