Identity context-based access control
    2. Patent application (in force)

    Publication number: US20140075492A1

    Publication date: 2014-03-13

    Application number: US13608125

    Filing date: 2012-09-10

    IPC classification: G06F21/00

    CPC classification: G06F21/604 H04L63/102

    Abstract: Identity context-based access control is implemented by generating an identity context expression from user identity data. In particular, users are clustered based on combinations of one or more attributes. These clusters comprise one or more identity context(s). Preferably, an intersection of attribute sets of each user in the cluster is formed. In addition, an intersection of attribute sets of each user not in the cluster also is formed. If the attribute set that is common across the cluster of users is not a subset of the attribute set that is common across the rest of the users, then the attribute set forms a unique identity context expression. To reduce the number of roles used in role-based access control (RBAC), at least one role is replaced with an identity context expression. Run-time access control is then enabled.


    Trusted statement verification for data privacy

    Publication number: US10984457B2

    Publication date: 2021-04-20

    Application number: US11849210

    Filing date: 2007-08-31

    IPC classification: G06Q10/00 G06Q30/06

    Abstract: Embodiments of the present invention address deficiencies of the art in respect to privacy data management and provide a novel and non-obvious method, system and computer program product for trusted statement verification for data privacy. In one embodiment of the invention, a method for trusted statement verification for data privacy can be provided. The method can include deducing a claim from an attribute for personal data for an end user, receiving a request from a personal data consumer to vouch for an assertion based upon the attribute, comparing the assertion to the claim, and providing a voucher for the assertion to the personal data consumer on behalf of the end user if the claim supports the assertion, without revealing the attribute to the personal data consumer.

    Manufacturing and distribution to avoid counterfeit products

    Publication number: US09727899B2

    Publication date: 2017-08-08

    Application number: US12791938

    Filing date: 2010-06-02

    Abstract: A method, system, and computer usable program product for improved manufacturing and distribution to avoid counterfeit products in a supply chain are provided in the illustrative embodiments. For manufacturing to avoid a counterfeit product, a product to be manufactured is selected. Production volume information is determined, the production volume information including a number of units of the product to be produced. An identifier of a manufacturer of the product, an identifier of the product, and the production volume information are sent, and several sets of identifiers are received. Each set of identifiers includes identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). One set of identifiers is uniquely associated with one unit of the product being produced. A unit of the product is manufactured such that the unit includes a corresponding set of identifiers.

    Security management for an integrated console for applications associated with multiple user registries
    6. Granted patent (in force)

    Publication number: US08745387B2

    Publication date: 2014-06-03

    Application number: US13453543

    Filing date: 2012-04-23

    IPC classification: G06F7/04 H04L29/08 H04L12/22

    Abstract: A system for security management for applications associated with multiple user registries can include an integrated console configured to host one or more applications or resource objects in corresponding realms. The system also can include one or more roles mapped to different ones of the resource objects and also to different users permitted to access the integrated console. The system yet further can include a user relationship system having associations with multiple different ones of the roles. Finally, the system can include console security management logic programmed to manage authentication for the users using the realm of the resource object, while not requiring a separate user registry for the integrated console.


    Federating policies from multiple policy providers
    7. Granted patent (lapsed)

    Publication number: US08683545B2

    Publication date: 2014-03-25

    Application number: US12192769

    Filing date: 2008-08-15

    IPC classification: G06F21/00

    CPC classification: H04L63/102 H04L63/20

    Abstract: One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can then provide the response to each policy requester.


    Classification and policy management for software components
    8. Granted patent (in force)

    Publication number: US08112370B2

    Publication date: 2012-02-07

    Application number: US12235900

    Filing date: 2008-09-23

    IPC classification: G06N5/00

    CPC classification: G06F21/604

    Abstract: A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. Metadata associated with an application or component is identified. A mapping determination is made as to whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, user intervention may be necessary, the component may be classified in a default classification, or both. Because the policy is associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.


    DECLARATIVE INSTANCE BASED ACCESS CONTROL FOR APPLICATION RESOURCES WITH PERSISTED ATTRIBUTES AND STATE
    9. Patent application (in force)

    Publication number: US20090183184A1

    Publication date: 2009-07-16

    Application number: US12013867

    Filing date: 2008-01-14

    IPC classification: G06F9/54

    CPC classification: G06F9/4435 G06F9/4493

    Abstract: Embodiments of the present invention provide a method, system and computer program product for declarative instance based access control for persistent application resources in a multi-tier application. In one embodiment of the invention, a method for instance based access control in a persistent application resource can be provided. The method can include creating one or more instances of a persistent application resource for a particular user or based on attributes of the user, coupling the instance(s) of the persistent application resource to a database implementing row-level access control, initializing access to the database according to a role or attribute for the particular user, and accessing a restricted set of data in the database through the instance(s) of the persistent application resource.


    TRUSTED STATEMENT VERIFICATION FOR DATA PRIVACY
    10. Patent application (pending, published)

    Publication number: US20090063289A1

    Publication date: 2009-03-05

    Application number: US11849210

    Filing date: 2007-08-31

    IPC classification: G06Q30/00 G06F7/04

    CPC classification: G06Q30/06 G06Q30/0601

    Abstract: Embodiments of the present invention address deficiencies of the art in respect to privacy data management and provide a novel and non-obvious method, system and computer program product for trusted statement verification for data privacy. In one embodiment of the invention, a method for trusted statement verification for data privacy can be provided. The method can include deducing a claim from an attribute for personal data for an end user, receiving a request from a personal data consumer to vouch for an assertion based upon the attribute, comparing the assertion to the claim, and providing a voucher for the assertion to the personal data consumer on behalf of the end user if the claim supports the assertion, without revealing the attribute to the personal data consumer.
