Access Control Lists Patents (Class 707/785)
  • Publication number: 20110270885
    Abstract: A computer-implemented system and method includes receiving a data request for data in a database from a user; determining if the user is an internal user or a portal user; consulting, if the user is the internal user, a first security setting associated with the data to determine if the requested data is public or private, and if the user is the portal user, consulting a second security setting separate from the first security setting to determine if the requested data is public or private; providing, if the requested data is public, access information to the user; performing, if the requested data is private, additional processing to determine if the user has access to the requested data.
    Type: Application
    Filed: December 21, 2010
    Publication date: November 3, 2011
    Applicant: SALESFORCE.COM, INC.
    Inventors: Alfred Vieira, Yongsheng Wu, Yanik Grignon, Punit Jain
  • Publication number: 20110258234
    Abstract: The present invention provides an approach to manage and control document transmission and electronic communication. Specifically, the present invention provides control over data associated with multiple types of data communication. Along these lines, embodiments of the present invention provide a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control. This type of granular control is critical for information sharing within a networked computing environment. This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists (ACL's) for the hub-spoke system. To this extent, embodiments of the present invention provide functionality to automatically update ACL's as documents are being forwarded or otherwise communicated between multiple parties. These ACL's are kept up to date through the analysis of to whom (and where) a document has been sent.
    Type: Application
    Filed: July 8, 2011
    Publication date: October 20, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christopher J. Dawson, Michael D. Kendzierski, Stephen McMillan
  • Patent number: 8024360
    Abstract: A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.
    Type: Grant
    Filed: December 10, 2004
    Date of Patent: September 20, 2011
    Assignee: Centrify Corporation
    Inventor: Paul Moore
  • Publication number: 20110225202
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for providing a dynamic access control list for an object in a computer-implemented content management system. A list of one or more subjects is received. Each of the subjects is associated with a set of operations that the subject has permission to perform on the object in accordance with a first rule-set. A set of dynamic evolution conditions is defined. The dynamic evolution conditions specify under what circumstances to evolve the access control list to a new state in which a second rule-set describes a different set of operations to be associated with one or more of the subjects. The dynamic evolution conditions, the subjects, and the operations are stored in a dynamic access control list on a server in the content management system. A content management system is also described.
    Type: Application
    Filed: May 23, 2011
    Publication date: September 15, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kwai Hing Man, Wai Kei So
  • Publication number: 20110219036
    Abstract: Particular embodiments of the present invention are related to a social network site with enhanced user interaction functionality. In particular implementations, a method includes accessing a list of contacts that are connected to an owner of a personal page of a social network; identifying one or more contact pairs from the list, wherein the contacts in each contact pair are not connected to each other; computing an affinity score for each identified contact pair; randomly selecting one or more of the contact pairs based on corresponding affinity scores; providing a friend connector user interface module to the owner of the personal page, wherein the friend connector user interface prompts the owner to invite the contacts of the selected contact pair to establish a connection association relative to the social network; and conditionally transmitting an invitation to the contacts of the contact pair based on one or more actions of the owner relative to the friend connector interface.
    Type: Application
    Filed: May 16, 2011
    Publication date: September 8, 2011
    Applicant: Yahoo! Inc.
    Inventors: William Clement Aldrich, Ryo Chijiiwa, Vu Hao Thi Truong, Michael Speiser
  • Publication number: 20110202568
    Abstract: A slice server includes a network port, a central processing unit, and memory. The central processing unit (CPU) is operable to receive, via the network port, a request to access a virtual digital data storage vault. The CPU then determines whether the slice server supports the virtual digital data storage vault. When the slice server supports the virtual digital data storage vault, the CPU determines whether the request is valid. When the request is valid, the CPU executes the request to generate a response.
    Type: Application
    Filed: April 26, 2011
    Publication date: August 18, 2011
    Applicant: CLEVERSAFE, INC.
    Inventors: S. CHRISTOPHER GLADWIN, GREG DHUSE, VANCE THORNTON, MANISH MOTWANI, ILYA VOLVOVSKI, WESLEY LEGGETTE, JAMIE BELLANCA, SARAH TOLEDANO, LYNN FOSTER, ZACHARY MARK
  • Patent number: 8001148
    Abstract: A method for determining group membership in a computer system, the method comprising: obtaining an identifier that describes a member of a group, the member of a group having a member hash table that contains group membership information describing to what groups a member belongs; performing a primary search of a plurality of groups to determine if each group contains the member's identifier, each group in the plurality having a group hash table that describes to what other groups the group belongs, caching the results of the primary search in the member hash table, for each group to which the member belongs, performing a secondary search of a plurality of groups to determine what groups contain the group to which the member belongs, and caching the results of the secondary search into the group hash table and merging the results into the member hash table, and reading the member hash table to determine group membership.
    Type: Grant
    Filed: August 21, 2007
    Date of Patent: August 16, 2011
    Assignee: Apple Inc.
    Inventors: Greg B. Vaughan, David M. O'Rourke
  • Patent number: 8001084
    Abstract: A method, system and computer readable media for optimistic access of data objects in a processing system. The method, system and computer readable media comprise providing a list of position objects. Each of the position objects can be associated with a data object. The method, system and computer readable medium include utilizing a thread to mutex a position object of the list of position objects and to associate the position object with a data object, and accessing the data object by the thread. The method, system and computer readable medium record a free level of a memory allocator as a read level of the position object and record a version number of the data object as the version number of the position object after the access has been determined to be safe.
    Type: Grant
    Filed: May 15, 2008
    Date of Patent: August 16, 2011
    Assignee: International Business Machines Corporation
    Inventors: Antti-Pekka Liedes, Petri Uolevi Soini
  • Patent number: 7996373
    Abstract: A method and apparatus for scanning structured data from a data repository having an arbitrary data schema and for applying a policy to the data of the data repository are described. In one embodiment, the structured data is converted to unstructured text data to allow a schema-independent policy to be applied to the text data in order to detect a policy violation in the data repository regardless of the data schema used by the data repository.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: August 9, 2011
    Assignee: Symantec Corporation
    Inventors: Michel Zoppas, Jeremy Hermann, Conal O'Raghallaigh, Eric Bothwell, Alexander Fontana
  • Patent number: 7991790
    Abstract: In accordance with embodiments, there are provided mechanisms and methods for storing documents that are being tracked in an on-demand service. These mechanisms and methods for storing documents in an on-demand service can enable embodiments to provide the sharing of documents and the storing of the documents in association with a tag. The ability of embodiments to provide the sharing of documents and the storing can enable an efficient searching for a shared document. In an embodiment, the shared document is categorized upon being stored.
    Type: Grant
    Filed: July 20, 2007
    Date of Patent: August 2, 2011
    Assignee: salesforce.com, Inc.
    Inventors: Timothy J Barker, Ryan Lissack, Daniel L Pletter
  • Patent number: 7971230
    Abstract: The present invention relates to a system and methodology to facilitate security for data items residing within (or associated with) a hierarchical database or storage structure. A database security system is provided having a hierarchical data structure associated with one or more data items. The system includes a security component that applies a security policy to the data items from a global location or region associated with a database. Various components and processes are employed to enable explicit and/or inherited security properties to be received by and propagated to the data items depending on the type of data structure encountered or processed.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: June 28, 2011
    Assignee: Microsoft Corporation
    Inventors: Sameet H. Agarwal, Balan Sethu Raman, Sanjay Anand, Paul J. Leach, Richard B. Ward
  • Publication number: 20110153671
    Abstract: An information processing apparatus includes a creation unit and a registration unit. The creation unit acquires first limited use information which is associated with a designated object and stored in an object storage unit from the object storage unit in accordance with an instruction to specify the designated object, and creates second limited use information containing information indicated by the acquired first limited use information and described in a different form from the acquired first limited use information. The registration unit registers the second limited use information created by the creation unit in a second limited use storage unit.
    Type: Application
    Filed: May 14, 2010
    Publication date: June 23, 2011
    Applicant: FUJI XEROX CO., LTD.
    Inventor: Shinichiro TANIGUCHI
  • Publication number: 20110153670
    Abstract: A method, system, and computer program product for dynamic field-level access control in a Wiki. The method comprises: inserting a virtual field in a Wiki using delimiters; and assigning sole ownership of the virtual field to a user who first inserts the virtual field, where the owner of the virtual field controls access to the virtual field using at least one access control list.
    Type: Application
    Filed: March 4, 2011
    Publication date: June 23, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Muller, Kushal B. Dave, Jonathan Feinberg, Sandra L. Kogan, Eric Wilcox
  • Patent number: 7966326
    Abstract: An address book data download request issued from a data communication apparatus is received. On the basis of authority of a user of the data communication apparatus which has issued the download request and a security level set for each address information in address book data stored in a storage medium, address information is extracted from the address book data. Address book data containing the extracted address information is transmitted to the data communication apparatus.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: June 21, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tadashi Hagiuda
  • Patent number: 7962515
    Abstract: A system and method for logon access management that includes capturing a logon id and associated user data, the logon id allowing access to at least one of an application or data outside of an entity, automatically searching for a match of at least a portion of the user data with id data inside the entity, and transforming the logon id into a network id when a match is found. The entity may be a company, business, organization, system, or network.
    Type: Grant
    Filed: July 22, 2008
    Date of Patent: June 14, 2011
    Assignee: Bank of America Corporation
    Inventor: Stephen J. McWhirter
  • Publication number: 20110137947
    Abstract: The present invention provides a solution to manage and control document transmission and electronic communication. Specifically, the present invention solves the problem of having control over data (documents, image files, and attachments hereafter referenced as “documents”) that are associated with multiple types of data communication. Along these lines, the present invention provides a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control. This type of granular control is critical for information sharing within a Cloud computing environment. This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists (ACL) for the hub-spoke system. To this extent, this present invention solves the problem of being able to automatically update ACL's as documents are being forwarded or otherwise communicated between multiple people.
    Type: Application
    Filed: December 3, 2009
    Publication date: June 9, 2011
    Applicant: International Business Machines Corporation
    Inventors: Christopher J. Dawson, Michael D. Kendzierski, Stephen McMillan
  • Patent number: 7958146
    Abstract: Techniques for providing limited access to data stored in records of databases are disclosed. The techniques can be implemented in a database program operating on a computer system. The database program can provide a Graphical User Interface that can be used to conveniently define calculation expressions that limit operations on the records of the database. The calculation expression can be defined for a user or group of users with respect to a particular operation that can be requested to be performed on the records of the database. The calculation expression can be defined based on fields of the records, as well as other information, for example, various state variables of the database (e.g., date, time, number of records, etc.) The calculation expression can, in turn, be evaluated with respect to each record to determine whether a request to perform an operation on that particular record should be granted or denied.
    Type: Grant
    Filed: May 4, 2010
    Date of Patent: June 7, 2011
    Assignee: Apple Inc.
    Inventors: Christopher Crim, Stephen Iremonger, L. Lee McIntyre
  • Patent number: 7958144
    Abstract: A system for transmission of data between a first device operated by a first user and a second device includes a database that receives a first set of data input by the first user and a second set of data input by the second user. In one embodiment, the first set of data includes an immediate mode of access and/or one or more future modes of access of the first user which correlate to one or more specific time periods during which the future mode of access will become the immediate mode of access. Additionally, the first set of data can include a time-dependent schedule of the future mode of access of the first user.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: June 7, 2011
    Assignee: Boss Logic, LLC
    Inventors: Daniel D. Shoemaker, Lee Thomas O'Donnell, James P. Broder, Scott D. Shoemaker
  • Patent number: 7958150
    Abstract: Disclosed is a data processing system-implemented method, a data processing system and an article of manufacture for controlling access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects. The data processing system-implemented method includes receiving a user request to access one or more relational objects of the database, identifying any access restrictions defined for the one or more relational objects, determining whether any identified access restrictions are applicable to the user request, determining whether any determined applicable access restrictions are to be enforced for the user request, and allowing access to the one or more relational objects based on the determined enforceable access restrictions.
    Type: Grant
    Filed: April 30, 2004
    Date of Patent: June 7, 2011
    Assignee: International Business Machines Corporation
    Inventor: Paul Miller Bird
  • Patent number: 7954147
    Abstract: A method is provided for securely enabling dynamic instrumentation. The method includes categorizing probes, upon creation, into one or more classes, providing lists of permissions for activating the probes and associating users with the permissions for activating the probes, such that certain users have permissions for activating certain probes. Users are associated with permissions by mapping classes of probes to permissions and mapping users to permissions, mapping classes of users to probes, or mapping users to at least one of classes of probes and classes of capabilities.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: May 31, 2011
    Assignee: International Business Machines Corporation
    Inventors: Prasadarao Akulavenkatavara, Gerritt Huizenga, Vivek Kashyap
  • Patent number: 7954043
    Abstract: A method, system and computer program product for enabling the concurrent editing of a document containing a plurality of independent or loosely connected segments by multiple authors is described. Among other things, the invention allows assigning of editing rights for each segment to a defined set of segment authors, making available a special segment that contains metadata shared by all the segments of said documents, and providing email means private to said document, for facilitating communication between the authors of the document.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: May 31, 2011
    Assignee: International Business Machines Corporation
    Inventor: Rajendra Kumar Bera
  • Publication number: 20110125798
    Abstract: Implementations of the present disclosure provide computer-implemented methods including generating a changelist corresponding to at least one computer code object that is digitally stored in a repository database, assigning a team to the changelist, the team comprising a plurality of members, initiating access to the computer code object using a computer that is in communication with the repository database, enabling access to the computer code object when a user of the computer is a member of the team, and prohibiting access to the computer code object when the user of the computer is not a member of the team.
    Type: Application
    Filed: November 24, 2009
    Publication date: May 26, 2011
    Applicant: SAP AG
    Inventors: Frank Misch, Karin Sudrow
  • Publication number: 20110125799
    Abstract: Methods, systems, and products for governing access to objects on a filesystem. In one general embodiment, the method includes providing a framework in an operating system environment for support of a plurality of access control list (ACL) types, thereby enabling governing of access to objects on a filesystem according to an associated definition of an ACL type; and accepting definitions of ACL types. The associated definition may comprise a kernel extension.
    Type: Application
    Filed: November 25, 2009
    Publication date: May 26, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Murali Vaddagiri
  • Patent number: 7949645
    Abstract: A control method for modifying information concerning a remote work site includes: (i) setting up a database that comprises information concerning a remote work site; (ii) using an electronic device that has an image-capturing unit, in order to capture images of equipment or construction sites at the remote work site; (iii) communicating with an access platform and an option menu arranged on the access platform via an Internet connected module, creating an issue in a network database via the electronic device with an Internet browser and accessing information about the issue via the option menu that allows access to the database according to an authority level of a user; or creating an issue directly on a network database via a network connected module; and (iv) modifying the information in accordance with the issue of the images from the remote work site.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: May 24, 2011
    Assignee: Industrial Technology Research Institute
    Inventors: Jung-Mao Chien, Jenn-Sheng Wu, Ming-Hsiung Chang, Mei-Hui Chen
  • Publication number: 20110119203
    Abstract: In private equity and debt funding operations, resource providers define electronic data collection templates to be filled in by prospective resource consumers to form semi-homogeneous profiles. Providers and/or consumers can assign themselves and/or third parties various individualized levels of permissions to access and to perform activities on the profiles. Providers can organize profiles into portfolios to further manage the data. All accesses and activities, such as changes to the data, are tracked and recorded in logs useful for audit purposes.
    Type: Application
    Filed: November 29, 2010
    Publication date: May 19, 2011
    Inventors: Richard A. Juarez, Zachary Brown
  • Patent number: 7945586
    Abstract: A computer-implemented method for providing protection for a data file is disclosed. The method includes employing allowable location information to control access to information of the data file, wherein the allowable location information is associated with the data file. The information in the data file is inaccessible if a location of a computer employed to access the data file is not within an allowable geographic area defined by the allowable location information.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: May 17, 2011
    Assignee: Trend Micro Incorporated
    Inventors: Chao Fang, Yan Gu
  • Patent number: 7930316
    Abstract: A method, system, and computer program product for dynamic field-level access control in shared documents. The method comprises: providing a field in a shared document, wherein the field is not owned by a user and can be edited by any user; and assigning sole ownership of the field to a user who first edits the field, wherein the owner of the field controls access to the field using at least one access control list.
    Type: Grant
    Filed: December 30, 2004
    Date of Patent: April 19, 2011
    Assignee: International Business Machines Corporation
    Inventors: Michael Muller, Kushal B. Dave, Jonathan Feinberg, Sandra L. Kogan, Eric Wilcox
  • Publication number: 20110087690
    Abstract: A server receives from a user's computer a request to store a file and a file hash value. The server determines whether a file with the same hash value is stored on the server. If so, the server grants access to the server's file copy. If not, the server requests the user to upload the file and stores it. The server grants access to the copy by sending the user a pointer to the copy's storage location and associating the user with the pointer in a database. The server can challenge the user's right to access the copy by requesting a file password or a portion of the file stored on the user's computer. The server can limit access to the server's copy to users who successfully respond to the challenge.
    Type: Application
    Filed: August 18, 2010
    Publication date: April 14, 2011
    Applicant: GOOGLE INC.
    Inventor: Ryan Cairns
  • Patent number: 7925666
    Abstract: A system and method for managing access control lists on network devices is provided. One or more access control lists are retrieved from one or more computing devices. The one or more access control lists are stored. A request to update the one or more access control lists is received. The one or more access control lists are automatically updated based on the request. The updated one or more access control lists are then deployed to the one or more computing devices.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: April 12, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Eric Wendell Johnson, Richard J. Lamoreaux, Jeremy Dinsel, Ajay K. Gummadi
  • Patent number: 7917533
    Abstract: A master management system includes a duty master creating part that counts the number of users in each group of same-attribute users who desire to use each of the applications, that identifies the applications each of which the number of users desiring to use is equal to or larger than a predetermined number, that creates and stores a master in a master management database of a storage device; and an individual setting part that identifies virtualization-possible applications of the applications each of which the number of users desiring to use is equal to or smaller than the predetermined number, and that sets data on users desiring to use the virtualization-possible applications in the distribution destination list of a distributing server.
    Type: Grant
    Filed: March 13, 2009
    Date of Patent: March 29, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Akihisa Nagami, Shinji Kimura, Masayuki Tosaka, Fumio Noda
  • Patent number: 7904476
    Abstract: One embodiment relates to an automated method for compressing an n-partite representation of an access control list or other binary relation. A first joining procedure is applied to join first and second relations in the n-partite representation and so eliminate a first intermediate set of elements, resulting in a first (n−1)-partite representation. A first re-factoring procedure generates updated first and second relations and an updated first intermediate set of elements, resulting in an updated n-partite representation. Other features, aspects and embodiments are also disclosed.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: March 8, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Robert Samuel Schreiber
  • Patent number: 7904438
    Abstract: A flag and a wait period are used to guarantee that readers of two data values see the updated first value before they see the updated second value, where the second value has to be updated after the first value is updated and thus is dependent on the first value. The first value is updated, and a flag associated with the first data value is set. The flag effectively prevents further updating of the first data value until it has been cleared. A length of time is waited for, such that any reading of the first data value and the second data value is guaranteed to not see the second data value as updated unless the first data value is also seen as updated. The flag is then cleared, such that further updating of the first data value can again occur. The second data value is finally updated.
    Type: Grant
    Filed: August 22, 2010
    Date of Patent: March 8, 2011
    Assignee: International Business Machines Corporation
    Inventor: Paul E. McKenney
  • Patent number: 7904470
    Abstract: A method includes storing, at a discovery service, address information for each of a plurality of information services providers. For each of the plurality of information services, product data of a respective information provider and access right data (defining access rights to the product data) are also stored. At the discovery service, a query is received from an information requester, the query being related to specific product data for a product identifier included in the query. A first information service, of the plurality of information services, is identified as an information provider of the specific product data, and first address information for the first information service is retrieved. The query is routed from the discovery service to the first information service using the first address information. The first information service selectively responds directly to the information requester in accordance with the access right data of the first information service.
    Type: Grant
    Filed: June 13, 2007
    Date of Patent: March 8, 2011
    Assignee: SAP AG
    Inventors: Chris Kuerschner, Oliver Kasten, Ulrich Eisert, Cosmin Condea
  • Publication number: 20110055277
    Abstract: In a dispersed storage network where slices of secure user data are stored on geographically separated storage units (44), a managing unit (18) connected to the network (20) may seek to broadcast and update secure access control list information across the network (20). Upon a target device (e.g., devices 12, 14, 16, 18, or 44) receiving the broadcast the target device creates and sends an access control list change notification message to all other system devices that should have received the same broadcast if the broadcast is a valid request to update access control list information. The target device waits for responses from the other system devices to validate that the broadcast has been properly sent to a threshold number of other system devices before taking action to operationally change local data in accordance with the broadcast.
    Type: Application
    Filed: April 14, 2010
    Publication date: March 3, 2011
    Applicant: CLEVERSAFE, INC.
    Inventor: JASON K. RESCH
  • Publication number: 20110055278
    Abstract: Computer programs, methods and systems for managing a setting information database of a computer system are described. The computer system includes an original setting information database and an administrative database which store setting information of the system. Each time a write request to write data to the setting information database is received from a requester, a write processing portion writes the requested data to the administrative database. When a read processing portion receives a read request to read data from the setting information database, if the data is included in the administrative database, the read processing portion passes the data from the administrative database to the program that issued the read request. An editing portion cleans up the administrative database using a white list to ensure that only a trusted program can write data.
    Type: Application
    Filed: August 30, 2010
    Publication date: March 3, 2011
    Applicant: Lenovo (Singapore) Pte. Ltd.
    Inventor: Hiroshi Itoh
  • Patent number: 7882544
    Abstract: Under the present invention, role types are defined by association with certain permissible actions. Once defined in this manner, a role type can then be bound to “nodes” of a hierarchical tree that represent computer-based resources such as dynamic object spaces. Once bound to a node, instances of this role type are created that will be inherited by hierarchical descendants of that node unless a role type block (e.g., inheritance or propagation) has been established for the corresponding role type. The present invention also allows the computer-based resources to be defined as virtual or private. Virtual resources represent general protected concepts in the system instead of computer-based resources and are subject to be bound with roles, while private resources are not. That is, the private resources remain the “property” of the creating user or group.
    Type: Grant
    Filed: July 12, 2004
    Date of Patent: February 1, 2011
    Assignee: International Business Machines Corporation
    Inventors: Dieter Buehler, Eric L. Masselle
  • Patent number: 7873730
    Abstract: A method and system for collaborative computing environment access restriction and orphan data management is provided in the form of establishment and implementation of a data handling policy in which the data handling policy for one of a person and a role is stored on a computer storage medium. The data handling policy is implemented in the collaborative computing environment by providing access to data in accordance with the established data handling policy. Access to the data handling policy is provided to a person affected by the data handling policy in which the access to the data handling policy includes allowing the affected person to view the data handling policy.
    Type: Grant
    Filed: November 10, 2003
    Date of Patent: January 18, 2011
    Assignee: International Business Machines Corporation
    Inventor: Joseph A. Russo
  • Patent number: 7853575
    Abstract: A system and method operable to cache and retrieve flight availability data. System components are a cache database for storing flight availability data, an airline cache control for configuring the cache database for a plurality of airlines, a subscriber cache control for configuring the cache database for a plurality of subscribers, and a cache query utility for interacting with the cache database. Additional system components are a data display utility for displaying flight availability data stored in the cache database, a success rate utility for tracking statistics associated with use of the cache database, and a dual mode processing utility that allows access to flight availability data from either the cache database or a real-time response. The system is provided as an intermediary between the subscribers and a plurality of airline servers.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: December 14, 2010
    Assignee: Travelport, LP
    Inventors: Diane Fay, Lori Senn
  • Patent number: 7853614
    Abstract: A reputability analysis system receives a domain assessment request associated with a domain and accesses a database to find a match for the domain. A reputability score is derived according to a hierarchical analysis of a matching domain in the database. Traceability, accountability, and association information associated with the domain assessment request may also be used to adjust the reputability score.
    Type: Grant
    Filed: November 26, 2007
    Date of Patent: December 14, 2010
    Assignee: Rapleaf, Inc.
    Inventors: Auren Hoffman, Jeremy Lizt, Vivek Sodera, Manish Shah
  • Patent number: 7836034
    Abstract: A flag and a wait period are used to guarantee that readers of two data values see the updated first value before they see the updated second value, where the second value has to be updated after the first value is updated and thus is dependent on the first value. The first value is updated, and a flag associated with the first data value is set. The flag effectively prevents further updating of the first data value until it has been cleared. A length of time is waited for, such that any reading of the first data value and the second data value is guaranteed to not see the second data value as updated unless the first data value is also seen as updated. The flag is then cleared, such that further updating of the first data value can again occur. The second data value is finally updated.
    Type: Grant
    Filed: May 16, 2005
    Date of Patent: November 16, 2010
    Assignee: International Business Machines Corporation
    Inventor: Paul E. McKenney
  • Patent number: 7836080
    Abstract: Provided are a method, system, and article of manufacture for using an access control list rule to generate an access control list for a document included in a file plan. A file plan includes a plurality of containers, wherein each container is capable of providing management information for documents in the file plan. An access control list rule indicates one of a plurality of access control list rules, wherein the access control list rules provide different ways to form file plan document access control lists using at least one of an access control list defined for a container and a pre-file plan document access control list indicating users enabled to access the document before the document is added to the file plan. A request to add a document to the file plan is received and a file plan document access control list is generated according to the defined access control list rule. The file plan document access control list is associated with the document in the file plan.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: November 16, 2010
    Assignee: International Business Machines Corporation
    Inventor: Tod DeBie
  • Patent number: 7831618
    Abstract: A database management system is provided for protecting data from being maliciously updated or deleted. The system is arranged to hold as a table attribute an insert-only attribute and a row deletion prohibition period, and as an access right attribute a row insertion date and time holding column name and to specify a row insertion date and time when a row was inserted, for disabling said date and time data. When requesting a table data update or a row deletion, the table attribute and the row insertion date and time are checked for preventing the malicious update and deletion.
    Type: Grant
    Filed: October 20, 2006
    Date of Patent: November 9, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Shigeto Hiraga, Takashi Itaya
  • Publication number: 20100281060
    Abstract: A method and storage media for performing access resolution using ACL types is provided. Under an AND semantic, an intersection set formed from the types of multiple ACLs protecting a resource may be utilized to efficiently determine whether a request for a privilege to access the resource is granted or denied. If the privilege is not a member of the intersection set, the privilege cannot be granted. A union set may be used for an OR semantic. A global ACL type may represent all privileges system-wide or application-wide. A global ACL may represent a system-wide or application-wide access policy. A conjunction of a global ACL and a regular ACL may be stored in a cache. The union set, intersection set, or access resolution may also be cached for subsequent request processing.
    Type: Application
    Filed: April 30, 2009
    Publication date: November 4, 2010
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Tanvir Ahmed, Thomas Keefee, Vikram Pesati, Eric Sedlar
  • Patent number: 7827196
    Abstract: A method, computer program product, and system for evaluating access control or filter conditions are provided. The method, computer program product, and system provide for developing a test model involving a plurality of access control or filter conditions, assigning a binary value to each of a plurality of scenarios of the test model, wherein the binary value includes a binary digit for each of the plurality of access control or filter conditions, and calculating an expected result for each of the plurality of scenarios through a logical AND operation of the binary digits in the binary value assigned to the scenario.
    Type: Grant
    Filed: October 30, 2006
    Date of Patent: November 2, 2010
    Assignee: International Business Machines Corporation
    Inventor: David B. Victor
  • Publication number: 20100268727
    Abstract: A system and method operable to cache and retrieve flight availability data. System components are a cache database for storing flight availability data, an airline cache control for configuring the cache database for a plurality of airlines, a subscriber cache control for configuring the cache database for a plurality of subscribers, and a cache query utility for interacting with the cache database. Additional system components are a data display utility for displaying flight availability data stored in the cache database, a success rate utility for tracking statistics associated with use of the cache database, and a dual mode processing utility that allows access to flight availability data from either the cache database or a real-time response. The system is provided as an intermediary between the subscribers and a plurality of airline servers.
    Type: Application
    Filed: February 10, 2006
    Publication date: October 21, 2010
    Inventors: Diane Fay, Lori Senn
  • Publication number: 20100262577
    Abstract: A method and system for providing an automated security access policy in a document management system are described. The security policies are applied based on metadata rules. Once a document is added to the document management system, the metadata rules are evaluated using the metadata of the document. Based on the results of the evaluation, security access policies are applied to the document.
    Type: Application
    Filed: March 29, 2010
    Publication date: October 14, 2010
    Inventors: Charles Edouard PULFER, Benjamin Taylor WHITNEY, Regi Baby ROY
  • Patent number: 7814120
    Abstract: A buddy list manager stores a buddy list sent from a receiver terminal and manages the buddy list. A controller accepts an updating request and identifying information of a third party terminal from the third party terminal. When the controller accepts the updating request and the identifying information from the third party terminal, the controller determines whether the third party has an updating authority for updating the buddy list or not, using the identifying information. If the controller judges that the third party has an updating authority for updating the buddy list, then the controller permits the third party terminal to update the buddy list.
    Type: Grant
    Filed: January 4, 2006
    Date of Patent: October 12, 2010
    Assignee: NEC Corporation
    Inventors: Natsuko Tsutazawa, Naoko Ito, Masafumi Watanabe
  • Publication number: 20100250519
    Abstract: The present invention concerns an XML data base management system (XDBMS, 10) for an XML database (20) comprising XML documents (30), each XML document (30) comprising one or more structural elements (35) and adhering to an XML schema (40), wherein at least one of the structural elements (35) is protected against access of a user (60), the XDBMS (10) comprising: a. an optimizer (300) adapted to process an XQuery (50) of the user (60) comprising one or more XQuery expressions (55) and further adapted to generate an optimized XQuery execution plan (70); b. an execution engine (400) adapted to execute the optimized XQuery execution plan (70) to retrieve XML data (80) from the XML database (20), characterized in that c. the optimizer (300) is adapted to generate the optimized XQuery execution plan (70), so that all XQuery expressions (55) relating to one or more of the structural elements (35) which are protected against access of the user (60) are ignored by the optimizer (300).
    Type: Application
    Filed: August 28, 2009
    Publication date: September 30, 2010
    Applicant: SOFTWARE AG
    Inventors: Thorsten Fiebig, Heiko Weber, Jürgen Harbarth
  • Publication number: 20100250931
    Abstract: Apparatus, methods and computer program products are described herein for automatically decrypting electronic communication that is harvested from custodians in an enterprise-wide electronic discovery system. Automatic decryption provides for electronic communication that is encrypted to be decrypted, even in instances in which the system is not provided the password and/or decryption key(s) from the encrypting custodian. The automatic decryption process, which ensues prior to delivering data to the third party data analysis provider or the requesting party, allows for data that may otherwise be unavailable or incomprehensible to the third party or requester to be readily accessible. Thus, decryption of such data in a relatively efficient and automated manner is highly beneficial.
    Type: Application
    Filed: November 13, 2009
    Publication date: September 30, 2010
    Applicant: BANK OF AMERICA CORPORATION
    Inventors: David M. Andersen, Michael J. Mayer, Emerson D. Miller
  • Patent number: 7801918
    Abstract: A file access control device included in a file management system having a storage unit has an access control management unit that controls access to the storage unit or to a file for which an access is requested while checking a file access right referring to access right information which is set for the storage unit and for each file stored in the storage unit, an access right setting processor that sets, when a file is read from the storage unit and transmitted in response to a file acquisition request when access is permitted by the access control management unit, to a file to be transmitted, an access right based on an access right which is set for the storage unit and an access right which is set for the file and adds, to the file, access right information, and a transmission processor that transmits the file.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: September 21, 2010
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Kazuhisa Iwase