Method for controlling access to information

Data processing: database and file management or data structures – Database design – Data structure types

Reexamination Certificate

active

06516315

ABSTRACT:

FIELD OF THE INVENTION
The invention relates to a method of controlling access to information. More specifically, the invention relates to controlling user access to computer database information, possibly accessible in a client/server environment, in which the user may have an association with one or more objects in the database.
BACKGROUND OF THE INVENTION
As information has become more widely available to a larger number of corporate network users as well as to vendors, customers and the public, the need for precisely controlling access to this information has become paramount. Previous methods of access control, however, have not adequately met these needs.
Previous methods of access control focused on granting or denying access to classes of objects, but did not restrict access to specific objects, which is a practical necessity throughout business. Some examples of restricting access to specific objects include limiting patient information to only the caregivers that are currently treating them, limiting project information to current project team members, limiting department information to the current department employees, and limiting employee information to their current supervisors.
Even when an adequate level of access control has been achieved, it can be cumbersome to implement it because daily administration of access control lists may be required. For example, U.S. Pat. No. 5,276,901 to Howell et al. discloses a system for controlling group access to objects that uses group access control folders each having a security clearance. Folders can have a public access designation or an explicit access designation and/or a controlled access designation. For a user to have access to a folder having an explicit access designation, the user's ID must be listed explicitly within the folder. For a user to have access to a folder having a controlled access designation, the user must first have an affinity to the folder and can then access the folder if the user's clearance level is equal to or greater than the clearance level of the folder.
The disadvantage with the system of the '901 patent is that for a user who has an affinity to a folder having a controlled access designation and who is not listed in the folder's explicit access list, the system compares the clearance level of the folder to the clearance level of the user and not the clearance level of the affinity or relationship itself. Thus, this system does not provide for situations in which a user may have more than one relationship with a folder or an object wherein each relationship may have a different security level classification. Otherwise, to allow for flexibility of access in this system, the explicit access designation lists may have to be updated frequently, which can be time consuming.
U.S. Pat. No. 5,204,812 to Kasiraj et al. describes a method of controlling user access of documents based upon the relationship between the documents. Documents can be placed in a set comprising a linear relationship with the set of documents as a whole having a sensitivity classification. User access is controlled by determining the classification of the user and comparing it to the sensitivity classification of the set of documents.
U.S. Pat. No. 5,204,812 to Kasiraj et al. also describes a prior art document classification method in which documents are protected based upon their classification of use such as “loan application,” while users are given classifications such as “loan officer.” A system administrator would set up allowable document labels and retention periods such that, for instance, the loan officer could view the loan application for a period of three years while the loan is active. The methods and prior method described in the '812 patent to Kasiraj et al., however, also do not provide for multiple relationships between an object and the user.
What is desired, therefore, is an access control technology in which users can access only those data objects that they have a relationship or association with, wherein each user may have one or more relationships with a data object and each different relationship can have a different security classification. It is further desired that the system can control the types of functions a user can perform on the data object and that the system does not require daily administration of access control.
SUMMARY OF THE INVENTION
Accordingly, an object of the present invention is to provide a method for access control of information on a computer system in which users can access only those data objects to which they have an appropriate security classification.
It is a further object of the present invention to provide a method of the above type in which the system can precisely control the parts of the data object that the user can access.
In another embodiment of the present invention, it is an object to provide a method of the above type in which the system can precisely control the types of functions that can be performed on the data object once a user has access to the object.
It is still another object of the present invention to provide a method of the above type in which daily administration of the access control is unnecessary.
These objects of the invention are achieved by a method for controlling access to information, which includes a plurality of data objects, on a computer system being accessible to a plurality of users, wherein the method generally comprises providing an access right for each relationship between a user and a data object, wherein each user can have a plurality of relationships to each data object, determining each relationship between the user and the data object when a user requests information about a data object, determining the security classification for each relationship between the user and the data object, and then granting the user access to the data object if one of the security classifications for all the relationships is equal to or greater than the security classification of the data object, and denying the user access to the data object if the security classifications for all the relationships are less than the security classification of the data object.
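The decision rule summarized above, sketched as an added example (not code from the patent): the comparison is made per relationship rather than per user, which is the difference from the '901 approach described in the background. The classification scale, the relationship names, the sample records and the fail-closed handling of unknown objects are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed ordered classification scale; the page does not define one.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Relationship:
    user: str
    obj: str
    kind: str            # the role that links the user to the object
    classification: str  # clearance carried by this relationship, not by the user

# Constructed sample data.
OBJECT_CLASSIFICATION = {"patient:1001": "confidential", "patient:1002": "confidential"}
RELATIONSHIPS = [
    Relationship("dr_lee", "patient:1001", "treating_physician", "restricted"),
    Relationship("dr_lee", "patient:1001", "billing_contact", "internal"),
    Relationship("clerk_kim", "patient:1001", "billing_contact", "internal"),
]

def check_access(user, obj, relationships=RELATIONSHIPS):
    """Return (granted, qualifying relationship kinds) for one request."""
    object_level = OBJECT_CLASSIFICATION.get(obj)
    if object_level is None:
        return False, []  # unknown object: fail closed (assumption)
    required = LEVELS[object_level]
    # Step 1: every relationship between this user and this object.
    links = [r for r in relationships if r.user == user and r.obj == obj]
    # Steps 2-3: grant if any one relationship meets the object's level;
    # no relationship at all, or all of them below the level, means deny.
    qualifying = [r.kind for r in links if LEVELS[r.classification] >= required]
    return bool(qualifying), qualifying

if __name__ == "__main__":
    for user, obj in [("dr_lee", "patient:1001"), ("clerk_kim", "patient:1001"),
                      ("dr_lee", "patient:1002")]:
        print(user, obj, check_access(user, obj))
```

Passing a relationship list from which the treating-physician record has been removed denies the same user, so access follows the relationship data without any access control list being edited.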


REFERENCES:
patent: 4621321 (1986-11-01), Boebert et al.
patent: 5204812 (1993-04-01), Kasiraj et al.
patent: 5276901 (1994-01-01), Howell et al.
patent: 5446903 (1995-08-01), Abraham et al.
patent: 5499371 (1996-03-01), Henninger et al.
patent: 5572673 (1996-11-01), Shurts
patent: 5826268 (1998-10-01), Schaefer et al.
patent: 5911143 (1999-06-01), Dienhart et al.
patent: 6038563 (2000-03-01), Bapat et al.
patent: 6105027 (2000-08-01), Schneider et al.
patent: 6141754 (2000-10-01), Choy
patent: 6292798 (2001-09-01), Dockter et al.
Ravi S. Sandhu et al.: “Access Control: Principles and Practice”, IEEE Communications Magazine, U.S. IEEE Service Center, Piscataway, N.J., vol. 32, No. 9, Sep. 1, 1994, pp. 40-48.
Jonathan Moffet et al.: “Specifying Discretionary Access Control Policy for Distributed Systems”, Computer Communications, NL, Elsevier Science Publishers BV, Amsterdam, vol. 13, No. 9, Nov. 1, 1990, pp. 571-580.
Brian Moore: “Making a Secure Office System”, ICL Technical Journal, GB, Peter Peregrinus Ltd., Hitchin, vol. 7, No. 4, Nov. 1, 1991, pp. 801-815.
