Relationship-based authorization

US 8,793,768 B2
Filed: 04/11/2007
Issued: 07/29/2014
Est. Priority Date: 04/11/2006
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:

receiving data characterizing a request for authorization to access a computer-based resource by a principal;

determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;

determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and

determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;

otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and

providing authorization for the requesting principal to the computer-based resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, related to relationship-based authorization. In general, data characterizing a request for authorization to a computer-based resource is received, and the authorization may be provided based on one or more relationships of a requesting principal. A determination may be made as to whether a requesting principal is authorized, which may include determining whether the requesting user has a relationship with a principal that has management rights of the computer-based resource and determining whether the relationship allows for an access, such as a use of the computer-based resource, if the requesting principal has a relationship with the other principal. If there is no such relationship, a determination may be made as to whether an organization of the requesting principal has a relationship with the other principal that allows for the access.

Citations

20 Claims

1. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:
- receiving data characterizing a request for authorization to access a computer-based resource by a principal;
  
  determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and
  
  determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
  
  otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and
  
  providing authorization for the requesting principal to the computer-based resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program device of claim 1, wherein the principal is a user, organization, computer system, or component of a computer system.
  - 3. The computer program device of claim 1, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 4. The computer program device of claim 1, wherein the determining whether the requesting principal has a relationship with a principal and determining whether an organization of the requesting principal has a relationship with the principal that has management rights are performed with reference to one or more data structures describing relationships between users and users, users and organizations, organizations and users, and organizations and organizations.
  - 5. The computer program device of claim 1, wherein the principal having management rights is a data content subject about whom the computer-based resource relates.
  - 6. The computer program device of claim 1, wherein the requesting principal has a relationship with the principal having management rights at a first time to authorize the access but the relationship at a second time being later than the first time does not authorize the access based on a modification of the relationship or associated attributes.
  - 7. The computer program device of claim 1, wherein relationships are associated with one or more attributes.
  - 8. The computer program device of claim 7, wherein at least one of the attributes describes one or more of a time interval of a relationship, types of computer-based resources authorized for a relationship, or types of authorized access.
  - 9. The computer program device of claim 1, wherein the receiving data and the determining whether the requesting principal is authorized are performed at a server and the operations further comprise performing the access at a client.
  - 10. The computer program device of claim 1, wherein the request is a request for access to clinical or administrative health information in a health care environment.
  - 11. The computer program device of claim 1, wherein the requesting principal is authorized for types of access to the computer-based resources different from types of access authorized for another principal.

12. A computer-implemented method comprising:
- receiving data characterizing a request for authorization to access a computer-based resource by a principal;
  
  determining whether the requesting principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the requesting principal has an implicit or explicit relationship at the time of the request with a principal that has management rights of access to the computer-based resource, wherein the explicit relationship includes at least one of a user to user relationship, a user to organization relationship, and an organization to organization relationship, wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and
  
  determining whether the relationship allows for the access to the computer-based resource if the requesting principal has a relationship with the principal that has management rights;
  
  otherwise, determining whether an organization of the requesting principal has a relationship, with the principal that has management rights, that allows for the access; and
  
  providing authorization for the requesting principal to the computer-based resource.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 14. The method of claim 12, wherein the determining whether the requesting principal has a relationship with a principal and determining whether an organization of the requesting principal has a relationship with the principal that has management rights are performed with reference to one or more data structures describing relationships between users and users, users and organizations, organizations and users, and organizations and organizations.
  - 15. The method of claim 12, wherein relationships are associated with one or more attributes describing one or more of a time interval of a relationship, types of computer-based resources authorized for a relationship, or types of authorized access.
  - 16. The method of claim 12, wherein the request is a request for access to health information in a health care environment.

17. A non-transitory computer readable storage medium comprising computer-readable instructions configured to cause a data processor coupled to one or more memory devices to perform operations comprising:
- receiving data characterizing a request for access to a computer-based resource by a first principal;
  
  determining whether the first principal is authorized for the access to the computer-based resource based on a context of the request, the determining occurring using a relationship repository comprising one or more data structures containing relationships, the data structures being separate and non-referential from the computer-based resource, the determining comprising;
  
  determining whether the first principal has a first implicit or explicit relationship with a second principal that has management rights of access to the computer-based resource, the determining whether the first principal has the first relationship with the second principal based on a query of one or more data structures comprising user to user relationships between principals being users, and wherein determining an implicit relationship includes inferring an implicit relationship based on a combination of explicit relationships; and
  
  determining whether the first relationship allows for the access to the computer-based resource based on properties of the first relationship if the first principal has the first relationship;
  
  otherwise, determining whether an organization of the first principal has a second relationship, with the second principal, that allows for the access, the determining whether the organization has the second relationship based on user to organization relationships and organization to user relationships of the data structures; and
  
  providing authorization for the requesting principal to the computer-based resource.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program device of claim 17, wherein the relationships are stored in a table such that a graph of relationships is described, the graph comprising at least one child node of relationships having a plurality of parent nodes.
  - 19. The computer program device of claim 17, wherein the request is a request for access to health information in a health care environment.
  - 20. The computer program device of claim 17, wherein the data structures are one or more tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Medox Technologies, Inc.
Original Assignee
Medox Exchange, Inc.
Inventors
Beck, Michael E.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/786,486
Publication Number

US 20070240203A1
Time in Patent Office

2,666 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6272   by registering files or doc...

G16H 10/60   for patient-specific data, ...

G16H 50/20   for computer-aided diagnosi...

G16H 70/20   relating to practices or gu...

G16H 80/00   ICT specially adapted for f...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

Relationship-based authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Relationship-based authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links