Abstract: Techniques for providing polymorphic query requests. A request is received that has at least a database query. The database query comprises at least an expression using a polymorphic relationship. The request is processed utilizing the polymorphic relationship. A user-readable result is provided for the query where the result is defined by at least the polymorphic relationship.

Abstract: In longitudinal datasets, it is usually unrealistic that an adversary would know the value of every quasi-identifier. De-identifying a dataset under this assumption results in high levels of generalization and suppression as every patient is unique. Adversary power gives an upper bound on the number of values an adversary knows about a patient. Considering all subsets of quasi-identifiers with the size of the adversary power is computationally infeasible. A method is provided to assess re-identification risk by determining a representative risk which can be used as a proxy for the overall risk measurement and enable suppression of identifiable quasi-identifiers.

Abstract: An authorization token verification request including a second authorization token is received from an application server having received a processing request along with the second authorization token from a client device, and, in a case where the authorization token is verified successfully on basis of the received second authorization token and the authorization token information, the local user information included in the authorization token information is responded to the application server.

Abstract: The Messaging Search and Management Apparatuses, Methods and Systems (“MSM”) transforms message, ranking request inputs via MSM components into work graphs, ML structure input data, ML structure, ranking response outputs. A work graph generation request that includes group level access control data may be obtained. A set of metadata access control carrying messages, a set of users, a set of channels, and a set of topics with access control data corresponding to the group level access control data may be determined. A user priority score for each of the other users, a channel priority score for each of the channels, and a topic priority score for each of the topics, from the perspective of each user, may be calculated. A work graph data structure may be generated that includes, for each user, data regarding the calculated user priority scores, channel priority scores, and topic priority scores.

Abstract: A policy language for an information management system has a three-layer structure that allows specifying one or more policies using policy abstractions. The policies and policy abstractions are in two different layers and decoupled from one another, so policies and policy abstractions may be specified and altered separately from each other. A third layer includes entity objects. A policy may refer to any number of policy abstractions. Multiple policies may reference a single policy abstraction, and a change to that policy abstraction will result in multiple policies being changed. Further, policy abstractions may be nested, so one policy abstraction may reference another policy abstraction, and so forth.

Abstract: Aspects of the present disclosure relate to a portable access control device. In some embodiments, the portable access control device is configured to store a list of user identifiers and user attribute data, receive a set of access criteria specifying one or more attributes, receive and identify a user identifier via a data input component, determine an access status of the user identifier based on the access criteria, and present the access status in such a way as is perceivable by a user of the access control device.

Abstract: A method, system and/or non-transitory computer readable medium is used with a service repository that stores service definitions for services. A query facility inspects service definitions in the service repository. The query facility determines, from the inspection, first attributes associated with a first service and different second attributes associated with a second service, the first and second attributes being related to syntactic and semantic aspects of the first and second services. Responsive to a service oriented request which indicates the first service, the query facility determines a composability of the first and second services in accordance with a service oriented query (SOQ) framework, based on the first and second attributes and rules regarding composability of attributes, the rules being in accordance with the SOQ framework, the composability of the first and second services being determined with respect to both the syntactic and semantic aspects of the first and second services.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for performing one or more actions based on determined access permissions for a plurality of users. These mechanisms and methods for performing one or more actions based on determined access permissions for a plurality of users can enable improved data collection and analysis, enhanced client knowledge of system access, etc.

Abstract: Implementations described and claimed herein provide systems and methods for dynamically masking an access control list corresponding to a file system object in response to a change mode command. In one implementation, a change mode command for a file system object to change a first mode to a second mode is received. The first mode defines a first set of access rights and the second mode defines a second set of access rights. In response to the change mode command, a mask is dynamically applied to an access control list corresponding to the file system object. The access control list has zero or more access control entries defining access permissions for the file system object. The mask modifies any of the zero or more access control entries that have access permissions that exceed the second set of access rights defined by the second mode. The access control list is preserved.

Abstract: A method and apparatus for detecting a multimedia content change, and a resource propagation system. The method comprises: when importing a resource address of multimedia content, acquiring original feature information of the multimedia content; receiving first feature information of the multimedia content from a client; determining, according to the first feature information and corresponding original feature information of the multimedia content, whether the resource address of the multimedia content is abnormal; and detecting whether multimedia content at an abnormal resource address is changed. It is firstly determined whether a resource address corresponding to multimedia content is abnormal, and if the resource address is abnormal, then it is determined whether the multimedia content corresponding to the resource address is changed, thereby preventing repeated checking of a large number of normal resource addresses, improving the detection efficiency, and reducing the detection cost.

Abstract: An information processing apparatus includes a storage managing unit configured to manage a storage device by dividing the storage device into a plurality of physical storage regions corresponding to respective modes used by the information processing apparatus, and a storage processing unit configured to cause data generated by the information processing apparatus during operation in a mode to be stored in a physical storage region corresponding to the mode. For example, the storage managing unit stores a policy in the storage device. The policy defines whether to permit the use of data between a plurality of security attributes corresponding to the respective physical storage regions.

Abstract: The system provides a method and apparatus for constructing, and for dynamically rearranging the order of content in a composite video. The re-ordering of clips in the composite video can be based on one or more weighting factors associated with each clip. These factors can include freshness or newness of the clip, popularity based on the number of “likes” of a clip by others, the content of the clip (e.g. celebrity creator or presence), paid boosting (e.g. for commercial concerns); and other factors. Each clip has associated metadata that can be used to assign a weight value to the clip for purposes of reordering the composite video.

Abstract: The present invention provides an information processing device that enables a reduction in the processing cost of verifying anonymity during anonymization when multi-dimensional data is the subject of anonymization. The information processing device is provided with: a unit which generates information indicating the correspondence between a record contained in a data set and a class specifying a unique combination of quasi-identifier attribute values; a unit which verifies the anonymity of each record on the basis of the class thereof indicated in the information; and a unit which, on the basis of the results of verifying the anonymity, updates the information in a manner such that whether or not the record satisfies the anonymity can be identified and outputs the record-class correspondence information.

Abstract: The disclosure relates to machine-learning behavioral analysis to detect device theft and unauthorized device usage. In particular, during a training phase, an electronic device may generate a local user profile that represents observed user-specific behaviors according to a centroid sequence, wherein the local user profile may be classified into a baseline profile model that represents aggregate behaviors associated with various users over time. Accordingly, during an authentication phase, the electronic device may generate a current user profile model comprising a centroid sequence re-expressing user-specific behaviors observed over an authentication interval, wherein the current user profile model may be compared to plural baseline profile models to identify the baseline profile model closest to the current user profile model.

Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Abstract: Embodiments pertaining to managing access in one or more computing systems can include an operations controller in communication with the one or more computing systems for managing commercial transactions of the one or more computing systems and an access management controller in communication with the operations controller. The access management controller can receive an input including user roles and actions associated with the one or more computing systems. The access management controller can provide the input to the operations controller for implementation of access rules in accordance with relationships between the user roles and the actions. The access management controller can attempt to access in the one or more computing systems at least a portion of the user roles and the actions after the operations controller has implemented the access rules. The access management controller can compare the attempted access with the relationships to determine access discrepancies.

Abstract: Employment role data, trust data, and special permissions data, associated with a party is automatically obtained and/or monitored. The employment role data associated with the party, the trust data associated with the party, and the special permissions data associated with the party, is then analyzed to determine a set of allowed access permissions data to be associated with the party, the set of allowed access permissions data providing the party access to one or more resources. It is then either recommended that the set of allowed access permissions data be provided to the party, or the set of allowed access permissions data is automatically provided to the party.

Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying inconsistent security policies. One of the methods includes identifying running software components on a cluster of computers, a first subset of the components managing datasets, a second subset of the components managing other components; identifying entity pairs, each being either: (1) (i) a component paired with (ii) a dataset, or (2) two components paired with each other; determining, for each entity pair, a directed relationship from a first to a second entity, where the first entity is a component, and where the directed relationship represents the first entity executing a type of interaction with the second entity; identifying security policies affecting each entity that each limit user access to a type of interaction; and analyzing, for each entity, entity pairs including the entity and one or more security policies affecting the entity to identify inconsistent security policies.

Abstract: The system and method of visual role engineering uses a visual assessment tool to identify clusters of users and to define roles. A “cluster image” is generated that visually depicts the cluster tendencies of users and permissions. An operator of the visual assessment tool can visually identify clusters of users with the same permissions. The operator may select a cluster representing a subset of users, define a role for the subset of users, and assign permissions to the role. The process may be repeated in an iterative fashion until it is determined that no more roles are needed.

Abstract: A synchronization window for synchronizing data for a calendar in a client calendar data store on a calendar data client computer system with data for the calendar in a server calendar data store on a calendar data server computer system can be calculated using a current time. A request for synchronization data for calendar items for the calendar with calendar times that are within the synchronization window can be sent to the calendar data server. One or more responses to the request can be received from the calendar data server. The response(s) can include received records for calendar items that are at least partially within the synchronization window. The received records can include a master record of a recurring calendar item and an instance record of an occurrence of the recurring calendar item. The received records for the calendar items can be incorporated in the client calendar data store.

Abstract: Systems and methods are provided for a non-transitory computer readable medium storing instructions configured to retrieve a first list of operations for a device including a sensor, an actuator, or a combination thereof, included in an industrial control system. The instructions are also configured to display a first color for each operation in the first list of operations indicative of a modification privilege related to the respective operation.

Abstract: A computer-implemented method for detecting suspicious attempts to access data based on organizational relationships may include (1) detecting an attempt by a computing device within an organization to access an additional computing device within the organization, (2) identifying, based on a directory service associated with the organization that classifies the computing device and the additional computing device, an organizational relationship between the computing device and the additional computing device, (3) determining, based on the organizational relationship between the computing device and the additional computing device, that the attempt by the computing device to access the additional computing device is suspicious, and (4) performing a security action in response to determining that the attempt by the computing device to access the additional computing device is suspicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An “audience” object describes a collection of users who are known to or expected to view a display. Access control and processing of access dependent contents for an audience are implemented so that information before being displayed is limited to what is authorized for every member in the audience to access. An operator can preview what an expected audience would see. The operator is aided in determining what the effects would be of a newcomer joining an audience. The operator is aided in determining who in an audience causes a difference in authorization. Hardware can be tied in with the access control software.

Abstract: A method and apparatus for configuring identity federation configuration. The method includes: acquiring a set of identity federation configuration properties of a first computing system and a set of identity federation configuration properties of a second computing system; identifying one or more pairs of associated properties in the first and the second sets, where the pairs of associated properties include one property from each set of identity federation configuration; displaying, properties that need to be configured manually from the each sets of identity federation configuration properties, where the properties that need to be configured manually do not include the property in any pair of associated properties for which the value can be derived from the value of another property in the pair; automatically assigning a property that can be derived from the value of another property; and providing each computing systems with each set of identity federation properties.

Abstract: A method for restricting, based on predefined user profile information, access to software executing on a computing device of a user. The method comprises the following steps. Input data is intercepted from a user input device. The input data is compared with a list of restrictions in the user profile information to determining if an action associated with the input data is prohibited. The input data is passed to the software for execution only if the action associated with the input data is not prohibited. A method for restricting, based on predefined user profile information, access to notifications generated for a user is also provided.

Abstract: The present disclosure describes methods, systems, and computer program products for providing declarative authorizations for SQL data manipulation. One computer-implemented method includes defining a data access model by: defining at least one aspect to be used as an authorization-relevant attribute for a resource entity, defining a path definition from the resource entity to the at least one aspect to relate the at least one aspect to the resource entity the authorization is restricted on, defining at least one restriction for the at least one aspect as part of the path definition, wherein defining the at least one restriction includes determining which constraint condition are to be used and how the constraint conditions are to be combined, and defining/assigning a role to a user, the role defining authorization to the resource entity using, at least in part, the at least one aspect, and deploying a data control language document.

Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: A data construct called a semcard is a semantic (meaning-based) software object including semantic meta-tags and meta-data that describes a target object or thing. A target object can be any type of digital or physical entity or identifier, or it can be tacit knowledge, such as ideas, concepts, processes or other data existing in a user's mind, provided that the user represents this knowledge in the semcard. A semcard embodies information about its own structure—rules, history, state, policies and goals regarding automation, display, access permissions, sharing and other operations of the semcard and any optional target object. It can also represent a semantic link between two semcards, or a semantically typed link or a standard Web hyperlink between a semcard and its referent target. A collection of semcards represents a knowledge network; single semcards, and knowledge networks, can be browsed, shared, searched, disseminated, manipulated, displayed, organized, and stored.

Abstract: Techniques to estimate the probability of a future event occurring are described. The techniques include decomposing a data input stream to build a database of precursor data and building predictive models using the precursor data. Also disclosed are techniques in which by using a search engine to search a database of models to find a model and a user can query a found model to develop an inference of the likelihood of the future event.

Abstract: The invention provides a method of automatically verifying certain items in a database relating to a set of people, and including for each person a plurality of data items such as age, first name, gender, a portrait, fingerprint images, or other biometric data items, the method incorporating determining for each person a plurality of correlations associating certain data items of that person with one another, for each data item being verified, calculating a confidence score depending at least on a first correlation of the data item being verified with a first other data item for the same person and on a second correlation of the data item being verified with a second other data item for the same person, and a step of comparing the score with a threshold value in order to determine whether the data item being verified is or is not valid.

Abstract: A system for controlling access within an enterprise to information associated with recipients of an electronic message campaign of the enterprise sent to a plurality of recipient devices wherein the enterprise includes hierarchically structured Business Units having an enterprise level Business Unit at the highest level and a plurality of second level Business Units and an enterprise system communicatively coupled to a network and including an enterprise level device communicatively coupled to a plurality of second level devices includes a server and an electronic message engine The server is configured to assign an enterprise account to the enterprise system and to allow the enterprise level device to communicate selected portions of the recipient list. The electronic message engine is configured to generate electronic messages within a message campaign for sending to recipients identified by each of the second level devices from the selected portions of the recipient list.

Abstract: A journaling system provides access to subsets of user information in a segregated fashion. This permits its users to define access settings for their user information thereby limiting which other users may access the user information. In one or more embodiments, the journaling system may include a server or other computing device and one or more storage devices used to store the user information, associated access settings, or both. The access settings may define particular criteria which must be met before a subset of user information may be accessed, and may identify particular users that may access the subset of user information.

Abstract: The invention relates to a method for a computer system storing electronic objects being defined by metadata items. The method comprises deriving access rights from one or more security components originating from respective metadata items of at least one object, and determining the effective access rights for the object by means of the security components. The invention also relates to a method for a computer system storing electronic objects being defined by metadata items, wherein access rights for an object are determined by means of one or more pseudo-users. The invention also relates to an apparatus, a computer system and a computer readable medium comprising a computer program stored therein for carrying out the methods.

Abstract: In accordance with embodiments, there are provided techniques for providing perceivable stimuli in an interface of a multi-tenant on-demand database system. These techniques for providing perceivable stimuli facilitate collaborative efforts of groups of users of a multi-tenant on-demand database system while maintaining access constraints amongst users associated with a common tenant.

Abstract: A media player may be adapted to manage presence information distribution and access to facilitate media communication between compatible devices. Devices connecting in an ad-hoc or other network topology include a plurality of presence settings that determine how or if the device appears to be available for communication to other devices over the network. Additionally, the presence settings identify other, specific devices or groups of devices that may communicate with a device. By comparing the presence settings of a sending device with the settings of a receiving device, the receiving device may determine a presence state for all devices within communication range.

Abstract: A device may correspond to a physical access controller in a distributed physical access control system. The device in a distributed system may include logic configured to detect a request from an application to access an application dataset, wherein the application dataset corresponds to a distributed dataset and determine whether the application dataset exists in the distributed system. The logic may be further configured to generate the application dataset in the distributed system, in response to determining that the application dataset does not exist in the distributed system, and send, to other devices in the distributed system, a request to join a dataset group that includes devices associated with the application dataset, in response to determining that the application dataset exists in the distributed system.

Abstract: Technologies are described herein for caching variably sized access control lists (ACLs) in a data storage system utilizing page object caching. A request to access a file is received. An inode number of the requested file is identified. A hash key based on the inode number and a predefined hash value is determined. A determination is made as to whether the hash key is contained in a hash list. In response to determining that the hash key is contained in the hash list, access to a page object in the memory is provided. The page object contains an access control list (ACL) associated with the requested file. The ACL is retrieved from the page object.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for conditionally allowing an application of an entity access to data of another entity in an on-demand database service. These mechanisms and methods for conditionally allowing an application of an entity access to data of another entity in an on-demand database service can enable embodiments to limit such access to the data, as desired. Furthermore, embodiments of such mechanisms and methods may provide additional security when sharing data among different subscribers to an on-demand database service.

Abstract: To prevent conflicts of interest, an information management system is used to make sure two or more groups are kept apart so that information does not circulate freely between these groups. The system has policies to implement an “ethical wall” to separate users or groups of users. The user or groups of user may be organized in any arbitrary way, and may be in the same organization or different organizations. The two groups (or two or more users) will not be able to access information belonging to the other, and users in one group may not be able to pass information to the other group. The system may manage access to documents, e-mail, files, and other forms of information.

Abstract: Systems and methods for permission maintenance are presented. In one embodiment, a permission maintenance method includes: gathering permission indication information including permission indications associated with various stored information; analyzing the permission indication information including analyzing potential permission indication origination; and creating interface presentation information based upon results of the analyzing the permission indications, wherein the interface presentation information includes information related to potential origination of a permission indication. The gathering can include scanning a file system and collecting active directory information. The analyzing can include determining the type of access a principal is given to a file. The analyzing can also include determining if a principal is associated with a group and the type of permissions given to the group.

Abstract: The invention relates to an online web-based medical database and collaboration tool that can be used by surgeons, hospitals, medical institutions, manufacturers and others to collect, store, analyze and harvest clinical and radiologic data. The clinical registry system includes a registry database and a registry processor in electrical communication with the registry database and performing operations on the registry database. The registry database stores patient data from a plurality of sites, a plurality of registry groups and an indicator for each of the plurality of sites identifying which of the plurality of registry groups each site is a member. The members of a registry group have access to aggregated data and comparative reports of all the registry group members in real-time. Each site may be a member of one registry group, multiple registry groups, or no registry groups.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for storing documents that are being tracked in an on-demand service. These mechanisms and methods for storing documents in an on-demand service can enable embodiments to provide the sharing of documents and the storing of the documents in association with a tag. The ability of embodiments to provide the sharing of documents and the storing can enable an efficient searching for a shared document. In an embodiment, the shared document is categorized upon being stored.

Abstract: Systems and methods are presented for dynamically controlling role-based access to enterprise applications. The access includes both a user's ability to access a requested functionality (hereinafter referred to as “features”) in an enterprise applications, as well as the user's ability to access the specific data (and request filtering of the data) within the enterprise applications. The systems and methods provide dynamic control by utilizing a number of separate tables for identifying each element (user, role and feature), with join-tables used to define, on an active/customized basis, the association of each user with respect to a particular role (user_role join-table) and association of each feature with the listing of roles (feature_role join-table). The join-tables and specific element tables may be modified during runtime to modify any of the associations or listings.

Abstract: User specific logs in multi-user applications. Level data associating a user of a multi-user application with a respective log level is received. The multi-user application then records an amount of information determined by the log level corresponding to the user presently using the multi-user application.

Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for sharing tenant information utilizing a multi-tenant on-demand database service. These mechanisms and methods for sharing tenant information utilizing a multi-tenant on-demand database service can allow automatic sharing of information owned by a first tenant with other tenants of the multi-tenant on-demand database service. In this way, collaboration among tenants of the multi-tenant on-demand database service may be enabled via the sharing of the tenant information.

Abstract: A remote storage digital video recorder (RS-DVR) system is disclosed. The RS-DVR system includes a network interface to communicate data between the RS-DVR system and a subscriber system via a network, a file system module coupled to the network interface, an ingest agent coupled to the file system module to receive encoded media segments that represent media content files encoded at a plurality of different bitrates, and a storage architecture coupled to the file system to store the encoded media segments, resulting in stored media segments. The RS-DVR carries out a number of functions and operations to service multiple subscribers and associated subscriber systems, such as various storage device management operations, file structure techniques, assignment of recorded media to subscribers, file system indexing, and supporting shared and per-subscriber content rights.

Abstract: File management systems and methods are presented. In one embodiment, implementation of a method for determining the accurate ownership of a file within a data system includes: identifying a first plurality of access events for a file, wherein the file is associated with a directory of related files; identifying a second plurality of access events for the related files within the directory, wherein access events in the first and second plurality of access events occur within a period; determining a pool of users accessing files within the directory within the period; and selecting a user from the pool of users as an inferred owner of the file based on access metrics related to the plurality of access events.

Abstract: According to one embodiment, the resource access unit accesses a first resource including a replication target object and policy data assigned to the object. The policy data includes base policy data including a first condition and assertion policy data including a second condition. The first retrieval unit obtains first attribute data for accessing the first resource. The first policy evaluation unit determines whether the first attribute satisfies the first condition. When the first condition is satisfied, the copy processing unit executes the copy processing for copying the object. The second retrieval unit obtains the second attribute data for accessing the second resource. The second policy evaluation unit determines whether the second attribute data satisfies the second condition. When the second condition is satisfied, the paste processing unit executes paste processing for pasting the object to the second resource.