Abstract: A method, program product and apparatus for controlling access to profile information, multi-media resources or social network functions of a first user by a second user not listed on a friend or group listing of the first user. An application retrieves a threshold criteria for access control and social network statistics in response to an attempted access by an entity without an appropriate privilege. The application compares the statistics to the threshold. Then, if the statistics meet the threshold criteria, the application allows access.

Abstract: Data for a first time period in a primary data sequence is compared with data for a second time period in each of a set of secondary data sequences. The durations of the first and second time periods are correlated, and the first time period is different from the second time period. To this extent, the data in the primary data sequence during the first time period provides a template for assigning a ranking to each secondary data sequence based on the corresponding data for the second time period.

Abstract: A technique for securing selected document content includes receiving, at a printer, an unsecured electronic document. Selected content of the electronic document is then encrypted, with an encryption key, at the printer. A paper document whose content includes the encrypted selected content of the electronic document is then printed. The encrypted selected content of the paper document is unintelligible prior to decryption with a decryption key.

Abstract: The Custom Access Controller adds a custom security hierarchy to the organizational data in the View Processor of WEBSPHERE Virtual Member Manager. Whenever an entity or application attempts to access a resources the access control engine starts the View Processor to identify the organizational data and assigned security policy for the resource. The assigned security policy is applied to a delegated administration path which is part of the delegated administration hierarchy but includes the appropriate path and security policy for the resource. The delegated administration path is sent to an access control engine that grants or denies access to the resource. A View Processor Interface allows network administrators to create and modify custom security hierarchies.

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: An abstraction layer associates a party-focused object, a security-focused object, or both, with an abstraction object. The party-focused object has a property. The property is presented in the abstraction object defined by the mapping schema. The abstraction layer converts a set of repository objects to at least one abstraction object.

Abstract: A method and system for selecting master nodes to manage a target node group in a computer network having multiple nodes and overlapping node groups. The system includes determining a hamming distance for node pairs within the network. The node pair includes two node pair members and the hamming distance is the number of node groups the node pair members do not share in common. A participation index for nodes within the network is determined at a determining operation. The participation index is the number of node groups the node belongs to. An availability potential for node pairs is also determined. The availability potential is the sum of the participation indexes of the node pair members subtracted by the hamming distance of the node pair. An optimal combination of node pairs is found by searching for the maximum total availability potential for the network. A master node pair for the target node group is selected from the optimal combination of node pairs.

Abstract: Policies defining the entitlements to be assigned to a new identity joining a role are automatically generated. An automatic policy assigns a new identity the entitlements commonly owned by a predetermined number of identities in the role, which may be all of the role identities. A conditional policy recommends that a new identity be assigned the non-commonly-owned entitlements associated with the role identity whose non-entitlement attributes most closely match the non-entitlement attributes of the new identity. This may be automatically determined by iterating through a vector that maps the non-commonly-owned entitlements with the non-entitlement attributes of each role identity, comparing the non-entitlement attributes of the new identity to find the closest match. The non-commonly-owned entitlements of that identity are then recommended to be assigned to the new identity, upon approval.

Abstract: A role hierarchy is automatically generated by hierarchically ranking roles in a role based control system, each role including a plurality of identities having attributes. Iteratively at each hierarchical level: each non-cohesive role (wherein, in this case, at least one attribute is not possessed by every identity in the role) is replaced, at the same hierarchical level, by a cohesive role formed by grouping identities having at least one common attribute. The remaining identities are clustered into children roles based on attributes other than the common attribute, and the children roles are added to the role hierarchy at a hierarchical level below the cohesive role. If no common attribute exists in the non-cohesive role, the role is clustered into two or more new roles based on all the attributes in the role, and the non-cohesive role is replaced with the new roles at the same hierarchical level.

Abstract: An automated, bottom-up role discovery method for a role based control system includes automatically extracting identities and attributes from data sources and automatically clustering the identities based on the attributes to form recommended roles. The recommended roles may be modified by intervention of an administrator. Additionally, the recommended roles may be aggregated by defining the role definition as an attribute of each constituent identity, and re-clustering the identities to generate refined roles. The recommended, modified, and/or refined roles may then be utilized in a role based control system, such as a role based access control system. Periodically performing the role discovery process provides a means to audit a role based access control system.

Abstract: A method and system for selecting master nodes to manage a target node group in a computer network having multiple nodes and overlapping node groups. The system includes determining a hamming distance for node pairs within the network. The node pair includes two node pair members and the hamming distance is the number of node groups the node pair members do not share in common. A participation index for nodes within the network is determined at a determining operation. The participation index is the number of node groups the node belongs to. An availability potential for node pairs is also determined. The availability potential is the sum of the participation indexes of the node pair members subtracted by the hamming distance of the node pair. An optimal combination of node pairs is found by searching for the maximum total availability potential for the network. A master node pair for the target node group is selected from the optimal combination of node pairs.