Access Control Lists Patents (Class 707/785)
  • Patent number: 8892877
    Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Sirko Molau
  • Patent number: 8892601
    Abstract: Creating web application using cloud-based friction-free databases without web hosting knowledge. User credentials are received at a web application service for initiating a web application task via client software. The user credentials are analyzed to determine whether to grant the user permission to initiate the requested web application task. The web application task is initiated when the permission is granted. Data associated with the initiated web application task is received at the web application service for analysis of the data to host and render a web application based solely on received data provided without basis of web hosting knowledge.
    Type: Grant
    Filed: October 25, 2011
    Date of Patent: November 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Steven Greenberg, Michael Hopkins Smith, Vijayalakshmi Ramkumar, Brian Eugene Kihneman, Alexander Alexandrovich Spiridonov, David Michael Jade, Shen Wang, Sumit Chauhan, Gregory Chan, Tobias Joakim Bertil Ternström, Russell Mark Sinclair, Todd Haugen, Ritu Singh, Daniel J. Cole, Peter Alan Carlin, Christopher Todd Seitzinger
  • Publication number: 20140337385
    Abstract: Embodiments of a system and method are disclosed concerning the management of file usage. The method of controlling file access may manage a file with a target ID that has a sender and a recipient. The method may also establish a priority level key associated with the file. The priority level key may control file access. The method may provide the file access to the recipient if the recipient has access rights corresponding to the priority level key.
    Type: Application
    Filed: May 7, 2013
    Publication date: November 13, 2014
    Applicant: International Business Machines Corporation
    Inventors: Dustin A. Helak, David C. Reed, Thomas C. Reed, Max D. Smith
  • Patent number: 8886674
    Abstract: An entitlement system and method of operating the same includes a file share storage and a file publisher that receives schedule data and generates a formatted file in a first format from the schedule data. The file publisher stores the formatted files in the file share storage. The entitlement system also includes an entitlement cache and a file processor communicating the formatted files from the file share storage to the entitlement cache. An authorization server receives an access request from a user device and accesses the formatted file. The authorization server compares a first content identifier from the formatted file to an authorized rights list for the user device and authorizes the user device to access the content in response to comparing.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: November 11, 2014
    Assignee: The DIRECTV Group, Inc.
    Inventors: Kapil Chaudhry, David N. Schlacht
  • Patent number: 8880466
    Abstract: A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: November 4, 2014
    Assignee: CommVault Systems, Inc.
    Inventors: Anand Prahlad, Srinivas Kavuri
  • Patent number: 8874929
    Abstract: Aspects of the disclosure provide methods and systems for cross domain discovery. According to the disclosure, an object can include multiple entities defined by an originator. The multiple entities have different scopes corresponding to different access restrictions. Further, the originator defines keywords for each of the multiple entities. A system for cross domain discovery stores the multiple entities in an object service component, and stores the keywords and access restrictions in a search service component. The search service component conducts a search based on the keywords and access restrictions in response to a search request from a user. An entity is provided to the user based on the user's credential and the searching.
    Type: Grant
    Filed: October 27, 2009
    Date of Patent: October 28, 2014
    Assignee: Lockheed Martin Corporation
    Inventor: Richard Arthur Fastring
  • Publication number: 20140317145
    Abstract: Techniques for controlling access to shared data files such as stored in a collaborative file sharing service. Organizations want to have access to data originated by their employees and want that access to continue even when the employees leave the company. Also, organizations do not want former employees to have access to the company's files. A file storage service uses an Organization's recovery key while creating a recovery record for a file (which may be stored in a folder), and protected using a Work identity. The individual person who originally creates a file and/or shares a folder securely with others is considered the folder's owner as long as he is part of the same Organization. User's identities are validated upon access. The keys are also purged from a local key store as soon as identity changes are detected. In this way, the folder owner will not be able to decrypt files stored in a folder shared using a Work identity if the identity is canceled by the Organization.
    Type: Application
    Filed: June 9, 2014
    Publication date: October 23, 2014
    Inventors: Igor Odnovorov, Nicholas Stamos
  • Patent number: 8868607
    Abstract: Methods and systems for monitoring privileged user access of a database using a computer having at least one processor are provided. The system monitors database transactions. If a transaction is made by a privileged user, the system records information relating to the transaction in an audit database and/or in an audit file. If a transaction is made by a terminated or otherwise unauthorized privileged user, the system can be adapted to alert management of a possible security breach.
    Type: Grant
    Filed: September 18, 2009
    Date of Patent: October 21, 2014
    Assignee: American International Group, Inc.
    Inventor: Ira W. Apsel
  • Patent number: 8856175
    Abstract: A method, and computer-readable media for performing the method, for managing business transactions. Electronic transaction documents are received from authenticated users and stored in a database, with system usage data regarding users' access to and use of the system captured and stored in the database. Only specified parties are afforded access to system usage data for each user.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: October 7, 2014
    Inventor: Robert E. Marsh
  • Patent number: 8849858
    Abstract: In an information management system, activity data is collected and analyzed for patterns. The information management system may be policy based. Activity data may be organized as entries including information on user, application, machine, action, object or document, time, and location. When checking for patterns in the activity or historical data, techniques may include inferencing, frequency checking, location and distance checking, and relationship checking, and any combination of these. Analyzing the activity data may include comparing like types or categories of information for two or more entries.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: September 30, 2014
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 8850048
    Abstract: Access management to femto cell service is provided through access control list(s) (e.g., white list(s), or black list(s)). White list(s) includes a set of subscriber station(s) identifier numbers, codes, or tokens, and also can include additional fields for femto cell access management based on desired complexity. White list(s) can have associated white list profile(s) therewith to establish logic of femto coverage access based on the white list(s). A mechanism for reciprocal addition of access field attributes in access control lists and white list profiles also is provided. The mechanism allows at least in part for a first subscriber to be added to a configured white list of a second subscriber, when the first subscriber configures a new white list, the second subscriber is reciprocally incorporated in the new white list. Such mechanism can be driven and facilitates generation of associations among groups of subscribers that share specific commonalities.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: September 30, 2014
    Assignee: AT&T Mobility II LLC
    Inventors: Kurt Donald Huber, William Gordon Mansfield, Judson John Flynn
  • Patent number: 8843998
    Abstract: Embodiments of apparatus, systems and methods facilitate deployment of distributed computing applications on hybrid public-private infrastructures by facilitating secure access to selected services running on private infrastructures by distributed computing applications running on public cloud infrastructures. In some embodiments, a secure tunnel may be established between proxy processes on the public and private infrastructures and communication between the distributed computing application and the selected services may occur through the proxy processes over the secure tunnel.
    Type: Grant
    Filed: November 25, 2011
    Date of Patent: September 23, 2014
    Assignee: Cliqr Technologies, Inc.
    Inventors: Tianying Fu, Gaurav Manglik, Xuefeng Zhu
  • Patent number: 8838647
    Abstract: A profile management apparatus for controlling available media content includes an individual identifier module, a profile creation module, a profile selection module, and a media control module. The individual identifier module automatically identifies one or more individuals as currently within a perceiving range of an output device receiving input from a media player without user input. The profile creation module automatically creates a new profile without user input in response to determining that a profile associated with the one or more individuals does not exist. The profile selection module selects at least one profile associated with the one or more individuals. The media control module controls media that is available for selection on the media player based on one or more of media usage information and content restriction rules of the at least one profile.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: September 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Kumar Ravi, Radhakrishnan Sethuraman, Manuel Silveyra
  • Patent number: 8839311
    Abstract: The illustrative embodiments described herein provide systems and methods for conducting transactions with a customer using text messages. In one embodiment, a method includes receiving a first text message from a mobile communication device associated with a customer. The first text message includes a request from the customer to receive one or more text messages from a vendor. The method also includes adding the customer to a set of consenting customers in a customer database in response to receiving the first text message. The set of consenting customers includes customers that consent to receiving text messages from the vendor. The method also includes sending a second text message to the mobile communication device. The second text message is associated with a service offered by the vendor.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: September 16, 2014
    Assignee: West Corporation
    Inventors: Chad David Hendren, Kenneth A. Darby, James Frazer, Steven Gass, Sandra Stetich
  • Patent number: 8839452
    Abstract: A method of managing access rights to corporate records is described. Employee data with respect to a first organizational hierarchy is maintained in a database, and file records data with respect to a second organizational hierarchy is maintained in another database. A request from an employee is received for a file record. A determination is made as to whether the requesting employee matches an entry in the first organizational hierarchy. Another determination is made as to whether the requested file record matches a file record of file records that the requesting employee is authorized to access, and access to the requested file record is permitted or denied to the requesting employee based upon the determinations.
    Type: Grant
    Filed: September 4, 2007
    Date of Patent: September 16, 2014
    Assignee: Bank of America Corporation
    Inventors: David S. Joy, Robert Arnish
  • Patent number: 8838646
    Abstract: A method, program product and apparatus for controlling access to profile information, multi-media resources or social network functions of a first user by a second user not listed on a friend or group listing of the first user. An application retrieves a threshold criteria for access control and social network statistics in response to an attempted access by an entity without an appropriate privilege. The application compares the statistics to the threshold. Then, if the statistics meet the threshold criteria, the application allows access.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: September 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: David Gerard Kuehr-McLaren, Ranjan Kumar, Kwabena Mireku, Govindaraj Sampathkumar
  • Patent number: 8832724
    Abstract: A remote storage digital video recorder (RS-DVR) system is disclosed. The RS-DVR system includes a network interface to communicate data between the RS-DVR system and a subscriber system via a network, a file system module coupled to the network interface, an ingest agent coupled to the file system module to receive encoded media segments that represent media content files encoded at a plurality of different bitrates; and a storage architecture coupled to the file system to store the encoded media segments, resulting in stored media segments. The RS-DVR carries out a number of functions and operations to service multiple subscribers and associated subscriber systems, such as various storage device management operations, file structure techniques, assignment of recorded media to subscribers, file system indexing, and supporting shared and per-subscriber content rights.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: September 9, 2014
    Assignee: Dish Digital L.L.C.
    Inventors: Robert Drew Major, Darren Major
  • Publication number: 20140236999
    Abstract: A method for controlling access to a file system having data elements, including the steps of maintaining a record of respective actual accesses by users of the file system to the data elements, defining a proposed removal of a set of the users from a superset of the users, wherein members of the superset have common access privileges to a portion of the data elements, and wherein following an implementation of the proposed removal, members of the set retain respective proposed residual access permissions, ascertaining, prior to the implementation of the proposed removal, that at least one of the respective actual accesses are disallowed to the members of the set, or to non-members of the set having actual access profiles which are similar to the actual access profiles of the members of the set, by the respective proposed residual access permissions, and generating an error indication, responsively to the ascertaining.
    Type: Application
    Filed: February 20, 2013
    Publication date: August 21, 2014
    Applicant: VARONIS SYSTEMS, INC.
    Inventors: Yakov FAITELSON, Ohad KORKUS
  • Publication number: 20140229508
    Abstract: A system for enabling users to select combination of characters includes a database, a system restriction module, a rule engine and processing module. The database comprises a list of combinations of characters. The system restriction module comprises instructions to select combinations of characters present in the database, based on input received from a user. The rule engine comprises instructions to add combinations of characters to the characters selected from the database, based on input received from the user. The processing module is configured to apply the input to query the system restriction module and fetch corresponding instructions; apply the input to query the rule engine and fetch corresponding instructions; query the database based on the instructions fetched from the system restriction module; generate complete combinations of characters based on the instructions fetched from the rule engine; and communicate generated complete combinations of characters to the user.
    Type: Application
    Filed: February 4, 2014
    Publication date: August 14, 2014
    Inventor: Adarsh JAIN
  • Patent number: 8805882
    Abstract: Access to customer relationship management (CRM) secured field instances is enabled based on field settings. A requester's identity determines action paths to be executed in order to enable access to fields. A client application's user privileges are inherited to enable access to secured fields. Such access through a granted privilege is provided through an API intermediating inheritance of user's privileges from client application.
    Type: Grant
    Filed: January 20, 2011
    Date of Patent: August 12, 2014
    Assignee: Microsoft Corporation
    Inventors: Elliot Lewis, Andriy Smertin, Noor Mohammed Merchant, Mahesh Hariharan
  • Patent number: 8805884
    Abstract: An automatic resource ownership assignment system, the system including resource ownership indicators definition functionality operative to allow an operator of the system to define resource ownership indicators, automatic resource ownership recommendation functionality operative to provide, to at least one user of the system, a recommendation to assign ownership of at least one resource to a potential owner, based on the resource ownership indicators, and automatic resource ownership assignment functionality which, responsive to predetermined at least partial approval of the at least one recommendation by the at least one user and approval of said at least one recommendation by the potential owner, is operative to automatically assign ownership of the at least one resource to the potential owner.
    Type: Grant
    Filed: January 27, 2011
    Date of Patent: August 12, 2014
    Assignee: Varonis Systems, Inc.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir
  • Publication number: 20140222866
    Abstract: A hosted storage system receives a storage request that includes a single object and conforms to an API implemented by the hosted storage system. The API is designed to only support a single object in a storage request. The hosted storage system, in response to determining that the single object is an archive file, extracts each of the bundled files from the archive file and stores each of the extracted files in the hosted storage system such that each of the extracted files is separately accessible by the client system over the network.
    Type: Application
    Filed: February 1, 2013
    Publication date: August 7, 2014
    Applicant: Google Inc.
    Inventor: Navneet Joneja
  • Patent number: 8799321
    Abstract: A license management apparatus includes: a license information storage; a reproduced user information storage; an invalidation information storage; a compare unit; an update unit; and a setting unit.
    Type: Grant
    Filed: April 16, 2009
    Date of Patent: August 5, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Rumiko Kakehi, Masaki Kyojima
  • Patent number: 8793213
    Abstract: A central data warehouse includes embedded data marts. These embedded data marts, referred to as workspaces, are assigned centrally managed data by reference only but rely directly on the centrally managed data and the underlying infrastructure. Workspaces still allow departments in an enterprise to perform certain actions on their own (like adding new data and building new models) without having to instantiate copies of the centrally managed data in a locally managed data mart.
    Type: Grant
    Filed: May 23, 2012
    Date of Patent: July 29, 2014
    Assignee: SAP AG
    Inventors: Klaus Nagel, Rainer Schaefer, Silvia Bratz, Marcus Hoepfner, Patrick Winkler, Matthias Jensen, Dirk Janning
  • Publication number: 20140207824
    Abstract: Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
    Type: Application
    Filed: January 22, 2013
    Publication date: July 24, 2014
    Applicant: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Peter Nicholas DeSantis, Léon Thrane
  • Publication number: 20140207823
    Abstract: A method, system and computer program product for automatically granting access to content referenced in a microblog. A microblog post having content referenced therein is received by a microblog server. The microblog post includes a special character (e.g., “@”) designating a user, group or community. Furthermore, the microblog post includes a special character (e.g., “!”) designating the content. In response to recognizing the special character designating the content, the microblog server grants access to the designated content to the user, group or community referenced in the microblog post. By including a special character in the microblog post to designate content to be made available to the user, group or community referenced in the microblog post, the user can now designate the content to be made available to the users, groups and/or communities that do not previously have rights to access the content in an easy and efficient manner.
    Type: Application
    Filed: January 18, 2013
    Publication date: July 24, 2014
    Applicant: International Business Machines Corporation
    Inventors: Ethan L. Perry, Josef Scherpa, Andrew L. Schirmer
  • Publication number: 20140201242
    Abstract: A computer-implemented method for generating role-based authorizations includes collecting, by a processor, a plurality of permissions from an access control list, creating, by the processor, a plurality of content space specification files that includes the plurality of permissions from an access control list, processing, by the processor, the plurality of content space specification files to generate a plurality of access control list roles and outputting, by the processor, the plurality of access control list roles.
    Type: Application
    Filed: January 15, 2013
    Publication date: July 17, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Senthil K. Bakthavachalam, Edward B. Boden, Ramamohan Chennamsetty
  • Patent number: 8782086
    Abstract: In a dispersed storage network where slices of secure user data are stored on geographically separated storage units, a managing unit connected to the network may seek to broadcast and update secure access control list information across the network. Upon a target device receiving the broadcast the target device creates and sends an access control list change notification message to all other system devices that should have received the same broadcast if the broadcast is a valid request to update access control list information. The target device waits for responses from the other system devices to validate that the broadcast has been properly sent to a threshold number of other system devices before taking action to operationally change local data in accordance with the broadcast.
    Type: Grant
    Filed: April 14, 2010
    Date of Patent: July 15, 2014
    Assignee: Cleversafe, Inc.
    Inventor: Jason K. Resch
  • Patent number: 8775468
    Abstract: An improved method and system for providing path-level access control to a structured document in a collection stored in a database, where the structured document includes a plurality of nodes is disclosed. The method includes the steps of providing an access control policy for the collection, where the access control policy comprises a plurality of access control rules, generating a path for each node of the plurality of nodes in the document, and generating for each path associated with a node a corresponding value expression based on at least one access control rule of the plurality of access control rules. According to the method and system of the present invention, the corresponding value expression is utilized during access control evaluation to determine whether a user is allowed to access a node in the structured document.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: July 8, 2014
    Assignee: International Business Machines Corporation
    Inventors: Satoshi Hada, Michiharu Kudo, Naishin Seki, Akihiko Tozawa, Robbert C. Van der Linden
  • Patent number: 8768966
    Abstract: The present invention relates to a method for preventing the simultaneous modification of the same database object in a shared database by more than one user during the database development stage comprising the steps of: (a) creating security roles for said users, wherein each of the security roles has a modification permission set for denying or granting at least one modification permission to at least one said database object; (b) assigning each of said security roles to each of said users; (c) providing means for said users to request said modification permission to said database object; (d) receiving said request from a first user for said modification permission to said at least one database object; (e) determining that said security roles of said users, excluding the security role of first user, are set to deny said modification permissions to said object; (f) updating said security role of said first user to grant said modification permission to said object; (g) allowing said first user to modify said
    Type: Grant
    Filed: September 3, 2007
    Date of Patent: July 1, 2014
    Assignee: DB Maestro Ltd.
    Inventors: Yehuda Yaniv, Roy Ozeri
  • Patent number: 8762335
    Abstract: A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: June 24, 2014
    Assignee: CommVault Systems, Inc.
    Inventors: Anand Prahlad, Srinivas Kavuri
  • Publication number: 20140172918
    Abstract: A service request from a user is received to execute an operation on an instance of a business object. Thereafter, an access control check is performed to confirm whether the user is allowed to execute the requested operation on a type of business object corresponding to the business object specified and based on an access group associated with the user. Subsequently, the user is either provided with access to the instance of the business object to execute the operation if the access control check confirms that the user is allowed to execute the operation on the instance of the business object, or prevented from accessing the instance of the business object to execute the operation on the instance of the business object. Related apparatus, systems, techniques and articles are also described.
    Type: Application
    Filed: December 18, 2012
    Publication date: June 19, 2014
    Inventors: Tim Kornmann, Marcel Hermanns, Cristina Buchholz, Michael Hartel, Daniel Zoch
  • Patent number: 8750144
    Abstract: Aspects of the invention provide for updating TCAMs while minimizing TCAM entry updates to add/delete ACL rules. For example, one aspect provides a method for minimizing updates in a router forwarding table, such as a TCAM, including a plurality of rules indexed by priority. This method comprises providing a proposed rule to be added to the router forwarding table, identifying a range of candidate entries in the router forwarding table for the proposed rule, determining a minimum set of rules to relocate, and creating an empty entry in the range of candidate entries based upon the minimum set of rules to relocate. The method may further comprise reallocating the minimum set of rules by, for example, shifting the minimum set of rules in sequence based on priority, and adding the proposed rule to the empty entry in the range of candidate entries.
    Type: Grant
    Filed: October 20, 2010
    Date of Patent: June 10, 2014
    Assignee: Google Inc.
    Inventors: Junlan Zhou, Zhengrong Ji
  • Publication number: 20140149461
    Abstract: A method of managing file permissions in a remote file storage system includes defining permissions for the remote file storage system and controlling access to objects on the remote file storage system according to the permissions of the remote file storage system. The permissions are transferred to a client file storage system remote from the remote file storage system, and access to objects on the client file storage system is controlled according to the permissions of the remote file storage system. A remote file storage system includes a permissions file generator operative to generate a permissions file, which is transmitted to a client file storage system for enforcement at the client file storage system.
    Type: Application
    Filed: November 29, 2012
    Publication date: May 29, 2014
    Inventors: Ravi Wijayaratne, Ray White, Manish Marathe, Aahz, Rajesh Ram, Amrit Jassal
  • Patent number: 8725675
    Abstract: In a file server for suppressing power consumption of a storage apparatus, when a file sharing program receives a file access from a client, the program references a mapping table. The program addresses the access to the target file in the volume of a RAID group where the target file is stored. A coupling-request reception program memorizes a coupling time for each user into a coupling history table. A grouping program applies a grouping to users whose coupling time-zones are similar. A data transfer program transfers, into the same RAID group, data of the files associated with the grouped users, thereby collecting the data into the same RAID group. Thus, the time-zone when no access is made to the RAID group (i.e., non-coupling time-zone) can be made longer. Accordingly, a spin-up/down request program makes a spin-down request to the RAID group in the non-coupling time-zone.
    Type: Grant
    Filed: October 17, 2011
    Date of Patent: May 13, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Shinichi Moriwake, Nobuyuki Saika, Hitoshi Kamei, Takahiro Nakano
  • Patent number: 8726017
    Abstract: A system and method for data storage and removal includes providing databases and providing encryption keys. Each database is associated with a database time period and each encryption key is associated with an encryption time period. Data items are received and each data item is encrypted using the encryption key associated with the encryption time period that corresponds to a time associated with the data item. Each encrypted data item is stored in the database associated with the database time period that corresponds to the time associated with the data item. Each encryption key is deactivated at a predetermined time after the associated encryption time period ends. Each database is made irretrievable upon a determination that all of the encryption keys associated with the data items stored in that database have been deactivated.
    Type: Grant
    Filed: September 19, 2011
    Date of Patent: May 13, 2014
    Assignee: Bright Sun Technologies
    Inventor: Harmannus Vandermolen
  • Patent number: 8713055
    Abstract: A social network allows its members to regulate what data is accessible to other members using one or more privacy settings. A particular member of the social network can modify the one or more privacy settings to grant or deny different users access to different data. When a member modifies a privacy setting, the social network determines which information pathways communicating data between members are affected. The affected information pathways are then modified responsive to the privacy setting to communicate data identified by the modified privacy setting and enforce the new privacy restrictions.
    Type: Grant
    Filed: September 8, 2008
    Date of Patent: April 29, 2014
    Inventors: Ezra Callahan, James H. Wang, Nicolas Vera
  • Publication number: 20140115005
    Abstract: Implementations described and claimed herein provide systems and methods for dynamically masking an access control list corresponding to a file system object in response to a change mode command. In one implementation, a change mode command for a file system object to change a first mode to a second mode is received. The first mode defines a first set of access rights and the second mode defines a second set of access rights. In response to the change mode command, a mask is dynamically applied to an access control list corresponding to the file system object. The access control list has zero or more access control entries defining access permissions for the file system object. The mask modifies any of the zero or more access control entries that have access permissions that exceed the second set of access rights defined by the second mode. The access control list is preserved.
    Type: Application
    Filed: October 18, 2012
    Publication date: April 24, 2014
    Applicant: Oracle International Corporation
    Inventors: Lisa Week, Mark Shellenbaum
  • Patent number: 8700663
    Abstract: Various implementations for contextual keyword-based access control are disclosed comprising one or more methods, systems, computer-readable media comprising instructions, and devices for annotating content with keywords, assigning a user to a group, associating the group with the keywords in a context and determining a privilege for the user to access the content based on the keywords, the context and the group.
    Type: Grant
    Filed: August 5, 2009
    Date of Patent: April 15, 2014
    Assignee: Empire Technology Development LLC
    Inventor: James H. Stephens, Jr.
  • Patent number: 8689289
    Abstract: Global object access auditing techniques are described. In an implementation, a global SACL for a resource and an object SACL are merged to form a merged SACL responsive to a request for access to an object. The merged SACL is checked to determine what activity is to generate an audit event.
    Type: Grant
    Filed: October 2, 2008
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Marcelo J. Birnbach, Daniel Carver, Brian Lounsberry, George Li, Felix Kasza
  • Patent number: 8688736
    Abstract: The technology performs database access control in a manner that decreases computational cost of the database access control with an object type definition of a database object that permits multiple parent objects. The system determines whether to grant a user access to a database object via a first set of access control paths that do not rely on whether the user has permission to access a minimum number of parent objects of the database object. Responsive to a determination not to grant the user access via the first set of access control paths, the system determines whether to grant the user access to the database object via a second set of access control paths that determine whether the user has permission to access the minimum number of parent objects of the database object.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: April 1, 2014
    Assignee: salesforce.com, inc.
    Inventors: Percy Mehta, Jesse Collins, Kayvaan Ghassemieh
  • Patent number: 8688733
    Abstract: A documentation inventory manager which assigns a protection key to each piece of documentation that is received. More specifically, when providing information to a receiving company, a client provides their files to a common FTP server. As a support team of the receiving company accesses the files and stores some or all of the files to a local storage system, the files are modified to include an imbedded header record. In certain embodiments, the imbedded header record includes information regarding an original file name sent by the client, a key value that is assigned to that version of the downloaded file, permissions such as whether the file can be copied, and the inventory manager location. Each time a version of the file is downloaded to a different location within the receiving company, that file name, location, and new unique key is updated in the documentation inventory manager.
    Type: Grant
    Filed: March 16, 2012
    Date of Patent: April 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: David Charles Reed, Max Douglas Smith, Joseph Vincent Malinowski
  • Publication number: 20140089348
    Abstract: In a business application, contexts can be switched based on a selected customer. A first authorization profile can be associated with the business application. The authorization profile can restrict a user's ability to access, enter new or update existing information. In response to selection of a first element, such as a customer, the authorization profile can be switched to a second, different authorization profile with different read and/or write privileges. Context switching can also be used which includes additional features beyond the authorization profile. For example, personalization parameters that affect look and feel can be swapped. Additionally, available actions or pages accessible in the application can be swapped.
    Type: Application
    Filed: September 21, 2012
    Publication date: March 27, 2014
    Applicant: SAP AG
    Inventor: Steffen Vollmert
  • Patent number: 8676809
    Abstract: Embodiments of the present invention include a method and apparatus for performing incremental mapping of virtual machine incremental images. The method and apparatus comprise creating a map of the base file as well as the incremental file, utilizing at least a portion of the file tables contained in the various images. This map indicates the type of change (i.e., whether the file is contained completely in an incremental image, is contained in the base image, or is contained in both). In another embodiment, the map may also contain the location of the change or the location of the file within the sequentially stored images upon the backup media.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: March 18, 2014
    Assignee: Symantec Corporation
    Inventor: Timothy Michael Naftel
  • Patent number: 8676845
    Abstract: A method, system and computer-readable medium for controlling access to a relational database is presented. The method includes: defining and creating a plurality of entitlement tables, wherein the entitlement tables are usable by multiple relational databases; receiving a request, from a user, for access to requested data in a relational database, wherein the user is identified by a user identifier that is set by a relational database program; and determining if the user is authorized to access the requested data by comparing the user identifier with an entry in an entitlement table that is associated with the requested data in the relational database, wherein the entitlement table defines which data classifications are authorized to be accessed by the user. The plurality of entitlement tables may have a priority hierarchy, wherein the priority hierarchy defines a higher priority entitlement table as being dominant to a lower priority entitlement table.
    Type: Grant
    Filed: August 22, 2006
    Date of Patent: March 18, 2014
    Assignee: International Business Machines Corporation
    Inventor: Michael Bender
  • Patent number: 8676847
    Abstract: Organization and assignment of access privileges to resources in a computer network. The resources of the network are organized into a hierarchical tree structure, with each node in the tree representing a resource, resource group, or resource instance. Read and/or write permission to one or more resources may be explicitly granted to the resource or implicitly granted based upon the location of the resource in the hierarchical structure. The access rights attach to the resource(s). Upon movement of the resource within the tree structure or to an alternate tree structure, the access rights associated therewith remain with the relocated resource.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: March 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Eric W. Brown, Ramamohan Chennamsetty, Kerry A. Ortega, Aaron D. Sahlin, Andrew J. Streit
  • Patent number: 8676846
    Abstract: Methods for providing a generic database security application using virtual private database (VPD) functionality are provided. The methods may include inserting rows into a user security table in a database providing VPD functionality, each row comprising a user ID for which database access is to be controlled, the name of a database object to be secured, and a predicate; and defining a security policy function common to all secured database objects, said security policy function generating a second predicate to be appended by the database's VPD functionality to queries made on a queried secured database object by a querying user, said second predicate based on at least one predicate in at least one row in the user security table, the at least one row referencing the name of the queried secured database object and the user ID of the querying user. Related systems and computer program products are also provided.
    Type: Grant
    Filed: November 29, 2012
    Date of Patent: March 18, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James Pooley, Dhanshri Phondge
  • Patent number: 8671113
    Abstract: An Internet delivery method delivers electronic information products to a plurality of users via the Internet. A plurality of display formats are stored in a database. The display formats include at least a default display format and a custom display format. Information is also stored for each user indicating whether the user is a specific type of user. When a user logs in, the user is identified as being that specific type of user. If the user is identified as the specific type of user, then an electronic information product is delivered to the user in the custom display format. The electronic information products are accessed via computers connected to the Internet, including wireless devices.
    Type: Grant
    Filed: May 4, 2010
    Date of Patent: March 11, 2014
    Inventors: Jeffrey Raymond Reihl, David Ray King, David Martin Nelson, Larry Jay Browder, Jr., Vineet Shriniwas Joshi, Brian David Horblit
  • Patent number: 8667017
    Abstract: A method for collaborative management of a process is disclosed herein. The method includes electronically creating a declaration document containing information relating to one or more characteristics of an equipment unit involved in effecting the process. The method further includes electronically creating, at least partially based upon the information contained within the declaration document, an instruction document prescribing changes in one or more operational parameters of the equipment unit. The declaration document may be created by an operator of the equipment unit and the instruction document may be created by a user entity having electronic access to the declaration document.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: March 4, 2014
    Assignee: Invensys Systems, Inc.
    Inventors: Paul W. Forney, Warren T. Ratcliff, Jr.
  • Patent number: 8645422
    Abstract: The described embodiments of the invention comprise a method and an apparatus for regulating access to objects by authorized entities. Authorized entities are entities authorized for access by either an owner entity of the regulated object or an entity authorized to authorize access to the regulated object. Each user, which may be a physical person or another information system, is identified using standard user validation techniques. When an object is first created or introduced to the system, that information is associated with an owner, who is one user on the system. The present embodiment allows the owner to define relationships with other users, either generally or regarding a particular object. The owner may or may not have trusted relationships with other users. A second user that has a trusted relationship with the owner automatically has access to the object without additional intervention by the owner. In addition, the second user may have a trusted relationship with another user.
    Type: Grant
    Filed: August 12, 2003
    Date of Patent: February 4, 2014
    Inventor: Kenneth D. Pool