Access Control Lists Patents (Class 707/785)
  • Patent number: 12143520
    Abstract: A Quorum network comprising an access controlled multi-tenant network is provided that is configured to enable access control and state isolation in a multi-tenancy Ethereum-based distributed ledger system. The access-controlled network includes one or more authenticating servers (also referred to as access controls) for providing permission control to the nodes in the network. In a standard multi-tenant network, each user of an entity (also referred to as an organization) is limited to only transacting with (also referred to as accessing) their own authorized resources. The access-controlled network utilizes an access controller to provide a singular truth for a set of managed nodes through a trusted entity (such as a Network Authorization Server).
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: November 12, 2024
    Assignee: Consensys Software Inc.
    Inventors: Samer Falah, Chaddy Huussin, Angela Pratt, Jitendra Bhurat, Nicolae Leonte, Trung Nguyen
  • Patent number: 12107839
    Abstract: The present disclosure provides a secure, user-transparent, and highly efficient content provider-specific identifier (“CPSID”), sometimes referred to as a “read-only cookie” (“ROC”). These content provider-specific identifiers may be generated by the client device and encrypted with a public key of the content provider, preventing third parties from indirectly identifying matches, and obviating the need for provider-side cookie matching tables and resource-intensive tracking communications. The generation of content provider-specific identifiers may be controlled by user policies, such that identifiers are only created for content providers with compliant terms of service (ToS), e.g., retrievable from a predetermined address within the domain; content providers that are on a whitelist (e.g. for which the user has explicitly provided consent); and/or content providers that are not on a blacklist (e.g. for which the user has explicitly refused consent).
    Type: Grant
    Filed: February 2, 2023
    Date of Patent: October 1, 2024
    Assignee: Google LLC
    Inventors: Yian Gao, Gang Wang
  • Patent number: 12039066
    Abstract: Systems and methods for simplifying and consolidating permission sets from multiple heterogeneous file storage systems are disclosed. An example method includes acquiring from the first file storage system a first set of file system permissions having a first set of permission semantics, and acquiring from a second file storage system a second set of file system permissions having a second set of permission semantics that are different from the first set of permission semantics. The first set of file system permissions and the second set of file system permissions are converted to a unified set of file system permissions having unified permission semantics that are different from the first set of permission semantics and the second set of permission semantics. The unified set of file system permissions can be analyzed to make a determination regarding security levels of the first file storage system and of the second file storage system.
    Type: Grant
    Filed: September 13, 2020
    Date of Patent: July 16, 2024
    Assignee: Egnyte, Inc.
    Inventors: Shishir Sharma, Amrit Jassal, Sean Elliot Roberts
  • Patent number: 11841877
    Abstract: A method of implementing sub-table replication starts with the processor detecting an update to an entitlements table. The processor performs filtering of a data table based on the update to the entitlements table. The data table includes an entitlements column. The processor detects an update to the entitlements column and performs incremental replication of the data table by causing a version-based replication to be executed. Other embodiments are also described herein.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: December 12, 2023
    Assignee: Snowflake Inc.
    Inventors: Pui Kei Johnston Chu, Shreyas Narendra Desai, German Alberto Gil Echeverri, Prasanna Krishnan, Nithin Mahesh, Subramanian Muralidhar, Eric Robinson, Sahaj Saini
  • Patent number: 11824865
    Abstract: Disclosed in the present invention is a method for authorizing an authorization operator in a system, comprising: a system operator selects one or more authorization operators, configuring one or more grantees for each authorization operator; respectively configuring, by each authorization operator, a permission for each grantee requiring permission configuration among all the grantees corresponding to the authorization operator; and executing, by said grantee, a corresponding operation according to the configured permission. According to the present invention, a plurality of the authorization operators may be configured, and each grantee may be authorized by the corresponding authorization operator having a clear understanding of the permission of the grantee, so that an error will not easily occur in an authorization operation.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: November 21, 2023
    Assignee: CHENGDU QIANNIUCAO INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Dazhi Chen
  • Patent number: 11630841
    Abstract: The present technology pertains to an organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments, novel access permissions are granted to maintain path consistency.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: April 18, 2023
    Assignee: Dropbox, Inc.
    Inventors: Thomas Kleinpeter, Tony Xu, Alex Sydell, Nils Bunger, Sam Jau, Aaron Staley, Sara Lin
  • Patent number: 11580206
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for data security protection are provided. One of the methods includes: receiving a job associated with a project, wherein the project is associated with one or more data sources; identifying a plurality of inputs and a plurality of outputs associated with the job; determining a plurality of required permissions associated with the job, wherein each of the required permissions comprises an operation on a required data source, the operation corresponding to at least one of the inputs or the outputs; verifying that the one or more data sources associated with the project comprise the required data source associated with each of the required permissions; and generating a token associated with the job, the token encoding the required permissions associated with the job, wherein the token is required for execution of the job.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: February 14, 2023
    Assignee: Palantir Technologies Inc.
    Inventors: Hannah Korus, Brian Schimpf, Lam Tran, Mark Elliot, Robert Kruszewski
  • Patent number: 11550929
    Abstract: A memory system includes a nonvolatile memory device; and a controller configured to control the nonvolatile memory device, wherein the controller is configured to: receive a system information request including a command and an argument from a host device; determine suitability of the system information request based on a fixed key included in the argument in response to the command; encrypt system information based on the argument when the system information request is suitable; and transmit the encrypted system information to the host device.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: January 10, 2023
    Assignee: SK hynix Inc.
    Inventor: Jeen Park
  • Patent number: 11494410
    Abstract: In various embodiments, a data storage system maintains a data store for a plurality of groups of users, where the data store includes a first section that is accessible by a first group of users, but not a second group of users, via the data storage system. In response to receiving, from a first user of the first group of users, a request to share data with the second group of users, the data storage system sends a request to a second user of the second group of users. Subsequent to receiving an acceptance from the second user, the data is stored in a second object in a second section of the data store that is accessible by the second group of users, but not the first group of users, via the data storage system.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: November 8, 2022
    Assignee: salesforce.com, inc.
    Inventors: Aditya S. Kuruganti, Kedar Doshi, Chaitanya Bhatt, William Moxley
  • Patent number: 11436257
    Abstract: A method of implementing sub-table replication starts with the processor detecting an update to an entitlements table. The processor performs filtering of a data table based on the update to the entitlements table. The data table includes an entitlements column. The processor detects an update to the entitlements column and performs incremental replication of the data table by causing a version-based replication to be executed. Other embodiments are also described herein.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: September 6, 2022
    Assignee: Snowflake Inc.
    Inventors: Pui Kei Johnston Chu, Shreyas Narendra Desai, German Alberto Gil Echeverri, Prasanna Krishnan, Nithin Mahesh, Subramanian Muralidhar, Eric Robinson, Sahaj Saini
  • Patent number: 11397751
    Abstract: A method of implementing sub-table replication starts with the processor detecting an update to an entitlements table. The processor performs filtering of a data table based on the update to the entitlements table. The data table includes an entitlements column. The processor detects an update to the entitlements column and performs incremental replication of the data table by causing a version-based replication to be executed. Other embodiments are also described herein.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: July 26, 2022
    Assignee: Snowflake Inc.
    Inventors: Pui Kei Johnston Chu, Shreyas Narendra Desai, German Alberto Gil Echeverri, Prasanna Krishnan, Nithin Mahesh, Subramanian Muralidhar, Eric Robinson, Sahaj Saini
  • Patent number: 11397739
    Abstract: Computer-implemented methods and systems are provided for identifying IT service compositions corresponding to subsets of a set R of IT service requirements. Such a method includes providing a data structure including, for a set S of IT services, a master graph having master nodes representing respective subsets of like services in S, interconnected by master edges each representing an integration-need between nodes interconnected by that edge. The method further comprises, for each service composition being a set of services, integrated by integration components and spanning all master nodes, in the composition subgraph, comparing the composite attributes of services and integration components in that composition with the requirements in R? to select at least one preferred service composition for R?, and outputting composition data defining each preferred service composition.
    Type: Grant
    Filed: March 10, 2020
    Date of Patent: July 26, 2022
    Assignee: International Business Machines Corporation
    Inventors: Birgit Monika Pfitzmann, Dorothea Wiesmann Rothuizen, Elizabeth Whittum Byrd, Herve Durand
  • Patent number: 11386397
    Abstract: In non-limiting examples of the present disclosure, systems, methods and devices for providing cross-domain access to calendar availability are presented. A request to schedule an event may be received. The request may comprise an identity of an organizer user account, the organizer user account associated with a first domain, and an identity of an invitee user account, the invitee user account associated with a second domain. An importance level of the organizer user account to the invitee user account may be determined. A determination may be made as to whether the organizer user account has access to events in an electronic calendar associated with the invitee user account based on the importance level. One or more events that the organizer account has access to may be surfaced in an event scheduling assistant user interface associated with the organizer user account.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: July 12, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: William Hart Holmes, Srinivasa Reddy Manda, Mohit Mehtani, Jaya Matthew, Chanchai Ravindra Kariwala, Charlie Ricafort Chung, Tor-Helge Persett
  • Patent number: 11329989
    Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Richard Threlkeld
  • Patent number: 11308039
    Abstract: The present technology can move operating system folders into a sync folder of a cross platform content management system, and redirect the operating system to look for the OS folders in the sync folder. The present technology also provides an invariant checker to make sure that another application has not moved the OS folders after they have been placed in the sync folder, and provides solutions when the OS folders are moved out of the sync folder of the content management system. Additionally, when OS folders for multiple client devices are in the sync folder on the content management system, the present technology can provide a mechanism to make the content items in an OS folder on a first client device also sync into an OS folder on second client device.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: April 19, 2022
    Assignee: Dropbox, Inc.
    Inventors: Pranav Vishnu Ramabhadran, Maxime Larabie-Belanger, Nipunn Koorapati, Adam Arbree, Rishabh Jain, Haynes George
  • Patent number: 11258786
    Abstract: A multi-tenant system that provides cloud-based identity management receives a request to execute a job, where the job has a scheduled start time, or a timeframe to complete, that exceeds the validity time of a request access token. The system generates the request access token corresponding to the job, where the request access token has access privileges. The system schedules the job and persists the request access token. The system triggers the job at the scheduled start time and generates a derived access token based on the request access token, where the derived access token includes the access privileges. The system then injects the derived access token during runtime of the job and calls a service using the derived access token to execute the job.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: February 22, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ajeet Bansal, Vadim Lander, Gregg Wilson
  • Patent number: 11244067
    Abstract: Security credentials associated with a first account maintained by a database system are authenticated. Based on authenticating the security credentials, a user interface element is provided to enable sharing of customer data associated with the first account with an application. A request to share customer data with the application is received. Based on the request, third-party data that is accessible by the first account is identified. The third-party data corresponds to a second account maintained by the database system. The second account corresponds to a third-party data provider. The application is enabled to access cloud data associated with the first account based on the request. The cloud data comprises the customer data and the third-party data.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: February 8, 2022
    Assignee: Snowflake Inc.
    Inventors: Christopher Peter Child, Matthew J. Glickman, Justin Langseth
  • Patent number: 11238128
    Abstract: A method for collection of digital documents from a plurality of sources, the method comprising: a step to determine a collection order defining a list of documents to be collected, each document being associated with a determined source and a determined identifier, a step to generate a plurality of web pages from the collection order, each web page including a loading area associated with each digital document from said source, each loading area being adapted to automatically store a digital document in a memory of a computer management system, and a step to send a collection email to each source, each collection email sent to a source including a computer link to access the web loading page associated with said source.
    Type: Grant
    Filed: December 15, 2017
    Date of Patent: February 1, 2022
    Assignee: VALIPAT SA
    Inventor: Olivier Gerardin
  • Patent number: 11190503
    Abstract: Embodiments of this application provide a resource processing method, apparatus, and system, and a computer-readable medium.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: November 30, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Zhe Yuan
  • Patent number: 11165764
    Abstract: Systems, methods and computer program products for controlling access to data owned by an application subscriber using two-factor access control and user partitioning are disclosed. In one embodiment, applications are executed on a multi-tenant application platform in which user partitions designate associated users and authentication services for those users. Tenants may subscribe to the applications and may allow access to the subscriptions through designated entry points. Users that are authenticated according to the corresponding user partition and access the application through the designated entry point are allowed to access the application through the tenant's subscription.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: November 2, 2021
    Assignee: OPEN TEXT SA ULC
    Inventors: Jody Hupton Palmer, Nicholas Edward Scott
  • Patent number: 11132455
    Abstract: Techniques are described for pooling data originating from different entities into a data pool managed by a data pool management system (DPMS) for performing accurate and resource-efficient statistical and other data operations by entities. Techniques further include maintaining rule sets that govern access to the data sets of the data pool. The DPMS uses the rule sets to determine whether a particular data set, on which a particular operation is requested to be performed, qualifies as authorized data for the requesting entity. In an embodiment, the DPMS determines, based on one rule set, that the particular data set does not qualify as authorized data for the particular operation. The DPMS further determines that, based on another rule set, the particular data set does qualify as authorized data for the particular operation. Based on determining that the authorizing rule set overrides the non-authorizing rule set, the DPMS proceeds to perform the particular operation using the particular data set.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: September 28, 2021
    Assignee: ADARA, INC.
    Inventors: Michael Baird Leavitt, Chinmay Vikram Gandhi, Hongcheng Mi, Yuan Gao, Shuo Yang, Dylan Tao-Pei Su, Julius Quinoveva Quiaot, Jian An, Xiaozhou Fang, Melissa Beth Stein
  • Patent number: 11122088
    Abstract: A device secures open authorization (OAuth) resources according to systems described herein. In some instances, a resource server is configured for receiving a request for authorization from a client device. The request, for authorization to use a requested resource, may include a token having at least one claim. The resource server may interpret data of the token according to a domain specific language. The interpreting may obtain at least one rule associated with the at least one claim from among a range of resource access control rules. The rule may be compared against a resource request and operation. Based on the comparison, the request may be allowed or rejected. In one example, interpretation of the token may decode resources including quantities and combinations of uniform resource identifiers (URIs) claimed by the token using a domain specific language defined by a context-free grammar.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: September 14, 2021
    Assignee: Itron, Inc.
    Inventors: Jeffrey Scott Bailey, Elliott Edwards, John Andrew Laughlin, Rylan Herdt
  • Patent number: 11108563
    Abstract: An information processing system is provided which authenticates and authorizes a client device. In a case where it is determined that an error includes a time of an authentication and authorization server, the information processing system transmits a second authorization token request including the time of the authentication and authorization server to the authentication and authorization server.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: August 31, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kenta Endoh
  • Patent number: 11080419
    Abstract: Techniques are described for transaction-based read and write operations in a distributed system. In an embodiment, an authorization protocol is overlaid onto a transaction to control access to each of the data pools. Using the techniques described herein, the DTRS provides an authorization mechanism to ensure that the entity, which hosts the data pool, may only access the data set from an originating entity based at least upon the access rules of the originating entity set for the data set. Additionally, the DTRS's read/write transactions keep the data pools of the DTRS in sync with each other, so each data pool stores the same data sets as another data pool of the DTRS. When a data integrity service of an entity generates a new data entry from a user transaction with a client application, a new write request is generated for the DTRS to which the data integrity service belongs.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: August 3, 2021
    Assignee: ADARA, INC.
    Inventors: Hongcheng Mi, Michael Baird Leavitt, Shuo Yang, Hien Nguyen
  • Patent number: 11044252
    Abstract: A system and method consistent with the present disclosure allows for a single NMS system to manage data access and control for N number of customer domains and associated users. In particular, an NMS consistent with the present disclosure may include a configuration that partitions the optical communication system by domain. For each domain, partitioning can further define per-user access constraints and privileges including access to specific equipment by, for instance, fiber pair designation, wavelength designation, specifically identified hardware elements, component categories, or any combination thereof. The NMS system may utilize a proxy server approach to authentication, e.g., using RADIUS, that allows for each party/customer to maintain separate authentication databases and equipment-specific constraints.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: June 22, 2021
    Assignee: SubCom, LLC
    Inventors: Richard Kram, Jonathan M. Liss, Sushil Prabhu, Antonio Ciorri, Eric Bodner, Shreya Gautam
  • Patent number: 10878079
    Abstract: A system for authorizing access to a resource associated with a tenancy in an identity management system that includes a plurality of tenancies receives an access token request for an access token that corresponds to the resource, the request including user information and application information, the user information including roles of a user and the application information including roles of the application. The system evaluates the access token request by computing dynamic roles and corresponding dynamic scopes for the access token including a second intersection between the dynamic roles of the user and the dynamic roles of the application. The system then provides the access token that includes the computed static scopes, where the scopes are based at least on the roles of the user and the roles of the application, and further including the computed dynamic roles and corresponding dynamic scopes.
    Type: Grant
    Filed: May 9, 2017
    Date of Patent: December 29, 2020
    Assignee: Oracle International Corporation
    Inventors: Sirish V. Vepa, Sreedhar Katti, Maheshkumar Shivlal Dhaduk, Vadim Lander
  • Patent number: 10861268
    Abstract: Aspects of the present disclosure relate to a device that is configured to store a list of user identifiers and user attribute data, receive a set of access criteria specifying one or more attributes, receive and identify a user identifier via a data input component, determine an access status of the user identifier based on the access criteria, and present the access status in such a way as is perceivable by a user of the access control device.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: December 8, 2020
    Assignee: Palantir Technologies Inc.
    Inventors: Jeffrey Worrall, Joel Hosino
  • Patent number: 10803201
    Abstract: System and method to produce an anonymized electronic data product having an individually-determined threshold of re-identification risk, and adjusting re-identification risk measurement parameters based on individual characteristics such as geographic location, in order to provide an anonymized electronic data product having a sensitivity-based reduced risk of re-identification.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: October 13, 2020
    Assignee: PRIVACY ANALYTICS INC.
    Inventors: Hazel Joyce Nicholls, Andrew Richard Baker, Yasser Jafer, Martin Scaiano
  • Patent number: 10778804
    Abstract: A method, computer readable medium and apparatus for providing control of social networking sites are disclosed. For example, the method establishes an owner profile, receives a request from a third party user to post information on a social networking site associated with an owner, determines if the request should be granted in accordance with the owner profile and posts the information on the social networking site associated with the owner if the request is granted.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: September 15, 2020
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Joseph Anderson Alfred, Joseph M. Sommer
  • Patent number: 10764299
    Abstract: An access configuration for an access control manager is generated. Access data including users, resources, and actions the users performed on the resources is received into a matrix. Clusters of the matrix are formed to produce ranges of the users and ranges of the resources having selected permission levels based on the actions. Administrator-modifiable security groups are created based on the ranges of users and administrator-modifiable resources groups based on the ranges of resources.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: September 1, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ben Kliger, Efim Hudis, Moshe Israel, Steven J. Lieberman, Mark Wahl
  • Patent number: 10764253
    Abstract: A system may use metadata to identify and extract specific upstream data, provision data batches, and provide dynamic downstream data access. Workflow data is received by the system from a business process management application and modeled for downstream use. Use of a data staging engine includes utilization of a metadata repository that assists with the extraction, organization, transformation and loading of workflow data from a proprietary format to a modeled relational format. A self-service batch provisioning tool enables users and applications to request and receive batch payloads in an automated fashion. Users are presented with a graphical interface for submitting authorization credentials and justifications for workflow data request. Scope of accessible workflow data based on user-provided credentials and justifications are presented via the graphical interface and allow the user to select specific data subcategories for batch provisioning.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: September 1, 2020
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Soorej Lancelot David
  • Patent number: 10635410
    Abstract: A source code repository data store may contain source code module components, and a communication interface may support user displays at remote developer devices. A module coordination system computer server may access an electronic work request record, associated with a work request identifier, a release date, and at least a first source code module component in the source code repository data store. A first remote developer device may establish a first user display including individual lines of code (where each line that has been changed since a previous release of the first source code module component is tagged with an associated work request identifier and is shown in association with a developer identifier). According to some embodiments, a first user display reflects all changes dynamically that have been made since the previous release of the first source code module component, including those with other developer identifiers and multiple release dates.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: April 28, 2020
    Assignee: Hartford Fire Insurance Company
    Inventors: Dennis P. Polisky, Robert A. Griffith
  • Patent number: 10594684
    Abstract: A multi-tenant system that provides cloud-based identity management receives a request to execute a job, where the job has a scheduled start time, or a timeframe to complete, that exceeds the validity time of a request access token. The system generates the request access token corresponding to the job, where the request access token has access privileges. The system schedules the job and persists the request access token. The system triggers the job at the scheduled start time and generates a derived access token based on the request access token, where the derived access token includes the access privileges. The system then injects the derived access token during runtime of the job and calls a microservice using the derived access token to execute the job.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: March 17, 2020
    Assignee: Oracle International Corporation
    Inventors: Ajeet Bansal, Vadim Lander, Gregg Wilson
  • Patent number: 10581807
    Abstract: A dispersed storage network (DSN) includes a DSN memory, which in turn employs multiple distributed storage (DS) units to store encrypted secret material that can be decrypted using an unlock key. The unlock key is stored external to the DS unit, in some cases using multiple data slices dispersed throughout the DSN. To obtain the unlock key, the DS unit transmits authentication credentials to another device included in the DSN, but external to the DS unit. The other device authenticates the DS unit using the authentication credentials, and sends the unlock key to the DS unit. The DS unit uses the unlock key in normal decryption operations. In response to a security event, the DS unit transitions to a secure mode by erasing any material decrypted using the unlock key, the unlock key, and the DS unit's authentication credentials.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: March 3, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Mark D. Seaborn
  • Patent number: 10581918
    Abstract: A device secures open authorization (OAuth) resources according to systems described herein. In some instances, a resource server is configured for receiving a request for authorization from a client device. The request, for authorization to use a requested resource, may include a token having at least one claim. The resource server may interpret data of the token according to a domain specific language. The interpreting may obtain at least one rule associated with the at least one claim from among a range of resource access control rules. The rule may be compared against a resource request and operation. Based on the comparison, the request may be allowed or rejected. In one example, interpretation of the token may decode resources including quantities and combinations of uniform resource identifiers (URIs) claimed by the token using a domain specific language defined by a context-free grammar.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: March 3, 2020
    Assignee: Itron, Inc.
    Inventors: Jeffrey Scott Bailey, Elliott Edwards, John Andrew Laughlin, Rylan Herdt
  • Patent number: 10547573
    Abstract: A method for associating messages with media, including multiple media elements, during playing thereof, the method including sensing at least one media element currently being played by a user during playing of the media and based on the sensing of the at least one media element currently being played by a user, playing at least one message in time synchronization with playing of the at least one media element.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: January 28, 2020
    Assignee: SECOND SCREEN VENTURES LTD.
    Inventors: Ofer Vaknin, Yoav Mor
  • Patent number: 10514854
    Abstract: Examples of the present disclosure describe systems and methods of conditionally authorizing access to isolated collections of data. In aspects, a request to access an isolated collection of resource identifiers and relationships may be received by an application. A set of conditions may control access to the isolated collection. Upon receiving the request, the application may attempt to determine whether the set of conditions has been satisfied. If the set of conditions is determined to be satisfied, the application may provide the requestor with access to the isolated collection. If the set of conditions is determined to be unsatisfied, the application may prohibit the requestor from accessing the isolated collection.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: December 24, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Robert Standefer, III, Christopher L. Mullins, Henrik Frystyk Nielsen
  • Patent number: 10505946
    Abstract: Embodiments perform token cache management by renewing tokens heuristically. A token renewal request interval is defined based on a configurable lifetime of a token and an acquisition duration. Upon expiration of the token renewal request interval, and in the event that the token is requested by at least one client application, the authentication module renews the token with a secure token service. Renewal may also occur in the absence of a request for the token by any client application if the cached token has been kept valid for less than a threshold time. In some examples, the tokens are associated with credentials for single sign-on during site recovery management.
    Type: Grant
    Filed: November 15, 2016
    Date of Patent: December 10, 2019
    Assignee: VMware, Inc.
    Inventors: Lyubomir Pishinov, Dian Nikolov, Viktor Kaltchev
  • Patent number: 10482094
    Abstract: Embodiments regard conditional selection of compound fields of structured objects. An embodiment of a method for conditionally selecting compound fields from structured objects includes: receiving a query at a database system to select a compound field from any structured object that satisfies a condition; determining by the database system whether a structured object stored in a database satisfies the condition; generating automatically by the database system a plurality of accessors that correspond to a plurality of columns in the compound field associated with the structured object in response to a determination that the structured object satisfies the condition; and providing a result of the query, the result including the plurality of accessors.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: November 19, 2019
    Assignee: salesforce.com, inc.
    Inventors: Avrom Roy-Faderman, Carolyn Leigh Grabill
  • Patent number: 10482693
    Abstract: Aspects of the present disclosure relate to a device configured to store a list of user identifiers and user attribute data, receive a set of access criteria specifying one or more attributes, receive and identify a user identifier via a data input component, determine an access status of the user identifier based on the access criteria, and present the access status in such a way as is perceivable by a user of the access control device.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: November 19, 2019
    Assignee: Palantir Technologies Inc.
    Inventors: Jeffrey Worrall, Joel Hosino
  • Patent number: 10380381
    Abstract: System and method to predict risk of re-identification of a cohort if the cohort is anonymized using a de-identification strategy. An input anonymity histogram and de-identification strategy are used to predict the anonymity histogram that would result from applying the de-identification strategy to the dataset. System embodiments compute a risk of re-identification from the predicted anonymity histogram.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: August 13, 2019
    Assignee: PRIVACY ANALYTICS INC.
    Inventors: Martin Scaiano, Andrew Baker, Stephen Korte
  • Patent number: 10382440
    Abstract: Embodiments are directed to a question and answer (QA) pipeline system that adjusts answers to input questions based on a user criteria, thus implementing a content-based determination of access permissions. The QA system allows for information to be retrieved based on permission granted to a user. Documents are ingested and assigned an access level based on a defined information access policy. The QA system is implemented with the defined information access policy, the ingested documents, and the inferred access levels. For the QA system implementation, a user enters a question; primary search and answer extraction stages are performed; candidate answer extraction is performed using only content the user is allowed to access; the candidate answers are scored, ranked, and merged; ranked answers based on user permissions are filtered; and answers are provided to the user.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: August 13, 2019
    Assignee: International Business Machines Corporation
    Inventors: Donna K. Byron, Elie Feirouz, Daniel M. Jamrog, Kristin A. Witherspoon
  • Patent number: 10263957
    Abstract: A method and apparatus of a device that installs a new access control list for a port of a network element is described. In an exemplary embodiment, a network element receives an indication that the first access control list for the port is to be updated with a second access control list and the port processes data communicated with the port with the first access control list. In addition, the network element configures the port to use a fallback access control list, where the fallback access control list includes a plurality of rules and the port uses the fallback access control list to process data communicated with the port. Furthermore, the network element loads the second access control list for the port. The network element additionally configures the port to use the second access control list, wherein the port uses the second access control list to process data communicated with the port.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: April 16, 2019
    Assignee: Arista Networks, Inc.
    Inventor: Kenneth James Duda
  • Patent number: 10216944
    Abstract: A method for executing access control over an electronic device includes: detecting a position information of the electronic device with a positioning module; determining whether the electronic device has moved outside an authorized region according to the position information; and disabling a plurality of accessible functions of the electronic device according to a user information when the electronic device has moved outside the authorized region.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: February 26, 2019
    Assignee: GETAC TECHNOLOGY CORPORATION
    Inventor: Chih-Yu Yang
  • Patent number: 10210274
    Abstract: A computer implemented method for filtering audience viewing of uniform resource locator (URL) data utilizing hashtags including: identifying a hashtag input by a first user; identifying at least one user preference of the first user, the at least one user preference related to data sharing preferences of the first user on an electronic platform; generating a uniform resource locator (URL) based on the identified hashtag and the identified at least one user preference of the first user; and using the URL, filtering data communication on the electronic platform, thereby displaying a privatized stream of data when the first user accesses the identified hashtag, the privatized stream of data accessible by a second user, the second user being authorized to view the privatized stream of data based on the data sharing preferences of the first user.
    Type: Grant
    Filed: January 4, 2016
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Shadi E. Albouyeh, James E. Fox, Trudy L. Hewitt, Prasad L. Imandi
  • Patent number: 10182032
    Abstract: A system, method, and computer-readable medium enable a domain name or host name registry to effectively manage status codes associated with the domain or host. Status codes are organized into status sets that can be added, removed, activated, or deactivated in accordance with a suitable change request. The status codes corresponding to a removed status set that are also enabled according to other active status sets are not removed when the removal of the status set is processed.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: January 15, 2019
    Assignee: VERISIGN, INC.
    Inventors: James Gould, Srikanth Veeramachaneni, Suzanna Strier, William Shorter
  • Patent number: 10168883
    Abstract: A method for configuring user profiles associated with multiple hierarchical levels, including identifying multiple hierarchical levels in an organization to be configured, concurrently displaying multiple interface components corresponding respectively to the hierarchical levels, each interface component configured to receive user input for the respective hierarchical level, configuring data of a first user profile associated with a first hierarchical level based on a first value specified by user input, and configuring data of a second user profile associated with a second hierarchical level based on a second value specified by user input.
    Type: Grant
    Filed: July 16, 2015
    Date of Patent: January 1, 2019
    Assignee: Oracle International Corporation
    Inventor: Anadi Upadhyaya
  • Patent number: 10152384
    Abstract: A method, a computer program product, and a system for replicating different projections of data, comprising: examining metadata associated with data on a storage system to determine whether to replicate the data to at least one other storage system; and based on a positive determination, replicating the data to the at least one other storage system.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: December 11, 2018
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Amir Amit, Assaf Natanzon, Amy Fredj
  • Patent number: 10140792
    Abstract: An access control device configured to store a list of user identifiers and user attribute data, receive a set of access criteria specifying one or more attributes, receive and identify a user identifier via a data input component, determine an access status of the user identifier based on the access criteria, and present the access status in such a way as is perceivable by a user of the access control device.
    Type: Grant
    Filed: September 13, 2017
    Date of Patent: November 27, 2018
    Assignee: Palantir Technologies Inc.
    Inventors: Jeffrey Worrall, Joel Hosino
  • Patent number: 10122722
    Abstract: In one implementation, a resource classification system identifies a plurality of resource requests and generates a plurality of resource access measures based on the plurality of resource requests. Each resource request from the plurality of resource requests is associated with a resource from a plurality of resources by a resource identifier of that resource. Each resource access measure from the plurality of resource access measures is associated with a resource from the plurality of resources. The resource classification system applies a classifier to each resource access measure from the plurality of resource access measures to generate a classification result for the resource from the plurality of resources associated with that resource access measure, and assigns a security classification to each resource from the plurality of resources based on the classification result for that resource.
    Type: Grant
    Filed: June 20, 2013
    Date of Patent: November 6, 2018
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Pratyusa Kumar Manadhata, Prasad V Rao, William G Home