Authorized data access based on the rights of a user and a location
First Claim
1. A method operable within a computer network, the method comprising:
receiving, at a server in operable communication with the computer network, a session login request by a user using a computer in operable communication with the computer network;
determining a set of security settings for the computer network, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
determining, based at least in part on the received login request and on a corresponding unique identification of the user, a set of user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
receiving at least one unique identifier associated only with the computer from which the login request was received;
determining, based on the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
determining, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises:
(a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
(b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
(c) defining, if there is no intersection, the set of session access rights to be an empty set;
permitting the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
independent of the determination of the content of the set of session access rights, generating, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, wherein the at least one file comprises data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;
if the user has successfully logged into the session on the computer and the set of session rights is defined, and if generation of the first subset of file permissions is complete, then before any information about the file or its existence is made available to the user, first apply the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
if the set of file access rights contains no members, generating information usable to prevent the user from access to or having knowledge of the existence of the file; and
if the set of file access rights includes one or more members, then generating information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
Abstract
Access to files is properly granted regardless of whether an accessing user is located at their primary location or at any “roaming” location. In particular, the techniques herein consider the user rights, rights of any computer from which the user is accessing files, and the rights associated with the files themselves, such as by determining the User ∩ Computer intersection of access rights (an overlap between rights of the user and rights of the computer), and applying these access rights to file rights (e.g., file metadata) to determine what access the user has to the files (e.g., viewing, modifying, etc.).
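The two-stage intersection described in the abstract, as an added Python illustration that is not code from the patent. The user, computer and file names and the attribute labels are constructed, and treating "view" as the access type that gates knowledge of a file's existence is an assumption of this sketch.

```python
# Added illustration; users, computers, files and attribute names are constructed.
USER_RIGHTS = {"alice": frozenset({"SECRET", "CONFIDENTIAL", "CAVEAT-A"})}
COMPUTER_RIGHTS = {
    "ws-primary": frozenset({"SECRET", "CONFIDENTIAL", "CAVEAT-A"}),
    "ws-roaming": frozenset({"CONFIDENTIAL"}),
    "kiosk": frozenset({"PUBLIC"}),
}
# File metadata: for each access type, the attributes that permit it.
FILE_PERMISSIONS = {
    "plan.doc": {"view": frozenset({"SECRET"}), "modify": frozenset({"SECRET"})},
    "memo.txt": {"view": frozenset({"SECRET", "CONFIDENTIAL"}),
                 "modify": frozenset({"SECRET"})},
}


class LoginDenied(Exception):
    """Raised when User ∩ Computer is empty."""


def session_rights(user, computer):
    """Session rights = User ∩ Computer; unknown ids fail closed (empty set)."""
    rights = USER_RIGHTS.get(user, frozenset()) & COMPUTER_RIGHTS.get(computer, frozenset())
    if not rights:
        raise LoginDenied(f"{user}@{computer}: no common security attributes")
    return rights


def file_access_rights(session, name, access_type):
    """File access rights = session rights ∩ permissions for this access type."""
    perms = FILE_PERMISSIONS.get(name, {}).get(access_type, frozenset())
    return session & perms


def list_visible(session):
    """Directory listing: files with an empty 'view' intersection are omitted."""
    return sorted(n for n in FILE_PERMISSIONS if file_access_rights(session, n, "view"))


def authorize(session, name, access_type):
    """Return the granting attributes, or raise without leaking existence."""
    if not file_access_rights(session, name, "view"):
        # Same error for a hidden file and a missing one.
        raise FileNotFoundError(name)
    granted = file_access_rights(session, name, access_type)
    if not granted:
        raise PermissionError(f"{access_type} denied on {name}")
    return granted
```

The same user sees both files from `ws-primary` but only `memo.txt` from `ws-roaming`, and a request for the hidden file is indistinguishable from a request for a file that does not exist.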
19 Claims
12. A tangible, non-transitory computer-readable medium having software encoded thereon, the software, when executed by a processor coupled to a computer network that is in operable communication with at least one file, operable to:
determine a set of security settings for the computer network, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
receive a session login request by a user from a computer;
determine, based at least in part on the received login request and on a corresponding unique identification of the user, a set of individual user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
receive at least one unique identifier associated only with the computer from which the login request was received;
determine, based on the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
determine, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises:
(a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
(b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
(c) defining, if there is no intersection, the set of session access rights to be an empty set;
permit the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
generate, independently to the determination of the content of the set of session access rights, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, wherein the at least one file comprises data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;
apply, if the user has successfully logged into the session on the computer, and if generation of the first subset of file permissions is complete, before any information about the file or its existence is made available to the user, the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
generate, if the set of file access rights contains no members, information usable to prevent the user from access to or having knowledge of the existence of the file; and
generate, if the set of file access rights includes one or more members, information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
18. An apparatus, comprising:
one or more network interfaces, at least one of the network interfaces being in operable communication with at least one file;
a processor coupled to the network interfaces and adapted to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed operable to:
determine a set of security settings applicable to the process, the set of security settings defining a plurality of security attributes, the security attributes comprising at least one of a security clearance, a security classification, and a security caveat;
receive a session login request by a user from a computer;
determine, based at least in part on the received login request and on a corresponding unique identification of the user, a set of user access rights of the user applicable during the session, the set of user access rights being individual to the user and comprising security attributes that are unrelated to the role of the user, wherein the set of user access rights comprises one or more security attributes selected from the set of security settings;
receive at least one unique identifier associated only with the computer from which the login request was received;
determine, based on the received at least one unique identifier, a corresponding set of computer access rights of the computer that are applicable during the session, the set of computer access rights being individual to the computer and independent of the set of user access rights and comprising one or more security attributes selected from the set of security settings;
determine, for the session to which the user is attempting login to the computer, the content of a set of session access rights, wherein determining the content of the set of session access rights comprises:
(a) determining whether the set of user access rights intersects with the set of computer access rights to result in one or more common security attributes;
(b) defining, if there is an intersection, a set of session access rights comprising the one or more common security attributes; and
(c) defining, if there is no intersection, the set of session access rights to be an empty set;
permit the user to have access to the computer, during the session, in accordance with the content of the set of session access rights, wherein if the set of session access rights is empty, the user is denied permission to access the computer;
generate, independently to the determination of the content of the set of session access rights, for at least one file accessible via the computer network, a first subset of file permissions required for a first predetermined type of authorized access to the at least one file, the at least one file comprising data for the file itself and file metadata, the file metadata storing therein a set of file permissions selected from the plurality of security attributes;
apply, if the user has successfully logged into the session on the computer, and if generation of the first subset of file permissions is complete, before any information about the file or its existence is made available to the user, the session rights to the first subset of file permission to determine whether a set of file access rights exists and includes any respective members, the respective members in the set of file access rights comprising a first predetermined subset of security attributes common to both the session access rights and the first subset of file permissions;
generate, if the set of file access rights contains no members, information usable to prevent the user from access to or having knowledge of the existence of the file; and
generate, if the set of file access rights includes one or more members, information usable to authorize the user, during the session, to have at least one of knowledge of the file and access to the file in accordance with the security attributes corresponding to the one or more members of the set of file access rights.
Specification