150 results about "Role base access control" patented technology

Apparatus and methods are described for accessing redacted material based on user roles. An author designates portions of content as to-be-redacted. The author establishes various users roles able to access it and defines attributes or time constraints affecting the viewing/using. Upon electronically saving the content, the to-be-redacted portion is encrypted. An intermediary, such as a keytable service, mediates access between later users and the content. Upon identification of a role of a user attempting to interact with the content, and matching the role to one of the author-established roles, the encrypted redacted portion is decrypted. In this manner, users gain access to content based only on their role. The surrounding events are also loggable, traceable, and verifiable. A monitored connection between the user and the content, as well as various user interface options, are other noteworthy features. Computer program products and computing network interaction are also defined.

Role-based hierarchical access control system and method. A computer system having a data storage capacity and a central processing unit and at least one resource has an access control data structure defining role-based access control lists for the resource, wherein the access control list defines based on the role of a user the types of access that the user may have to the at least one resource. A hierarchy of roles having at least a first role and a second role wherein the second role inherits the permissions granted to the first role for the at least one resource. Access to the resource is determined by comparing roles defined to have access privileges to the resource and the permissions granted to such roles to the role of an entity seeking access to the resource.

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

Systems and methods are disclosed for receiving an access request from a user device, the access request including an identity claim for a user; evaluating a risk of access based on matching an attribute of the user device with attributes stored in a user information database; authenticating the access request based on the identity claim and the risk evaluation to determine an authentication confidence level; generating a token based on the confidence level and the attribute matched; producing an authorization response based on inputs from the token, a risk based access control, a role based access control, and an attribute based access control, in which the authorization response determines whether to allow access to a system, deny access to the system, or request additional input from the user device.

The invention relates to a role-based access control system, including a role definition system for defining roles to be sets of permissions on individual resources thus forming role instances, respectively; and a super role definition system for defining at least one super role by grouping a set of role instances into one super role, wherein the one super role contains all permissions contained in the grouped resource instances. Furthermore, the present invention deals with an appropriate method, a computer program and a computer program product.

The present disclosure discloses a system and method for dynamically modifying role based access control for a client based on the activity. Generally, a client device is granted access to a network resource based on a first reputation score assigned to the client device. The activity of the client device is monitored. Responsive to monitoring the activity of the client device, a second reputation score is determined for the client device based on the activity. The access by the client device to the network resource is then modified to be granted based on the second reputation score.

The invention discloses a cloud security access control model. The model is characterized in that: aiming at the multi-tenant architecture characteristic of cloud computing, by combining a role-based access control (RBAC) model, a tenant concept and a cloud service provider concept are introduced to an access control model, and a uniform tenant access control model and a user access control model are formed by defining model elements and formally describing model functions. The cloud security access control model can adapt to the characteristic of multi-tenant of the cloud computing, improves the flexibility of user authority management in a cloud computing environment, can reduce the complexity of authorization management and management overhead, and can effectively ensure the security and integrity of user data in the cloud computing environment.

Access to a privileged account is managed by first requiring authentication of a user logging into the account and then performing a policy evaluation to determine whether the identified user is allowed to log in using the privileged identity. Preferably, the authentication is a two factor authentication. The policy evaluation preferably enforces a policy, such as a role-based access control, and a context-based access control, a combination of such access controls, or the like. Thus, according to this approach, the entity is provided access to the privileged account if the user's identity is verified and a policy is met. In the alternative, the entity is denied access to the privileged account if either the authentication fails, or (assuming authentication does not fail) policy criteria for the user is not met.

An Organizational Role-based Access Controlled Management System capable of controlling role-based access within an organization allows system analysts or managers to build and control access roles for the various application systems within an organization. This system can also allow an end-user to choose the functions of the application systems and logon rights associated with the role. The system includes one or more personal computers and a server based on an event-driven mechanism. System analysts and end-users access synchronized data to manage the end-users' access roles. This system allows a system analyst to build and limit “set and set” relationships, as well as “member and set” relationships to pass information and manage organizational networks, roles, functions, privileges, etc. Different roles under various application systems can have different access rights and functions assigned. This system breaks away from the limitation of the conventional RBAC (Role Based Access Control) and allows system analysts to manage and adapt access roles according to the practical needs of different users and their complicated relationships to the organization and one another.

An apparatus to implement role based access control which reduces administrative expenses associated with managing access in accordance with policies and roles. The apparatus includes a memory storing a first role based access control condition associated with an action and a subsystem executing an enforcement entity and a decision entity. In one preferred form, the two entities are independent entities. The enforcement entity receives a request for the action from a requestor with a role. Additionally, the enforcement entity communicates the role and the request to the decision entity for the decision entity's decision of whether the role satisfies the first condition. The decision entity then communicates the decision to the enforcement entity. Accordingly, the enforcement entity allows or denies the requestor the action based on the decision made by the decision entity.

A role based access control system is described that assigns roles, which otherwise are mutually exclusive, to users based on detecting designated conditions when the user initiates actions or operations on the network. The assignment of the role to a particular user may be conditional upon one or more such designated conditions occurring. In particular, two roles that are mutually exclusive of one another may be occupied by one user for purpose of performing specified operations upon designated conditions being detected when the user initiates one or more of the specified operations. Business rules specify conditions for assigning the conditional roles.

Under the present invention, role types are defined by association with certain permissible actions. Once defined in this manner, a role type can then be bound to “nodes” of a hierarchical tree that represent computer-based resources such as dynamic object spaces. Once bound to a node, instances of this role type are created that will be inherited by hierarchical descendants of that node unless a role type block (e.g., inheritance or propagation) has been established for the corresponding role type. The present invention also allows the computer-based resources to be defined as virtual or private. Virtual resources represent general protected concepts in the system instead of computer-based resources and are subject to be bound with roles, while private resources are not. That is, the private resources remain the “property” of the creating user or group.

An enterprise content management system such as an electronic contract system manages a large number of secure documents for many organizations. The search of these private documents for different organizational users with role-based access control is a challenging task. A content-based extensible mark-up language (XML)-annotated secure-index search mechanism is provided that provides an effective search and retrieval of private documents with document-level security. The search mechanism includes a document analysis framework for text analysis and annotation, a search indexer to build and incorporate document access control information directly into a search index, an XML-based search engine, and a compound query generation technique to join user role and organization information into search query. By incorporating document access information directly into the search index and combining user information in the search query, search and retrieval of private contract documents can be achieved very effectively and securely with high performance.

The present invention can enable increasing refinement of role-based permission to access data within a Role Based Access Control (RBAC) controlled computer system by enabling constraints to be written on the role-based permissions. The constraints may utilize each and every type or combination of subject, object, or environment information extracted from sources internal or external to the controlled computer system and may evaluate the content or context of the information extracted to enable refined and dynamic access after the role permission assignment and immediately before every access grant without the reassignment of roles.

A system and method for controlling access to a document processing device based on roles assigned to user groups. Each group of users has certain functions for which they are authorized to use the document processing device. The device compares a username and password with correlating information stored in an authentication server. The server transmits a list of functions for which the user is authorized to employ the device. The device then compares the requested function with the authorized functions to determine if the user is allowed to utilize the document processing device for the requested function. The document processing device then performs the authorized requested function.

A method of defining policies for controlling access to resources of a system. Authorization requirements for the system are modeled to obtain a model expressing each of a plurality of access control policies as a constraint. From the model is generated a single policy set in an authorization markup language that captures the requirements. This method can be used to define role-based access control policies in a format that can be adapted for input to a variety of access control mechanisms. This generative approach to access control design allows maintenance to be performed at the requirements level.

Identity context-based access control is implemented by generating an identity context expression from user identity data. In particular, users are clustered based on combinations of one or more attributes. These clusters comprise one or more identity context(s). Preferably, an intersection of attribute sets of each user in the cluster is formed. In addition, an intersection of attribute sets of each user not in the cluster also is formed. If the attribute set that is common across the cluster of users is not a subset of the attribute set that is common across the rest of the users, then the attribute set forms a unique identity context expression. To reduce the number of roles used in role-based access control (RBAC), at least one role is replaced with an identity context expression. Run-time access control is then enabled.

Methods and devices are provided for role-based access control of network devices. The network devices may constitute the fabric of a storage area network (“SAN”) that has been logically partitioned into virtual storage area networks (“VSANs”) that are allocated to various administrators. Roles assigned according to preferred aspects of the invention do not need to be hierarchical, but are customized according to administrators' needs.