Access control via organization charts

US 8,479,302 B1
Filed: 02/28/2011
Issued: 07/02/2013
Est. Priority Date: 02/28/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling access to a resource, the method comprising:

receiving at a computer having a processor, from a requesting user, a request to access the resource, the request having a requesting identifier which identifies the requesting user among a set of organization users;

locating, by the processor, a security classification associated with the requesting identifier of the request in response to receiving the request from the requesting user; and

performing, by the processor, an access control operation which;

provides, to the requesting user, access to the resource when the security classification satisfies a security class requirement; and

denies, to the requesting user, access to the resource when the security classification does not satisfy the security class requirement, the security class requirement being derived from access information defined by prior accesses to the resource by other organization users of the set of organization users;

wherein the security classification associated with the requesting identifier is based upon an organization chart, the organization chart including a set of hierarchal levels and a set of organization identifiers, each organization identifier of the set of organization identifiers being associated with an organization user of the set of organization users, each organization identifier being associated with a hierarchal level of the set of hierarchal levels;

wherein the requesting identifier includes a value of a requesting hierarchal level; and

wherein locating the security classification includes;

matching the requesting identifier to an organization identifier of the set of organization identifiers; and

setting the value of the requesting hierarchal level equal to a value of the hierarchal level with which the matched organization identifier is associated.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved techniques involve controlling access to data based on who has previously accessed the data. For example, when a user submits a request to access a resource, a list of those users who have accessed the resource is generated. Identifiers associated with the requesting user and the accessing users from the list of users are located within an organization chart which contains information about the hierarchal level and department to which users within the organization belong. As an example, if the requesting user is an executive-level employee and the accessing users are also executive-level users, then access to the resource is granted. If, on the other hand, the requesting user is on the level of an individual contributor, or a contractor, then access to the resource is denied. Further, access requests can be recorded in the access log for tracking.

51 Citations

View as Search Results

20 Claims

1. A computer-implemented method of controlling access to a resource, the method comprising:
- receiving at a computer having a processor, from a requesting user, a request to access the resource, the request having a requesting identifier which identifies the requesting user among a set of organization users;
  
  locating, by the processor, a security classification associated with the requesting identifier of the request in response to receiving the request from the requesting user; and
  
  performing, by the processor, an access control operation which;
  
  provides, to the requesting user, access to the resource when the security classification satisfies a security class requirement; and
  
  denies, to the requesting user, access to the resource when the security classification does not satisfy the security class requirement, the security class requirement being derived from access information defined by prior accesses to the resource by other organization users of the set of organization users;
  
  wherein the security classification associated with the requesting identifier is based upon an organization chart, the organization chart including a set of hierarchal levels and a set of organization identifiers, each organization identifier of the set of organization identifiers being associated with an organization user of the set of organization users, each organization identifier being associated with a hierarchal level of the set of hierarchal levels;
  
  wherein the requesting identifier includes a value of a requesting hierarchal level; and
  
  wherein locating the security classification includes;
  
  matching the requesting identifier to an organization identifier of the set of organization identifiers; and
  
  setting the value of the requesting hierarchal level equal to a value of the hierarchal level with which the matched organization identifier is associated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 20)
- - 2. A method as in claim 1, wherein the resource is associated with an access log, the access log including a set of access log entries, each access log entry of the set of access log entries including an accessing identifier of a set of accessing identifiers, each accessing identifier corresponding to an accessing user of a set of accessing users, each accessing user belonging to the set of organization users each access log entry associated with a prior access to the resource by the accessing user with which the accessing identifier in the access log entry is associated;
    - wherein the method further comprises;
      
      prior to performing the access control operation;
      
      collecting the set of access log entries from the access log associated with the resource; and
      
      deriving the security class requirement based on the set of access log entries.
  - 3. A method as in claim 2, wherein deriving the security class requirement includes:
    - defining an accessing hierarchal level array having elements, the accessing hierarchal level array associated with the access log, each element associated with an accessing identifier of an access log entry of the set of access log entries;
      
      for each accessing identifier;
      
      matching the accessing identifier to an organization identifier; and
      
      setting a value of the element of the accessing hierarchal level array associated with the accessing identifier to a value of the hierarchal level with which the matched organization identifier is associated.
  - 4. A method as in claim 3, wherein performing the access control operation includes:
    - comparing the value of the requesting hierarchal level with the value of each element of the accessing hierarchal level array; and
      
      generating a risk score based on the comparing, a higher value of the risk score indicative of a greater security risk associated with providing, to the requesting user, access to the resource.
  - 5. A method as in claim 3, wherein the organization chart further includes a set of department identifiers, each organization identifier being further associated with a department identifier of the set of department identifier;
    - wherein the requesting identifier further includes a requesting department identifier;
      
      wherein locating the security classification further includes;
      
      setting the requesting department identifier equal to the department identifier with which the matched organization identifier is associated.
  - 6. A method as in claim 5, wherein deriving the security class requirement further includes:
    - defining an accessing department identifier array having elements, the accessing department identifier array associated with the access log, each element associated with an accessing identifier of an access log entry of the set of access log entries;
      
      for each accessing identifier;
      
      matching the accessing identifier to an organization identifier; and
      
      setting the element of the accessing department identifier array associated with the accessing identifier to the department identifier with which the matched organization identifier is associated.
  - 7. A method as in claim 6, wherein performing the access control operation includes:
    - comparing the value of the requesting hierarchal level with the value of each element of the accessing hierarchal level array and the requesting department identifier with each element of the accessing department identifier array; and
      
      generating a risk score based on the comparing, a higher value of the risk score indicative of a greater security risk associated with providing, to the requesting user, access to the resource.
  - 8. A method as in claim 7, wherein a result of a request to access the resource from a user from the set of organization users is selected from the group which includes success and failure, success being defined as the user being provided access to the resource and failure being defined as the user being denied access to the resource;
    - wherein the method further comprises;
      
      recording, in the access log associated with the resource, the result of the request to access the resource from the requesting user.
  - 9. A method as in claim 8, wherein parameters associated with the requests to access the resource recorded in the access log are used as training data for an artificial neural network (ANN) model, the ANN model used to develop rules for deciding whether to grant or deny access to arbitrary requests to access the resource.
  - 10. A method as in claim 8, wherein each access log entry of the set of access log entries further includes a recording of a result of a request to access the resource from the accessing user of the access log entry;
    - wherein generating the risk score based on the comparing includes;
      
      decreasing the risk score based on a proximity measure of the requesting user to users from the set of accessing users with a recording of a success in the access log entry which includes the accessing identifier of the accessing user; and
      
      increasing the risk score based on a proximity measure of the requesting user to users from the set of accessing users with a recording of a failure in the access log entry which includes the accessing identifier of the accessing user.
  - 11. A method as in claim 10, wherein performing an access control operation further includes:
    - challenging, to the user, access to the resource when the generated risk scores falls below a score above which request to the resource is granted and above a score below which access to the resource is denied.
  - 19. A method as in claim 4, wherein setting the value of the element of the accessing hierarchal level array associated with the accessing identifier to a value of the hierarchal level with which the matched organization identifier is associated includes:
    - generating a flag having a value that indicates whether the accessing user to which the accessing identifier corresponds is a full-time employee or a consultant to the organization, the flag corresponding to the element of the accessing hierarchal level array;
      
      wherein performing the access control operation includes;
      
      for each other element of the accessing hierarchal level array, comparing the value of the flag corresponding to the element of the accessing hierarchal level array with the value of flag corresponding to the other element of the accessing hierarchal level array.
  - 20. A method as in claim 19, wherein generating the risk score includes:
    - increasing the risk score when the value of the flag corresponding to the element of the accessing hierarchal level array indicates that the accessing user is a consultant, anddecreasing the risk score when the value of the flag corresponding to the element of the accessing hierarchal level array indicates that the accessing user is a full-time employee.

12. A system for controlling access to a resource, the system comprising:
- a network interface connected to a network;
  
  a memory; and
  
  a processor coupled to the memory, the processor constructed and arranged to;
  
  receive, from a requesting user, a request to access the resource, the request having a requesting identifier which identifies the requesting user among a set of organization users;
  
  locate a security classification associated with the requesting identifier of the request in response to receiving the request from the requesting user; and
  
  perform an access control operation which;
  
  provides, to the requesting user, access to the resource when the security classification satisfies a security class requirement; and
  
  denies, to the requesting user, access to the resource when the security classification does not satisfy the security class requirement, the security class requirement being derived from access information defined by prior accesses to the resource by other organization users of the set of organization users;
  
  wherein the security classification associated with the requesting identifier is based upon an organization chart, the organization chart including a set of hierarchal levels and a set of organization identifiers, each organization identifier of the set of organization identifiers being associated with an organization user of the set of organization users, each organization identifier being associated with a hierarchal level of the set of hierarchal levels;
  
  wherein the requesting identifier includes a value of a requesting hierarchal level; and
  
  wherein locating the security classification includes;
  
  matching the requesting identifier to an organization identifier of the set of organization identifiers; and
  
  setting the value of the requesting hierarchal level equal to a value of the hierarchal level with which the matched organization identifier is associated.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A system as in claim 12, wherein the resource is associated with an access log, the access log including a set of access log entries, each access log entry of the set of access log entries including an accessing identifier of a set of accessing identifiers, each accessing identifier corresponding to an accessing user of a set of accessing users, each accessing user belonging to the set of organization users, each access log entry associated with a prior access to the resource by the accessing user with which the accessing identifier in the access log entry is associated;
    - wherein the processor is further configured to;
      
      prior to performing the access control operation;
      
      collect the set of access log entries from the access log associated with the resource; and
      
      derive the security class requirement based on the set of access log entries.
  - 14. A system as in claim 13, wherein deriving the security class requirement includes:
    - defining an accessing hierarchal level array having elements, the accessing hierarchal level array associated with the access log, each element associated with an accessing identifier of an access log entry of the set of access log entries;
      
      for each accessing identifier;
      
      matching the accessing identifier to an organization identifier; and
      
      setting a value of the element of the accessing hierarchal level array associated with the accessing identifier to a value of the hierarchal level with which the matched organization identifier is associated.
  - 15. A system as in claim 13, wherein the organization chart further includes a set of department identifiers, each organization identifier being further associated with a department identifier of the set of department identifier;
    - wherein the requesting identifier further includes a requesting department identifier;
      
      wherein locating the security classification further includes;
      
      setting the requesting department identifier equal to the department identifier with which the matched organization identifier is associated.
  - 16. A system as in claim 15, wherein deriving the security class requirement further includes:
    - defining an accessing department identifier array having elements, the accessing department identifier array associated with the access log, each element associated with an accessing identifier of an access log entry of the set of access log entries;
      
      for each accessing identifier;
      
      matching the accessing identifier to an organization identifier; and
      
      setting the element of the accessing department identifier array associated with the accessing identifier to the department identifier with which the matched organization identifier is associated.

17. A computer program product having a non-transitory computer readable storage medium which stores code to control access to a resource within an organization, the code including instructions to:
- receive, from a requesting user, a request to access the resource, the request having a requesting identifier which identifies the requesting user among a set of organization users;
  
  locate a security classification associated with the requesting identifier of the request in response to receiving the request from the requesting user; and
  
  perform an access control operation which;
  
  provides, to the requesting user, access to the resource when the security classification satisfies a security class requirement; and
  
  denies, to the requesting user, access to the resource when the security classification does not satisfy the security class requirement, the security class requirement being derived from access information defined by prior accesses to the resource by other organization users of the set of organization users;
  
  wherein the security classification associated with the requesting identifier is based upon an organization chart, the organization chart including a set of hierarchal levels and a set of organization identifiers, each organization identifier of the set of organization identifiers being associated with an organization user of the set of organization users, each organization identifier being associated with a hierarchal level of the set of hierarchal levels;
  
  wherein the requesting identifier includes a value of a requesting hierarchal level; and
  
  wherein locating the security classification includes;
  
  matching the requesting identifier to an organization identifier of the set of organization identifiers; and
  
  setting the value of the requesting hierarchal level equal to a value of the hierarchal level with which the matched organization identifier is associated.
- View Dependent Claims (18)
- - 18. A computer program product as in claim 17,wherein the resource is associated with an access log, the access log including a set of access log entries, each access log entry of the set of access log entries including an accessing identifier of a set of accessing identifiers, each accessing identifier corresponding to an accessing user of a set of accessing users, each accessing user belonging to the set of organization users each access log entry is associated with a prior access to the resource by the accessing user with which the accessing identifier in the access log entry is associated;
    - wherein the code includes further instructions to;
      
      prior to performing the access control operation;
      
      collect the set of access log entries from the access log associated with the resource; and
      
      derive the security class requirement based on the set of access log entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Lin, Derek
Primary Examiner(s)
Mehedi, Morshed

Application Number

US13/036,174
Time in Patent Office

855 Days
Field of Search

726/3, 726/28
US Class Current

726/28
CPC Class Codes

G06F 21/62 Protecting access to data v...

Access control via organization charts

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Access control via organization charts

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others