Authorized data access based on the rights of a user and a location

US 9,081,982 B2
Filed: 04/18/2011
Issued: 07/14/2015
Est. Priority Date: 04/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method operable within a computer network, the method comprising:

receiving, at a server in operable communication with the computer network, a session login request by a user using a computer in operable communication with the computer network;

determining a set of security settings for the computer network, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;

determining, based at least in part on the received login request and on a corresponding unique identification of the user, a set of user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;

receiving at least one unique identifier associated only with the computer from which the login request was received;

determining, based the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;

determining, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises;

(a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;

(b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and

(c) defining, if there is no intersection, the set of session access rights to be an empty set;

permitting the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;

independent of the determination of the content of the set of session access rights, generating, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, wherein the at least one file comprises data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;

if the user has successfully logged into the session on the computer and the set of session rights is defined, and if generation of the first subset of file permissions is complete, then before any information about the file or its existence is made available to the user, first apply the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;

if the set of file access rights contains no members, generating information usable to prevent the user from access to or having knowledge of the existence of the file; and

if the set of file access rights includes one or more members, then generating information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to files is properly granted regardless of whether an accessing user is located at their primary location or at any “roaming” location. In particular, the techniques herein consider the user rights, rights of any computer from which the user is accessing files, and the rights associated with the files themselves, such as by determining the User ∩ Computer intersection of access rights (an overlap between rights of the user and rights of the computer), and applying these access rights to file rights (e.g., file metadata) to determine what access the user has to the files (e.g., viewing, modifying, etc.).

28 Citations

View as Search Results

19 Claims

1. A method operable within a computer network, the method comprising:
- receiving, at a server in operable communication with the computer network, a session login request by a user using a computer in operable communication with the computer network;
  
  determining a set of security settings for the computer network, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
  
  determining, based at least in part on the received login request and on a corresponding unique identification of the user, a set of user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
  
  receiving at least one unique identifier associated only with the computer from which the login request was received;
  
  determining, based the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
  
  determining, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises;
  
  (a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
  
  (b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
  
  (c) defining, if there is no intersection, the set of session access rights to be an empty set;
  
  permitting the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
  
  independent of the determination of the content of the set of session access rights, generating, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, wherein the at least one file comprises data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;
  
  if the user has successfully logged into the session on the computer and the set of session rights is defined, and if generation of the first subset of file permissions is complete, then before any information about the file or its existence is made available to the user, first apply the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
  
  if the set of file access rights contains no members, generating information usable to prevent the user from access to or having knowledge of the existence of the file; and
  
  if the set of file access rights includes one or more members, then generating information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contains each of the first subset of file permissions.
  - 3. The method as in claim 1, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contains one or more of the first subset of file permissions.
  - 4. The method as in claim 1, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contain at least one particular file permission from the first subset of file permissions and one or more other file permissions from the first subset of file permissions.
  - 5. The method as in claim 1, wherein determining the set of computer access rights of the computer comprises:
    - uniquely identifying the computer used for session login based on at least one unique identifier selected from the group comprising computer name, IP address, MAC address, unique network address, and a public key infrastructure (PKI) PKI signature of the computer; and
      
      performing, based on the unique identification of the computer, a lookup operation into a database to determine the corresponding set of computer access rights of the computer, the database being in operable communication with the server.
  - 6. The method according to claim 5, wherein determining the set of user access rights further comprises uniquely identifying the user based at least in part upon a user session, biometric information associated with the user, and a user PKI signature.
  - 7. The method as in claim 1, further comprising:
    - determining a set of custom access claims based on the set of session access rights; and
      
      generating information usable to relay the set of custom access claims to the computer, wherein the set of custom access claims are usable by the computer to request access to the file in accordance with the set of file access rights.
  - 8. The method as in claim 1, wherein the set of user access rights, the set of computer access rights, the set of session access rights, the first subset set of file permissions, and the set of file access rights each comprise at least one of a security classification, a security clearance, and a security caveat.
  - 9. The method as in claim 1, wherein the first subset of file permissions are determined, at the server, to be configured at a system level, a file level, and/or in a logic structure.
  - 10. The method as in claim 1, wherein at least one file permission in the first subset of file permissions is represented as a singleton, the singleton corresponding to a unique combination of two or more file permissions from the set of file permissions.
  - 11. The method of claim 1, further comprising:
    - receiving, if permitted in accordance with the set of file access rights, a request from the user to change at least a portion of a set of file permissions associated with the file;
      
      generating information usable to change the at least a portion of the set of file permissions in accordance with the request to change; and
      
      generating information usable to dynamically adjust a session-specific dynamic view of the file in accordance with the at least a portion of the set of file permissions that was changed.

12. A tangible, non-transitory computer-readable medium having software encoded thereon, the software, when executed by a processor coupled to a computer network that is in operable communication with at least one file, operable to:
- determine a set of security settings for the computer network, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
  
  receive a session login request by a user from a computer;
  
  determine, based at least in part on the received login request and on a corresponding unique identification of the user, a set of individual user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
  
  receive at least one unique identifier associated only with the computer from which the login request was received;
  
  determine, based on the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
  
  determine, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises;
  
  (a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
  
  (b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
  
  (c) defining, if there is no intersection, the set of session access rights to be an empty set;
  
  permit the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
  
  generate, independently to the determination of the content of the set of session access rights, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, wherein the at least one file comprises data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;
  
  apply, if the user has successfully logged into the session on the computer, and if generation of the first subset of file permissions is complete, before any information about the file or its existence is made available to the user, the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
  
  generate, if the set of file access rights contains no members, information usable to prevent the user from access to or having knowledge of the existence of the file; and
  
  generate, if the set of file access rights includes one or more members, information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-readable medium as in claim 12, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contains each of the first subset of file permissions.
  - 14. The computer-readable medium as in claim 12, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contains one or more of the first subset of file permission requirements.
  - 15. The computer-readable medium as in claim 12, wherein the first predetermined subset of security attributes corresponds to a condition wherein the set of session access rights contain at least one particular file permission from the first subset and one or more other file permissions from the first subset of file permissions.
  - 16. The computer-readable medium as in claim 12, wherein the software when executed is further operable to:
    - determine a set of custom access claims based on the set of session access rights; and
      
      generate information usable to relay the set of custom access claims to the computer, wherein the set of custom access claims are usable by the computer to request access to the file in accordance with the set of file access rights.
  - 17. The computer-readable medium of claim 12, wherein the software is further operable to:
    - receive, if permitted in accordance with the set of file access rights, a request from the user to change at least a portion of a set of file permissions associated with the file;
      
      generate information usable to change the at least a portion of the set of file permissions in accordance with the request to change; and
      
      generate information usable to dynamically adjust a session-specific dynamic view of the file in accordance with the at least a portion of the set of file permissions that was changed.

18. An apparatus, comprising:
- one or more network interfaces, at least one of the network interfaces being in operable communication with at least one file;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  determine a set of security settings applicable to the process, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
  
  receive a session login request by a user from a computer;
  
  determine, based at least in part on the received login request and on a corresponding unique identification of the user, a set of user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
  
  receive at least one unique identifier associated only with the computer from which the login request was received;
  
  determine, based on the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
  
  determine, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises;
  
  (a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
  
  (b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
  
  (c) defining, if there is no intersection, the set of session access rights to be an empty set;
  
  permit the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
  
  generate, independently to the determination of the content of the set of session access rights, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, the at least one file comprising data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributesapply, if the user has successfully logged into the session on the computer, and if generation of the first subset of file permissions is complete, before any information about the file or its existence is made available to the user, the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
  
  generate, if the set of file access rights contains no members, information usable to prevent the user from access to or having knowledge of the existence of the file; and
  
  generate, if the set of file access rights includes one or more members, information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18, wherein the process is further operable to:
    - receive, if permitted in accordance with the set of file access rights, a request from the user to change at least a portion of a set of file permissions associated with the file;
      
      generate information usable to change the at least a portion of the set of file permissions in accordance with the request to change;
      
      generate information usable to dynamically adjust a session-specific dynamic view of the file in accordance with the at least a portion of the set of file permissions that was changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Bradley, Charles B. II
Primary Examiner(s)
CHAO, MICHAEL W

Application Number

US13/088,799
Publication Number

US 20120266239A1
Time in Patent Office

1,548 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

Authorized data access based on the rights of a user and a location

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Authorized data access based on the rights of a user and a location

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links