Abstract: A method for validating an access request with respect to an application is provided. The method includes: receiving an access request from a user with respect to an application; retrieving, from a memory, group identification information that relates to at least one group to which the user belongs; retrieving, from the memory, scope information that indicates qualifications and/or characteristics of a relationship between the user and the at least one group; and generating a token that notifies the application of the group identification information and the scope information, and is usable by the application for validating the access request. The method may be implemented in an Active Directory Federation Services (AD FS) environment.

Abstract: A method for controlling access to a set of data is provided. The method includes receiving, via an interface, a request from an agent to access the set of data in a database; extracting an access criterion relating to a predefined data access constraint and a predetermined data access policy from the request; and determining whether the agent is granted access to the set of data using the criterion, where the access criterion is based on an attribute that is associated with an element within the set of data.

Abstract: A method for defining a policy for providing access to a system is provided. The method includes: identifying, for each of a plurality of information classes within an information model, at least one respective information attribute; defining, for at least one of the at least one respective information attribute, a respective predicate filter function; determining, based on the defined at least one respective predicate filter function, at least one access rule that relates to a corresponding information attribute; defining the policy with respect to each of the plurality of information classes based on the constructed API and each of the determined at least one access rule; and constructing an application programming interface (API) for the information model based on the defined policy. The API may be augmented by updating parameters based on the defined policy.

Abstract: A method for governing a policy for providing access to a system is provided. The method includes: receiving a plurality of policy data units, each respective policy data unit including information that relates to an access determination with respect to the system; processing the plurality of policy data units by constructing a first directed graph of policy data unit processors, and obtaining an access policy rule as a result of the processing; evaluating the obtained access policy rule across a compute environment that is distributed in time and space by using the first directed graph; generating a signed access token that relates to a predetermined user based on the obtained access policy rule; and transmitting the signed access token to the predetermined user.

Abstract: A method for validating an access request with respect to an application is provided. The method includes: receiving an access request from a user with respect to an application; retrieving, from a memory, group identification information that relates to at least one group to which the user belongs; retrieving, from the memory, scope information that indicates qualifications and/or characteristics of a relationship between the user and the at least one group; and generating a token that notifies the application of the group identification information and the scope information, and is usable by the application for validating the access request. The method may be implemented in an Active Directory Federation Services (AD FS) environment.

Abstract: A method for controlling access to a set of data is provided. The method includes receiving, via an interface, a request from an agent to access the set of data in a database; extracting an access criterion relating to a predefined data access constraint and a predetermined data access policy from the request; and determining whether the agent is granted access to the set of data using the criterion, where the access criterion is based on an attribute that is associated with an element within the set of data.

Abstract: A method for defining a policy for providing access to a system is provided. The method includes: identifying, for each of a plurality of information classes within an information model, at least one respective information attribute; defining, for at least one of the at least one respective information attribute, a respective predicate filter function; determining, based on the defined at least one respective predicate filter function, at least one access rule that relates to a corresponding information attribute; defining the policy with respect to each of the plurality of information classes based on the constructed API and each of the determined at least one access rule; and constructing an application programming interface (API) for the information model based on the defined policy. The API may be augmented by updating parameters based on the defined policy.