US20110321147A1 - Dynamic, temporary data access token - Google Patents

Dynamic, temporary data access token Download PDF

Info

Publication number
US20110321147A1
US20110321147A1 US12/825,291 US82529110A US2011321147A1 US 20110321147 A1 US20110321147 A1 US 20110321147A1 US 82529110 A US82529110 A US 82529110A US 2011321147 A1 US2011321147 A1 US 2011321147A1
Authority
US
United States
Prior art keywords
data
access token
subset
computer
registered user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/825,291
Inventor
Al Chakra
Yongcheng Li
Yuping C. Wu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Priority to US12/825,291 priority Critical patent/US20110321147A1/en
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION reassignment INTERNATIONAL BUSINESS MACHINES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LI, YONGCHENG, CHAKRA, AL, WU, YUPING C.
Priority to PCT/EP2011/060017 priority patent/WO2012000801A1/en
Priority to DE112011101357T priority patent/DE112011101357T5/en
Priority to GB1300464.3A priority patent/GB2494605A/en
Publication of US20110321147A1 publication Critical patent/US20110321147A1/en
Priority to US13/488,845 priority patent/US10068102B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • G06F21/335User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115Third party
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data

Definitions

  • Embodiments of the invention relate to a dynamic, temporary data access token.
  • Dynamic data (i.e., information) is typically stored and managed in a centralized management system and retrieved and rendered to end users through client applications, such as browser applications. Examples of such applications are: portal, widget-based web application, etc. Access to the data requires that a user first signs in to the centralized management system by, for example, providing a user identifier (ID) and password. Thus, the requirement of signing in makes it difficult for a first user to share portions of the data in a restricted application with a second user who does not have a user identifier and password for signing in to the centralized management system.
  • ID user identifier
  • password password
  • a method, computer program product, and system for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data.
  • the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time.
  • the temporary data access token being valid, the subset of data is provided to the non-registered user.
  • access is denied to the subset of data by the non-registered user.
  • FIG. 1 illustrates a computing architecture in accordance with certain embodiments.
  • FIG. 2 illustrates logic for sharing data with a non-registered user in accordance with certain embodiments.
  • FIG. 3 illustrates logic for determining access in accordance with certain embodiments.
  • FIG. 4 illustrates logic for dynamically updating a temporary data access token in accordance with certain embodiments.
  • FIG. 5 illustrates a computer architecture that may be used in accordance with certain embodiments.
  • FIG. 1 illustrates a computing architecture in accordance with certain embodiments.
  • a server computer 100 is coupled to a registered user client computer 130 and a non-registered user client computer 140 .
  • the registered user client computer 130 is used by a user who registers with the server computer 100 by, for example, providing the server computer 100 with a user ID and password.
  • the registered user client computer 130 is also coupled to the non-registered user client computer 140 .
  • the non-registered user client computer 140 is used by a user who does not register with the server computer 100 (e.g., someone who would not normally be given access to data at the server computer 100 ).
  • the server computer 100 includes a token generator 110 and an integrator 120 .
  • the token generator 110 generates one or more registered user data access tokens 112 and generates one or more temporary data access tokens 114 .
  • the temporary data access tokens 114 may also be referred to as non-registered user data access tokens, limited tokens, temporal tokens, or delegated tokens.
  • An integrator 120 may be described as a software component that integrates the output from various other software components.
  • the server computer 100 stores at least one software application 160 , which includes one or more application components 162 .
  • An application component 162 may be described as part of the software application 160 and serves a specific function, such as weather report application component.
  • Other examples of application components 162 are portions of the application that produce data for the web page (e.g., an applet or a servlet).
  • one software application 162 is illustrated, embodiments may include any number of software applications.
  • the registered user client computer 130 also includes a token generator 110 .
  • the token generator 110 at the registered user client computer 110 generates one or more one or more temporary data access tokens 114 .
  • the registered user client computer 130 stores a registered user data access token 112 that is provided by the server computer 100 .
  • the registered user client computer 130 uses the registered user data access token 112 to access data at the server computer 100 .
  • the non-registered user client computer stores a non-registered use data access token 114 and uses the non-registered use data access token to access the data at the server computer 100 .
  • the server computer 100 is coupled to a data store 150 .
  • the data store 150 stores one or more data segments 152 .
  • Data segments 152 may be described as a database server that can be used to store and retrieve data.
  • An example of a data segment 152 is a dynamic content of a page of a web site.
  • Embodiments provide a new security model in which data segments 152 and/or application components 162 are associated with data access tokens (also referred to as security tokens) to provide more granular access control.
  • the token generator 110 allows a user who has registered with the server computer 100 to specify a temporary data access token 114 .
  • the temporary data access token 114 is shared by one or more non-registered users for a specific period of time (i.e., for a time period in which a web conference is occurring), for a subset of the data available at the server computer 100 , for a number of times the temporary data access token 114 can be used, and/or other factors.
  • the temporary data access token 114 has attributes, and these attributes are dynamic.
  • the attributes are dynamic in that the attributes can be changed (i.e., updated or modified) after the temporary data access token 114 has been issued. For example, the expiration date can be modified.
  • the subset of the data that can be viewed by the temporary data access token 114 can be modified.
  • the user at the registered user client computer 130 registers with the server computer 100 and obtains a registered user data access token 112 . Then, the registered user at the registered user client computer 130 uses the registered user data access token 112 to access data at the server computer 100 .
  • FIG. 2 illustrates logic for sharing data with a non-registered user in accordance with certain embodiments.
  • Control begins in block 200 with the token generator 110 at the server computer 100 retrieving and displaying one or more share points of data segments 152 and/or application components 162 (e.g., via a Graphical User Interface (GUI)) for the user at the registered user client computer 130 .
  • GUI Graphical User Interface
  • the token generator 110 displays the one or more share points in response to a request from the registered user at the registered user client computer 130 .
  • the token generator 110 at the server computer 100 receives identification of one or more of the share points of data segments 152 and/or application components 162 from the user at the registered user client computer 130 . Then, a user at the registered user client computer 130 identifies the one or more share points of data segments 152 and/or application components 162 via the GUI.
  • the token generator 110 at the server computer 100 provides application logic to enforce the security configuration.
  • the token generator retrieves and displays security options for the identified data segments 152 and/or application components 162 for the user at the registered user client computer 130 .
  • security options there are different security options associated with different data segments 152 and/or application components 162 . Examples of security options are the capability of view and edit the content).
  • the token generator 110 at the server computer 100 receives selection of security options from the end user who wishes to share the identified data segments 152 and/or application components 162 .
  • the token generator 110 generates the temporary data access token 114 for the identified data segments 152 and/or application components 162 with the selected security options.
  • the token generator 110 at the server computer 100 generates the temporary data access token 114 .
  • the token generator 110 at the registered user client computer 130 generates the temporary data access token 114 .
  • the temporary data access token 114 is provided to the non-registered user client computer 140 .
  • the token generator 110 at the server computer provides the temporary data access token 114 to the non-registered user client computer 140 .
  • the token generator at the registered client computer 130 provides the temporary data access token 114 to the non-registered user client computer 140 .
  • a non-registered user at the non-registered client computer 140 accesses the identified data segments 152 and/or application components 162 using the temporary data access token 114 .
  • a user can access (e.g., view or edit) the identified data segments 152 and/or application components 162 without signing in to the server computer 100 .
  • a password is created for the temporary data access token 114 .
  • the password and the temporary data access token 114 are provided to the non-registered user at the non-registered user client computer 140 .
  • each application component 162 registers to the integrator 120 .
  • the integrator 120 uses the temporary data access token 114 to determine whether to allow or deny access to the application component 162 .
  • the integrator 120 provides the application component 162 to the non-registered user client computer 140 , otherwise, the application component 162 is bypassed.
  • these application components 162 are not provided to the non-registered user client computer 140 , while the allowed application components 162 are provided.
  • the data records are like personal profile fields, such as name, contact, projects, etc.
  • Each data record registers itself with the integrator 120 , and the temporary data access token 114 is used to decide when a subset of the records are to be provided to the non-registered user client computer 140 .
  • the integrator 120 uses the temporary data access token 114 to determine whether to allow or deny access to the data record.
  • the integrator 120 provides the data record to the non-registered user client computer 140 , otherwise, the data record is bypassed.
  • these data records are not provided to the non-registered user client computer 140 , while the allowed data records are provided.
  • FIG. 3 illustrates logic for determining access in accordance with certain embodiments.
  • Control begins at block 300 with the integrator 120 receiving a request to access one or more data segments 152 and/or application components 162 from a non-registered user at a non-registered client computer 140 using the temporary data access token 114 .
  • the integrator 120 determines whether to allow access. The determination is based on the data segments 152 and/or application components 162 and the security options associated with the temporary data access token 114 . If the access is allowed, processing continues to block 304 , otherwise, processing continues to block 306 .
  • the integrator 120 provides access to the one or more data segments 152 and/or application components 162 .
  • the integrator 120 denies access to the one or more data segments 152 and/or application components 162 .
  • the software application 160 running at the server computer 100 displays the options of granular access, and the user then chooses a subset.
  • the software application 160 displays the options of access policies (e.g., insider, partner, and customer), and the user at the registered user client compute 130 then selects a policy.
  • the configuration type may be a combination of the first and second examples.
  • FIG. 4 illustrates logic for dynamically updating the temporary data access token 114 in accordance with certain embodiments.
  • the temporary data access token 114 is associated with a registered user 112 .
  • Control begins in block 400 with the software application 160 receiving a request from the registered user (at the registered use client computer 130 ) to modify the temporary data access token 112 .
  • the software application 160 is a server application.
  • the software application 160 sends the current configuration policy of the temporary data access token 114 to the registered user.
  • the registered user updates the temporary data access token 114 by updating the configuration policy.
  • the registered user submits the updates to the software application 160 by sending the updated configuration policy.
  • the software application 160 updates the associated temporary data access token 114 by saving the updated configuration policy.
  • the attributes e.g., the period of time
  • the temporary data access token 114 is dynamically updated (without updating the associated registered user data access token 112 ).
  • the updates are saved at the server computer 100 .
  • the integrator 130 uses the updated information to determine whether to allow access.
  • embodiments may be used in business-to-business (B2B) applications in which content or work is shared between collaborating businesses.
  • B2B business-to-business
  • One example might be in sharing specific aspects of internal content repositories with potential suppliers that are submitting bids to provide products/services.
  • non-registered users receive Uniform Resource Locators (URLs) to access data segments 152 and/or application components 162 with an embedded token that grants access, and these non-registered users are not required to establish accounts, logins, and so on, ahead of time.
  • URLs Uniform Resource Locators
  • aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • the code implementing the described operations may further be implemented in hardware logic or circuitry (e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.
  • PGA Programmable Gate Array
  • ASIC Application Specific Integrated Circuit
  • FIG. 5 illustrates a computer architecture 500 that may be used in accordance with certain embodiments.
  • Server computer 100 registered user client computer 130 , and/or non-registered user client computer 140 may implement computer architecture 500 .
  • the computer architecture 500 is suitable for storing and/or executing program code and includes at least one processor 502 coupled directly or indirectly to memory elements 504 through a system bus 520 .
  • the memory elements 504 may include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
  • the memory elements 504 include an operating system 505 and one or more computer programs 506 .
  • I/O devices 512 , 514 may be coupled to the system either directly or through intervening I/O controllers 510 .
  • Network adapters 508 may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters 508 .
  • the computer architecture 500 may be coupled to storage 516 (e.g., a non-volatile storage area, such as magnetic disk drives, optical disk drives, a tape drive, etc.).
  • storage 516 may comprise an internal storage device or an attached or network accessible storage.
  • Computer programs 506 in storage 516 may be loaded into the memory elements 504 and executed by a processor 502 in a manner known in the art.
  • the computer architecture 500 may include fewer components than illustrated, additional components not illustrated herein, or some combination of the components illustrated and additional components.
  • the computer architecture 500 may comprise any computing device known in the art, such as a mainframe, server, personal computer, workstation, laptop, handheld computer, telephony device, network appliance, virtualization device, storage controller, etc.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided are techniques for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.

Description

    BACKGROUND
  • 1. Field
  • Embodiments of the invention relate to a dynamic, temporary data access token.
  • 2. Description of the Related Art
  • Dynamic data (i.e., information) is typically stored and managed in a centralized management system and retrieved and rendered to end users through client applications, such as browser applications. Examples of such applications are: portal, widget-based web application, etc. Access to the data requires that a user first signs in to the centralized management system by, for example, providing a user identifier (ID) and password. Thus, the requirement of signing in makes it difficult for a first user to share portions of the data in a restricted application with a second user who does not have a user identifier and password for signing in to the centralized management system.
  • For example, it would be useful to share corporate resources, such as conference rooms, a knowledge base, and personal information, to facilitate interaction with customers. As another example, it would be useful to print out paper documents with select information to share with others. For example, a problem occurs when a user wants to print out a paper document that contains both confidential and non-confidential data and wants to print the non-confidential part of the document to share with others).
  • Some conventional systems build customized applications for outside users, but these are expensive and not flexible.
  • Thus, there is a need for a dynamic, temporary data access token.
    • BRIEF SUMMARY
  • Provided are a method, computer program product, and system for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.
    • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • Referring now to the drawings in which like reference numbers represent corresponding parts throughout:
  • FIG. 1 illustrates a computing architecture in accordance with certain embodiments.
  • FIG. 2 illustrates logic for sharing data with a non-registered user in accordance with certain embodiments.
  • FIG. 3 illustrates logic for determining access in accordance with certain embodiments.
  • FIG. 4 illustrates logic for dynamically updating a temporary data access token in accordance with certain embodiments.
  • FIG. 5 illustrates a computer architecture that may be used in accordance with certain embodiments.
    •  DETAILED DESCRIPTION
  • In the following description, reference is made to the accompanying drawings which form a part hereof and which illustrate several embodiments of the invention. It is understood that other embodiments may be utilized and structural and operational changes may be made without departing from the scope of the invention.
  • FIG. 1 illustrates a computing architecture in accordance with certain embodiments. A server computer 100 is coupled to a registered user client computer 130 and a non-registered user client computer 140. The registered user client computer 130 is used by a user who registers with the server computer 100 by, for example, providing the server computer 100 with a user ID and password. The registered user client computer 130 is also coupled to the non-registered user client computer 140. The non-registered user client computer 140 is used by a user who does not register with the server computer 100 (e.g., someone who would not normally be given access to data at the server computer 100).
  • The server computer 100 includes a token generator 110 and an integrator 120. The token generator 110 generates one or more registered user data access tokens 112 and generates one or more temporary data access tokens 114. The temporary data access tokens 114 may also be referred to as non-registered user data access tokens, limited tokens, temporal tokens, or delegated tokens. An integrator 120 may be described as a software component that integrates the output from various other software components.
  • The server computer 100 stores at least one software application 160, which includes one or more application components 162. An application component 162 may be described as part of the software application 160 and serves a specific function, such as weather report application component. Other examples of application components 162 are portions of the application that produce data for the web page (e.g., an applet or a servlet). Although one software application 162 is illustrated, embodiments may include any number of software applications.
  • In certain embodiments, the registered user client computer 130 also includes a token generator 110. In certain embodiments, the token generator 110 at the registered user client computer 110 generates one or more one or more temporary data access tokens 114. The registered user client computer 130 stores a registered user data access token 112 that is provided by the server computer 100. The registered user client computer 130 uses the registered user data access token 112 to access data at the server computer 100.
  • The non-registered user client computer stores a non-registered use data access token 114 and uses the non-registered use data access token to access the data at the server computer 100.
  • The server computer 100 is coupled to a data store 150. The data store 150 stores one or more data segments 152. Data segments 152 may be described as a database server that can be used to store and retrieve data. An example of a data segment 152 is a dynamic content of a page of a web site.
  • Embodiments provide a new security model in which data segments 152 and/or application components 162 are associated with data access tokens (also referred to as security tokens) to provide more granular access control. The token generator 110 allows a user who has registered with the server computer 100 to specify a temporary data access token 114. In certain embodiments, the temporary data access token 114 is shared by one or more non-registered users for a specific period of time (i.e., for a time period in which a web conference is occurring), for a subset of the data available at the server computer 100, for a number of times the temporary data access token 114 can be used, and/or other factors.
  • Moreover, the temporary data access token 114 has attributes, and these attributes are dynamic. The attributes are dynamic in that the attributes can be changed (i.e., updated or modified) after the temporary data access token 114 has been issued. For example, the expiration date can be modified. The subset of the data that can be viewed by the temporary data access token 114 can be modified.
  • Initially, the user at the registered user client computer 130 registers with the server computer 100 and obtains a registered user data access token 112. Then, the registered user at the registered user client computer 130 uses the registered user data access token 112 to access data at the server computer 100.
  • FIG. 2 illustrates logic for sharing data with a non-registered user in accordance with certain embodiments. Control begins in block 200 with the token generator 110 at the server computer 100 retrieving and displaying one or more share points of data segments 152 and/or application components 162 (e.g., via a Graphical User Interface (GUI)) for the user at the registered user client computer 130. In certain embodiments, the token generator 110 displays the one or more share points in response to a request from the registered user at the registered user client computer 130.
  • In block 202, the token generator 110 at the server computer 100 receives identification of one or more of the share points of data segments 152 and/or application components 162 from the user at the registered user client computer 130. Then, a user at the registered user client computer 130 identifies the one or more share points of data segments 152 and/or application components 162 via the GUI.
  • Thus, in embodiments, the token generator 110 at the server computer 100 provides application logic to enforce the security configuration.
  • In block 204, the token generator retrieves and displays security options for the identified data segments 152 and/or application components 162 for the user at the registered user client computer 130. In certain embodiments, there are different security options associated with different data segments 152 and/or application components 162. Examples of security options are the capability of view and edit the content).
  • In block 206, the token generator 110 at the server computer 100 receives selection of security options from the end user who wishes to share the identified data segments 152 and/or application components 162.
  • In block 208, the token generator 110 generates the temporary data access token 114 for the identified data segments 152 and/or application components 162 with the selected security options. In certain embodiments, the token generator 110 at the server computer 100 generates the temporary data access token 114. In certain embodiments, the token generator 110 at the registered user client computer 130 generates the temporary data access token 114.
  • In block 210, the temporary data access token 114 is provided to the non-registered user client computer 140. In certain embodiments, the token generator 110 at the server computer provides the temporary data access token 114 to the non-registered user client computer 140. In certain embodiments, the token generator at the registered client computer 130 provides the temporary data access token 114 to the non-registered user client computer 140.
  • Then, a non-registered user at the non-registered client computer 140 accesses the identified data segments 152 and/or application components 162 using the temporary data access token 114. Thus, a user can access (e.g., view or edit) the identified data segments 152 and/or application components 162 without signing in to the server computer 100.
  • In certain embodiments, a password is created for the temporary data access token 114. In such a case, the password and the temporary data access token 114 are provided to the non-registered user at the non-registered user client computer 140.
  • In embodiments, there are various levels of access control. At the highest application component level, each application component 162 registers to the integrator 120. When the integrator 120 receives a request to access an application component 162, the integrator 120 uses the temporary data access token 114 to determine whether to allow or deny access to the application component 162. When the application component 162 is allowed for access, the integrator 120 provides the application component 162 to the non-registered user client computer 140, otherwise, the application component 162 is bypassed. Thus, if multiple application components 162 are requested, and a subset (one or more) of the application components 162 are not allowed for access, these application components 162 are not provided to the non-registered user client computer 140, while the allowed application components 162 are provided.
  • At the data record level are related to the data segments 152. For example, the data records are like personal profile fields, such as name, contact, projects, etc. Each data record registers itself with the integrator 120, and the temporary data access token 114 is used to decide when a subset of the records are to be provided to the non-registered user client computer 140. When the integrator 120 receives a request to access a data record, the integrator 120 uses the temporary data access token 114 to determine whether to allow or deny access to the data record. When the data record is allowed for access, the integrator 120 provides the data record to the non-registered user client computer 140, otherwise, the data record is bypassed. Thus, if multiple data records are requested, and a subset (one or more) of the data records are not allowed for access, these data records are not provided to the non-registered user client computer 140, while the allowed data records are provided.
  • FIG. 3 illustrates logic for determining access in accordance with certain embodiments. Control begins at block 300 with the integrator 120 receiving a request to access one or more data segments 152 and/or application components 162 from a non-registered user at a non-registered client computer 140 using the temporary data access token 114. In block 302, the integrator 120 determines whether to allow access. The determination is based on the data segments 152 and/or application components 162 and the security options associated with the temporary data access token 114. If the access is allowed, processing continues to block 304, otherwise, processing continues to block 306. In block 304, the integrator 120 provides access to the one or more data segments 152 and/or application components 162. In block 306, the integrator 120 denies access to the one or more data segments 152 and/or application components 162.
  • In embodiments, there are various configuration types. As a first example, the software application 160 running at the server computer 100 displays the options of granular access, and the user then chooses a subset. As a second example, the software application 160 displays the options of access policies (e.g., insider, partner, and customer), and the user at the registered user client compute 130 then selects a policy. As a further example, the configuration type may be a combination of the first and second examples.
  • FIG. 4 illustrates logic for dynamically updating the temporary data access token 114 in accordance with certain embodiments. The temporary data access token 114 is associated with a registered user 112. Control begins in block 400 with the software application 160 receiving a request from the registered user (at the registered use client computer 130) to modify the temporary data access token 112. In certain embodiments, the software application 160 is a server application. In block 402, the software application 160 sends the current configuration policy of the temporary data access token 114 to the registered user. In block 404, the registered user updates the temporary data access token 114 by updating the configuration policy. In block 406, the registered user submits the updates to the software application 160 by sending the updated configuration policy. In block 408, the software application 160 updates the associated temporary data access token 114 by saving the updated configuration policy. For example, the attributes (e.g., the period of time) of the temporary data access token 114 may be updated. Thus, in certain embodiments, the temporary data access token 114 is dynamically updated (without updating the associated registered user data access token 112). The updates are saved at the server computer 100. Then, when the non-registered user at the non-registered user client computer 140 attempts to access one or more data segments 152 and/or application components 162, the integrator 130 uses the updated information to determine whether to allow access.
  • Thus, embodiments may be used in business-to-business (B2B) applications in which content or work is shared between collaborating businesses. One example might be in sharing specific aspects of internal content repositories with potential suppliers that are submitting bids to provide products/services.
  • In certain embodiments, non-registered users receive Uniform Resource Locators (URLs) to access data segments 152 and/or application components 162 with an embedded token that grants access, and these non-registered users are not required to establish accounts, logins, and so on, ahead of time.
    • Additional Embodiment Details
  • As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, solid state memory, magnetic tape or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • The code implementing the described operations may further be implemented in hardware logic or circuitry (e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.
  • FIG. 5 illustrates a computer architecture 500 that may be used in accordance with certain embodiments. Server computer 100, registered user client computer 130, and/or non-registered user client computer 140 may implement computer architecture 500. The computer architecture 500 is suitable for storing and/or executing program code and includes at least one processor 502 coupled directly or indirectly to memory elements 504 through a system bus 520. The memory elements 504 may include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. The memory elements 504 include an operating system 505 and one or more computer programs 506.
  • Input/Output (I/O) devices 512, 514 (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers 510.
  • Network adapters 508 may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters 508.
  • The computer architecture 500 may be coupled to storage 516 (e.g., a non-volatile storage area, such as magnetic disk drives, optical disk drives, a tape drive, etc.). The storage 516 may comprise an internal storage device or an attached or network accessible storage. Computer programs 506 in storage 516 may be loaded into the memory elements 504 and executed by a processor 502 in a manner known in the art.
  • The computer architecture 500 may include fewer components than illustrated, additional components not illustrated herein, or some combination of the components illustrated and additional components. The computer architecture 500 may comprise any computing device known in the art, such as a mainframe, server, personal computer, workstation, laptop, handheld computer, telephony device, network appliance, virtualization device, storage controller, etc.
  • The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
  • The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of embodiments of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated. The foregoing description of embodiments of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the embodiments to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the embodiments be limited not by this detailed description, but rather by the claims appended hereto. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the embodiments. Since many embodiments may be made without departing from the spirit and scope of the embodiments, the embodiments reside in the claims hereinafter appended or any subsequently-filed claims, and their equivalents.

Claims (18)

1. A computer-implemented method, comprising:
generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data; and
in response to the non-registered user attempting to access the subset of data with the temporary data access token,
determining whether the temporary data access token is valid for the subset of data based on the specified period of time;
in response to the temporary data access token being valid,
providing the subset of data to the non-registered user; and
in response to the temporary data access token not being valid, denying access to the subset of data by the non-registered user.
2. The method of claim 1, wherein the subset of data includes one of a data segment and an application component.
3. The method of claim 1, further comprising:
dynamically updating attributes of the temporary data access token.
4. The method of claim 1, wherein the non-registered user is a user who does not provide sign in information to the computer when trying to access the subset of data.
5. The method of claim 1, further comprising:
generating a registered user data access token for the registered user; and
associating the temporary data access token with the registered user.
6. The method of claim 1, further comprising:
receiving selection of security options for the temporary data access token.
7. A system, comprising:
hardware logic capable of performing operations, the operations comprising:
generating a temporary data access token for a subset of data for a specific period of time for a user who did not register with a computer providing access to the subset of the data; and
in response to a non-registered user attempting to access the subset of data with the temporary data access token,
determining whether the temporary data access token is valid for the subset of data based on the specified period of time;
in response to the temporary data access token being valid,
providing the subset of data to the non-registered user; and
in response to the temporary data access token not being valid, denying access to the subset of data by the non-registered user.
8. The system of claim 7, wherein the subset of data includes one of a data segment and an application component.
9. The system of claim 7, further comprising:
dynamically updating attributes of the temporary data access token.
10. The system of claim 7, wherein the non-registered user is a user who does not provide sign in information to the computer when trying to access the subset of data.
11. The system of claim 7, further comprising:
generating a registered user data access token for the registered user; and
associating the temporary data access token with the registered user.
12. The system of claim 7, further comprising:
receiving selection of security options for the temporary data access token.
13. A computer program product comprising a computer readable storage medium including a computer readable program, wherein the computer readable program when executed by a processor on a computer causes the computer to:
generate a temporary data access token for a subset of data for a specific period of time for a user who did not register with a computer providing access to the subset of the data; and
in response to a non-registered user attempting to access the subset of data with the temporary data access token,
determine whether the temporary data access token is valid for the subset of data based on the specified period of time;
in response to the temporary data access token being valid,
provide the subset of data to the non-registered user; and
in response to the temporary data access token not being valid, deny access to the subset of data by the non-registered user.
14. The computer program product of claim 13, wherein the subset of data includes one of a data segment and an application component.
15. The computer program product of claim 13, wherein the computer readable program when executed by the processor on by computer causes the computer to:
dynamically update attributes of the temporary data access token.
16. The computer program product of claim 13, wherein the non-registered user is a user who does not provide sign in information to the computer when trying to access the subset of data.
17. The computer program product of claim 13, wherein the computer readable program when executed by the processor on by computer causes the computer to:
generate a registered user data access token for the registered user; and
associate the temporary data access token with the registered user.
18. The computer program product of claim 13, wherein the computer readable program when executed by the processor on by computer causes the computer to:
receive selection of security options for the temporary data access token.
US12/825,291 2010-06-28 2010-06-28 Dynamic, temporary data access token Abandoned US20110321147A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US12/825,291 US20110321147A1 (en) 2010-06-28 2010-06-28 Dynamic, temporary data access token
PCT/EP2011/060017 WO2012000801A1 (en) 2010-06-28 2011-06-16 Dynamic, temporary data access token
DE112011101357T DE112011101357T5 (en) 2010-06-28 2011-06-16 Dynamic token for temporary data access
GB1300464.3A GB2494605A (en) 2010-06-28 2011-06-16 Dynamic,temporary data access token
US13/488,845 US10068102B2 (en) 2010-06-28 2012-06-05 Dynamic, temporary data access token

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/825,291 US20110321147A1 (en) 2010-06-28 2010-06-28 Dynamic, temporary data access token

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/488,845 Continuation US10068102B2 (en) 2010-06-28 2012-06-05 Dynamic, temporary data access token

Publications (1)

Publication Number Publication Date
US20110321147A1 true US20110321147A1 (en) 2011-12-29

Family

ID=44627184

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/825,291 Abandoned US20110321147A1 (en) 2010-06-28 2010-06-28 Dynamic, temporary data access token
US13/488,845 Active US10068102B2 (en) 2010-06-28 2012-06-05 Dynamic, temporary data access token

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/488,845 Active US10068102B2 (en) 2010-06-28 2012-06-05 Dynamic, temporary data access token

Country Status (4)

Country Link
US (2) US20110321147A1 (en)
DE (1) DE112011101357T5 (en)
GB (1) GB2494605A (en)
WO (1) WO2012000801A1 (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120297205A1 (en) * 2011-05-18 2012-11-22 Cpo Technologies Corporation Secure User/Host Authentication
US20130144755A1 (en) * 2011-12-01 2013-06-06 Microsoft Corporation Application licensing authentication
WO2014007827A1 (en) * 2012-07-06 2014-01-09 Empire Technology Development Llc Processing connection request in online service
US20140242940A1 (en) * 2013-02-26 2014-08-28 Kt Corporation Sharing control right of m2m device
WO2015126124A1 (en) * 2014-02-18 2015-08-27 삼성전자 주식회사 Method and device for transmitting and receiving authentication information in wireless communication system
US20150324577A1 (en) * 2014-05-08 2015-11-12 Honeywell International Inc. Dynamic changing of access token types
US20150381370A1 (en) * 2012-05-24 2015-12-31 Lockbox, Inc. Systems and methods for validated secure data access
WO2016028304A1 (en) * 2014-08-21 2016-02-25 Hewlett-Packard Development Company, L.P. Request for network credential
US9491567B2 (en) 2013-03-05 2016-11-08 Kt Corporation Providing M2M data to unregistered terminal
AU2015202710B2 (en) * 2015-03-24 2017-04-13 Tata Consultancy Services Limited System and method enabling multiparty and multi level authorizations for accessing confidential information
US9801049B2 (en) 2012-08-14 2017-10-24 Kt Corporation Method and system for continuously forwarding monitored information of machine-to-machine devices by a subscriber's registered terminals to a designated user terminal
US20180012029A1 (en) * 2016-07-11 2018-01-11 Fuji Xerox Co., Ltd. Information processing system, information processing method, and non-transitory computer readable medium
US20180157726A1 (en) * 2016-12-07 2018-06-07 Google Inc. Systems and methods for standardizing interfaces for third party integration
US10068102B2 (en) 2010-06-28 2018-09-04 International Business Machines Corporation Dynamic, temporary data access token
WO2018195024A1 (en) 2017-04-18 2018-10-25 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US20190028514A1 (en) * 2017-07-24 2019-01-24 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
US10268816B2 (en) * 2016-03-31 2019-04-23 Microsoft Technology Licensing, Llc Dynamic updating of process policies
US20210209242A1 (en) * 2013-03-13 2021-07-08 Comcast Cable Communications, Llc Methods and systems for managing data assets
US11190522B2 (en) 2019-07-15 2021-11-30 International Business Machines Corporation Access delegation using offline token
US11354431B2 (en) 2017-11-28 2022-06-07 Intuit Inc. Method and system for granting permissions to parties within an organization
US20230075552A1 (en) * 2021-09-03 2023-03-09 Mastercard International Incorporated Systems and methods for use in data coupling among data structures

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8990913B2 (en) * 2012-04-17 2015-03-24 At&T Mobility Ii Llc Peer applications trust center
US10474805B2 (en) * 2017-08-17 2019-11-12 Blackberry Limited Methods and devices for accessing protected applications
DE102019110972A1 (en) * 2019-04-29 2020-10-29 tapio GmbH Procedure for documenting information

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6279111B1 (en) * 1998-06-12 2001-08-21 Microsoft Corporation Security model using restricted tokens
US20030196087A1 (en) * 2002-04-16 2003-10-16 Xerox Corporation Ad hoc secure access to documents and services
US20050138388A1 (en) * 2003-12-19 2005-06-23 Robert Paganetti System and method for managing cross-certificates copyright notice
US20050254514A1 (en) * 2004-05-12 2005-11-17 James Lynn Access control of resources using tokens
US20070199057A1 (en) * 2005-10-14 2007-08-23 Softwareonline, Llc Control of application access to system resources
US20120039326A1 (en) * 2004-05-26 2012-02-16 Matsushita Electric Industrial Co., Ltd. Network System and Method For Providing an Ad-Hoc Access Environment

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6360254B1 (en) * 1998-09-15 2002-03-19 Amazon.Com Holdings, Inc. System and method for providing secure URL-based access to private resources
TW583539B (en) 1999-04-07 2004-04-11 Critical Path Inc Internet-based document management system and method of providing Internet-based document management
AU7593601A (en) * 2000-07-14 2002-01-30 Atabok Inc Controlling and managing digital assets
US7392546B2 (en) 2001-06-11 2008-06-24 Bea Systems, Inc. System and method for server security and entitlement processing
US20030046578A1 (en) * 2001-09-05 2003-03-06 International Business Machines Incorporation Apparatus and method for providing access rights information in metadata of a file
US20040006594A1 (en) * 2001-11-27 2004-01-08 Ftf Technologies Inc. Data access control techniques using roles and permissions
US7035854B2 (en) 2002-04-23 2006-04-25 International Business Machines Corporation Content management system and methodology employing non-transferable access tokens to control data access
US8069117B1 (en) * 2004-05-28 2011-11-29 Adobe Systems Incorporated Ad hoc access rights in restricted-access electronic space
US7512973B1 (en) 2004-09-08 2009-03-31 Sprint Spectrum L.P. Wireless-access-provider intermediation to facilliate digital rights management for third party hosted content
US7899754B2 (en) * 2004-12-03 2011-03-01 International Business Machines Corporation Enablement of system features with improved feature key
JP2006195586A (en) * 2005-01-11 2006-07-27 Ntt Docomo Inc Content delivery node, network equipment and sales system
US20070289024A1 (en) * 2006-06-09 2007-12-13 Microsoft Corporation Microsoft Patent Group Controlling access to computer resources using conditions specified for user accounts
US20080133726A1 (en) * 2006-12-01 2008-06-05 Microsoft Corporation Network administration with guest access
US7770214B2 (en) 2007-04-17 2010-08-03 International Business Machines Corporation Apparatus, system, and method for establishing a reusable and reconfigurable model for fast and persistent connections in database drivers
US20080313085A1 (en) * 2007-06-14 2008-12-18 Motorola, Inc. System and method to share a guest version of rights between devices
CN101136915B (en) 2007-10-16 2011-08-10 中兴通讯股份有限公司 Method and system for implementing multi-service united safety authentication
US7979902B2 (en) * 2007-11-13 2011-07-12 International Business Machines Corporation Using object based security for controlling object specific actions on a surface based computing device
US20090271847A1 (en) 2008-04-25 2009-10-29 Nokia Corporation Methods, Apparatuses, and Computer Program Products for Providing a Single Service Sign-On
FR2932048A1 (en) * 2008-05-27 2009-12-04 France Telecom METHOD AND SYSTEM FOR USER ACCESS TO AT LEAST ONE SERVICE PROVIDED BY AT LEAST ONE OTHER USER
US8438622B2 (en) 2008-07-10 2013-05-07 Honesty Online, Llc Methods and apparatus for authorizing access to data
US8196177B2 (en) * 2008-10-16 2012-06-05 International Business Machines Corporation Digital rights management (DRM)-enabled policy management for a service provider in a federated environment
US8931034B2 (en) * 2010-06-25 2015-01-06 Telefonaktiebolaget L M Ericsson (Publ) System, method, and policy engine for granting temporary access to electronic content
US20110321147A1 (en) 2010-06-28 2011-12-29 International Business Machines Corporation Dynamic, temporary data access token

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6279111B1 (en) * 1998-06-12 2001-08-21 Microsoft Corporation Security model using restricted tokens
US20030196087A1 (en) * 2002-04-16 2003-10-16 Xerox Corporation Ad hoc secure access to documents and services
US20050138388A1 (en) * 2003-12-19 2005-06-23 Robert Paganetti System and method for managing cross-certificates copyright notice
US20050254514A1 (en) * 2004-05-12 2005-11-17 James Lynn Access control of resources using tokens
US20120039326A1 (en) * 2004-05-26 2012-02-16 Matsushita Electric Industrial Co., Ltd. Network System and Method For Providing an Ad-Hoc Access Environment
US20070199057A1 (en) * 2005-10-14 2007-08-23 Softwareonline, Llc Control of application access to system resources

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Belenkiy et al. (2009). Randomizable Proofs and Delegatable Anonymous Credentials. Crypto 2009, LNCS 5677, pp. 108 - 125. *

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10068102B2 (en) 2010-06-28 2018-09-04 International Business Machines Corporation Dynamic, temporary data access token
US8683232B2 (en) * 2011-05-18 2014-03-25 Cpo Technologies Corporation Secure user/host authentication
US20120297205A1 (en) * 2011-05-18 2012-11-22 Cpo Technologies Corporation Secure User/Host Authentication
US20130144755A1 (en) * 2011-12-01 2013-06-06 Microsoft Corporation Application licensing authentication
US9680654B2 (en) * 2012-05-24 2017-06-13 Lockbox Llc Systems and methods for validated secure data access based on an endorsement provided by a trusted third party
US20150381370A1 (en) * 2012-05-24 2015-12-31 Lockbox, Inc. Systems and methods for validated secure data access
WO2014007827A1 (en) * 2012-07-06 2014-01-09 Empire Technology Development Llc Processing connection request in online service
US9942183B2 (en) 2012-07-06 2018-04-10 Empire Technology Development Llc Processing connection request in online service
US9331966B2 (en) 2012-07-06 2016-05-03 Empire Technology Development Llc Processing connection request in online service
US9801049B2 (en) 2012-08-14 2017-10-24 Kt Corporation Method and system for continuously forwarding monitored information of machine-to-machine devices by a subscriber's registered terminals to a designated user terminal
US20140242940A1 (en) * 2013-02-26 2014-08-28 Kt Corporation Sharing control right of m2m device
US10291712B2 (en) * 2013-02-26 2019-05-14 Kt Corporation Sharing control right of M2M device
US9491567B2 (en) 2013-03-05 2016-11-08 Kt Corporation Providing M2M data to unregistered terminal
US20210209242A1 (en) * 2013-03-13 2021-07-08 Comcast Cable Communications, Llc Methods and systems for managing data assets
US10708774B2 (en) 2014-02-18 2020-07-07 Samsung Electronics Co., Ltd. Method and device for transmitting and receiving authentication information in wireless communication system
WO2015126124A1 (en) * 2014-02-18 2015-08-27 삼성전자 주식회사 Method and device for transmitting and receiving authentication information in wireless communication system
US20150324577A1 (en) * 2014-05-08 2015-11-12 Honeywell International Inc. Dynamic changing of access token types
US9928362B2 (en) * 2014-05-08 2018-03-27 Honeywell International Inc. Dynamic changing of access token types
WO2016028304A1 (en) * 2014-08-21 2016-02-25 Hewlett-Packard Development Company, L.P. Request for network credential
US10623956B2 (en) 2014-08-21 2020-04-14 Hewlett-Packard Development Company, L.P. Request for network credential
AU2015202710B2 (en) * 2015-03-24 2017-04-13 Tata Consultancy Services Limited System and method enabling multiparty and multi level authorizations for accessing confidential information
US10268816B2 (en) * 2016-03-31 2019-04-23 Microsoft Technology Licensing, Llc Dynamic updating of process policies
CN107608641A (en) * 2016-07-11 2018-01-19 富士施乐株式会社 Information processing system and information processing method
US20180012029A1 (en) * 2016-07-11 2018-01-11 Fuji Xerox Co., Ltd. Information processing system, information processing method, and non-transitory computer readable medium
US10846414B2 (en) * 2016-07-11 2020-11-24 Fuji Xerox Co., Ltd. Information processing system, information processing method, and non-transitory computer readable medium
US20180157726A1 (en) * 2016-12-07 2018-06-07 Google Inc. Systems and methods for standardizing interfaces for third party integration
US11182402B2 (en) * 2016-12-07 2021-11-23 Google Llc Systems and methods for standardizing interfaces for third party integration
WO2018195024A1 (en) 2017-04-18 2018-10-25 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
EP3612967A4 (en) * 2017-04-18 2020-11-25 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US20210056196A1 (en) * 2017-04-18 2021-02-25 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US10936711B2 (en) 2017-04-18 2021-03-02 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US11550895B2 (en) * 2017-04-18 2023-01-10 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US10567438B2 (en) * 2017-07-24 2020-02-18 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
US20190190957A1 (en) * 2017-07-24 2019-06-20 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
US10264026B2 (en) * 2017-07-24 2019-04-16 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
US20190028514A1 (en) * 2017-07-24 2019-01-24 Cyberark Software Ltd. Providing privileged access to non-privileged accounts
US11354431B2 (en) 2017-11-28 2022-06-07 Intuit Inc. Method and system for granting permissions to parties within an organization
US11190522B2 (en) 2019-07-15 2021-11-30 International Business Machines Corporation Access delegation using offline token
US20230075552A1 (en) * 2021-09-03 2023-03-09 Mastercard International Incorporated Systems and methods for use in data coupling among data structures
US11966492B2 (en) * 2021-09-03 2024-04-23 Mastercard International Incorporated Systems and methods for use in data coupling among data structures

Also Published As

Publication number Publication date
GB2494605A (en) 2013-03-13
US10068102B2 (en) 2018-09-04
DE112011101357T5 (en) 2013-02-07
US20120246710A1 (en) 2012-09-27
GB201300464D0 (en) 2013-02-27
WO2012000801A1 (en) 2012-01-05

Similar Documents

Publication Publication Date Title
US10068102B2 (en) Dynamic, temporary data access token
CN108293045B (en) Single sign-on identity management between local and remote systems
US9225704B1 (en) Unified management of third-party accounts
US9401931B2 (en) Method and system for dynamically associating access rights with a resource
US10263994B2 (en) Authorized delegation of permissions
US10165007B2 (en) Securing data usage in computing devices
US10127401B2 (en) Redacting restricted content in files
US11989314B2 (en) Document-level attribute-based access control
US20080109898A1 (en) Modular enterprise authorization solution
US9077704B2 (en) Multiple authentication support in a shared environment
US11924210B2 (en) Protected resource authorization using autogenerated aliases
US20120084869A1 (en) Claims-aware role-based access control
US10560435B2 (en) Enforcing restrictions on third-party accounts
US11625469B2 (en) Prevention of organizational data leakage across platforms based on device status
US20210117561A1 (en) Controlling access to cloud resources in data using cloud-enabled data tagging and a dynamic access control policy engine
US20080320590A1 (en) Method and apparatus for creating secured file views in a software partition
US10257182B2 (en) Login proxy for third-party applications
US11063922B2 (en) Virtual content repository
US9202080B2 (en) Method and system for policy driven data distribution
US20160014155A1 (en) Abstract evaluation of access control policies for efficient evaluation of constraints
US8396969B1 (en) Domain name buckets in a hosted storage system
US11616782B2 (en) Context-aware content object security
CA3154328A1 (en) Simplified user management functionality

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHAKRA, AL;LI, YONGCHENG;WU, YUPING C.;SIGNING DATES FROM 20100626 TO 20100628;REEL/FRAME:024924/0197

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION