Abstract: A method, system and computer program for business process automation facilitates transforming a user's identity/credentials as part of the enablement of transaction fulfillment, e.g., within a SOA environment. In one embodiment, identity and attribute information is added to one or more business process models that each represents a sub-transaction within an overall transaction fulfillment business process flow. As the business model is mapped to an execution environment, the identity and attribute information in the model is used to configure appropriate tooling to define the identity/attribute transformation required to complete the particular portion of the transaction represented by the model.

Abstract: A method, system, apparatus, and computer program product are presented for processing cookies that are transmitted from a server through a proxy server to a client that is operated by a user. The proxy server detects that a response message from the server for the client has an associated cookie. The proxy server extracts a domain identifier associated with the server from the response message, and the proxy server retrieves a set of parameters that contain domain identifiers that are associated with indications of whether to block transmission of cookies from servers associated with the domain identifiers. The proxy server then processes the cookie in the response message in accordance with the retrieved set of parameters and the extracted domain identifier, either blocking or not blocking cookies from the identified domain. Blocked cookies are cached for subsequent use. Multiple sets of parameters may be configured by the user.

Abstract: A method is presented for enforcing a privacy policy concerning management of personally identifiable information in a centralized manner through a privacy proxy agent. A proxy intercepts a message from a first system to a second system, e.g., from a server to a client, and determines whether the message is associated with an operation on personally identifiable information; if not, then the proxy sends the message to the second system, but if so, then the proxy determines whether the operation on the personally identifiable information is compliant with a privacy policy and with user preference information with respect to the privacy policy for a user who is associated the personally identifiable information. If the message is compliant with the privacy policy and user preference data, then the proxy sends the first message to the second system; otherwise, an error indication is returned to the first system.

Abstract: A reference monitor that authorizes information flows between elements of a data processing system is provided. The elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

Abstract: This invention automates the selection of purpose usages when a user agent interacts with a web site that has been enabled for automated purpose usage information exchange. A user first configures the purpose usage automation in his or her user agent. At this stage, which typically occurs off-line, the user decides on a level of automation when specifying the one or more purpose usages. If desired, this preference may depend on how “trusted” the site is to the user. Later, when the user navigates to an organization's web site, the user agent communicates the purpose usage settings to the organization according to the level of purpose usage automation that has been configured. In particular, when a user's agent visits a web site, the user agent detects that “automated purpose usage” is enabled for the web site. The web site then provides the user agent with a list of one or more purpose usage options required or desired by the organization.

Abstract: A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. A metadata associated with an application or component is identified. A mapping determination is made whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, a user intervention may be necessary, the component may be classified in a default classification, or both. Because of the policy being associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.

Abstract: One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can provide the response to each policy requestor responsive in response to each response.

Abstract: A method, system, and computer usable program product for propagating information in a trust chain processing are provided in the illustrative embodiments. Upon a trust client invoking the trust chain processing, a mapped security information is received, the mapped security information being stored in a memory or a data storage associated with a data processing system. A set of security information attributes are located from the mapped security information according to a configuration. The set of security information attributes are packaged to form a packaged security information. The packaged security information is issued to a target system, the target system being distinct from the trust client that invoked the trust chain processing. The locating, the packaging, and the issuing collectively form monitoring the trust chain processing. A next component in the trust chain processing may be invoked. The invoking may occur before, after, or during the monitoring.

Abstract: A method for authorizing information flows based on security information associated with information objects is provided. A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

Abstract: A computer implemented method, data processing system, and computer program product for logical management and provisioning of business applications within the framework of an identity management system. The illustrative embodiments providing an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system. The illustrative embodiments define user entitlements on a user account associated with the managed service. The illustrative embodiments provision user access to the business applications via the managed service in the identity management system upon user request.

Abstract: A reference monitor that authorizes information flows between elements of a data processing system is provided. The elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

Abstract: A web browser is provided with a logout enablement function that traps a browser or page shutdown request and prevents that request from completing until the browser (or page) has logged out from one or more current server-side application sessions. The logout enablement function ensures that server-side resources that have been invoked for a given session are released before the web browser can be shutdown. The function is implemented as native browser code, a web page applet, a Java server page, a script, a control associated with the browser, and a browser plug-in.

Abstract: A reference monitor system, apparatus, computer program product and method are provided. In one illustrative embodiment, elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

Abstract: This invention automates the selection of purpose usages when a user agent interacts with a web site that has been enabled for automated purpose usage information exchange. A user first configures the purpose usage automation in his or her user agent. At this stage, which typically occurs off-line, the user decides on a level of automation when specifying the one or more purpose usages. If desired, this preference may depend on how “trusted” the site is to the user. Later, when the user navigates to an organization's web site, the user agent communicates the purpose usage settings to the organization according to the level of purpose usage automation that has been configured. In particular, when a user's agent visits a web site, the user agent detects that “automated purpose usage” is enabled for the web site. The web site then provides the user agent with a list of one or more purpose usage options required or desired by the organization.

Abstract: The present invention provides a way to protect PII (or, more generally, any user “sensitive” information) throughout its life cycle in an organization. The techniques described herein ensure that a user's PII is protecting during storage, access or transfer of the data. Preferably, this objective is accomplished by associating given metadata with a given piece of PII and then storing the PII and metadata in a “privacy protecting envelope.” The given metadata includes, without limitation, the privacy policy that applies to the PII, as well as a set of one more purpose usages for the PII that the system has collected from an end user's user agent (e.g., a web browser), preferably in an automated manner. Preferably, the PII data, the privacy policy, and the user preferences (the purpose usages) are formatted in a structured document, such as XML.

Abstract: The present invention provides methods, systems, computer program products, and methods of doing business whereby legacy host application/system access is integrated with single sign-on in a modern distributed computing environment. A security token used for signing on to the modern computing environment is leveraged, and is mapped to user credentials for the legacy host environment. These user credentials are programmatically inserted into a legacy host data stream, thereby giving the end user the look and feel of seamless access to all applications/systems, including not only modern computing applications/systems but also those residing on (or accessible through) legacy hosts. In addition to providing users with the advantages of single sign-on, the disclosed techniques enable limiting the number of user identifiers and passwords an enterprise has to manage.

Abstract: A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

Abstract: The present invention provides methods, systems, computer program products, and methods of doing business whereby legacy host application/system access is integrated with single sign-on in a modem distributed computing environment. A security token used for signing on to the modem computing environment is leveraged, and is mapped to user credentials for the legacy host environment. These user credentials are programmatically inserted into a legacy host data stream, thereby giving the end user the look and feel of seamless access to all applications/systems, including not only modem computing applications/systems but also those residing on (or accessible through) legacy hosts. In addition to providing users with the advantages of single sign-on, the disclosed techniques enable limiting the number of user identifiers and passwords an enterprise has to manage.

Abstract: A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate-based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client. When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.