Access management system

US 9,043,898 B2
Filed: 04/18/2011
Issued: 05/26/2015
Est. Priority Date: 04/29/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing access rights for data held locally in an internal memory of a mobile communications device and in a portable storage device connected to the mobile communications device, the mobile communications device connected to a network, the data having a first set of access rights, the method comprising:

detecting disconnection of the mobile communications device from the network; and

the mobile communications device adjusting the access rights from the first set of access rights to a second set of access rights for the data stored in a secure memory area of the internal memory and the portable storage upon detection of the disconnection;

wherein the first set of access rights is different from said second set of access rights;

wherein said adjusting said access rights to said second set of access rights comprises granting access rights which vary in dependence on;

an identity of a file comprising the data;

a file type of the file comprising the data;

a rights access level assigned to the file comprising the data;

membership of the file comprising the data in a predefined group; and

an identity of a directory in which the file comprising the data is located; and

wherein detecting disconnection of the mobile communications device from the network comprises detecting disconnection of said mobile device from predefined server apparatus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access rights management system is presented in which a mobile device may be allowed to access corporately held data in a flexible manner but in which the security and integrity of the data is maintained. The mobile device is provided with a rights adjustment module which modifies the access rights for locally stored corporate data in dependence on the connectivity of the mobile device with a corporate server.

41 Citations

View as Search Results

20 Claims

1. A method of managing access rights for data held locally in an internal memory of a mobile communications device and in a portable storage device connected to the mobile communications device, the mobile communications device connected to a network, the data having a first set of access rights, the method comprising:
- detecting disconnection of the mobile communications device from the network; and
  
  the mobile communications device adjusting the access rights from the first set of access rights to a second set of access rights for the data stored in a secure memory area of the internal memory and the portable storage upon detection of the disconnection;
  
  wherein the first set of access rights is different from said second set of access rights;
  
  wherein said adjusting said access rights to said second set of access rights comprises granting access rights which vary in dependence on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located; and
  
  wherein detecting disconnection of the mobile communications device from the network comprises detecting disconnection of said mobile device from predefined server apparatus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1 wherein the second set of access rights comprises at least one access right which is more restrictive than a corresponding access right of the first set of access rights.
  - 3. A method according to claim 1 wherein the first and second set of access rights each comprises at least one of read permissions, write permissions, and execute permissions.
  - 4. A method according to claim 1 wherein said adjusting said access rights to said second set of access rights comprises granting access rights which vary in dependence on at least one of an identity of a user of the mobile device and membership of the user of the mobile device in a predefined user group.
  - 5. A method according to claim 1 wherein said method further comprises:
    - determining that the mobile communications device is connected to server apparatus;
      
      obtaining information representing the identity of the server apparatus to which the mobile device is connected;
      
      obtaining information representing the identity of the predefined server apparatus; and
      
      comparing the identity of the server apparatus to which the mobile device is connected with the identity of the predefined server apparatus, whereby to determine connectivity of said mobile device to said predefined server apparatus.
  - 6. A method according to claim 5 wherein said method is performed by a rights management module operating on said mobile device and wherein said information representing the identity of the predefined server apparatus is obtained from configuration parameters provided for configuring said rights management module.
  - 7. A method according to claim 5 wherein said information representing the identity of the predefined server apparatus is obtained by retrieving it from the data held locally relative to the mobile communications device.
  - 8. A method according to claim 5 wherein said information representing the identity of the predefined server apparatus is obtained by receiving it from an application running locally on the mobile communications device.
  - 9. A method according to claim 1 wherein the data is encrypted and wherein the method comprises decrypting the data for which the access rights are granted on the mobile communications device when the mobile communications device is not connected to the network.
  - 10. A method according to claim 1 wherein the data is encrypted and wherein the method comprises receiving a decrypted version of the data for which the access rights are granted, from server apparatus, when the mobile communications device is connected to the network.
  - 11. A method according to claim 1 wherein the method comprises detecting an attempt to mount a portable storage device on which said data is stored on the mobile communications device, requesting entry of secure input information from a user of the mobile communications device, receiving the secure input information from the user, verifying the received secure input information, allowing successful mounting of the portable storage device if the secure input information is successfully verified, and inhibiting mounting of the portable storage device if the secure input information is not successfully verified.
  - 12. A method according to claim 1 wherein the method further comprises detecting a change in the connectivity of the mobile communications device to a network from disconnected to connected and adjusting the access rights from the second set of access rights to the first set of access rights on detection of the change.

13. A method of provisioning a mobile communications device for managing access rights for data held locally in an internal memory of the mobile communications device and in a portable storage device connected to the mobile communications device, the method comprising:
- providing the mobile communications device with configuration parameters defining a first set of access rights for the data for use when the mobile communications device is connected to a network; and
  
  providing the mobile communications device with configuration parameters defining a second set of access rights for data stored in a secure memory area of the internal memory and in the portable storage device for use when the mobile communications device is not connected to the network;
  
  wherein the first set of access rights is different from said second set of access rights; and
  
  the mobile communications device adjusting access rights from the first set of access rights to the second set of access rights upon detection of a disconnection;
  
  wherein said providing said configuration parameters comprises providing configuration parameters which define access rights which are dependent on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located.
- View Dependent Claims (14)
- - 14. A method as claimed in claim 13 wherein the method comprises determining that updated configuration parameters are available, and providing said updated configuration parameters to said mobile communications device in response to said determination.

15. A mobile communications device havingan access rights managing unit that manages access rights for data held locally in an internal memory of a mobile communications device and in a portable storage device connected to the mobile communications device, relative to the mobile communications device,the access rights managing unit comprising:
- a first receiving unit that receives, at the mobile communications device, configuration parameters defining a first set of access rights for the data for use when the mobile communications device is connected to a network;
  
  a second receiving unit that receives, at the mobile communications device, configuration parameters defining a second set of access rights for data stored in a secure memory area of the internal memory and in the portable storage device for use when the mobile communications device is not connected to the network; and
  
  a storing unit that stores said configuration parameters for use in managing said access rights for the data held locally relative to the mobile communications device;
  
  wherein the first set of access rights is different from said second set of access rights;
  
  wherein said configuration parameters define access rights which are dependent on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located.
- View Dependent Claims (16, 17)
- - 16. A mobile communication device as claimed in claim 15 wherein said access rights managing unit comprises a rights management module operable to run on said mobile communications device.
  - 17. A mobile communications device as claimed in claim 16 wherein said rights management module is operable to initiate upon boot-up of the mobile device.

18. A non-transitory computer readable medium storing a program for causing a computer to carry out a method of managing access rights for data held locally in an internal memory of a mobile communications device and in a portable storage device connected to the mobile communications device, the mobile communications device connected to a network, the data having a first set of access rights, the method comprising:
- detecting disconnection of the mobile communications device from the network; and
  
  the mobile communications device adjusting the access rights from the first set of access rights to a second set of access rights for the data stored in a secure memory area of the internal memory and the portable storage upon detection of the disconnection;
  
  wherein the first set of access rights is different from said second set of access rights;
  
  wherein said adjusting said access rights to said second set of access rights comprises granting access rights which vary in dependence on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located; and
  
  wherein detecting disconnection of the mobile communications device from the network comprises detecting disconnection of said mobile device from predefined server apparatus.

19. A mobile communications device having a module for managing access rights for data held locally in an internal memory of the mobile communications device and in a portable storage device connected to the mobile communication device, the access rights managing module being operable to:
- (i) receive configuration parameters defining a first set of access rights for the data for use when the mobile communications device is connected to a network;
  
  (ii) receive configuration parameters defining a second set of access rights for data stored in a secure memory area of the internal memory and in the portable storage device for use when the mobile communications device is not connected to the network; and
  
  (iii) store said configuration parameters for use in managing said access rights for the data held locally relative to the mobile communications device;
  
  wherein the first set of access rights is different from said second set of access rights;
  
  wherein said configuration parameters which define access rights which are dependent on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located.

20. A server apparatus having a provisioning module for provisioning a mobile communications device to manage access rights for data held locally in an internal memory of the mobile communications device and in a portable storage device connected to the mobile communications device, the provisioning module being operable to provide the mobile communications device with:
- (i) configuration parameters defining a first set of access rights for the data for use when the mobile communications device is connected to a network, and (ii) configuration parameters defining a second set of access rights for data stored in a secure memory area of the internal memory and in the portable storage device for use when the mobile communications device is not connected to the network;
  
  wherein the first set of access rights is different from said second set of access rights;
  
  wherein said configuration parameters which define access rights which are dependent on;
  
  an identity of a file comprising the data;
  
  a file type of the file comprising the data;
  
  a rights access level assigned to the file comprising the data;
  
  membership of the file comprising the data in a predefined group; and
  
  an identity of a directory in which the file comprising the data is located.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo Innovations Ltd Hong Kong (Lenovo Group Ltd.)
Original Assignee
Lenovo Innovations Ltd Hong Kong (Lenovo Group Ltd.)
Inventors
Fok Ah Chuen, Frederic, Lecroart, Benoit, Perron, Olivier
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/642,679
Publication Number

US 20130067564A1
Time in Patent Office

1,499 Days
Field of Search

726/1, 726/4, 726/17, 726/21, 726/27, 713/151, 713176-177, 380/282, 455/410
US Class Current

726/17
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04W 12/084   using delegated authorisati...

H04W 12/086   using security domains

H04W 88/02   Terminal devices

Access management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links