Method for controlling access to informational objects

US 8,645,422 B2
Filed: 08/12/2003
Issued: 02/04/2014
Est. Priority Date: 08/12/2002
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for controlling access to informational objects in a database system comprising:

allowing, by a processor, each user of a plurality of users to designate, in a memory device, relationship characteristics between that user and any other user, wherein the relationship characteristics include at least one condition such that the relationship characteristics are valid only if the at least one condition is met;

identifying, in the memory device, one of the plurality of users as an owner of a data object;

determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a first path between a first user of the plurality of users and the owner of the data object include a trusted relationship between each sequential pair of the users on the first path, wherein the first path comprises a first intermediate user beside said owner of the data object and the first user of the plurality of users;

allowing, by the processor, the first user electronic access to the data object based on a trusted relationship designated by the first intermediary user and a trusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes the trusted relationship with the first intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the first intermediary user includes the trusted relationship with the first user of the plurality of users;

determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a second path between a second user of the plurality of users and the owner of the computer data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the second path comprises a second intermediate user beside said owner of the data object and the second user of the plurality of users;

allowing, by the processor, the second user electronic access to the data object based on the trusted relationship designated by the second intermediary user and the terminal distrusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes a terminal distrusted relationship with the second intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the second intermediary user includes a trusted relationship with the second user of the plurality of users;

determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a third path between a third user of the plurality of users and the owner of the data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the third path comprises a third intermediate user beside said owner of the data object and the user of the plurality of users; and

defining, by the processor, one of the relationship characteristics designated by the owner includes an intermediary distrusted relationship with the third intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the third intermediary user includes a trusted relationship with the third user of the plurality of users, wherein the third user of the plurality of users is prohibited from electronic access to the data object based on the distrusted relationship designated by the owner.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The described embodiments of invention comprises a method and an apparatus for regulating access to objects by authorized entities. Authorized entities are entities authorized for access by either an owner entity of the regulated object or an entity authorized to authorize access to the regulated object. Each user, which may be a physical person or another information system, is identified using standard user validation techniques. When an object is first created or introduced to the system, that information is associated with an owner, who is one user on the system. The present embodiment allows the owner to define relationships with other users, either generally or regarding a particular object. The owner may or may not have trusted relationships with other users. A second user that has a trusted relationship with the owner automatically has access to the object without additional intervention by the owner. In addition, the second user may have a trusted relationship with another user. In the above example, the records administrator may have an assistant. This third user will also have access to the records. This Web of Trust may link users infinitely, but such a case would create an undue risk of compromise of the information. Thus, the present embodiment includes a facility for the owner to designate a maximum number of trusted links from the owner and other users.

Citations

21 Claims

1. A computer implemented method for controlling access to informational objects in a database system comprising:
- allowing, by a processor, each user of a plurality of users to designate, in a memory device, relationship characteristics between that user and any other user, wherein the relationship characteristics include at least one condition such that the relationship characteristics are valid only if the at least one condition is met;
  
  identifying, in the memory device, one of the plurality of users as an owner of a data object;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a first path between a first user of the plurality of users and the owner of the data object include a trusted relationship between each sequential pair of the users on the first path, wherein the first path comprises a first intermediate user beside said owner of the data object and the first user of the plurality of users;
  
  allowing, by the processor, the first user electronic access to the data object based on a trusted relationship designated by the first intermediary user and a trusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes the trusted relationship with the first intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the first intermediary user includes the trusted relationship with the first user of the plurality of users;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a second path between a second user of the plurality of users and the owner of the computer data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the second path comprises a second intermediate user beside said owner of the data object and the second user of the plurality of users;
  
  allowing, by the processor, the second user electronic access to the data object based on the trusted relationship designated by the second intermediary user and the terminal distrusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes a terminal distrusted relationship with the second intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the second intermediary user includes a trusted relationship with the second user of the plurality of users;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a third path between a third user of the plurality of users and the owner of the data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the third path comprises a third intermediate user beside said owner of the data object and the user of the plurality of users; and
  
  defining, by the processor, one of the relationship characteristics designated by the owner includes an intermediary distrusted relationship with the third intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the third intermediary user includes a trusted relationship with the third user of the plurality of users, wherein the third user of the plurality of users is prohibited from electronic access to the data object based on the distrusted relationship designated by the owner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 20)
- - 2. A computer implemented method as in claim 1 wherein the relationship characteristics include one or more methods of determining, by the processor, a condition such that the relationship is valid if and only if the one or more methods of determining a condition confirm validity of the relationships characteristic.
  - 3. A computer implemented method as in claim 1 wherein in the memory device the owner of the data object may designate another user as acting on behalf of the owner.
  - 4. A computer implemented method as in claim 1 wherein in the memory device the relationship characteristics include a trust relationship between a trusted user and a designating user.
  - 5. A computer implemented method as in claim 1 wherein in the memory device the relationship characteristics include a trust relationship between a trusted user and a designating user, wherein the trust relationship limits tasks the trusted user may perform.
  - 6. A computer implemented method as in claim 1 wherein in the memory device the relationship characteristics include a trust relationship between a trusted user and a designating user, wherein the trust relationship limits data objects the trusted user may access.
  - 7. A computer implemented method as in claim 6 wherein in the memory device the trust relationship is limited to types of data objects.
  - 8. A computer implemented method as in claim 6 wherein in the memory device the trust relationship is limited to selected data objects.
  - 9. A computer implemented method as in claim 1 wherein in the memory device the distrusted relationship has an intermediary scope.
  - 10. A computer implemented method as in claim 1 wherein in the memory device the relationship characteristics include a trust relationship between a trusted user and a designating user, wherein the trust relationship specifies a maximum number of relationships on a path.
  - 11. A computer implemented method as in claim 10 wherein in the memory device the maximum number of relationships is one.
  - 19. The computer implemented method of claim 5 wherein in the memory device one of the sequential pairs of users in the path includes the trusted user and the designating user.
  - 20. The computer implemented method of claim 6 wherein in the memory device one of the sequential pairs of users in the path includes the trusted user and the designating user.

12. A computer implemented method for controlling access to informational objects in a database system comprising:
- allowing, by a processor, each user of a plurality of users to designate, in a memory device, relationship characteristics between that user and any other user, wherein the relationship characteristics include at least one condition such that the relationship characteristics are valid only if the at least one condition is met;
  
  identifying, in the memory device, one of the plurality of users as an owner of a data object;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a first path between a first user of the plurality of users and the owner of the data object include a trusted relationship between each sequential pair of the users on the first path, wherein the first path comprises a first intermediate user beside said owner of the data object and the first user of the plurality of users;
  
  allowing, by the processor, the first user electronic access to the data object based on a trusted relationship designated by the first intermediary user and a trusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes the trusted relationship with the first intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the first intermediary user includes the trusted relationship with the first user of the plurality of users;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a second path between a second user of the plurality of users and the owner of the data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the second path comprises a second intermediate user beside said owner of the data object and the second user of the plurality of users;
  
  allowing, by the processor, the second user electronic access to the data object based on the trusted relationship designated by the second intermediary user and the terminal distrusted relationship designated by the owner, wherein one of the relationship characteristics designated by the owner includes a terminal distrusted relationship with the second intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the second intermediary user includes a trusted relationship with the second user of the plurality of users;
  
  determining, by the processor, electronic access to the data object by determining if the relationship characteristics on a third path between a third user of the plurality of users and the owner of the data object include a trusted relationship or a distrusted relationship between each sequential pair of the users on that path, wherein the third path comprises a third intermediate user beside said owner of the data object and the user of the plurality of users,defining, by the processor, one of the relationship characteristics designated by the owner includes an intermediary distrusted relationship with the third intermediary user of the plurality of users, wherein one of the relationship characteristics designated by the third intermediary user includes a trusted relationship with the third user of the plurality of users, wherein the third user of the plurality of users is prohibited from electronic access to the data object based on the distrusted relationship designated by the owner.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 21)
- - 13. A computer implemented method as in claim 12 wherein in the memory device the designated relationship characteristics between one of the users in the path and a sequential user in the path include one or more methods of determining, by the processor, a condition such that the designated relationship characteristics are valid if and only if the one or more methods of determining a condition confirm validity of the designated relationship characteristics.
  - 14. A computer implemented method as in claim 12 wherein in the memory device the owner of the data object may designate another user as acting on behalf of the owner.
  - 15. A computer implemented method as in claim 12 wherein in the memory device the designated relationship characteristics include a trust relationship between a trusted user and a designating user, wherein the trust relationship limits the tasks the trusted user may perform.
  - 16. A computer implemented method as in claim 12 wherein in the memory device the designated relationship characteristics include a trust relationship between a trusted user and a designating user, wherein the trust relationship limits data objects the trusted user may access.
  - 17. A computer implemented method as in claim 16 wherein in the memory device the trust relationship is limited to types of data objects.
  - 18. A computer implemented method as in claim 16 wherein in the memory device the trust relationship is limited to selected of data objects.
  - 21. The computer implemented method of claim 12 wherein in the memory device the owner has not designated relationship characteristics for any other user in the path besides a next sequential user relative to the owner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Optimization ZORN Corporation (Revvity, Inc.)
Original Assignee
Kenneth D. Pool
Inventors
Pool, Kenneth D.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/521,933
Publication Number

US 20060117389A1
Time in Patent Office

3,829 Days
Field of Search

713/168
US Class Current

707/781
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Method for controlling access to informational objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method for controlling access to informational objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links