Security data redaction

US 20060277220A1
Filed: 01/27/2006
Published: 12/07/2006
Est. Priority Date: 03/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for securing access to data, the method comprising:

accessing at least one service on behalf of a requestor;

receiving a result set including results from accessing the at least one service; and

providing to the requestor only that portion of the result set that the requester is permitted to access;

wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requester.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment of the present invention, there are provided mechanisms and methods for securing access to data. These mechanisms and methods for securing access to data make it possible for systems to have improved control over accesses to information by redacting responses made by services based upon access policies. Requestors may be users, proxies or automated entities. This ability of a system to redact responses to queries or requests for services in accordance with access policies makes it possible to attain improved security in computing systems over conventional access control mechanisms that control based upon privileges for accessing a file, an account, a storage device or a machine upon which the information is stored.

167 Citations

View as Search Results

19 Claims

1. A method for securing access to data, the method comprising:
- accessing at least one service on behalf of a requestor;
  
  receiving a result set including results from accessing the at least one service; and
  
  providing to the requestor only that portion of the result set that the requester is permitted to access;
  
  wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requester.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein providing to the requestor only that portion of the result set that the requester is permitted to access further comprises:
    - redacting the result set according to access policies if the requester is permitted by the access policies to access only a portion of the result set.
  - 3. The method of claim 1, wherein providing to the requester only that portion of the result set that the requester is permitted to access further comprises:
    - providing the result set according to access policies if the requester is permitted by the access policies to access only a portion of the result set.
  - 4. The method of claim 1, wherein providing to the requestor only that portion of the result set that the requester is permitted to access further comprises:
    - providing an empty result set according to access policies if the requestor is not permitted by the access policies to access any of the result set.
  - 5. The method of claim 1, wherein accessing a service on behalf of a requestor further comprises:
    - accessing the at least one service according to a request received from the requester.
  - 6. The method of claim 1, further comprising:
    - determining whether the requestor is making an authorized request to access the at least one service.
  - 7. The method of claim 1, further comprising:
    - determining whether the requestor is making an authorized request to access datasets that the at least one service accesses.
  - 8. The method of claim 1, wherein service includes at least one of a network based application, a web server resident application, a web portal, a search engine, a photographic, audio or video information storage application, an e-Commerce application, a backup application, a storage application, a sales/revenue planning, marketing, forecasting, accounting, inventory management application.

9. A computer-readable medium carrying one or more sequences of instructions for securing access to data, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- accessing at least one service on behalf of a requester;
  
  receiving a result set including results from accessing the at least one service; and
  
  providing to the requester only that portion of the result set that the requestor is permitted to access;
  
  wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requester.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium as recited in claim 9, wherein the instructions for carrying out the step of providing to the requestor only that portion of the result set which the requestor is permitted to access include instructions for carrying out the steps of:
    - redacting the result set according to access policies if the requester is permitted by the access policies to access only a portion of the result set.
  - 11. The computer-readable medium as recited in claim 9, wherein the instructions for carrying out the step of providing to the requester only that portion of the result set which the requestor is permitted to access include instructions for carrying out the steps of:
    - providing the result set according to access policies if the requestor is permitted by the access policies to access only a portion of the result set.
  - 12. The computer-readable medium as recited in claim 9, wherein the instructions for carrying out the step of providing to the requestor only that portion of the result set which the requestor is permitted to access include instructions for carrying out the steps of:
    - providing an empty result set according to access policies if the requestor is not permitted by the access policies to access any of the result set.
  - 13. The computer-readable medium as recited in claim 12, wherein the instructions for carrying out the step of accessing a service on behalf of a requestor include instructions for carrying out the steps of:
    - accessing the service according to a request received from the requester.
  - 14. The computer-readable medium as recited in claim 9, further comprising instructions, which when executed by the one or more processors cause the one or more processors to carry out the steps of:
    - determining whether the requester is making an authorized request to access the at least one service.
  - 15. The computer-readable medium as recited in claim 9, further comprising instructions, which when executed by the one or more processors cause the one or more processors to carry out the steps of:
    - determining whether the requestor is making an authorized request to access datasets that the at least one service accesses.
  - 16. The computer-readable medium as recited in claim 9, wherein service includes at least one of a network based application, a web server resident application, a web portal, a search engine, a photographic, audio or video information storage application, an e-Commerce application, a backup application, a storage application, a sales/revenue planning, marketing, forecasting, accounting, inventory management application.

17. An apparatus for securing access to data, the apparatus comprising:
- a processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  accessing at least one service on behalf of a requester;
  
  receiving a result set including results from accessing the at least one service; and
  
  providing to the requestor only that portion of the result set that the requestor is permitted to access;
  
  wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requester.

18. A method for receiving data under a controlled environment, the method comprising:
- sending a request to access a service to a server; and
  
  receiving a portion of a result set of the service from the server, wherein the server has prepared the portion of the result set of the service according to a determination of a subset of the result set which is permitted to be provided responsive to the request.

19. A computer-readable medium carrying one or more sequences of instructions for receiving data under a controlled environment, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- sending a request to access a service to a server; and
  
  receiving a portion of a result set of the service from the server, wherein the server has prepared the portion of the result set of the service according to a determination of a subset of the result set which is permitted to be provided responsive to the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Gupta, Naveen, Patrick, Paul B.

Granted Patent

US 8,086,615 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 21/6227 where protection concerns t...

Security data redaction

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security data redaction

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links