System and method for access control and identity management

US 8,826,407 B2
Filed: 11/23/2011
Issued: 09/02/2014
Est. Priority Date: 11/24/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for decomposing functions having computer code stored in a non-transitory tangible storage medium that when read and executed by a computer causes the following steps to be performed in a computer system:

creating a first function, a second function, and a third function;

creating a first identity object with a first associated identifier for the first function, a second identity object with a second associated identifier for the second function, and a third identity object with a third associated identifier for the third function, wherein each of the first, second and third identity objects has a separately evolving information set in the computer system;

joining in a membership object the first identity object, the second identity object, and the third function, wherein the first identity object is a membership provider, the second identity object is a membership recipient, and the third function is a membership target, so that the second identity object is a member of the third function,creating a fourth identity object with an associated fourth identifier that derives from the second identity object, so that the third function is decomposable into a collection of member functions through the creation of new membership objects, accomplishing decomposition of the membership target through the creation of new membership objects, wherein the fourth identity object is a member function of the membership target, whereby the creation of any member functions generates new membership objects, creating an expanding program structure and a collaborative means for interpreting the functional structure of a computer program wherein all of the member functions participate in the interpretation, performing interpretation dynamically at system runtime;

creating separately evolving information sets for the identity objects associated with any of the member functions;

providing immediate access for the member functions to the information set of the membership target so that the member functions can immediately access and operate on the information set of the membership target;

wherein the member functions are distributable within a single system, throughout a multi-node system, or throughout a distributed graph database system on one or a plurality of machines so that work of any of the member functions is also distributable; and

applying specific access rights controlling how each of the member functions accesses or operates on the information set of the membership target so that the information set-or a subset of the information set of the membership target is made accessible to any one of the member functions of the membership target, whereby different subsets of information are accessible to each member function;

wherein membership recipients and derived identity objects that license the membership recipients are functions that interpret the membership target, the interpreters configured to further decompose the work of the membership target into at least one additional member function so that membership in a membership object propagates a self-generating and dynamically expanding functional system through the creation of additional member functions by the interpreters of the membership target function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for the flow of access by derivation is provided. An access point may be any object, such as files or functions, to which the access recipient is granted access rights by the access provider. Access is typically represented by a relationship object referencing the access provider function, the access recipient function, and the access point object, and a set of access rights. This membership access relationship object is typically represented as a subtype of the access relationship. When a membership access relationship is created, typically a new associated persona function is generated, representing the new identity created for the access recipient function while serving as a member of the access point function. When a persona function is invited to be a member in another function, that in turn generates a membership and a second persona that is derived from the first persona, resulting in identity derivation.

45 Citations

View as Search Results

11 Claims

1. A computer program product for decomposing functions having computer code stored in a non-transitory tangible storage medium that when read and executed by a computer causes the following steps to be performed in a computer system:
- creating a first function, a second function, and a third function;
  
  creating a first identity object with a first associated identifier for the first function, a second identity object with a second associated identifier for the second function, and a third identity object with a third associated identifier for the third function, wherein each of the first, second and third identity objects has a separately evolving information set in the computer system;
  
  joining in a membership object the first identity object, the second identity object, and the third function, wherein the first identity object is a membership provider, the second identity object is a membership recipient, and the third function is a membership target, so that the second identity object is a member of the third function,creating a fourth identity object with an associated fourth identifier that derives from the second identity object, so that the third function is decomposable into a collection of member functions through the creation of new membership objects, accomplishing decomposition of the membership target through the creation of new membership objects, wherein the fourth identity object is a member function of the membership target, whereby the creation of any member functions generates new membership objects, creating an expanding program structure and a collaborative means for interpreting the functional structure of a computer program wherein all of the member functions participate in the interpretation, performing interpretation dynamically at system runtime;
  
  creating separately evolving information sets for the identity objects associated with any of the member functions;
  
  providing immediate access for the member functions to the information set of the membership target so that the member functions can immediately access and operate on the information set of the membership target;
  
  wherein the member functions are distributable within a single system, throughout a multi-node system, or throughout a distributed graph database system on one or a plurality of machines so that work of any of the member functions is also distributable; and
  
  applying specific access rights controlling how each of the member functions accesses or operates on the information set of the membership target so that the information set-or a subset of the information set of the membership target is made accessible to any one of the member functions of the membership target, whereby different subsets of information are accessible to each member function;
  
  wherein membership recipients and derived identity objects that license the membership recipients are functions that interpret the membership target, the interpreters configured to further decompose the work of the membership target into at least one additional member function so that membership in a membership object propagates a self-generating and dynamically expanding functional system through the creation of additional member functions by the interpreters of the membership target function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein any one of the functions is any agent internal or external to a system that is capable of any one of the following:
    - providing one or more inputs, consuming one or more inputs, generating one or more outputs, submitting one or more requests, or operating in a system.
  - 3. The computer program product of claim 2, wherein any one of the functions is a user, a project, a task, a group, a computation, or a network.
  - 4. The computer program product of claim 1, wherein any identity object is a persona that specifies at least one of an access provider, access recipient, and access point, and access rights.
  - 5. The computer program product of claim 1, wherein in the providing immediate access step, the member functions immediately access and operate on the information set of the membership target includes accessing, reading, writing, modifying, evolving, extending, and deleting.
  - 6. The computer program product of claim 1, wherein the member functions are ordered so that the member functions are executable in a particular order.
  - 7. The computer program product of claim 1, wherein any one of the member functions may itself be decomposed into a second collection of member functions so that the work of the member functions can be further subdivided.
  - 8. The computer program product of claim 1, wherein information added to the information set for the membership target immediately flows to member functions of the membership target.
  - 9. The computer program product of claim 1, wherein the membership of any of the multiple member functions is modified or deleted independently of all other member functions so that the collection of member functions can be expanded or contracted as needed.
  - 10. The computer program product of claim 1, wherein the structure of a program as expressed by member functions dynamically changes at runtime and adapts to changing requirements through membership of the membership functions.
  - 11. The computer program product of claim 1, wherein the membership target is an outer function and the function that licenses the membership recipient is a first inner function so that the first inner function interprets the outer function and invites at least one new interpreter as second inner functions that through a membership object further interprets the first inner function or the outer function, wherein the inner function is a child function and the outer function is a parent function of the child function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skai, Incorporated
Original Assignee
Skai, Incorporated
Inventors
Henderson, Charles E.
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/304,161
Publication Number

US 20120137360A1
Time in Patent Office

1,014 Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

System and method for access control and identity management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

System and method for access control and identity management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others