| Patent application number | Description | Published |
|---|---|---|
20090063289 | TRUSTED STATEMENT VERIFICATION FOR DATA PRIVACY - Embodiments of the present invention address deficiencies of the art in respect to privacy data management and provide a novel and non-obvious method, system and computer program product for trusted statement verification for data privacy. In one embodiment of the invention, a method for trusted statement verification for data privacy can be provided. The method can include deducing a claim from an attribute for personal data for an end user, receiving a request from a personal data consumer to vouch for an assertion based upon the attribute, comparing the assertion to the claim, and providing a voucher for the assertion to the personal data consumer on behalf of the end user if the claim supports the assertion without revealing the attribute to the personal data consumer. | 03-05-2009 |
20090064272 | DATABASE AUTHORIZATION RULES AND COMPONENT LOGIC AUTHORIZATION RULES AGGREGATION - Embodiments of the present invention provide a method, system and computer program product for aggregating database and component logic authorization rules in a multi-tier application. In an embodiment of the invention, a method for aggregating database and component logic authorization rules in a multi-tier application system can include aggregating role-based authorization rules for both a persistence layer and a logic layer of a multi-tier application in a unified policy, distributing the unified policy to both the persistence layer and the logic layer of the multi-tier application, transforming the unified policy into respectively a set of role-based permissions for the persistence layer and a set of role-based permissions for the logic layer, and applying the set of role-based permissions for the persistence layer in the persistence layer, and the set of role-based permissions for the logic layer in the logic layer of the multi-tier application. | 03-05-2009 |
20090171989 | Identity Data Model Broker - A method, system and computer program product for handling identity data from heterogeneous sources utilizes an Identity Data Model Broker (IDMB). The IDMB maps fields between heterogeneous data sources, served by disparate Identity Attribute Service (IdAS) context providers, to establish a normalized data format. Within an IdAS, an abstract data model, which is brokered by the IDMB, is created to present a normalized view of the data from the IDMB. When a request for data is received at the IdAS, the requested data is retrieved from the appropriate data sources, through the respective IdAS context providers, normalized to the abstract data model, and provided to the requester by the IdAS, such that the heterogeneous data sources are shielded from the requester. | 07-02-2009 |
20100306824 | TRUST AND IDENTITY IN SECURE CALENDAR SHARING COLLABORATION - In some embodiments, a system includes a database of trust information that internalizes security and trust relationships between a first entity and a second entity in regards to scheduling, and a central trust manager operable to determine from the database of trust information whether a trust relationship exists between a first organization and a second organization, the central trust manager also being operable to provide availability information of a user of the first organization to a second user of the second organization, the central trust manager also being operable to determine whether the second user of the second organization is granted access to requested calendar data and the central trust manager also being operable to provide the requested calendar data. | 12-02-2010 |
20110162034 | DISCOVERY AND MANAGEMENT OF CONTEXT-BASED ENTITLEMENTS ACROSS LOOSELY-COUPLED ENVIRONMENTS - A method, apparatus and computer program product are provided to model and manage context-based entitlements that govern a user's access to information, applications and systems across a loosely-coupled distributed environment. One such distributed environment is a federated environment, which may span across companies, organizations, and geographical locations and regions. According to one embodiment, an entitlement modeling framework comprises a discovery module and an entitlement generator module. The discovery framework generates a data model for storing information concerning user identity, context, relationships between users, relationships between users and contexts and relationships between contexts. Preferably, the user identity, context, relationships between users, relationships between users and contexts, and relationships between contexts, are stored as attributes in the data model. An entitlement generator generates an entitlement according to the data model, wherein the entitlement (e.g., a user entitlement) is generated according to one or more contexts. | 06-30-2011 |
20090183184 | DECLARATIVE INSTANCE BASED ACCESS CONTROL FOR APPLICATION RESOURCES WITH PERSISTED ATTRIBUTES AND STATE - Embodiments of the present invention provide a method, system and computer program product for declarative instance based access control for persistent application resources in a multi-tier application. In one embodiment of the invention, a method for instance based access control in a persistent application resource can be provided. The method can include creating one or more instances of a persistent application resource for a particular user or based on attributes of the user, coupling the instance(s) of the persistent application resource to a database implementing row-level access control, initializing access to the database according to a role or attribute for the particular user, and accessing a restricted set of data in the database through the instance(s) of the persistent application resource. | 07-16-2009 |
20100043050 | FEDERATING POLICIES FROM MULTIPLE POLICY PROVIDERS - One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine the policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can then provide the response to the policy requester that issued the request. | 02-18-2010 |
20120185694 | INFORMATION PROCESSING APPARATUS, A SERVER APPARATUS, A METHOD OF AN INFORMATION PROCESSING APPARATUS, A METHOD OF A SERVER APPARATUS, AND AN APPARATUS EXECUTABLE PROGRAM - To provide an information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable program. | 07-19-2012 |
20120210419 | SECURITY MANAGEMENT FOR AN INTEGRATED CONSOLE FOR APPLICATIONS ASSOCIATED WITH MULTIPLE USER REGISTRIES - A system for security management for applications associated with multiple user registries can include an integrated console configured to host one or more applications or resource objects in corresponding realms. The system also can include one or more roles mapped to different ones of the resource objects and also to different users permitted to access the integrated console. The system can further include a user relationship system having associations with multiple different ones of the roles. Finally, the system can include console security management logic programmed to manage authentication for the users using the realm of the resource object, without requiring a separate user registry for the integrated console. | 08-16-2012 |
20130304702 | CONTROLLING ENTERPRISE DATA ON MOBILE DEVICE VIA THE USE OF A TAG INDEX - A method, system and computer program product for controlling enterprise data on mobile devices. Data on a mobile device is tagged as being associated with either enterprise data or with personal data. Upon identifying the storage location of the tagged data and the identifier of the application that generated the tagged data, the tag, the storage location of the tagged data and the identifier of the application are stored in an index. A mobile agent residing on the mobile device may be directed by a mobile device management server of the enterprise to perform various actions (e.g., deleting, encrypting, backing-up) on the enterprise data using the index. In this manner, the enterprise has the ability to control their applications and data that resides on employees' mobile devices to ensure that such data is not lost or used in a manner that is contrary to the wishes of the employer. | 11-14-2013 |
20130305058 | CONTROLLING ENTERPRISE DATA ON MOBILE DEVICE VIA THE USE OF A TAG INDEX - A method, system and computer program product for controlling enterprise data on mobile devices. Data on a mobile device is tagged as being associated with either enterprise data or with personal data. Upon identifying the storage location of the tagged data and the identifier of the application that generated the tagged data, the tag, the storage location of the tagged data and the identifier of the application are stored in an index. A mobile agent residing on the mobile device may be directed by a mobile device management server of the enterprise to perform various actions (e.g., deleting, encrypting, backing-up) on the enterprise data using the index. In this manner, the enterprise has the ability to control their applications and data that resides on employees' mobile devices to ensure that such data is not lost or used in a manner that is contrary to the wishes of the employer. | 11-14-2013 |
20140075492 | Identity context-based access control - Identity context-based access control is implemented by generating an identity context expression from user identity data. In particular, users are clustered based on combinations of one or more attributes. These clusters comprise one or more identity context(s). Preferably, an intersection of attribute sets of each user in the cluster is formed. In addition, an intersection of attribute sets of each user not in the cluster also is formed. If the attribute set that is common across the cluster of users is not a subset of the attribute set that is common across the rest of the users, then the attribute set forms a unique identity context expression. To reduce the number of roles used in role-based access control (RBAC), at least one role is replaced with an identity context expression. Run-time access control is then enabled. | 03-13-2014 |
20110296430 | CONTEXT AWARE DATA PROTECTION - A method, system, and computer usable program product for context aware data protection. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about the resource by making an inference from a portion of the contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource and thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted. | 12-01-2011 |
20110302093 | MITIGATING DISTRIBUTION AND CONSUMPTION OF COUNTERFEIT PRODUCTS - A method, system, and computer usable program product for mitigating distribution or consumption of counterfeit products in a supply chain are provided in the illustrative embodiments. A first set of identifiers is generated to associate with a product to be manufactured. The first set of identifiers includes identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). The first set of identifiers is associated with the product and a status indicator. The status indicator is set to a first value representative of the product being an original product and the product being available for sale. The first set of identifiers is transmitted to a second application. | 12-08-2011 |
20110302094 | MANUFACTURING AND DISTRIBUTION TO AVOID COUNTERFEIT PRODUCTS - A method, system, and computer usable program product for improved manufacturing and distribution to avoid counterfeit products in a supply chain are provided in the illustrative embodiments. For manufacturing to avoid a counterfeit product, a product to be manufactured is selected. Production volume information is determined, the production volume information including a number of units of the product to be produced. An identifier of a manufacturer of the product, an identifier of the product, and the production volume information are sent, and several sets of identifiers are received. Each set of identifiers includes identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). One set of identifiers is uniquely associated with one unit of the product being produced. A unit of the product is manufactured such that the unit includes its corresponding set of identifiers. | 12-08-2011 |
20110302095 | PRE AND POST PURCHASE IDENTIFICATION OF COUNTERFEIT PRODUCTS - A method, system, and computer usable program product for pre and post purchase identification of counterfeit products in a supply chain are provided in the illustrative embodiments. A customer reference number (CRN) associated with a unit of product is identified. The unit of product has associated therewith a unique set of identifiers including the CRN, a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). The CRN is sent to a second application and a message is received from the second application in response to sending the CRN. If the message includes a second CAN that is not the same as the CAN associated with the unit, the unit is determined to be a counterfeit product. | 12-08-2011 |
20120185952 | CONTEXT AWARE DATA PROTECTION - A method for context aware data protection is provided. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about the resource by making an inference from a portion of the contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource and thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted. | 07-19-2012 |