Enforcing data sharing policy through shared data management

US 8,595,798 B2
Filed: 06/17/2011
Issued: 11/26/2013
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method of managing shared data for one or more applications hosted on one or more Software-as-a-Service platforms, comprising:

receiving one or more data policy specifications from a policy specification engine;

extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification;

extracting a data domain from the one or more data policies based on the data purpose and the object set;

associating the data access rights and the data domain with data attributes of the shared data;

automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights;

identifying based on the data domain, one or more applications as an authoritative source for attribute-level data sharing within a Software-as-a-Service platform;

enforcing data sharing constraints between multiple Software-as-a-Service platforms based on the data rights and the data domain;

appending policy details, the policy details including the data domain and the data access rights associated with the data attributes of the shared data, to a shared data packet;

propagating the shared data packet to one or more applicable applications within a single Software-as-a-Service platform; and

propagating the shared data packet to one or more applicable external Software-as-a-Service platforms.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enforcing data sharing policy through shared data management, in one aspect, may include extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification; extracting a data domain from the one or more data policies based on the data purpose and the object set; associating the data access rights and the data domain with data attributes of the shared data; automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights.

Citations

24 Claims

1. A method of managing shared data for one or more applications hosted on one or more Software-as-a-Service platforms, comprising:
- receiving one or more data policy specifications from a policy specification engine;
  
  extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification;
  
  extracting a data domain from the one or more data policies based on the data purpose and the object set;
  
  associating the data access rights and the data domain with data attributes of the shared data;
  
  automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights;
  
  identifying based on the data domain, one or more applications as an authoritative source for attribute-level data sharing within a Software-as-a-Service platform;
  
  enforcing data sharing constraints between multiple Software-as-a-Service platforms based on the data rights and the data domain;
  
  appending policy details, the policy details including the data domain and the data access rights associated with the data attributes of the shared data, to a shared data packet;
  
  propagating the shared data packet to one or more applicable applications within a single Software-as-a-Service platform; and
  
  propagating the shared data packet to one or more applicable external Software-as-a-Service platforms.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further including globally enforcing data sharing policies based on the propagated shared data packet including the policy details.
  - 3. The method of claim 1, wherein the data domain includes data access rights categorized by a domain.
  - 4. The method of claim 3, wherein domain categories include application and user role.
  - 5. The method of claim 1, wherein the data attributes include individual attributes within one or more data objects.
  - 6. The method of claim 1, wherein the object set includes one or more data objects.
  - 7. The method of claim 1, wherein said one or more policy specifications change dynamically.
  - 8. The method of claim 7, wherein said one or more policy specifications include temporal constraint on data.

9. A system for managing shared data for one or more applications hosted on one or more Software-as-a-Service platforms, comprising:
- a processor;
  
  a shared data management module operable to execute on the processor, and further operable to receive one or more data policy specifications from a policy specification engine, the shared data management module further operable to extract data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification, the shared data management module further operable to extract a data domain from the one or more data policies based on the data purpose and the object set, the shared data management module further operable to associate the data access rights and the data domain with data attributes of the shared data, the shared data management module further operable to automatically respond to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights, the shared data management module further operable to identify based on the data domain, one or more applications as an authoritative source for attribute-level data sharing within a Software-as-a-Service platform, the shared data management module further operable to enforce data sharing constraints between multiple Software-as-a-Service platforms based on the data rights and the data domain, the shared data management module further operable to append policy details, the policy details including the data domain and the data access rights associated with the data attributes of the shared data, to a shared data packet, the shared data management module further operable to propagate the shared data packet to one or more applicable applications within a single Software-as-a-Service platform, and propagate the shared data packet to one or more applicable external Software-as-a-Service platforms.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein data sharing policies are globally enforced based on the propagated shared data packet including the policy details.
  - 11. The system of claim 9, wherein the data domain includes data access rights categorized by a domain.
  - 12. The system of claim 11, wherein domain categories include application and user role.
  - 13. The system of claim 9, wherein the data attributes include individual attributes within one or more data objects.
  - 14. The system of claim 9, wherein the object set includes one or more data objects.
  - 15. The system of claim 9, wherein said one or more policy specifications change dynamically.
  - 16. The system of claim 15, wherein said one or more policy specifications include temporal constraint on data.

17. A computer readable storage medium, excluding a signal per se storing a program of instructions executable by a machine to perform a method of managing shared data for one or more applications hosted on one or more Software-as-a-Service platforms, comprising:
- receiving one or more data policy specifications from a policy specification engine;
  
  extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification;
  
  extracting a data domain from the one or more data policies based on the data purpose and the object set;
  
  associating the data access rights and the data domain with data attributes of the shared data;
  
  automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights;
  
  identifying based on the data domain, one or more applications as an authoritative source for attribute-level data sharing within a Software-as-a-Service platform;
  
  enforcing data sharing constraints between multiple Software-as-a-Service platforms based on the data rights and the data domain;
  
  appending policy details, the policy details including the data domain and the data access rights associated with the data attributes of the shared data, to a shared data packet;
  
  propagating the shared data packet to one or more applicable applications within a single Software-as-a-Service platform; and
  
  propagating the shared data packet to one or more applicable external Software-as-a-Service platforms.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer readable storage medium of claim 17, further including globally enforcing data sharing policies based on the propagated shared data packet including the policy details.
  - 19. The computer readable storage medium of claim 17, wherein the data domain includes data access rights categorized by a domain.
  - 20. The computer readable storage medium of claim 19, wherein domain categories include application and user role.
  - 21. The computer readable storage medium of claim 17, wherein the data attributes include individual attributes within one or more data objects.
  - 22. The computer readable storage medium of claim 17, wherein the object set includes one or more data objects.
  - 23. The computer readable storage medium of claim 17, wherein said one or more policy specifications change dynamically.
  - 24. The computer readable storage medium of claim 17, wherein said one or more policy specifications include temporal constraint on data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation, ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Anand, Rangachari, Hobson, Stacy F., Lee, Juhnyoung, Yang, Jeaha
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/163,373
Publication Number

US 20120324529A1
Time in Patent Office

893 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Enforcing data sharing policy through shared data management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing data sharing policy through shared data management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links