Patents by Inventor David G. Kuehr-McLaren

David G. Kuehr-McLaren has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10432637
    Abstract: A method, program product and apparatus for controlling access to profile information, multi-media resources or social network functions of a first user by a second user not listed on a friend or group listing of the first user. An application retrieves a threshold criteria for access control and social network statistics in response to an attempted access by an entity without an appropriate privilege. The application compares the statistics to the threshold. Then, if the statistics meet the threshold criteria, the application allows access.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: October 1, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David G. Kuehr-McLaren, Ranjan Kumar, Kwabena A. Mireku, Govindaraj Sampathkumar
  • Patent number: 9124602
    Abstract: The Custom Access Controller adds a custom security hierarchy to the organizational data in the View Processor of WEBSPHERE Virtual Member Manager. Whenever an entity or application attempts to access a resource, the access control engine starts the View Processor to identify the organizational data and assigned security policy for the resource. The assigned security policy is applied to a delegated administration path which is part of the delegated administration hierarchy but includes the appropriate path and security policy for the resource. The delegated administration path is sent to an access control engine that grants or denies access to the resource. A View Processor Interface allows network administrators to create and modify custom security hierarchies.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: September 1, 2015
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Kwabena Mireku, Govindaraj Sampathkumar, Janette S. Wong
  • Patent number: 8918425
    Abstract: Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.
    Type: Grant
    Filed: October 21, 2011
    Date of Patent: December 23, 2014
    Assignee: International Business Machines Corporation
    Inventors: Luis B. Casco-Arias Sanchez, Todd D. Jordan, David G. Kuehr-McLaren, Oriana J. Love, David W. Palmieri, Chrystian L. Plachco, Magesh Rajamani, Jeffrey T. Robke
  • Patent number: 8918426
    Abstract: Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 23, 2014
    Assignee: International Business Machines Corporation
    Inventors: Luis B. Casco-Arias Sanchez, Todd D. Jordan, David G. Kuehr-McLaren, Oriana J. Love, David W. Palmieri, Chrystian L. Plachco, Magesh Rajamani, Jeffrey T. Robke
  • Publication number: 20140325612
    Abstract: A method, program product and apparatus for controlling access to profile information, multi-media resources or social network functions of a first user by a second user not listed on a friend or group listing of the first user. An application retrieves a threshold criteria for access control and social network statistics in response to an attempted access by an entity without an appropriate privilege. The application compares the statistics to the threshold. Then, if the statistics meet the threshold criteria, the application allows access.
    Type: Application
    Filed: July 10, 2014
    Publication date: October 30, 2014
    Inventors: David G. Kuehr-McLaren, Ranjan Kumar, Kwabena A. Mireku, Govindaraj Sampathkumar
  • Patent number: 8752162
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
    Type: Grant
    Filed: June 11, 2011
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
  • Patent number: 8577806
    Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace their P3P policy and/or other relevant characteristics related to their privacy policy needs (those that they adhere to, referred to as “privacy policies”; those that they require, referred to as “privacy preferences”, or both). Submitted with the privacy policy is a digital signature that is tied to the owner of the web objects to which the privacy policy pertains. Using a digital signature assures the integrity of the privacy policy since it travels with the privacy policy and thus refers back to the original sender of the policy rather than the middleman (the E-marketplace), and if the document (the privacy policy) to which it is attached has been tampered with, the digital signature will be invalidated.
    Type: Grant
    Filed: November 12, 2003
    Date of Patent: November 5, 2013
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Martin Presler-Marshall, Calvin S. Powers, Timothy Shoriak, John H. Walczyk, III
  • Patent number: 8533168
    Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
    Type: Grant
    Filed: July 20, 2007
    Date of Patent: September 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent C. Williams, Sharon L. Cutcher, Sumit Taank, Brian A. Stube, Hari Shankar
  • Publication number: 20130104046
    Abstract: Mechanisms are provided for performing a role engineering project for applying security roles to access operations targeting resources. A plurality of data objects representing one or more user identities, permissions, and resources of an organization computing system are received. One or more filter criteria for filtering the plurality of data objects to generate a subset of data objects for consideration during the role engineering project are received. The one or more filter criteria specify a scope of the role engineering project. The one or more filter criteria are applied to generate the subset of data objects. Role engineering project operations are performed on the subset of data objects to generate one or more security roles. The one or more security roles are deployed to the organization computing system to control access operations targeting resources of the organization computing system.
    Type: Application
    Filed: October 21, 2011
    Publication date: April 25, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Luis B. Casco-Arias Sanchez, Todd D. Jordan, David G. Kuehr-McLaren, Oriana J. Love, David W. Palmieri, Chrystian L. Plachco, Magesh Rajamani, Jeffrey T. Robke
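The role engineering flow in the abstract above (the same abstract appears under patents 8918425 and 8918426 and this publication), as an added example written for this page; it is not code from the patents or from IBM. It loads constructed sample identities, applies a scope (department plus resource prefix) as the filter criteria, mines candidate roles by grouping the in-scope identities that hold identical permission sets, and reports the identities no mined role explains. The Scope fields, the grouping rule and the two-member minimum are assumptions chosen for illustration; the point it shows is that scoping happens before mining, so out-of-scope entitlements never leak into the generated roles.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Identity is one identity-store record; Perms are "resource:action" entitlements.
type Identity struct {
	ID    string
	Dept  string
	Perms []string
}

// Scope is the filter criteria bounding the project: a department and a
// resource prefix ("" means no restriction on that axis). Assumed shape.
type Scope struct {
	Dept           string
	ResourcePrefix string
}

// Role is a mined candidate role: one permission set and who holds it.
type Role struct {
	Perms   []string
	Members []string
}

// applyScope returns the in-scope subset: identities passing the department
// filter, each reduced to its in-scope permissions; identities with none left
// are dropped so they cannot distort mining.
func applyScope(ids []Identity, s Scope) []Identity {
	var out []Identity
	for _, id := range ids {
		if s.Dept != "" && id.Dept != s.Dept {
			continue
		}
		var perms []string
		for _, p := range id.Perms {
			if s.ResourcePrefix == "" || strings.HasPrefix(p, s.ResourcePrefix) {
				perms = append(perms, p)
			}
		}
		if len(perms) == 0 {
			continue
		}
		sort.Strings(perms) // canonical order so equal sets get equal keys
		out = append(out, Identity{ID: id.ID, Dept: id.Dept, Perms: perms})
	}
	return out
}

// mineRoles groups the subset by identical permission set. A set held by at
// least minMembers identities becomes a candidate role; members of rarer sets
// are returned as unexplained for manual review rather than becoming
// one-person roles.
func mineRoles(subset []Identity, minMembers int) (roles []Role, unexplained []string) {
	byKey := map[string]*Role{}
	for _, id := range subset {
		key := strings.Join(id.Perms, "|")
		if byKey[key] == nil {
			byKey[key] = &Role{Perms: id.Perms}
		}
		byKey[key].Members = append(byKey[key].Members, id.ID)
	}
	for _, r := range byKey {
		if len(r.Members) < minMembers {
			unexplained = append(unexplained, r.Members...)
			continue
		}
		sort.Strings(r.Members)
		roles = append(roles, *r)
	}
	sort.Strings(unexplained)
	// Largest roles first; ties ordered by permission key so output is deterministic.
	sort.Slice(roles, func(i, j int) bool {
		if len(roles[i].Members) != len(roles[j].Members) {
			return len(roles[i].Members) > len(roles[j].Members)
		}
		return strings.Join(roles[i].Perms, "|") < strings.Join(roles[j].Perms, "|")
	})
	return roles, unexplained
}

// sampleIdentities is constructed sample data, not an export from any system.
func sampleIdentities() []Identity {
	return []Identity{
		{"alice", "Finance", []string{"gl:read", "gl:post", "hr:read"}},
		{"bob", "Finance", []string{"gl:post", "gl:read"}},
		{"carol", "Finance", []string{"gl:read"}},
		{"dave", "Engineering", []string{"gl:read", "gl:post", "src:write"}},
		{"erin", "Finance", []string{"hr:read"}},
	}
}

func main() {
	subset := applyScope(sampleIdentities(), Scope{Dept: "Finance", ResourcePrefix: "gl:"})
	roles, unexplained := mineRoles(subset, 2)
	for i, r := range roles {
		fmt.Printf("role-%d perms=%v members=%v\n", i+1, r.Perms, r.Members)
	}
	fmt.Println("unexplained (review before deployment):", unexplained)
}
```

With the Finance/"gl:" scope, dave is excluded by department and erin has no in-scope permission, so only alice, bob and carol are mined; alice and bob share {gl:post, gl:read} and form the one candidate role, while carol's singleton set is reported for review instead of being deployed as a role of one.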
  • Patent number: 8260673
    Abstract: Parties involved in a transaction in an E-marketplace identify characteristics of a transaction that they are willing to accept and/or that they can provide. To do this, an attribute certificate is created for each party that contains the attributes of a buyer, seller, or third-party participant who will be transacting business in the particular E-marketplace. The attributes pertain to specifics of the transaction. The party submitting the attribute also identifies alternative conditions which, if they exist, would be acceptable for conducting the transaction. Once these criteria, in the form of the attribute certificates, are received by the E-marketplace, the E-marketplace verifies the attributes. A server in the E-marketplace is configured to determine various combinations of participants that can match the deal criteria. In this manner, the E-marketplace “choreographs” the transaction to meet the needs of all.
    Type: Grant
    Filed: May 9, 2003
    Date of Patent: September 4, 2012
    Assignee: International Business Machines Corporation
    Inventors: Gordon K. Arnold, David G. Kuehr-McLaren
  • Publication number: 20110239290
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
    Type: Application
    Filed: June 11, 2011
    Publication date: September 29, 2011
    Applicant: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
  • Patent number: 7992200
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
    Type: Grant
    Filed: July 16, 2007
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
  • Publication number: 20090129591
    Abstract: A technique for securing selected document content includes receiving, at a printer, an unsecured electronic document. Selected content of the electronic document is then encrypted, with an encryption key, at the printer. A paper document whose content includes the encrypted selected content of the electronic document is then printed. The encrypted selected content of the paper document is unintelligible prior to decryption with a decryption key.
    Type: Application
    Filed: November 21, 2007
    Publication date: May 21, 2009
    Inventors: Gregory A. Hayes, David G. Kuehr-McLaren, Ranjan Kumar, Kwabena Mireku, Govindaraj Sampathkumar
  • Publication number: 20090025078
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.
    Type: Application
    Filed: July 16, 2007
    Publication date: January 22, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David G. Kuehr-McLaren, Linwood H. Overby, Jr.
  • Publication number: 20080168530
    Abstract: The Custom Access Controller adds a custom security hierarchy to the organizational data in the View Processor of WEBSPHERE Virtual Member Manager. Whenever an entity or application attempts to access a resource, the access control engine starts the View Processor to identify the organizational data and assigned security policy for the resource. The assigned security policy is applied to a delegated administration path which is part of the delegated administration hierarchy but includes the appropriate path and security policy for the resource. The delegated administration path is sent to an access control engine that grants or denies access to the resource. A View Processor Interface allows network administrators to create and modify custom security hierarchies.
    Type: Application
    Filed: January 5, 2007
    Publication date: July 10, 2008
    Inventors: David G. Kuehr-McLaren, Kwabena Mireku, Govindaraj Sampathkumar, Janette S. Wong
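One way to implement the delegated-administration lookup the abstract describes (this publication and patent 9124602), as an added example written for this page; it is not WebSphere Virtual Member Manager code and not taken from the patent. The "/"-separated node paths, the nearest-policy-wins rule, and the Policy, Delegation and Hierarchy types are assumptions for illustration. The access decision walks from the resource's node toward the root to find the assigned policy, checks that the requesting principal holds a delegation whose subtree actually covers the node, and returns the path it walked so the decision can be audited. It fails closed: no policy on the path, or no covering delegation, means deny.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is the security policy assigned at one hierarchy node: which
// administrative role may perform which operations at or below that node.
type Policy struct {
	Grants map[string][]string // role -> allowed operations
}

// Delegation gives a principal an administrative role over one subtree.
type Delegation struct {
	Principal string
	Subtree   string // node path; covers that node and everything below it
	Role      string
}

// Hierarchy is the custom security hierarchy. Node paths use "/" as the
// separator, e.g. "o=corp/ou=finance/ou=payroll"; a policy may sit at any node.
type Hierarchy struct {
	Policies    map[string]Policy
	Delegations []Delegation
}

// covers reports whether subtree is node itself or one of its ancestors;
// the trailing "/" stops "ou=fin" from matching "ou=finance".
func covers(subtree, node string) bool {
	return node == subtree || strings.HasPrefix(node, subtree+"/")
}

// resolvePath walks from the resource's node toward the root. It returns the
// delegated administration path (nodes visited, nearest first) and the first
// policy found on it (nearest policy wins); ok is false if none is found.
func (h Hierarchy) resolvePath(node string) (path []string, p Policy, ok bool) {
	for cur := node; cur != ""; {
		path = append(path, cur)
		if pol, found := h.Policies[cur]; found {
			return path, pol, true
		}
		if i := strings.LastIndex(cur, "/"); i >= 0 {
			cur = cur[:i]
		} else {
			cur = ""
		}
	}
	return path, Policy{}, false
}

// Decide answers "may principal perform op on the resource at node?". It
// fails closed: no policy on the path, or no delegation covering the node,
// means deny. The returned path is what the audit record should carry.
func (h Hierarchy) Decide(principal, op, node string) (bool, []string) {
	path, pol, ok := h.resolvePath(node)
	if !ok {
		return false, path
	}
	for _, d := range h.Delegations {
		if d.Principal != principal || !covers(d.Subtree, node) {
			continue
		}
		for _, allowed := range pol.Grants[d.Role] {
			if allowed == op {
				return true, path
			}
		}
	}
	return false, path
}

// sampleHierarchy is constructed sample data.
func sampleHierarchy() Hierarchy {
	return Hierarchy{
		Policies: map[string]Policy{
			"o=corp":            {Grants: map[string][]string{"global-admin": {"read", "modify", "delete"}}},
			"o=corp/ou=finance": {Grants: map[string][]string{"finance-admin": {"read", "modify"}}},
		},
		Delegations: []Delegation{
			{"bob", "o=corp/ou=finance", "finance-admin"},
			{"carol", "o=corp/ou=finance/ou=payroll", "finance-admin"},
		},
	}
}

func main() {
	h := sampleHierarchy()
	for _, req := range [][3]string{
		{"bob", "modify", "o=corp/ou=finance/ou=payroll"},
		{"carol", "modify", "o=corp/ou=finance/ou=treasury"},
		{"bob", "delete", "o=corp/ou=finance/ou=payroll"},
		{"bob", "modify", "o=corp/ou=hr/ou=benefits"},
	} {
		ok, path := h.Decide(req[0], req[1], req[2])
		fmt.Printf("%s %s %s -> %v (path %v)\n", req[0], req[1], req[2], ok, path)
	}
}
```

Two checks matter here. Delegation scope is tested against the resource node, not against the node where the policy was found, so carol (delegated only over ou=payroll) is denied on ou=treasury even though both resolve to the same ou=finance policy. And because the nearest assigned policy wins, bob cannot "delete" under ou=finance even though the root policy grants delete to a different role; the "delete" grant at the root does not leak downward past a more specific policy.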
  • Publication number: 20080027939
    Abstract: In general, the present invention provides a method, system, and program product for managing personal attributes across enterprise domains. Specifically, under the present invention, personal attributes for an end-user will be located among the enterprise domains. Once located, the personal attributes will be grouped into a set of profiles based on associated services (e.g., medical, insurance, etc.). The end-user can log into the system to see his/her personal attributes and to provide input regarding how access to the personal attributes should be controlled. Specifically, based on the end-user's input (and possibly other factors such as applicable legislation) an access control policy will be generated and used to control access to the personal attributes. In addition, any transactions involving the personal attributes will be recorded so that auditing can take place.
    Type: Application
    Filed: July 31, 2006
    Publication date: January 31, 2008
    Inventors: Nanchariah R. Chalasani, Jiayue Chen, Jacob D. Eisinger, Josephine R. Gordon, David G. Kuehr-McLaren, Nataraj Nagaratnam, Luke T. Rajlich
  • Patent number: 7284000
    Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: October 16, 2007
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Pratik Gupta, Govindaraj Sampathkumar, Vincent C. Williams, Sharon L. Cutcher, Sumit Taank, Brian A. Stube, Hari Shankar
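The two policies the abstract describes (patents 7284000 and 8533168 share it), as an added example written for this page rather than taken from the patents. The automatic policy collects the entitlements held by at least a chosen number of the role's members; the conditional policy finds the member whose non-entitlement attributes most closely match the new identity and recommends that member's non-common entitlements, flagged as requiring approval. Scoring "most closely match" as the count of equal attribute values, the Member and Recommendation types, and the sample role are assumptions for illustration; the abstract only says the closest match is found.

```go
package main

import (
	"fmt"
	"sort"
)

// Member is an identity already in the role: its entitlements plus the
// non-entitlement attributes (location, title, ...) used for matching.
type Member struct {
	ID    string
	Attrs map[string]string
	Ents  []string
}

// Recommendation is the conditional policy's output: entitlements proposed
// for the new identity, the member they were copied from, and a flag that
// provisioning must wait for approval.
type Recommendation struct {
	MatchedMember    string
	Entitlements     []string
	RequiresApproval bool
}

// automaticPolicy returns the entitlements held by at least minOwners members;
// minOwners == len(members) gives the set common to the whole role.
func automaticPolicy(members []Member, minOwners int) []string {
	count := map[string]int{}
	for _, m := range members {
		seen := map[string]bool{}
		for _, e := range m.Ents {
			if !seen[e] {
				seen[e] = true
				count[e]++
			}
		}
	}
	var out []string
	for e, n := range count {
		if n >= minOwners {
			out = append(out, e)
		}
	}
	sort.Strings(out)
	return out
}

// conditionalPolicy picks the member whose attributes best match the new
// identity (most equal values; the earliest member wins ties) and recommends
// that member's entitlements outside the automatic set, pending approval.
func conditionalPolicy(members []Member, common []string, newAttrs map[string]string) Recommendation {
	isCommon := map[string]bool{}
	for _, e := range common {
		isCommon[e] = true
	}
	best, bestScore := -1, -1
	for i, m := range members {
		score := 0
		for k, v := range newAttrs {
			if m.Attrs[k] == v {
				score++
			}
		}
		if score > bestScore {
			best, bestScore = i, score
		}
	}
	rec := Recommendation{RequiresApproval: true}
	if best < 0 {
		return rec // empty role: nothing to copy from
	}
	rec.MatchedMember = members[best].ID
	for _, e := range members[best].Ents {
		if !isCommon[e] {
			rec.Entitlements = append(rec.Entitlements, e)
		}
	}
	sort.Strings(rec.Entitlements)
	return rec
}

// sampleRole is constructed sample data: three members of a developer role.
func sampleRole() []Member {
	return []Member{
		{"u1", map[string]string{"location": "NYC", "title": "senior"}, []string{"repo:read", "repo:write", "ci:run", "prod:deploy"}},
		{"u2", map[string]string{"location": "NYC", "title": "junior"}, []string{"repo:read", "repo:write", "ci:run"}},
		{"u3", map[string]string{"location": "SFO", "title": "senior"}, []string{"repo:read", "repo:write", "ci:run", "prod:deploy", "db:admin"}},
	}
}

func main() {
	members := sampleRole()
	common := automaticPolicy(members, len(members))
	fmt.Println("automatic policy:", common)
	rec := conditionalPolicy(members, common, map[string]string{"location": "SFO", "title": "senior"})
	fmt.Printf("conditional policy: copy %v from %s, approval required: %v\n", rec.Entitlements, rec.MatchedMember, rec.RequiresApproval)
}
```

Lowering minOwners below the role size widens the automatic grant (with two of three owners, prod:deploy becomes automatic), which is exactly the knob a reviewer should treat with suspicion: the conditional path exists so that such entitlements stay behind an approval rather than being provisioned by similarity alone.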
  • Patent number: 7206758
    Abstract: Parties involved in transacting business in an E-marketplace (E-marketplace participants) each identify and submit to the E-marketplace relevant characteristics related to their privacy policy needs. When it is determined that two or more participants are collaborating in a transaction (e.g., a supplier and a shipper; two suppliers; three buyers), the privacy policies of the collaborative group are aggregated to produce a single policy that represents the primary policies of the collaborative transaction being presented by the collaborative group.
    Type: Grant
    Filed: November 12, 2003
    Date of Patent: April 17, 2007
    Assignee: International Business Machines Corporation
    Inventors: David G. Kuehr-McLaren, Martin Presler-Marshall, Calvin S. Powers, Timothy Shoriak, John H. Walczyk, III
  • Patent number: 7065509
    Abstract: Parties involved in a particular transaction in an E-marketplace each identify and submit to the E-marketplace relevant characteristics related to that transaction. The identification of the party is not revealed with this submission. To achieve this, an attribute certificate is created which contains attributes related to a buyer or seller's potential participation in a transaction. The attributes that are selected pertain to specifics of the transaction and not to the certificate holder. Each of the attributes is verified by a trusted authority (e.g., the E-marketplace acting as an intermediary for the transaction) so that when the attribute certificate is supplied to a party, the party is assured that the information it contains is accurate. In this manner, parties to a negotiation in a particular transaction are able to know immediately and with a high level of assurance that certain critical elements to the proposed transaction are met (or are capable of being met).
    Type: Grant
    Filed: May 9, 2003
    Date of Patent: June 20, 2006
    Assignee: International Business Machines Corporation
    Inventors: Gordon K. Arnold, David G. Kuehr-McLaren
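The signature check in patent 8577806 (a privacy policy signed by its owner, so the E-marketplace relaying it cannot alter it without invalidating the signature) and the attribute certificate in patents 7065509 and 8260673 (transaction attributes, with no identity, vouched for by the E-marketplace as trusted authority) need the same sign-and-verify routine, so one added example serves both. It is written for this page and is not code from the patents; Ed25519 in place of whatever signature scheme the patents contemplated, the canonical field encoding, the document kind tag, and the sample field names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Doc is a privacy policy (Kind "privacy-policy") or an attribute
// certificate (Kind "attribute-cert"): fields plus the signature of the
// party that vouches for them.
type Doc struct {
	Kind   string
	Fields map[string]string
	Sig    []byte
}

// newKeyPair generates a fresh Ed25519 key pair for one party.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical serialises a document deterministically: the kind first, then
// the fields in sorted order, every name and value quoted so an embedded
// newline cannot smuggle in an extra field. The kind is covered by the
// signature, so a signed policy cannot be replayed as a certificate.
func canonical(kind string, fields map[string]string) []byte {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "kind=%q\n", kind)
	for _, k := range keys {
		fmt.Fprintf(&b, "%q=%q\n", k, fields[k])
	}
	return []byte(b.String())
}

// Sign attaches the signer's signature: the policy owner for a privacy
// policy, the trusted authority (the E-marketplace) for an attribute cert.
func Sign(priv ed25519.PrivateKey, d Doc) Doc {
	d.Sig = ed25519.Sign(priv, canonical(d.Kind, d.Fields))
	return d
}

// Verify checks the document against the key the recipient trusts for this
// kind of document; any change to a field, the kind or the signer breaks it.
func Verify(pub ed25519.PublicKey, d Doc) bool {
	return ed25519.Verify(pub, canonical(d.Kind, d.Fields), d.Sig)
}

// copyWith returns a copy of m with k set to v (simulates an edit in transit).
func copyWith(m map[string]string, k, v string) map[string]string {
	out := make(map[string]string, len(m)+1)
	for kk, vv := range m {
		out[kk] = vv
	}
	out[k] = v
	return out
}

func main() {
	ownerPub, ownerPriv := newKeyPair()   // the seller whose web objects the policy covers
	marketPub, marketPriv := newKeyPair() // the E-marketplace: relay, and trusted authority for certs

	// The seller signs its privacy policy; the buyer verifies with the seller's key.
	policy := Sign(ownerPriv, Doc{Kind: "privacy-policy", Fields: map[string]string{
		"owner": "seller-42", "retention": "30d", "purpose": "order-fulfilment", "share": "none",
	}})
	fmt.Println("policy verifies under seller key:", Verify(ownerPub, policy))

	// If the marketplace edits a field in transit the signature fails, and re-signing
	// with its own key does not help because the buyer checks the seller's key.
	tampered := policy
	tampered.Fields = copyWith(policy.Fields, "share", "affiliates")
	fmt.Println("tampered policy verifies:", Verify(ownerPub, tampered))
	fmt.Println("re-signed by marketplace verifies under seller key:", Verify(ownerPub, Sign(marketPriv, tampered)))

	// An attribute certificate lists transaction attributes only (no identity) and is
	// signed by the marketplace as the trusted authority that verified them.
	cert := Sign(marketPriv, Doc{Kind: "attribute-cert", Fields: map[string]string{
		"lead-time": "5d", "min-volume": "1000", "currency": "USD",
	}})
	fmt.Println("attribute certificate verifies under marketplace key:", Verify(marketPub, cert))
}
```

The property the abstracts rely on comes from which public key the verifier pins, not from the signature alone: a buyer that accepted any valid signature on a relayed policy would accept one the marketplace re-signed after editing. Binding the document kind into the signed bytes is the other check worth keeping; without it, a certificate the marketplace signed could be presented as a policy it never vouched for.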
  • Patent number: 6978298
    Abstract: A method and apparatus in a data processing system for managing sessions for a secure access to the data processing system. A request for a secure connection is received. The secure connection is established, wherein information used to facilitate the secure connection is generated. The information is stored for a selected period of time, wherein the selected period of time is selected to optimize server resources.
    Type: Grant
    Filed: May 25, 2000
    Date of Patent: December 20, 2005
    Assignee: International Business Machines Corporation
    Inventor: David G. Kuehr-McLaren