Controlling access to computer resources

US 10,255,415 B1
Filed: 06/29/2018
Issued: 04/09/2019
Est. Priority Date: 04/03/2018
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more computer readable storage devices configured to store;

a first qualification object specifying a first qualification;

a first use case object indicating a first purpose, the first use case object being associated with the first qualification object;

a first resource object representing a first computer resource, the first resource object linked with at least the first use case object;

a first user object representing a first user, the first user object indicating one or more qualifications of the first user; and

a plurality of computer readable instructions; and

one or more processors configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising;

receiving an authentication credential provided by the first user;

authenticating the first user based at least in part on the authentication credential;

receiving, from the first user, an indication of the first purpose of the first use case object, wherein the first use case object is linked with one or more resource objects and is associated with one or more user actions that the first user can take, wherein the linked one or more resource objects include the first resource object;

determining authorizations of the first user to the linked one or more resource objects that are linked to the first use case object;

determining that the qualifications of the first user satisfy the first qualification of the first qualifications object that is associated with the first use case object; and

based at least in part on receiving the indication of the first purpose of the first use case object, and based at least in part on the first use case object being linked to the first resource object, and further based at least in part on the determined authorizations of the first user, providing the first user with access to the first computer resource represented by the first resource object.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is described for controlling access to resources using an object model. Users can specify use cases for accessing resources. The user may be granted access if the user satisfies qualifications required for accessing the resource, selected a use case permissible for accessing the resource, and satisfies qualifications required for the use case. Use cases, qualifications, resources, and/or links between them can be implemented using an object model. The system can be used in addition to authentication and authorization.

107 Citations

View as Search Results

19 Claims

1. A computer system comprising:
- one or more computer readable storage devices configured to store;
  
  a first qualification object specifying a first qualification;
  
  a first use case object indicating a first purpose, the first use case object being associated with the first qualification object;
  
  a first resource object representing a first computer resource, the first resource object linked with at least the first use case object;
  
  a first user object representing a first user, the first user object indicating one or more qualifications of the first user; and
  
  a plurality of computer readable instructions; and
  
  one or more processors configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising;
  
  receiving an authentication credential provided by the first user;
  
  authenticating the first user based at least in part on the authentication credential;
  
  receiving, from the first user, an indication of the first purpose of the first use case object, wherein the first use case object is linked with one or more resource objects and is associated with one or more user actions that the first user can take, wherein the linked one or more resource objects include the first resource object;
  
  determining authorizations of the first user to the linked one or more resource objects that are linked to the first use case object;
  
  determining that the qualifications of the first user satisfy the first qualification of the first qualifications object that is associated with the first use case object; and
  
  based at least in part on receiving the indication of the first purpose of the first use case object, and based at least in part on the first use case object being linked to the first resource object, and further based at least in part on the determined authorizations of the first user, providing the first user with access to the first computer resource represented by the first resource object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer system of claim 1, wherein the first computer resource is one of:
    - a file, a folder, a database, a memory, a processor, a drive, a storage device, a computer, a laptop, or a phone.
  - 3. The computer system of claim 1, wherein the authentication credential includes a username and password.
  - 4. The computer system of claim 1, wherein determining authorizations of the first user to the linked one or more resource objects that are linked to the first use case object includes:
    - determining that the first user has at least one of a read authorization, a write authorization, or a modify authorization for the first computer resource.
  - 5. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - logging, in an audit log on the one or more computer readable storage devices, an entry for an access of the first computer resource by the first user, wherein the entry includes at least two of;
      
      a time stamp for the access;
      
      an identity of the first user;
      
      an identity of the first computer resource;
      
      an indication of the first purpose of the first use case object;
      
      the qualifications of the first user;
      
      orqualifications required for accessing the first computer resource, the qualifications including the first qualification.
  - 6. The computer system of claim 5, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - receive log filter criteria;
      
      filter the audit log according to the log filter criteria; and
      
      generate a report based on the audit log and the log filter criteria, the report including at least one visualization of data in the audit log.
  - 7. The computer system of claim 1, wherein:
    - the one or more computer readable storage devices are further configured to store;
      
      a second use case object indicating a second purpose, wherein the first user object is not linked to the second use case object; and
      
      a second resource object representing a second computer resource, the second resource object linked with at least the second use case object;
      
      the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising;
      
      determining that the first user object is not linked to the second use case object; and
      
      denying access to the second computer resource based at least in part on the determination that the first user has object is not linked to the second use case object.
  - 8. The computer system of claim 1, wherein:
    - the one or more computer readable storage devices are further configured to store;
      
      a second use case object indicating a second purpose, wherein the first user object is linked to the second use case object; and
      
      a second qualification object specifying a second qualification, wherein the second qualification object linked to the second use case object, and wherein the qualifications of the first user do not include the second qualification; and
      
      a second resource object representing a second computer resource, the second resource object linked with at least the second use case object;
      
      the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising;
      
      determining that the qualifications of the first user do not include the second qualification; and
      
      denying the first user access to the second computer resource based at least in part on the determination that the qualifications of the first user do not include the second qualification.
  - 9. The computer system of claim 1, wherein:
    - the one or more computer readable storage devices are further configured to store;
      
      a second qualification object specifying a second qualification, wherein the first user object is not linked to the second qualification object; and
      
      a second resource object representing a second computer resource, the second resource object linked with at least the second qualification object;
      
      the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising;
      
      determining that the qualifications of the first user do not satisfy the second qualification; and
      
      denying access to the second computer resource based at least in part on the determination that the qualifications of the first user do not satisfy the second qualification.
  - 10. The computer system of claim 9, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - transmitting data indicating how to obtain the second qualification.
  - 11. The computer system of claim 10, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - receiving an indication that the first user obtained the second qualification; and
      
      creating a link between the first user object and the second qualification object to indicate that the qualifications of the first user satisfy the second qualification.
  - 12. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - receiving a selection, from the first user, of a second use case; and
      
      based at least in part on receiving the selection of the second use case from the first user, revoking the access to the first computer resource.
  - 13. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - receiving a selection, from the first user, of a second use case object, wherein the first resource object is linked with the second use case object; and
      
      determining that the qualifications of the first user satisfy second qualifications of a second qualification object linked to the second use case object; and
      
      based at least in part on the determination that the qualifications of the first user satisfy the second qualifications of the second qualification object linked to the second use case object, providing the first user with access to the first computer resource.
  - 14. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - receiving a selection, from the first user, of a second use case object, wherein the first resource object is linked with the second use case object; and
      
      determining that the qualifications of the first user do not satisfy second qualifications of a second qualification object linked to the second use case object; and
      
      based at least in part on the determination that the qualifications of the first user do not satisfy the second qualifications of the second qualification object linked to the second use case object, revoking, from the first user, the access to the first computer resource.
  - 15. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - based on inputs received from an administrator, changing at least one link between two of;
      
      a user object, resource object, qualification object, or a use case object.
  - 16. The computer system of claim 1, wherein:
    - a tag object is linked to the first resource object;
      
      a second qualification object is linked to the tag object, wherein the second qualifications object specifies a second qualification; and
      
      the qualifications of the first user satisfy the second qualification of the second qualifications object that is linked to the tag object.
  - 17. The computer system of claim 1, wherein:
    - a tag object is linked to the first use case object;
      
      a second qualification object is linked to the tag object, wherein the second qualifications object specifies a second qualification; and
      
      the qualifications of the first user satisfy the second qualification of the second qualifications object that is linked to the tag object.
  - 18. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - based on inputs received from an administrator, linking a second qualification object to a tag object; and
      
      determining user accesses to resources represented by resource objects that are linked to the tag object based at least in part on qualifications specified by the second qualification object.
  - 19. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising:
    - based on inputs received from an administrator, linking a second qualification object to a tag object, wherein the tag object is linked to the first use case object; and
      
      determining that the qualifications of the first user satisfy a second qualification specified by the second qualifications object that is associated with the first use case object; and
      
      wherein the first user is provided the access to the first computer resource based at least in part on the determination that the qualifications of the first user satisfy the second qualification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Siavoshy, Babak, Owens, Kyle, Edwards, Nathaniel
Primary Examiner(s)
Gee, Jason K

Application Number

US16/023,397
Time in Patent Office

284 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

Controlling access to computer resources

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to computer resources

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links