
Authorization

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Entries

Document | Title | Date
20130031624 | APPLICANT SCREENING - A system of screening servers, screener client computers, and screening kiosks distribute an applicant screening process among multiple sites and multiple participants. To facilitate and secure communications of screening results and applicant actions, a personal identification code is provided that identifies individual sets of screening results. In this manner, the applicant is authenticated and can then enter appropriate applicant profile data into a secure screening account, such as via a screening kiosk. Screening results may be generated for the applicant in association with a unique personal identification code. This code can then be communicated to the screener, who can access the screening results along with a recommendation, if desired, by sending the code to a screening server. The screener can also enter appropriate screening information into another secure screening account. | 01-31-2013
20100088759 | DEVICE-SIDE INLINE PATTERN MATCHING AND POLICY ENFORCEMENT - Inline pattern matching and policy enforcement may be implemented by a memory storage device. In an example embodiment, a device-implemented method includes acts of receiving, intercepting, and performing and conditional acts of invoking or permitting. A request from a host to perform a memory access operation is received at a memory storage device. Data flowing between an I/O channel and physical storage of the memory storage device is intercepted. A pattern matching procedure is performed on the data with reference to multiple target patterns in real-time while the data is being intercepted. If a pattern match is detected between the data and a target pattern, a policy enforcement mechanism is invoked. If a pattern match is not detected between the data and the multiple target patterns, the request from the host to perform the memory access operation is permitted. | 04-08-2010
20110191846 | IMAGE PROCESSING DEVICE CAPABLE OF SWITCHING CONTROL MODES - An image processing device includes a processing unit that performs processing on image data, an obtaining unit that obtains a number of users, and a control unit that executes a job by controlling the processing unit to perform the processing in one of control modes. The control unit switches between the control modes based on the number of users. | 08-04-2011
20090193520 | SYSTEM AND METHOD FOR PROVIDING REPUTATION RECIPROCITY WITH ANONYMOUS IDENTITIES - System and method for providing reciprocity in a reputation system are described. In one embodiment, the method comprises: responsive to receipt by a first entity of a Reputation Guarantee (“RG”) request from a second entity, creating a token in accordance with specifications set forth in the RG request and forwarding the token to the second entity, wherein the token may include reputation information developed using reputation forming information (“RFI”) of the second entity and policies concerning treatment of the RFI of the second entity; forwarding the token to a third entity by at least one of the first and second entities; responsive to the token received by the third entity not including the reputation information of the second entity: forwarding from the third entity to the first entity the token and an assertion request; and responsive to receipt of the token and the assertion request, forwarding by the first entity to the third entity an assertion including the reputation information in accordance with the policies concerning treatment of the RFI of the second entity. | 07-30-2009
20080256630 | IMAGE FORMING APPARATUS, CONTROL METHOD OF IMAGE FORMING APPARATUS, PROGRAM, AND STORAGE MEDIUM - An image forming apparatus for executing a processing flow including a plurality of steps, includes a determination unit which determines whether or not a processing flow to be executed includes an instruction required step that requires an instruction of a user, a selection unit which selects, when the processing flow to be executed includes the instruction required step, a notification destination of information required to display an operation window for accepting the instruction of the user, a notification control unit which notifies the notification destination selected by the selection unit of the operation window, and an execution unit which executes processing of the instruction required step according to instruction contents input via the operation window. | 10-16-2008
20080256629 | Management Apparatus, System, and Method for Protecting a Memory Storage Card - A management apparatus, system, and method for protecting a memory storage card are provided. The management apparatus comprises an access unit and a check unit. The access unit is configured to read a first security message, and a second security message of the memory storage card. The check unit is configured to check the first and second security messages to generate a check result. The management apparatus makes the memory storage card available according to the check result and efficiently prevents the memory storage card from theft. | 10-16-2008
20080256627 | COPYRIGHTS WITH POST-PAYMENTS FOR P2P FILE SHARING - In accordance with an embodiment, a method, apparatus or tangible computer medium (which stores computer executable code or program code) performs or facilitates: determining one or more aspects of an unauthorized copy of electronic content accessible to or through a user device; and conducting a transaction between the user device and a legitimizing party to legitimize the electronic content in view of the determined aspect(s). The electronic content may be unsecured copyrighted content. | 10-16-2008
20120246718 | Method and System for Implementing Collaboration and Crowd-Sourced Distribution on a Content Management System - Systems and methods are provided for delegating permissions of a content provider for a content item to a delegate. In a graphical interface, a content selection input is configured to receive a selection of a content item from a plurality of content items to be delegated. A delegate selection input is configured to receive an identification of a delegate to which the permissions are to be assigned. The interface includes a plurality of permissions assignment inputs, where a permissions assignment input identifies a particular action and is configured to receive a selection of a permission type for the particular action. The identified delegate is permitted to perform the particular action according to the selected permission type for the selected content item. | 09-27-2012
20120246717 | APPARATUS, SYSTEMS AND METHODS FOR SECURELY STORING MEDIA CONTENT EVENTS ON A FLASH MEMORY DEVICE - Systems and methods are operable to securely store media content events on a flash memory device. An exemplary embodiment receives user-provided authorization information, compares the received user-provided authorization information with authorization information associated with the flash memory device, and permits access to a flash memory of the flash memory device when the received user-provided authorization information corresponds to the authorization information. | 09-27-2012
20100043070 | FILE-ACCESS CONTROL APPARATUS AND PROGRAM - In a file-access control system according to an embodiment of this invention, control data in accordance with actions made is imparted, as an obligation-type policy, to a document file. Next, a policy evaluation control unit evaluates and executes the obligation-type policy imparted to the document file in accordance with the action to the document file. The execution of the obligation-type policy includes the controlling of a document application on the basis of an obligation fulfillment action. Therefore, an active control can be performed in accordance with any manipulation made to the document, and the access to the document can be changed. | 02-18-2010
20100107243 | PERMISSIONS CHECKING FOR DATA PROCESSING INSTRUCTIONS - A data processing system having a processor and a target device processes decorated instructions (i.e. an instruction having a decoration value). A device of the data processing system such as the processor sends transactions to the target device over a system interconnect. The transactions include an indication of an instruction operation, an address associated with the instruction operation, a decoration value (i.e. a command to the target device to perform a function in addition to a primary function of the executed instruction), and access permissions associated with the address. The target device (e.g. a memory with functionality in addition to storage functionality) determines whether a decoration operation specified by the decoration value is permissible based on the received access permissions. The target device performs the decoration operation if appropriate permissions exist. | 04-29-2010
20100095373 | System, Method and Program for Controlling Access Rights - A system for controlling access rights of artifacts having computer operated functions of a computer program includes an access control database which has policies that control access by a party to the artifacts in an application development environment. The system includes an access control environment having the artifacts. The system includes an access policy controller in communication with the access control database and the application development environment which implements the policies and controls access by the party to the artifacts being controlled. A computer program embodied on a computer readable medium for controlling access rights of a party during composition, design and execution includes a plurality of artifacts. At least a first of the plurality of artifacts having a part being modifiable by the party and operative with all other artifacts of the plurality of artifacts after being modified. A method for controlling access rights of artifacts having computer operated functions of a computer program includes the steps of requesting by a party a request to access to the artifacts in an application development environment. There is the step of controlling access by the party to the artifacts in the application development environment with policies in an access control database by implementing the policies with an access policy controller in communication with the access control database and the application development environment. An apparatus for controlling access rights of artifacts having computer operated functions of a computer program. | 04-15-2010
20090044269 | DIGITAL SIGNAL PROCESSING APPARATUS - If content is transmitted/received through a digital signal bus, protection of copyright causes a problem because of no deterioration in quality. Accordingly, authentication is required. The quantity of information to be processed is, however, so large that a long time is required for authentication. Accordingly, both achievement of handling property as in conventional analog connection and protection of copyrighted content without user's awareness become an object. The foregoing object can be achieved by authentication which is executed, for management of copyright, among apparatuses connected to the digital signal bus when the apparatuses are powered on or connected to the digital signal bus or when an input terminal connected to the digital signal bus is selected. The object can be further achieved by an encryption key shared among these apparatuses. | 02-12-2009
20110004934 | Computer Access Educational Tools System - Computers are currently often used for entertainment when they have been primarily provided to the user (often a child) primarily for education or work use. This invention aims to build in a gateway that makes access to the computer conditional upon passing a test or demonstrating completion of prior tasks such as homework or assignments. | 01-06-2011
20090038006 | User authentication with image password - A method and apparatus authenticates a user with an image password. In one implementation, a method is provided. According to the method, a plurality of icons are displayed. The plurality of icons are arranged in a pattern. The method receives a sequence of selected inputs. Each of the inputs corresponds to one of the plurality of icons. The method further repositions the plurality of icons after each input and determines whether the user is authenticated based on the received sequence. | 02-05-2009
20120192270 | CLUSTERED FILESYSTEMS FOR MIX OF TRUSTED AND UNTRUSTED NODES - A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes. | 07-26-2012
20090158425 | USER DEFINABLE POLICY FOR GRADUATED AUTHENTICATION BASED ON THE PARTIAL ORDERINGS OF PRINCIPALS - Apparatus, methods, and computer program products are disclosed that determine an actor context of an actor as well as an access environment for an attempted operation responsive to the actor context and a necessary condition. The method also evaluates whether the access environment satisfies the necessary condition and activates a principal responsive to the evaluation and authenticates the actor against the principal. | 06-18-2009
20110067100 | JOB PROCESSING SYSTEM AND IMAGE PROCESSING APPARATUS - A multi function periphery includes a plurality of the modules (a scan control section | 03-17-2011
20110067098 | FACIAL RECOGNITION FOR DOCUMENT AND APPLICATION DATA ACCESS CONTROL - A presentation system including a computing device, a display device coupled to the computing device and an image capture device that obtains an image containing facial images of at least two individuals capable of viewing the display device, the at least two individuals including a primary user and at least one secondary user, is provided. The system also includes a recognition apparatus operably coupled to the computing device and including a permission engine, the permission engine applying a policy to a protected information element displayed on the display screen, the policy causing one or more actions to be taken based on the identity of the primary and one or more of the secondary users. | 03-17-2011
20130067569 | METHODS AND STRUCTURE FOR MANAGING VISIBILITY OF DEVICES IN A CLUSTERED STORAGE SYSTEM - Methods and system for implementing a clustered storage solution are provided. One embodiment is a storage controller that communicatively couples a host system with a storage device. The storage controller comprises an interface and a control unit. The interface is operable to communicate with the storage device. The control unit is operable to identify ownership information for a storage device, and to determine if the storage controller is authorized to access the storage device based on the ownership information. The storage controller is operable to indicate the existence of the storage device to the host system if the storage controller is authorized, and operable to hide the existence of the storage device from the host system if the storage controller is not authorized. | 03-14-2013
20090007261 | RECEIVING DATA IN A DATA STORE IN A SERVER COMPUTER SYSTEM - The present invention provides a method and system of receiving data in a data store in a server computer system. In an exemplary embodiment, the method and system include (1) receiving client authentication information of a client computer system, (2) receiving a data signature of the data from the client computer system, and (3) attempting to locate in the data store at least one data chunk with a stored data signature equal to the received data signature. | 01-01-2009
20090007260 | Security Synchronization Services - As a result of the inability to assign security in multiple applications at one time, there is an opportunity to tie the disparate security systems together. Security synchronization services is a method and apparatus that uses roles to provide a common administration experience for all applications that use it and fits better for new applications. | 01-01-2009
20090055926 | MANAGEMENT APPARATUS, MANAGEMENT METHOD AND RECORDING MEDIUM STORING PROGRAM - A management apparatus which includes: a receiving unit that receives first authorization information for a first document that is already issued and contains document identification information identifying at least one document for which it is possible to issue authorization information and an issuance request requesting that second authorization information for a second document be issued; a verifying unit that verifies authenticity of the first authorization information that is received by the receiving unit; a checking unit that, in a case where the authenticity of the first authorization information is verified, checks whether or not document identification information identifying the second document is included in the first authorization information; and an issuing unit that, in a case where the document identification information identifying the second document is included in the first authorization information, issues the second authorization information. | 02-26-2009
20110302650 | INITIATION OF STORAGE DEVICE SCANS - Example embodiments relate to initiation of storage device scans based on a record of existing scans of the storage device. In particular, example embodiments include a mechanism that maintains a record of existing scans of the storage device including an entry for each scan initiated by one of a plurality of scanning processes. In some embodiments, the record of existing scans may then be accessed in determining whether to initiate or permit initiation of a new scan. | 12-08-2011
20110296523 | ACCESS CONTROL MANAGEMENT MAPPING RESOURCE/ACTION PAIRS TO PRINCIPALS - The access control management technique described herein manages access control to one or more resources. Rather than mapping individuals or groups to permissions, the technique maps each permission (the right to perform an action on a resource) to the list of authorized principals (the users and groups authorized to perform the action on the resource). These lists are written in text form just as one would write the list of recipients (individuals and groups) of an email composition window. The technique also provides various operations to allow a user to manage the list of authorized principals and the authorizations assigned to a principal to access the resource/action pair. | 12-01-2011
20090119773 | APPARATUS AND METHODS OF CONFIGURABLE SYSTEM EVENT AND RESOURCE ARBITRATION MANAGEMENT - Methods, apparatus, and computer-readable media for management and arbitration of dedicated mobile communication resources for mobile applications are provided. Mobile applications can be given a priority level that establishes an importance with respect to one or more other mobile applications and at least one mobile resource. If competing applications attempt to access the mobile resource concurrently, access can be provided to an application having higher priority level. Furthermore, control of a resource can be taken away from an application having lower priority in order to affect control of such resource for a higher priority application. In one aspect, a privilege code of an application can be verified prior to establishing control of the resource for the application, to mitigate a likelihood of inappropriate transfer of resources. Accordingly, the subject disclosure provides for management of dedicated resources for a mobile processing environment to effect important device functions with minimum delay. | 05-07-2009
20100005525 | Authorization method with hints to the authorization code - Authorizing a user for accessing a system, data, or a physical location is accomplished by receiving an authorization code from the user and determining whether the received code matches a valid authorization code. To relieve the user from the need of memorizing complex authorization codes, the authorizing party presents hints to a valid authorization code. The hints are presented concurrently with the user's entering of the authorization code. | 01-07-2010
20090165125 | SYSTEM AND METHOD FOR CONTROLLING USER ACCESS TO A COMPUTING DEVICE - A system and method for controlling user access to a computing device (e.g. a mobile device). In some embodiments, access rights are provided to a user based on successfully verified authentication factors, even where the user is unable to provide all the authentication factors typically required for access to the computing device. In one broad aspect, one or more authentication factors are provided by a user, and are received and verified by a security module application residing and executing on the computing device. When less than all of the authentication factors that would typically be expected in authenticating a user for access to the computing device is received and successfully verified, a subset of the available access rights selected from a plurality of different pre-defined subsets of access rights is provided to the user. The specific access rights provided to the user are based on the successfully verified authentication factors. | 06-25-2009
20100169966 | Resource description framework security - Systems, methods, and other embodiments associated with resource description framework (RDF) security are described. One example method includes generating, based on sensitivity labels associated with the contents of a triple in an RDF record, a sensitivity label. The example method may also include comparing the sensitivity label to an access label associated with an entity requesting an action associated with the record to be performed. The example method may also include performing the action upon determining that the entity has sufficient permission to request the action. | 07-01-2010
20100031352 | System and Method for Enforcing Licenses During Push Install of Software to Target Computers in a Networked Computer Environment - Systems, methods, and computer-readable media for enforcing licenses during the push install of a software package in a networked environment via parsed serial numbers. | 02-04-2010
20090138965 | SYSTEMS AND METHODS FOR PROVIDING ACCESS CONTROL AND ACCOUNTING INFORMATION FOR WEB SERVICES - A method for providing access control and accounting information for one or more services is described. A service request is received from a device. A service to execute the service request is selected. A determination is made whether the device is authorized to access the selected service. The accounting information associated with executing the service request using the selected service is calculated. | 05-28-2009
20090165129 | METHOD FOR DELEGATING PRIVILEGES TO A LOWER-LEVEL PRIVILEGE INSTANCE BY A HIGHER-LEVEL PRIVILEGE INSTANCE - A method for a higher-level privilege instance to delegate privileges to a lower-level privilege instance, through which the granting of privileges, P | 06-25-2009
20090165126 | Manufacturing control system - Methods and systems for a manufacturing control system include but are not limited to identifying at least one object data file configured to produce an object by a manufacturing machine; confirming that an authorization code is associated with the object data file, the authorization code configured to be received by the manufacturing machine, the manufacturing machine adapted to receive the authorization code; and enabling the manufacturing machine to interface with the object data file only if the authorization code meets one or more predetermined conditions. | 06-25-2009
20090150995 | METHODS AND SYSTEMS FOR PROVIDING WEBSITE HOSTING SECURITY - A method for registering user identification data in an application service provider data repository is provided, where the application service provider provides web services for a plurality of customers, each customer having a plurality of users with respective user identification data. The method includes receiving user identification data from one of the users through a website associated with one of the plurality of customers, retrieving customer identification data based on a uniform resource locator assigned to the website, concatenating the user identification data and customer identification data to create a user key, and registering a user account within the data repository based on the created user key. | 06-11-2009
20080244736 | MODEL-BASED ACCESS CONTROL - Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An abstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user model or abstract resource model. The models can be nested to provide configurations for larger systems. | 10-02-2008
20100122341 | AUTHENTICATING USERS WITH MEMORABLE PERSONAL QUESTIONS - One embodiment provides a system that verifies a user's identity. The system generates a list including a plurality of items and formulates a substantially large set of security questions based on the plurality of items. The number of questions in the set is significantly larger than a subset of security questions presented to the user to reduce the likelihood of the same questions being asked repeatedly. During account creation, the system presents to the user the subset of questions, and receives and stores a response from the user. At least one question in the subset is selected based on user information that is automatically extracted from devices associated with the user. Subsequently, the system receives a request to reset the user's password and presents the subset of questions to the requester. The system determines whether the requester is the user by comparing the requester's response with the stored user response. | 05-13-2010
20090094695 | ACCOUNT ASSOCIATION GENERATION - Illustrative embodiments provide a computer implemented method, data processing system and computer program product for generating an association between a configuration item and an account. In one illustrative embodiment, the computer implemented method comprises selecting the configuration item requiring account association to create a selected configuration item, and selecting a set of rules for the selected configuration item to form a set of selected rules, wherein the selected set of rules is used to associate configuration items to accounts. Further the method determines whether a match is present between the set of selected rules and the selected configuration item, and responsive to determining that a match is present, obtains account mapping information for an account identified by the match, and associates the selected configuration item with the account using the account mapping information. | 04-09-2009
20100083373 | METHODS AND APPARATUS FOR DETERMINING USER AUTHORIZATION FROM MOTION OF A GESTURE-BASED CONTROL UNIT - Methods and apparatus for determining user authorization from motion of a gesture-based control unit are disclosed. An example method to determine user authorization from motion of a gesture-based control unit disclosed herein comprises detecting motion of the gesture-based control unit, the motion caused by a user, determining a detected gesture from a sequence of one or more detected motions of the gesture-based control unit, and identifying the user from the detected gesture to determine an authorization for use by the gesture-based control unit. | 04-01-2010
20100088760 | DEBUG SECURITY LOGIC - A system comprises debug logic usable to debug the system. The system also comprises processing logic capable of accessing the debug module using electronic signals. The system further comprises security logic configured to prevent the processing logic from accessing the debug logic unless the security logic is provided with a passkey that matches another passkey stored in the system. | 04-08-2010
20100083374 | TECHNIQUES TO MANAGE ACCESS TO ORGANIZATIONAL INFORMATION OF AN ENTITY - Techniques to manage access to organization information for an entity are described. An apparatus may include a presentation component operative to present an organizational chart on a presentation surface. The organizational chart may comprise multiple nodes associated with members of an organization, and connections between the nodes representing hierarchical relationships between the nodes. A security component may be communicatively coupled to the presentation component. The security component may be operative to receive a request to modify a characteristic of the organizational chart from an operator, access security settings for the operator, and authorize the operator to modify a characteristic of the organizational chart. Authorization may be granted, for example, when the operator is a delegate and a permission level for the delegate allows a modification operation associated with the modify request. Other embodiments are described and claimed. | 04-01-2010
20090064321 | Methods for Providing User Authentication in a Computer Network or System - Embodiments of the present invention relate to methods for providing user authentication for a computer-type device or for a computer network. The method includes showing an interactive display comprising a plurality of media items. The plurality of media items may include a pre-designated authentication media item. A user is prompted to select the pre-designated media item from the plurality of media items, and may further be prompted to select a pre-designated location in the pre-designated media item. Network or other authentication may be provided if the user selects the pre-designated media item (and location) from the plurality of media. | 03-05-2009
20090165130 | CONTENTS TRANSMISSION METHOD AND CONTENTS TRANSMISSION SYSTEM - Mobile unit | 06-25-2009
20080295168 | Method and communication system for controlling security association lifetime | 11-27-2008
20090089876 | APPARATUS SYSTEM AND METHOD FOR VALIDATING USERS BASED ON FUZZY LOGIC - An apparatus, system, and method are disclosed for validating users based on fuzzy logic. An interface with security questions is presented to a user who requires authentication. A typical scenario is authentication for password recovery. The interface comprises security questions for the user to answer. The security questions may be limited or unlimited response questions. The answers to the security questions are either scored using fuzzy logic, which may attribute a value between “1” and “0” based on similarity with the original, correct answer; or scored using digital logic. When fuzzy logic scoring is used, a similarity score is computed for each answer. The similarity score is compared against a similarity score threshold to either grant or deny access. An average similarity score is also computed for all answers and compared against an average similarity score threshold to either grant or deny access. | 04-02-2009
20080209548 | Method of and Circuit for Identifying and/or Verifying Hardware and/or Software of an Appliance and of a Data Carrier Cooperating with the Appliance - In a method of and circuit for identifying and/or verifying the hardware and/or software of an appliance and of a data carrier, for example a smartcard, cooperating with the appliance, it is provided that a first unit (E | 08-28-2008
20080216172 | SYSTEMS, METHODS, AND APPARATUS FOR SECURE TRANSACTIONS IN TRUSTED SYSTEMS - Systems, methods, and software for protecting the identities of individuals, groups, and organizations are provided. In one embodiment, the systems, methods, and software provided by the present invention include a challenge-response architecture based upon entity-specific knowledge for verification of identity. In one aspect, a method for authenticating a first entity to at least one other entity includes creating an authenticator effective to authenticate said first entity to said at least one other entity; providing said authenticator or a substantially secure derivative thereof to an intermediary authentication service configured to interrogate said first entity; receiving a response to an identity interrogation from said first entity at said intermediary; and comparing at said intermediary the content of said response, or a derivative of said content, to said authenticator or said substantially secure derivative thereof to generate an estimation as to whether said first entity is authentic at said intermediary. | 09-04-2008
20090282475Media Streams from Containers Processed by Hosted Code - Described is a technology by which code, such as an untrusted web application hosted in a browser, provides content through an interface for playback by an application environment, such as an application environment running in a browser plug-in. Content may be in the form of elementary video, audio and/or script streams. The content is in a container that is unpackaged by the application code, whereby the content may be packaged in any format that the application understands, and/or come from any source from which the application can download the container. An application environment component such as a platform-level media element receives information from an application that informs the application environment that the application is to provide media stream data for playback. The application environment requests media stream data (e.g., samples) from the application, receives them as processed by the application, and provides the requested media stream data for playback.11-12-2009
20110173695System and Methods for Secure Transaction Management and Electronic Rights Protection - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.”07-14-2011
20090119772SECURE FILE ACCESS - In one method, the embodiments herein provide secure file access when a user opens an application and uses the application to make a request to open a data file on a secure file system. The method checks a trusted application list, by kernel extension, to determine if the application is a trusted application. The method also checks the user's permission to access the secure file system. The embodiments herein pass an "extended" permission to any applications that are trusted applications. Therefore, the methods herein control access to the secure file system based not only on the user's permission, but also on the "extended" permission, such that the kernel extension allows access to files. With embodiments herein, the trusted application performs the extended permission management.05-07-2009
20090282474METHOD FOR SAFELY EXECUTING AN UNTRUSTED NATIVE CODE MODULE ON A COMPUTING DEVICE - A system that safely executes a native code module on a computing device. During operation, the system receives the native code module, which is comprised of untrusted native program code expressed using native instructions in the instruction set architecture associated with the computing device. The system then loads the native code module into a secure runtime environment, and proceeds to execute a set of instructions from the native code module in the secure runtime environment. The secure runtime environment enforces code integrity, control-flow integrity, and data integrity for the native code module. Furthermore, the secure runtime environment moderates which resources can be accessed by the native code module on the computing device and/or how these resources can be accessed. By executing the native code module in the secure runtime environment, the system facilitates achieving native code performance for untrusted program code without a significant risk of unwanted side effects.11-12-2009
20090313694GENERATING A CHALLENGE RESPONSE IMAGE INCLUDING A RECOGNIZABLE IMAGE - Provided are a method, system, and article of manufacture for generating a challenge response image including a recognizable image. A challenge image is generated including random elements and a recognizable image. The challenge image is transmitted to a recipient. Recipient input associated with the transmitted challenge image is received. A determination is made as to whether the received recipient input matches a descriptor associated with the recognizable image in the challenge image. Indication is made that the recipient correctly identified the recognizable image.12-17-2009
20100287611SYSTEM AND METHOD FOR MANAGING CAPTURED CONTENT - Provided are apparatuses and methods in a mobile communication and content capturing device for controlling ownership and use of captured content. A mobile device capturing content of a user of a target device may automatically request authorization to use and own the captured content from the target device and user. The mobile device may detect the target device by comparing metadata associated with the captured content with device information of a target device. Alternatively, the capture device may communicate with a server to facilitate the authorization request process. The capture device may further establish a piconet with one or more intermediate wireless devices to detect and request authorization from a target device outside of the capture device's wireless range. Tokens may further be implemented to reduce transmission and processing times of various communication information including authorization requests and content files.11-11-2010
20090007262COMPUTER READABLE MEDIUM FOR RESOLVING PERMISSION FOR ROLE ACTIVATION OPERATORS - A computer-readable storage medium storing instructions executable by a processor for resolving permissions using role activation operators to evaluate permissions assigned to a user in a role context inheritance hierarchy. The stored instructions comprise several steps: a step of retrieving a plurality of activated roles within a role context that match roles assigned to a user, wherein one or more permissions in the role context inherit from one or more permissions in a parent role context in a role context permission inheritance hierarchy; a step of determining an aggregate permission for each of the plurality of activated roles, wherein a role activation operator determines how an activated role is evaluated; a step of processing the aggregate permissions for the plurality of activated roles; and a step of resolving a final permission for the user.01-01-2009
20090007259Restricting Access to Information - Technologies are presented herein for restricting access to information. According to various embodiments described herein, an authorization device is provided that includes functionality for detecting other proximately located authorization devices. When an authorization device detects another proximately located authorization device, authorization data stored in the detected device is retrieved. The retrieved authorization data is compared to stored authorization data and a determination is made as to whether a person associated with the detected device is authorized to receive information. The authorization device provides an indication as to whether the person is authorized to receive information. The authorization device may also provide an indication of the particular information that the person is authorized to receive. The authorization device may also be utilized to ensure that only authorized individuals participate in a meeting and that each participant is authorized to receive the information that is the subject of the meeting.01-01-2009
20110209214METHOD AND SYSTEM FOR PROVIDING RECORDING DEVICE PRIVILEGES THROUGH BIOMETRIC ASSESSMENT - A method and system for providing recording device privileges through biometric assessment are disclosed herein. An embodiment of the method includes monitoring information associated with a recording device. The information includes a recording device location, dynamic biometric data, knowledge data, and recording device identification data. From the monitored information, an identity of a then-current user of the recording device is determined. An authorization level for the then-current user is determined, and recording device access privileges are dynamically adjusted based on the determined authorization level.08-25-2011
20110209213AUTHORIZATION LOGIC IN MEMORY CONSTRAINED SECURITY DEVICE - Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity.08-25-2011
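An added example (not the patent's code) of the incremental authorization-expression evaluation the abstract describes: each satisfied authorization extends a running hash, an OR step is accepted only when the running value equals one of the pre-computed branch values, and a command executes only when the final value equals the expected proof. The verifier keeps just one digest plus the expected proof, which is the memory-constrained property the abstract claims. The hashing scheme (SHA-256, the `AND`/`OR` domain tags, starting from all-zero bytes) is modeled on TPM 2.0 policy sessions but is my assumption, not the patent's construction; the expression and authorization names are constructed.

```python
import hashlib
import hmac
from typing import List, Sequence, Tuple, Union

DIGEST_LEN = 32
ZERO = b"\x00" * DIGEST_LEN

# Expression grammar (assumed): ("and", [auth_name, ...]) or ("or", [sub_expression, ...]).
Expr = Tuple[str, list]


def extend(digest: bytes, tag: bytes, payload: bytes) -> bytes:
    """One incremental step: next = H(prev || tag || payload)."""
    return hashlib.sha256(digest + tag + payload).digest()


def policy_and(digest: bytes, auth_name: str) -> bytes:
    """AND term: fold a satisfied authorization into the running digest (order matters)."""
    return extend(digest, b"AND", auth_name.encode())


def policy_or(branch_digests: Sequence[bytes]) -> bytes:
    """OR term: restart from ZERO and commit to the whole set of acceptable branch values,
    so every satisfiable branch ends at the same proof value."""
    return extend(ZERO, b"OR", b"".join(branch_digests))


def evaluate(expression: Expr) -> bytes:
    """Offline computation of the proof value for a sum-of-products expression.
    This is what the policy author runs once; the device never needs the full expression."""
    kind, body = expression
    if kind == "and":
        digest = ZERO
        for auth_name in body:
            digest = policy_and(digest, auth_name)
        return digest
    if kind == "or":
        return policy_or([evaluate(sub) for sub in body])
    raise ValueError(f"unknown expression kind {kind!r}")


class TrustModule:
    """Memory-constrained verifier: state is one running digest plus the expected proof."""

    def __init__(self, expected_proof: bytes):
        self.expected = expected_proof
        self.digest = ZERO

    def assert_authorization(self, auth_name: str) -> None:
        # In a real device this is called only after the authorization itself was verified
        # (PIN checked, attestation validated, ...); here the name stands in for that.
        self.digest = policy_and(self.digest, auth_name)

    def satisfy_or(self, branch_digests: Sequence[bytes]) -> bool:
        """Accept the OR step only if the caller has actually completed one branch."""
        if not any(hmac.compare_digest(self.digest, b) for b in branch_digests):
            return False
        self.digest = policy_or(branch_digests)
        return True

    def may_execute(self) -> bool:
        """The command runs only when the accumulated proof equals the expected value."""
        return hmac.compare_digest(self.digest, self.expected)


if __name__ == "__main__":
    policy: Expr = ("or", [("and", ["pin_ok", "device_attested"]), ("and", ["recovery_key"])])
    proof = evaluate(policy)
    branches = [evaluate(sub) for sub in policy[1]]
    tm = TrustModule(proof)
    tm.assert_authorization("pin_ok")
    tm.assert_authorization("device_attested")
    print(tm.satisfy_or(branches), tm.may_execute())
```

Two properties worth checking in any implementation of this pattern: the evaluation order is fixed by the expression (swapping two AND terms yields a different digest, so the command is refused), and an OR step must not be accepted on an arbitrary running value, otherwise a caller could skip the branch entirely.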
20080244737STORAGE DEVICE - A storage device has a data erasing function. A controller of a storage device, such as a USB device, has a lost timer section and an emergency timer section. Both timer sections halt clocking operation as a result of initiation of use of the storage device by an authorized user. The lost timer section commences clocking operation as a result of completion of use of the storage device by the authorized user. The emergency timer section commences clocking operation as a result of unauthorized removal of the storage device. When either the lost timer section or the emergency timer section outputs a count-up signal, data in flash ROM are erased.10-02-2008
20080282345APPARATUS FOR CONTROLLING PROCESSOR EXECUTION IN A SECURE ENVIRONMENT - Various embodiments described herein relate to apparatus for executing software in a secure computing environment. A secure processor can be used and configured to request a context swap from a first context to a second context when switching execution from a first portion of software to a second portion of software. A context manager, which can be in communication with the secure processor, can be configured to receive and initiate a requested context swap. A trust vector verifier, which can be in communication with the secure processor and the context manager, can be configured to load a trust vector descriptor upon command from a context manager.11-13-2008
20080235791System and Method for Distributed Module Authentication - Distributed module authentication allows security checks to be initiated by multiple software modules. Module authentication processes can be inserted into two or more modules in an operating system and/or various other applications. These module authentication processes can verify the integrity of binaries associated with one or more modules in computer memory. Security checks can be performed on modules stored on disk, in active system memory, or in any other location. Various security checks can be coordinated with each other to ensure variety and frequency of module authentication, as well as to randomize the module authentication process that performs a particular security check. In addition, security processor code can be interleaved within normal application code, so the security code is difficult for attackers to remove or disable without damaging the useful functionality of an application.09-25-2008
20120084856GATHERING, STORING AND USING REPUTATION INFORMATION - A method and a system for collecting and maintaining historical party reputation data, and for using that data to calculate an access decision rating and to recalculate the rating when the historical party reputation data has changed. The system has a reputation updater for updating a reputation when a party's reputation has changed, a reputation storer for storing the party's reputation, an access decision rating maker for making a rating on a party's access abilities based upon the party's reputation, and reputation history storage for storing a party's reputation, which includes access decision rating storage for storing previous and present access decision ratings.04-05-2012
20080282344E-MAIL AUTHENTICATION - A system and method for determining whether an e-mail originates from a sender authorized by an address provider to send the e-mail to an intended recipient's e-mail address. The e-mail identifies an address provider from which the intended recipient's e-mail address was obtained. The e-mail is delivered to the intended recipient only upon verification that the sender is authorized by the address provider to obtain the intended recipient's e-mail address. The system and method may also provide for determining whether an e-mail originates from a forged source. A server receives data relating to an e-mail, including a purported sender and a verification host. The server queries the verification host with information pertaining to the e-mail and requests confirmation that the e-mail originates from the purported sender. The e-mail is determined to originate from a forged source unless the verification host responds that the e-mail originates from the purported sender.11-13-2008
20080244738ACCESS CONTROL - An access control method includes receiving an access request to a file system from a user terminal through a common Internet file system (CIFS) or a network file system (NFS) and determining whether the access request should be allowed. The method includes determining whether a basic permission attribute of an access request used in the NFS should be allowed with reference to access control information associated with basic permission attributes, the basic permission attribute being associated with an access request received from the user terminal through the CIFS, the access control information indicating whether an access request to respective objects of the file system should be allowed or denied, and the access control information being stored in an access-control-information storing unit. The method also includes determining whether the access request associated with the allowed basic permission attribute should be allowed, in reference to the access control information.10-02-2008
20080271140Verification for Computer Programs that Include External Call References - A program verification mechanism includes an external call reference verification mechanism that verifies external call references in a computer program. The external call reference verification mechanism checks the computer program after the computer program has been loaded by a loader/linker. The loader/linker stores a list of trusted entry points that specifies a trusted entry point for each external call reference, along with a list of allowable caller code for each trusted entry point. The external call reference verification mechanism determines the entry point for each instruction that is an external call reference, determines whether the entry point is listed as the trusted entry point for the external call reference, and whether the external call reference instruction is in the list of allowable caller code for the trusted entry point. If so, the computer program is verified. If not, verification of the computer program fails.10-30-2008
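An added example (not the patent's code) of the post-load check the abstract describes: for every call instruction that references an external symbol, the resolved target must equal the loader's trusted entry point for that symbol, and the calling function must appear in that entry point's allowable-caller list. The table layout, the sample program and the addresses are constructed for the example; the patent does not define them.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class CallRef:
    """One external call instruction as seen after loading/linking."""
    caller: str   # function that contains the call instruction
    symbol: str   # external symbol the instruction references
    target: int   # address the loader/linker actually resolved the call to


# Loader-side tables (constructed): the trusted entry point per symbol, and the
# functions permitted to call each entry point.
TRUSTED_ENTRY_POINTS: Dict[str, int] = {
    "crypto_sign": 0x401000,
    "write_log": 0x402000,
}
ALLOWED_CALLERS: Dict[str, Set[str]] = {
    "crypto_sign": {"sign_request"},
    "write_log": {"sign_request", "handle_error"},
}


def verify_external_calls(
    call_refs: Sequence[CallRef],
    trusted: Dict[str, int] = TRUSTED_ENTRY_POINTS,
    allowed: Dict[str, Set[str]] = ALLOWED_CALLERS,
) -> List[Tuple[CallRef, str]]:
    """Return the list of (call, reason) failures; an empty list means the program verifies.

    Checking the *resolved* target rather than the symbol name is what catches a
    hooked import table or a preloaded library that shadows the trusted symbol.
    """
    failures: List[Tuple[CallRef, str]] = []
    for ref in call_refs:
        expected = trusted.get(ref.symbol)
        if expected is None:
            failures.append((ref, "no trusted entry point"))
        elif ref.target != expected:
            failures.append((ref, "entry point mismatch"))
        elif ref.caller not in allowed.get(ref.symbol, set()):
            failures.append((ref, "caller not allowed"))
    return failures


def is_verified(call_refs: Sequence[CallRef]) -> bool:
    """Convenience wrapper: True only when no external call reference fails."""
    return not verify_external_calls(call_refs)


# Constructed sample program: two legitimate calls and three that must fail.
SAMPLE_PROGRAM: List[CallRef] = [
    CallRef("sign_request", "crypto_sign", 0x401000),
    CallRef("sign_request", "write_log", 0x402000),
    CallRef("handle_error", "crypto_sign", 0x401000),   # caller not in the allow list
    CallRef("sign_request", "crypto_sign", 0x41E000),   # resolved to a hooked address
    CallRef("sign_request", "dlopen", 0x403000),        # symbol with no trusted entry point
]

if __name__ == "__main__":
    for ref, reason in verify_external_calls(SAMPLE_PROGRAM):
        print(f"{ref.caller} -> {ref.symbol}@{ref.target:#x}: {reason}")
```

Note that the tables themselves are part of the trusted computing base: if the loader's trusted-entry-point list can be modified by the same code that could hook an import, the check only relocates the problem.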
20100146620Centralized Device Virtualization Layer For Heterogeneous Processing Units - A method for providing an operating system access to devices, including enumerating hardware devices and virtualized devices, where resources associated with a first hardware device are divided into guest physical resources creating a software virtualized device, and multiple instances of resources associated with a second hardware device are advertised thereby creating a hardware virtualized device. First and second permission lists are generated that specify which operating systems are permitted to access the software virtualized device and the hardware virtualized device, respectively. First and second sets of virtual address maps are generated, where each set maps an address space associated with either the software virtualized device or the hardware virtualized device into an address space associated with each operating system included in the corresponding permission list. The method further includes arbitrating access requests from each of the plurality of operating systems based on the permission lists and the virtual address maps.06-10-2010
20090126011APPLICATION SECURITY MODEL - Performing security sensitive operations with an application security model. Security agnostic code is executed. The security agnostic code is identified as not having authorization to perform a security sensitive operation. Executing the security agnostic code includes calling code identified as security safe critical code. In response to the security agnostic code calling the security safe critical code, the security safe critical code is executed. The security safe critical code includes functionality for performing validity checks. Executing the security safe critical code includes performing a validity check for the security agnostic code. When the security agnostic code passes the validity check, code identified as security critical code is called. In response to the security safe critical code calling the security critical code, the security critical code is executed. The security critical code is authorized to perform the security sensitive operation.05-14-2009
20090165127Authorization rights for operational components - Various methods and systems include exemplary implementations for a security-activated operational component. Possible embodiments include but are not limited to obtaining access to an object data file configured to implement various functional operation regarding one or more objects; verifying validity of an authorization code associated with the object data file; and controlling operation of the operational component to enable or prevent its activation pursuant to the authorization code in accordance with one or more predetermined conditions.06-25-2009
20090138966Advanced, self-balancing video multiplexer system - An advanced video multiplexer system designed and optimized for next generation on-demand video distribution is described. The system identifies the multi-program transport stream best able to accommodate new sessions based upon Quality of Service (QoS) and QAM utilization ratios. MPTS channels are rebalanced via re-grouping and transrating as necessary to optimize bandwidth utilization. Multiple video formats are supported via built-in transcoding. The multiplexer manages encryption resources and supports new sessions using previously allocated encryption resources where possible. Sessions can be grouped into encryption channels either by using a single authorization tier per channel policy, or by requiring all clients of the group to be in physically separated service groups. Encryption channels can be released when a channel no longer serves any clients or when one or more other channels that have been assigned the same entitlement can accommodate any remaining clients.05-28-2009
20080320590METHOD AND APPARATUS FOR CREATING SECURED FILE VIEWS IN A SOFTWARE PARTITION - A computer implemented method, apparatus, and computer program product for creating secured file views of a protected file. The process receives a request to access the file, wherein the file is stored in a common location, and wherein the request includes a set of file viewing parameters. The process identifies a callback function associated with the file and calls the callback function with the set of file viewing parameters to form a set of virtual viewing parameters. Thereafter, the process generates a secured file view of the file using the virtual viewing parameters, wherein the secured file view is viewable by a user of an authorized partition.12-25-2008
20090187986AUTHENTICATION SERVER, AUTHENTICATION METHOD AND AUTHENTICATION PROGRAM - Upon receipt of a service use request from a client, an authentication server device reads one or more image information pieces from an image information storage storing multiple image information pieces each containing one or more known symbols, one or more dummy symbols, or both of them, and thereafter creates challenge data using the one or more read image information pieces so that one or more two-dimensional images each containing one or more of the known symbols and one or more two-dimensional images each containing one or more of the dummy symbols can be presented to the user of the client, one image at a time. Upon receipt of response data, the authentication server device judges whether or not the received response data matches the one or more known symbols contained in the challenge data, and approves the service use of the client device if the match is confirmed.07-23-2009
20090031418Computer, method for controlling access to computer resource, and access control program - Provided are: valid state judging means for judging a valid state of an access permission based on the state of an execution environment; an access permission management table specifying an access permission to a computer resource based on the valid state judged by the valid state judging means; and an access control execution environment conducting access control based on the access permission management table.01-29-2009
20090077659Image processing apparatus, session managing method and session managing program - An image processing apparatus, a session managing method, and a session managing program allow an operator to change his or her role flexibly. The image processing apparatus comprises a session managing unit for managing information about an operator who is logged in as a session, and a role determination unit for determining a role of the operator. The session managing unit includes a login session unit that is generated upon login of the operator, and a subject unit that generates information indicating the operator, a group to which the operator belongs, and an existing role of the operator. Upon request for a role change from the operator, the login session unit requests initialization of the subject unit. The subject unit then generates information indicating a role after role change based on the role after role change that is confirmed by the role determination unit.03-19-2009
20090064322Security Process Model for Tasks Within a Software Factory - Security for a software factory is provided by detecting a request by a user to utilize the software factory. Upon being authenticated, the user is granted permission to access specific areas of the software factory. A log is created of locations in software factory that have been accessed by the user. This log is then utilized in an audit that describes how effective the software factory is in creating deliverable software.03-05-2009
20120079590METHOD FOR ENFORCING RESOURCE ACCESS CONTROL IN COMPUTER SYSTEMS - A method and system for enforcing access control to system resources and assets. Security attributes associated with devices that initiate transactions in the system are automatically generated and forwarded with transaction messages. The security attributes convey access privileges assigned to each initiator. One or more security enforcement mechanisms are implemented in the system to evaluate the security attributes against access policy requirements to access various system assets and resources, such as memory, registers, address ranges, etc. If the privileges identified by the security attributes indicate the access request is permitted, the transaction is allowed to proceed. The security attributes of the initiator scheme provides a modular, consistent secure access enforcement scheme across system designs.03-29-2012
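An added example (not the patent's code) of the enforcement step the abstract describes: each transaction carries security attributes that were assigned to its initiator, and an enforcement point looks up the policy for the address being accessed and allows the transaction only when the initiator's attributes cover what that asset requires. The attribute bits, the initiator table, the address map and the default-deny rule for unmapped addresses are my assumptions for the example; the patent does not fix them.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List


class Attr(Flag):
    """Security attributes carried with a transaction (assumed set)."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    SECURE = auto()   # initiator is executing in the secure/trusted mode


@dataclass(frozen=True)
class Transaction:
    initiator: str
    addr: int
    op: Attr          # Attr.READ or Attr.WRITE


@dataclass(frozen=True)
class PolicyEntry:
    start: int        # inclusive
    end: int          # exclusive
    required: Attr    # attributes required in addition to the operation itself


# Attributes are assigned per initiator by the system design (e.g. by the interconnect),
# not taken from a field the initiator's software fills in. Constructed table.
INITIATOR_ATTRS: Dict[str, Attr] = {
    "cpu_secure": Attr.READ | Attr.WRITE | Attr.SECURE,
    "cpu_normal": Attr.READ | Attr.WRITE,
    "dma_engine": Attr.READ,
}

# Access policy per asset range. Constructed map.
POLICY: List[PolicyEntry] = [
    PolicyEntry(0x1000_0000, 0x1001_0000, Attr.SECURE),   # key store registers: secure only
    PolicyEntry(0x2000_0000, 0x3000_0000, Attr.NONE),     # ordinary DRAM
]


def enforce(
    tx: Transaction,
    attrs: Dict[str, Attr] = INITIATOR_ATTRS,
    policy: List[PolicyEntry] = POLICY,
) -> bool:
    """Return True if the transaction may proceed, False if it must be blocked.

    The initiator's attributes must include both the requested operation and
    every attribute the matching policy entry requires; anything outside the
    policy map is denied by default.
    """
    have = attrs.get(tx.initiator, Attr.NONE)
    for entry in policy:
        if entry.start <= tx.addr < entry.end:
            needed = tx.op | entry.required
            return (have & needed) == needed
    return False


if __name__ == "__main__":
    for tx in (
        Transaction("cpu_secure", 0x1000_0010, Attr.WRITE),
        Transaction("cpu_normal", 0x1000_0010, Attr.READ),
        Transaction("dma_engine", 0x2000_1000, Attr.WRITE),
    ):
        print(tx.initiator, hex(tx.addr), tx.op.name, "->", "allow" if enforce(tx) else "deny")
```

The property to verify in a real design is that the attributes are bound to the physical initiator by hardware along the whole path (bus fabric, bridges, DMA controllers), because an attribute that any master can assert on its own is just a request, not a privilege.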
20080263657Control of Media Components in a Session - A method for applying control to a plurality of media components in a media session, comprising determining a level of control for at least one component, and applying the determined level of control to said at least one component.10-23-2008
20110231930INCORPORATING VISUAL ASPECTS TO IDENTIFY PERMISSIONS AND SECURITY LEVELS IN AGGREGATED CONTENT - In one embodiment, a method includes identifying content associated with a composition and at least one authorization associated with a user. The content is a subject of a request for access associated with the user, and is an aggregate of a plurality of sections. The plurality of sections includes a first section with a first authorization level and a second section with a second authorization level that is higher than the first authorization level. The method also includes determining if at least one authorization indicates that the user may access the first section and determining if at least one authorization indicates that the user may access the second section. The first section is portrayed to the user if it is determined that the user may access the first section, and the second section is portrayed to the user if it is determined that the user may access the second section.09-22-2011
20100154054Clustered File System for Mix of Trusted and Untrusted Nodes - A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes.06-17-2010
20090205043INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM - An information processing system includes: storage that stores electronic information in which an operation authority for each of a plurality of users is set in each of a plurality of defined work states; an acceptance unit that accepts an operation request for electronic information stored in the storage, and an operation execution unit that executes an operation for the electronic information of operation object in accordance with the operation authority based on a non-administrator authority of the user in the work state of the electronic information if the operation request based on an administrator authority by the user having the administrator authority and the non-administrator authority for the electronic information is accepted by the acceptance unit.08-13-2009
20090083851SERIALIZED LOCK COMBINATION RETRIEVAL SYSTEMS AND METHODS - Disclosed are embodiments of systems and methods for retrieving combination lock codes in a secure environment. In some embodiments, each of a plurality of combination locks are linked with a serial code. A user may then enter user identity information into a retrieval system. After the system has validated the user identity information, the user may enter a serial code into the system, the serial code associated with a combination lock for which the user would like to retrieve a corresponding combination code. Upon receipt of the serial code from the user, the system may securely transmit a combination code associated with the desired combination lock to the user. In one embodiment, the secure transmission of the combination code is done by sending an electronic mail message to an electronic mail account of the user.03-26-2009
20090222915System and Method for Securely Clearing Secret Data that Remain in a Computer System Memory - A system, method, and program product is provided that initializes a counter maintained in a nonvolatile memory of a security module to an initialization value. The security module receives requests for a secret from requesters. The security module releases the secret to the requesters and the released secrets are stored in memory areas allocated to the requesters. A counter is incremented when the secret is released. Requestors send notifications to the security module indicating that the requestor has removed the secret from the requestor's memory area. The security module decrements the counter each time a notification is received. When the computer system is rebooted, if the counter is not at the initialization value, the system memory is scrubbed erasing any secrets that remain in memory.09-03-2009
20090249479AUTHENTICATION MANAGEMENT METHODS AND MEDIA - A method for managing authentication includes receiving a request at a directory service for authentication from a first of a plurality of users operating a first of a plurality of products, wherein the directory service associates each of the plurality of users with a plurality of roles for each of the plurality of products. The method also includes authenticating the first user utilizing the directory service, wherein the directory service provides a first role associated with the first user and the first product in response to the request.10-01-2009
20090222916EMBEDDED PATCH MANAGEMENT - A method, system and apparatus is provided for embedded patch management. In one embodiment, a method is provided. The method includes receiving a call to a code module. The method further includes checking a guardian stack for indications of authorization. The guardian stack is separate from an execution stack. The method also includes passing the call to an internal code module. Moreover, the method includes executing the code module.09-03-2009
20100005526INFORMATION PROCESSING APPARATUS AND METHOD - An information processing apparatus includes: a positional relation acquisition section that detects a person who is in a predetermined area around a display device and acquires a positional relation between the detected person and the display device; an authentication section that authenticates a person at an authentication position which is a position in the predetermined area; a control section that stores a correspondence between the positional relation and the state of displaying, associates, if a person is authenticated, the authenticated person, a person detected at the authentication position at the time of authentication, and a predetermined right of access, makes a determination as to whether or not the authenticated person has a right of access to the display information displayed, so as to change the correspondence according to the determination, and controls the state of displaying based on the correspondence and the positional relation.01-07-2010
20080307522Data Management Method, Program For the Method, and Recording Medium For the Program - When user data and a program stored in a computer are recorded onto an electronic recording medium by a recording device connected to the computer and carried outside, the recording is limited. The data management program stored in the computer has a function, used when writing data from the computer onto the recording medium, for authenticating a user and preventing a person other than the authorized person from performing the writing. The data management program authenticates whether the user is an authorized person by using a USB memory containing a secret key for authentication.12-11-2008
20080307523Federated ontology index to enterprise knowledge - A method, system, and computer program product for using a federated ontology as an index to enterprise knowledge are provided. The method includes receiving a request for the enterprise knowledge, mapping the request to a concept within the federated ontology, and searching the federated ontology for the concept to identify one or more data sources holding the enterprise knowledge. The method further includes retrieving the enterprise knowledge from the identified one or more data sources as search result data, and returning the search result data.12-11-2008
20100162389PROVIDING PERMISSION TO PERFORM ACTION ON AN ELECTRONIC TICKET - Described are methods and systems related to providing permission to a user to perform an action on a workflow driven ticket. The ticket is accessed to determine an action type to be performed on the ticket and a correlated object associated therewith. A role based permission tuple is determined based upon a role of the user. A ticket based permission tuple is determined by generating a universal permission tuple based upon the action type and generating a dependency map based upon the correlated object. The dependency map is mapped to the universal permission tuple to construct the ticket based permission tuple. The role based permission tuple is supplemented with the ticket based permission tuple, to provide the required permission to execute the action. Upon an execution of the action, the permission is partially revoked, by removing the ticket based permission tuple.06-24-2010
20100186085Method and System to Support Dynamic Rights and Resources Sharing - The invention relates to method for deriving a sub-right from a right, the right comprising a plurality of components, each of which specifies an aspect of the right. A component may be, for example, a principal, an action, a resource, and a condition. The invention also relates to a method for integrating a first right with a second right. Furthermore, the invention relates to a method of sharing rights by deriving a sub-right from a right, allowing use of the sub-right, and integrating the sub-right with the right. In addition, the invention relates to a system to support rights sharing by enabling the derivation of a sub-right from a right, the right comprising plural components each of which specifies an aspect of the right, the system comprising a receiving module for receiving a sub-right, the sub-right comprising plural components each of which specifies an aspect of the sub-right, and a confirmation module for confirming that the values of the components of the sub-right can be derived from the values of the corresponding components of the right. The invention further relates to a method for deriving a sub-right from a pool of rights granted by a grantor to a grantee for controlling use of resources within a computing environment, the computing environment having a mechanism for enforcing rights within the environment to control use of resources in accordance with the rights.07-22-2010
20090077658ARCHIVE OF TEXT CAPTURES FROM RENDERED DOCUMENTS - A facility for storing a text capture data structure for a particular user is described. The data structure comprises a number of entries. Each entry corresponds to a text capture operation performed by the user from a rendered document. Each entry contains information specifying the text captured in the text capture operation.03-19-2009
20090077657SYSTEM AND METHOD OF MANAGING USER ROLES IN AN AUTOMATED WORKFLOW PROCESS - A system and method that enable a user to establish criteria for a plurality of user roles associated with a system of processing an authoring assignment. The system and method may also enable the user to customize the criteria. The system and method may enable a user to assign a role to a user and perform a function on the authoring assignment associated with that role. The system and method may maintain a history of each function performed on the authoring assignment by the user. The roles may enable a user to request, create, modify, approve, reject or publish an authoring assignment or any combination thereof. The system and method may enable a user to modify a role assigned to a user and assign a role to a user based on a function to be performed by that user.03-19-2009
20090077656IMAGE FORMING APPARATUS, IMAGE FORMING SYSTEM, AND CONTROL METHOD OF IMAGE FORMING APPARATUS - An image forming apparatus according to the present invention is an image forming apparatus capable of playing plural roles alone, the image forming apparatus including an authentication database in which association between a user and authentication information of the user is registered, a role management database in which association between the user and the role allocated to the user, association between a department to which a plurality of users belong and the role allocated to the department, and association between the user and the department to which the user belongs are registered, an authenticating unit that performs authentication of the user according to matching between authentication information inputted by the user and the authentication information registered in the authentication database, and a role managing unit that permits, with reference to the role management database, the user authenticated by the authenticating unit to use the role allocated to the user and permits the department to which the user authenticated by the authenticating unit belongs to use the role allocated to the department.03-19-2009
20100235907Authorization Caching In A Multithreaded Object Server - Systems and methods are included for accessing resource objects in a multi-threaded environment. A request is received from a requester to perform an operation with respect to a resource object, where the requested resource object has multiple associations with other objects. A determination as to whether an authorization cache entry corresponding to the requested resource object contains sufficient permission data for granting or denying the request for access to the requested resource object is made. A grant or deny of access to the requested resource object is returned when the authorization cache entry corresponding to the requested resource object contains sufficient permission data.09-16-2010
20090106834SYSTEMS AND METHODS FOR ENHANCING SECURITY BY SELECTIVELY OPENING A LISTENING PORT WHEN AN INCOMING CONNECTION IS EXPECTED - The present solution reduces the attack surface of a server by selectively opening a server port for listening when a client has been authenticated/authorized via another machine or process, and directed to connect to the server in question. When not selectively listening on a port, the server does not listen or open ports for connections or otherwise minimizes the number of open ports. By selectively listening for connections, the server reduces the opportunity for hackers to attack the server process, and improves the security of the server. The ability to selectively listen on a port at specific times may be combined with additional meta information, like ticketing and prior authentication information, to help further secure the server. The meta information may identify and ensure that only the correct remote endpoint is allowed to connect via the port. Instead of first listening for connections and then authenticating and authorizing the received connection as with typical servers, the present solution first authenticates/authorizes a connection via another machine or process, then listens for an expected and authorized connection.04-23-2009
20100050254ASSOCIATING OPERATING SYSTEM NATIVE AUTHORIZATIONS WITH CONSOLE ROLES - Disclosed is a computer implemented method and apparatus to provide authorizations to an administrative user. An integrated solutions console (ISC) receives an administrative user login corresponding to a console administrative user. The ISC presents a list of at least one management task. The ISC presents at least one input interface to a display for an administrative user name and at least one console role. The ISC receives an administrative user name and a console role. The ISC obtains an authorization descriptor that can be used to couple the administrative user name and the console role.02-25-2010
20110067099Multifunction Multimedia Device - A method for interpreting messages, user-defined alert conditions, voice commands and performing an action in response is described. A method for annotating media content is described. A method for presenting additional content associated with media content identified based on a fingerprint is described. A method for identifying that an advertisement portion of media content is being played based on a fingerprint derived from the media content is described. A method of one media device recording particular media content automatically in response to another media device recording the particular media content is described. A method of concurrently playing media content on multiple devices is described. A method of publishing information associated with recording of media content is described. A method of deriving fingerprints by media devices that meet an idleness criteria is described. A method of loading, modifying, and displaying a high definition frame from a frame buffer is described. A method of recording or playing media content identified based on fingerprints is described.03-17-2011
20090320127Approach for Printing Locked Print Data Using User and Print Data Authentication - An approach is provided for printing locked print data using user and print data authentication. The approach is applicable to a wide variety of contexts and implementations and includes the use of bi-directional security measures to ensure a secure transmission of a document to a printer and secure retrieval of the document from the printer by one or more intended recipients. In particular, the bi-directional security measures ensure that: 1) the document is received only by the intended recipient designated by the creator, 2) both the document's creator and the intended recipient are successfully authenticated, 3) the document received by the intended recipient is the document that was created by the creator, and 4) the document received by the intended recipient is identical to the document created by the creator.12-24-2009
20090165124REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN - An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross-site scripting attacks that would allow them to gain access to data from sharing set members.06-25-2009
20090165128Authentication of a Contributor of Online Content - Methods, computer program products and systems are described for online-content management. Online content from multiple contributors is received at one or more first computers for public online display. An authentication score is determined for a contributor of the multiple contributors. The contributor's name and a representation of the contributor's authentication score is published online for display on one or more second computers in association with the online content received from the contributor.06-25-2009
20090038007METHOD AND APPARATUS FOR MANAGING CLIENT REVOCATION LIST - A method and apparatus for managing a client revocation list are provided. The method includes receiving a first client revocation list from a server; and selectively discontinuing an operation of a client, based on the first client revocation list. By doing so, the method and the apparatus can securely control contents.02-05-2009
20100306843IMAGE FORMING APPARATUS AND COMPUTER-READABLE STORAGE MEDIUM FOR COMPUTER PROGRAM - An image forming apparatus includes a first authentication portion performing a first authentication process on a user, a second authentication portion that performs a second authentication process on the user successfully authenticated by the first authentication portion, and thereby determines whether or not the user is permitted to log onto the apparatus, and a cooperative setting portion performing setting therethrough, on a user-by-user basis, whether or not the first authentication process and the second authentication process are performed in combination with each other. If the user for whom setting is performed such that the first authentication process and the second authentication process are performed in combination with each other is successfully authenticated by the first authentication portion, then the second authentication portion determines that the user is to be permitted to log onto the apparatus based on the associated information and ends the second authentication process.12-02-2010
20090070868INFORMATION PROCESSOR, AUTHENTICATION CONTROL METHOD, AND STORAGE MEDIUM - An information processor is disclosed that includes an authentication part configured to authenticate a user based on predetermined information; an information obtaining part configured to obtain first information to be used to authenticate the user from an external device; and an authentication control part configured to cause the authentication part to authenticate the user by inputting information based on the first information to the authentication part as the predetermined information. The information obtaining part is configured to obtain the first information using a program module whose correlation with the information obtaining part is recorded in a recording medium.03-12-2009
20090070867METHOD FOR SECURELY ENABLING DYNAMIC INSTRUMENTATION - A method is provided for securely enabling dynamic instrumentation. The method includes categorizing probes, upon creation, into one or more classes, providing lists of permissions for activating the probes and associating users with the permissions for activating the probes, such that certain users have permissions for activating certain probes. Users are associated with permissions by mapping classes of probes to permissions and mapping users to permissions, mapping classes of users to probes, or mapping users to at least one of classes of probes and classes of capabilities.03-12-2009
20130145460Programmable Customized User Interface for Transport Refrigeration Units - A control device having a graphical user interface for controlling the operation of a transport refrigeration unit is disclosed. The graphical user interface may include a menu structure having multiple levels of menu options, executable functions and data items that may be navigated and viewed by a user. Access to the various menus may be user-specific and controlled so that a subset of the information in the menu structure is available to normal users, and larger subsets of the information are available to advanced users having higher levels of authorization to the menus and information contained in the graphical user interface device. The graphical user interface may also include programmable soft keys that may take users directly to frequently viewed menu options, functions and data items without the necessity of navigating through the levels of the menu structure.06-06-2013
20110035799METHOD AND SYSTEM FOR CHILD AUTHENTICATION - Methods and systems for child authentication are described. In one embodiment, a communication enablement request may be received to enable electronic communications between a first child and a second child. A confirmation acceptance code may be electronically generated. The confirmation acceptance code may be associated with the first child and the second child. The confirmation acceptance code may be received from a parental representative of the second child. The electronic communication may be enabled between the first child and the second child based on the receiving of the confirmation acceptance code from the parental representative of the second child. Additional methods and systems are disclosed.02-10-2011
20110113488ACCESS TO USER INFORMATION - A method may include storing user information associated with a first user, where the user information includes at least two of location information, presence information, address book information or calendar information. The method may also include storing access control information identifying criteria for allowing parties to access the user information and receiving, from a first party, a request for access to at least a first portion of the user information. The method may further include determining, based on the access control information, whether the first party is authorized to access the first portion of the user information and providing access to the first portion of the user information, when it is determined that the first party is authorized to access the first portion of the user information.05-12-2011
20090313695Methods and Systems for Checking Run-Time Integrity of Secure Code - Methods and systems to guard against attacks designed to replace authenticated, secure code with non-authentic, unsecure code and using existing hardware resources in the CPU's memory management unit (MMU) are disclosed. In certain embodiments, permission entries indicating that pages in memory have been previously authenticated as secure are maintained in a translation lookaside buffer (TLB) and checked upon encountering an instruction residing at an external page. A TLB permission entry indicating permission is invalid causes on-demand authentication of the accessed page. Upon authentication, the permission entry in the TLB is updated to reflect that the page has been authenticated. As another example, in certain embodiments, a page of recently authenticated pages is maintained and checked upon encountering an instruction residing at an external page.12-17-2009
20090031419MULTIMEDIA SYSTEM AND SERVER AND METHODS FOR USE THEREWITH - A multimedia server receives a plurality of programs of a multimedia source. The multimedia server includes a tuning module to receive the plurality of programs and to select a set of programs from the plurality of programs based on a set of program select commands that is derived from select requests. A program mixer mixes the set of programs into a stream of program data. One or more transceiving modules transmit the stream of program data on to corresponding communication paths and receive the select requests. A client module produces the select requests for one or more clients. The client module includes a selection module to produce at least one of the select requests. A network interface controller transmits at least one of select requests to the multimedia server and receives the stream of program data via the communication path or paths in response.01-29-2009
20090025081METHOD AND SYSTEM FOR CONFIGURING LOCAL AND REMOTE RESOURCES TO ACCOMPLISH RENDERING OF MULTIMEDIA CONTENT ON DISSIMILAR FORMAT DEVICES BASED ON USER BIOMETRIC DATA - A system and method is provided for communication of information in a wireless mobile communication device (WMCD) configured for network connection, and may include discovering, via the wireless mobile communication device, available communication resources based on acquired biometric data for a user of the WMCD, and communicating multimedia information between the WMCD and one or more of the discovered available resources. The acquired biometric data may include physical and behavioral biometric data to be authenticated and validated by a pattern recognition database. A connection between the WMCD and one or more discovered available resources may be established through linking the acquired biometric data to resources in an available local or remote network. The established connection may enable the WMCD to consume or redirect media from the available resources and may be dynamically adjusted and updated based on dynamic sensing of the acquired biometric data in the available network or available resources.01-22-2009
20090313693METHOD AND SYSTEM FOR GRAPHICAL PASSCODE SECURITY - A method and system for electronic access security uses touches and movements on a touch sensitive surface to determine graphical passcodes that are used in a manner similar to passwords. Graphical passcodes comprise various combinations of swipes, taps or drags on a touchscreen surface as defined by a user. A user's selected graphical passcode is stored in memory for comparison to subsequent entries of graphical passcodes in order to authenticate the user. An envelope may be generated to define a range of acceptable pressure, speed, coordinate positions or other parameters, as a function of time or position, required for passcode authentication. The envelope may be stored in a computer memory and is used to authenticate a user by determining whether an entered graphical passcode falls within the envelope.12-17-2009
20100064365METHOD FOR PASSWORD BASED AUTHENTICATION TRUST GENERATION AND AUTHORIZATION THEREOF - A method and system is provided to authorize a user to access a service of higher trust level. The method includes the steps of defining a first password, assigning a second password to a user, generating a value for each constituent of the second password by operating an exclusivity relationship, calculating the score for the second password by summing the generated values, combining trust levels of multiple users to attain a higher trust level in aggregate, and obtaining access to a service if the aggregated trust level of the users is equal to or more than the predetermined trust level of the service. The present technique provides flexibility of authenticating and authorizing a user to access a service to perform desirable functions thereon. The present technique eliminates the requirement of tokens, pins, dongles, etc., while attaining a higher trust level to perform a task which belongs to a higher trust level.03-11-2010
20100064364Method for Creating Multiple Virtualized Operating System Environments - A method of processing multiple workloads using virtualized operating system environments. The creation of a new user in a global operating system may automatically cause the creation of a working partition (WPAR) instance. The user will be associated with the WPAR instance and a virtualized operating system environment will be created from the global operating system within the WPAR instance. Within the WPAR instance, the user may be assigned a root identification which enables the user to have root access privileges to perform operations or processes that may only be performed by a root user. The removal of a user from the system also results in the deletion of the associated WPAR.03-11-2010
20080256628Security Objects Controlling Access To Resources - Controlling access to resources through use of security objects including creating a security object in dependence upon user-selected security control data types, the security object comprising security control data and at least one security method; receiving a request for access to the resource; receiving security request data; and determining access to the resource in dependence upon the security control data and the security request data. Creating a security object includes storing in the security object a resource identification for the resource; storing in the security object an authorization level of access for the resource; storing in the security object user-selected security control data types; and storing in the security object security control data for each user-selected security control data type. Embodiments include deploying the security object on a security server or on a client device.10-16-2008
20100058466SYSTEMS AND METHODS FOR PROVIDING SECURITY FOR SOFTWARE APPLICATIONS - The described embodiments relate generally to methods and systems for providing computer security. In one embodiment, a security system is provided for use with a core application configured to interact with at least one add-in module, and the add-in module being configured to provide at least one privilege. The security system includes a privilege registry configured to identify the at least one privilege and its corresponding add-in module and a privilege assignments table identifying a privilege assignment type for the at least one privilege and corresponding to at least one assignee.03-04-2010
20100058465SECURE VIRTUAL TAPE MANAGEMENT SYSTEM WITH EARLY READ SUPPORT OPTIONS - A secure virtual tape management system with early read support options. The system includes at least two mainframe hosts having a catalog storing tape related information. A primary virtual tape emulation system includes an adaptor and includes software for facilitating remote configuration and utilization of the virtual tape management. A virtual tape system catalog storing tape related information is attached to the virtual tape management. Remote data storage devices may be in communication with the virtual tape management central processing unit. Software resident on the catalog monitors tape related information on the primary virtual tape emulation system for criteria matching a virtual tape to be made available to a secondary host and initiates immediate transfer of that data allowing it to be read in a paced manner by the secondary host before the primary host has completed its series of tape writes.03-04-2010
20110083178CONTROLLING ACTIVATION OF AN APPLICATION PROGRAM IN AN AUDIO SIGNAL PROCESSING SYSTEM - A user operates a selection switch to instruct temporary activation of an application. For the application whose temporary activation has been instructed, a CPU of a console allocates resources necessary for signal processing by a DSP of an engine and for a parameter editing function of the console. In the DSP, a bypass parameter is set to ON. Thus, there is provided a state capable of accepting various parameter setting operations related to the application, but the signal processing based on the application program is prevented from being started in a substantive manner. In response to a full activation instruction for an application via a full activation instruction switch, the bypass parameter is set to OFF, so that audio signal processing based on the application can be started. In this way, preparatory work for setting parameters related to the application can be performed efficiently.04-07-2011
20120304285CENTRALIZED DEVICE VIRTUALIZATION LAYER FOR HETEROGENEOUS PROCESSING UNITS - A method for providing an operating system access to devices, including enumerating hardware devices and virtualized devices, where resources associated with a first hardware device are divided into guest physical resources creating a software virtualized device, and multiple instances of resources associated with a second hardware device are advertised thereby creating a hardware virtualized device. First and second permission lists are generated that specify which operating systems are permitted to access the software virtualized device and the hardware virtualized device, respectively. First and second sets of virtual address maps are generated, where each set maps an address space associated with either the software virtualized device or the hardware virtualized device into an address space associated with each operating system included in the corresponding permission list. The method further includes arbitrating access requests from each of the plurality of operating systems based on the permission lists and the virtual address maps.11-29-2012
20110072512APPARATUS AND METHOD FOR PROVIDING COMMUNICATION SERVICE USING COMMON AUTHENTICATION - In an environment including a first service providing system and a second service providing system, the first service providing system forwards common authentication information received from a terminal to the second service providing system to perform authentication when the terminal that is located in a service provision area of the first service providing system and has requested connection is a visiting user. The first service providing system makes a connection request to the second service providing system based on the authentication result that is provided from the second service providing system based on the common authentication information. The second service providing system provides the communication service to the terminal by using the resources of the first service providing system.03-24-2011
20110061102License management server, license management method, and computer program product - A license management server connected to an MFP includes an activating unit that, upon receiving an application activation request from the MFP, accesses a license management DB, and, when the number of licenses associated with a product key of the application in the license management DB is one or greater, grants a license for the application to the MFP and cancels the license for the application granted to the MFP upon receiving a deactivation request, and a license managing unit 03-10-2011
20110061103Domain Isolation Through Virtual Network Machines - A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains.03-10-2011
20110061101COMPUTER SYSTEM AND METHOD OF CONTROLLING THE SAME - A computer system that restricts access by an unauthorized user. The computer system preferably includes: a system unit; an identification information storage unit storing user identification information about a user of the computer system; a communication unit communicating with a service server storing user authentication information about the user of the computer system; and a controller receiving the user authentication information corresponding to the user identification information through the communication unit and controlling the system unit to perform a selective operation on the basis of the user authentication information.03-10-2011
20100325724SCOPE MODEL FOR ROLE-BASED ACCESS CONTROL ADMINISTRATION - Architecture that provides centrally located role-based administration where role assignments that are used to calculate scopes for each operation and create a filtered request that only returns objects that the user is allowed to manage. No access checks are needed. The architecture addresses the proliferation of scope definitions by at least creating a set of relative scopes such as that can generically apply to multiple users at once. More specifically, self-relative scopes and absolute scopes are provided.12-23-2010
20120151577Archive of Text Captures from Rendered Documents - A facility for storing a text capture data structure for a particular user is described. The data structure comprises a number of entries. Each entry corresponds to a text capture operation performed by the user from a rendered document. Each entry contains information specifying the text captured in the text capture operation.06-14-2012
20080229413Authorizing Information Flows - Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.09-18-2008
20100077475PARTIAL INSTALLATION BASED ON AVAILABLE PRIVILEGES - Component identifications in a package identify components to be installed and/or components to be uninstalled. Each component has one or more install-uninstall-privilege requirements, namely, credentials that must be available to an installer-uninstaller in order to install-uninstall that component. Individual components and component sets are installed and/or uninstalled based on the privilege requirement(s) and the privilege(s) available to a current user of a target system. If required privilege(s) are not available, notice is given and additional privileges are requested. A user may receive partial functionality from a partially completed installation, and additional components may be installed later as more privileges become available.03-25-2010
20100058464Implementing a Process-Based Protection System in a User-Based Protection Environment in a Computing Device - A computing device having a security model based on user permissions is provided with an ability to emulate a security model based on process capabilities by providing each executable program on the device with a separate user identity.03-04-2010
20090222914SECURITY MANAGEMENT METHOD AND APPARATUS, AND SECURITY MANAGEMENT PROGRAM - According to the present invention, a security management program which is recorded in a computer readable recording medium and is used to control access to target data in accordance with a security level of a device and an access right of a user, comprises a code of a user authentication step of setting the access right of the user with reference to a saved user authentication history when access to an authentication server cannot be made; and a code of a security level setting step of determining a security level of the device in accordance with a state of the device, and saving the determined security level.09-03-2009
20110055919System and Method for the Designation of Items in a Virtual Universe - The present invention enables items in a Virtual Universe to be tagged as available for pickup by one or more designated users. The present invention permits a designated user to be alerted that there is an item designated for that user/avatar and available for pick-up at a location in the Virtual Universe. A user may designate another user (or user's avatar), for example, a minor for whom the designating user has responsibility, as an “item” to be tracked. For privacy and other reasons, this and other features may be implemented on an opt-in basis.03-03-2011
20110055918ACCESS CONTROL MODEL OF FUNCTION PRIVILEGES FOR ENTERPRISE-WIDE APPLICATIONS - Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.03-03-2011
20100319067Method and System for Managing Object Level Security Using an Object Definition Hierarchy - In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy.12-16-2010
20100325725COMPUTER READABLE MEDIUM, METHOD FOR CONTROLLING EXECUTION OF PROCESSING, AND INFORMATION PROCESSING APPARATUS - A computer readable medium storing program causing a computer to execute a process for controlling execution of a processing, the process includes receiving, outputting, and executing. The receiving step receives a first request indicating an execution request of the processing from a user. The outputting step outputs processing correspondence information corresponding to the processing to recording medium when an execution result of the processing at the time of receiving the first request from user to which a first authority is given and a second authority is not given differs from an execution result of the processing at the time of receiving the first request from a user to which the second authority is given in case that the first request is sent from user to which both of the first authority and the second authority are given.12-23-2010
20110258698Tailored System Management Interface - Processes and techniques for tailoring operations management in a system are described. The processes and techniques allow a user to customize operations management based on the user's function within a system and the particular tasks that the user wishes to accomplish. Simplified user interfaces can be created by scoping the interfaces based on user profiles, preferences and system components.10-20-2011
20110072513PROVISIONAL ADMINISTRATOR PRIVILEGES - A system grants “provisional privileges” to a user request for the purpose of provisionally performing a requested transaction. If the provisionally-performed transaction does not put the system in a degraded state, the transaction is authorized despite the user request having inadequate privileges originally.03-24-2011
20110093950PROGRAM-BASED AUTHORIZATION - Techniques which allow definition and enforcement of program-based action authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the program file indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.04-21-2011
20110126281Controlling Resource Access Based on Resource Properties - Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.05-26-2011
20110088091METHODS AND APPARATUS TO MAINTAIN VALIDITY OF SHARED INFORMATION - Example methods and apparatus to maintain validity of shared information are disclosed. A disclosed example method involves receiving a communication requesting an extensible markup language (XML) document from an XML document management client associated with a principal. In addition, the example method involves generating a subset of the XML document for the principal such that validity of the subset is ensured by including all document parts required according to an XML schema despite the principal having access rights to only certain parts of the XML document but not other parts. The other parts are included in the subset without values.04-14-2011
20110138460SYSTEM AND METHOD FOR LOADING APPLICATION CLASSES - In an application, variants of a class may be generated and associated with different security permissions for the application. When a class is to be loaded, a determination is made as to the application's security permissions, e.g. by decoding a security token. The class is then retrieved from a repository that stores class variants matching the required security level. The retrieved class variant, which may have a full or a reduced functionality as appropriate for the security permission may then by loaded.06-09-2011
20100180339SECURITY TOKEN AND SYSTEM AND METHOD FOR GENERATING AND DECODING THE SECURITY TOKEN - The present invention provides a system and method for encoding and decoding security labels utilisable in a computing system. The method for encoding includes, in part, ascribing an integer value to each one of a set of characteristics. Thereafter, to encode a particular security label, the integer values for each of the set of characteristics that describe the label are combined to arrive at a single integer value.07-15-2010
20090300758PROVISIONING SECRETS IN AN UNSECURED ENVIRONMENT - A method and apparatus for generating provisioning data to provision a device are described. A provisioning bundle is validated according to a relationship between a configuration and a bundle sequence number identifying the provisioning bundle. A provisioning request includes a device hardware identifier identifying the device. An authorization for the provisioning request is determined for generating provisioning data including the provisioning bundle personalized by the device hardware identifier for the device.12-03-2009
20090293120ANTI-THEFT METHOD AND APPARATUS WITH WIRELESS TECHNOLOGIES - An anti-theft method to be executed in an active peer, comprising: (a) transmitting radio RF signals to a passive peer to detect whether one of the active peer and the passive peer as a monitored object is in the coverage area of the radio range of the other one of the active peer and the passive peer as a dock; (b) checking whether the monitored object is permitted to leave the dock when detecting that the monitored object is going to leave the area of the dock; (c) sending an alarm signal to an alarm apparatus if the monitored object is not permitted to leave the dock.11-26-2009
20100031351Security-activated production device - Methods and systems for a security-activated production device include but are not limited to obtaining access to an object data file configured to produce one or more objects on the production device; verifying an authorization code associated with the object data file; and controlling operation of the production device to enable or prevent production of the one or more objects pursuant to the authorization code in accordance with one or more predetermined conditions.02-04-2010
20100017876ACCESS CONTROL AND ENTITLEMENT DETERMINATION FOR HIERARCHICALLY ORGANIZED CONTENT - Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control and entitlement determination for hierarchically organized content. In an embodiment of the invention, a method for access control and entitlement determination for hierarchically organized content can be provided. The method can include selecting a node in hierarchically organized content, inferring entitlements for direct descendants of the selected node based upon expressly conferred permissive access rights amongst ancestors and descendants of the selected node and expressly conferred impermissive rights amongst descendants of the selected node. Finally, the method can include applying the inferred entitlements in a view to the hierarchically organized content.01-21-2010
20110138461EXECUTION ENVIRONMENT FILE INVENTORY - A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.06-09-2011
20120060216MEDICAL INFORMATION NAVIGATION ENGINE (MINE) SYSTEM - A method of transacting medical information includes receiving medical information from a medical sources, identifying, mapping, and consolidating the received medical information by a back-end medical processor, providing access to specific relevant data, based on a user's security privileges, within the identified, mapped, and consolidated medical information, based on user-specific functions or roles by a front-end medical processor, and generating user-customized processed medical information to a plurality of users, with at least a portion of the user-customized processed medical information being provided to each of the plurality of users based on its relevancy to each user's specific function or role and each user's associated security privileges.03-08-2012
20120047575SYSTEMS AND METHODS FOR PERFORMING ACCESS ENTITLEMENT REVIEWS - Embodiments of the invention relate to risk assessments and, more particularly to performing access risk assessments based on identified outliers.02-23-2012
20120005748SAFETY CONTROLLER AND METHOD FOR CONTROLLING AN AUTOMATED INSTALLATION - A safety controller for controlling an automated installation has a control unit to which a plurality of control input signals are supplied from the sensors of the installation. The control unit produces a plurality of control output signals on the basis of the control input signals in accordance with a user program running in said control unit in an automatic mode. The plurality of control output signals actuate the actuators. The safety controller also has a diagnosis evaluation unit that ascertains which one of a plurality of operating states is present at a defined instant of time and produces an operating state signal which represents the ascertained operating state. A diagnosis selection unit generates a diagnosis report as a function of the operating state signal and as a function of a user access authorization signal and/or a special operating mode signal. The diagnosis report representing the ascertained operating state thus varies depending on specific circumstances, such as a certain user access authorization or a certain operating mode.01-05-2012
20120011587SYSTEMS AND METHODS FOR ESTABLISHING TRUST BETWEEN ENTITIES IN SUPPORT OF TRANSACTIONS - Systems and methods for determining the identity of entities who meet trust requirements of a privilege grantor include an identity and trust management system including at least one computing device in communication with at least one entity, at least one privilege grantor, and at least one authoritative source. At least one rule is received from the at least one privilege grantor that must be satisfied for the at least one privilege grantor to trust an entity. A database is established of at least one entity with information about the at least one entity. The at least one authoritative source is queried to determine whether at least a portion of the information about the at least one entity is correct. A response is received from the at least one authoritative source as to whether or not the portion of information is correct. The database stores a result of the query without storing data underlying the result. The information stored in the database is compared with the at least one rule to determine if the at least one entity meets the at least one rule. The at least one privilege grantor is notified whether the at least one entity meets the at least one rule based on the comparison, without providing the at least one privilege grantor with either data stored in the database for the at least one entity or the data underlying the result.01-12-2012
20120023575CONTENT MANAGEMENT DEVICE AND CONTENT MANAGEMENT METHOD - A content management device, includes: a folder level access control information storage unit configured to store folder level access control information indicating access rights of a user to a folder where content is stored; an access control unit configured to acquire content level access control information indicating access rights of a user to content, from a predetermined content level access control unit; and a user interface configured to output display data for displaying a hierarchical structure between at least one folder and at least one content stored in the at least one folder, along with information indicating whether or not an inconsistency has occurred in access rights between the folder level access control information of the at least one folder and the content level access control information of the content stored in the at least one folder.01-26-2012
20110099627COMPUTING PLATFORM - The present application describes a computing platform incorporating a trusted entity and storing, in non-volatile memory, one or more indicators, which indicate a current update status of an executable program code, and one or more expected values associated with measurement of the program code, the trusted entity being programmed to update the one or more indicators, by reference to the expected values, in response to a measured change in a current update status of the program code.04-28-2011
20120131667NONDESTRUCTIVE TESTING SYSTEM - A nondestructive testing apparatus includes a display section and a storage section which stores predetermined executable functions. Each of the predetermined functions is initially set to one of a permitted state and a disabled state, and one of a display state and a non-display state on the display section. In an initial state, at least one of the predetermined functions is set to the disabled state and the non-display state. The nondestructive testing apparatus can receive permission information which unlocks at least one of the predetermined functions initially set to the disabled state so as to be set to the permitted state, and unlocks at least one of the predetermined functions initially set in the non-display state so as to be in the display state. The apparatus displays an operation icon only with respect to all of the predetermined functions set to the display state.05-24-2012
20100050253SYSTEM AND METHOD FOR REAL WORLD BIOMETRIC ANALYTICS THROUGH THE USE OF A MULTIMODAL BIOMETRIC ANALYTIC WALLET - A system and method for real world biometric analytics through the use of a multimodal analytic wallet. The system includes a biometric wallet comprising a pervasive repository for storing biometric data, the pervasive repository including at least one of a biometric layer, a genomic layer, a health layer, a privacy layer, and a processing layer. The biometric wallet further comprises a biometric analytic interface configured to communicate the biometric data to one or more devices.02-25-2010
20100050252ROLE NAVIGATION DESIGNER AND VERIFIER - Systems and methods are provide for providing role navigation design and verification. An embodiment includes displaying user interface having at least one secured element, identifying a first privilege needed for access the secured element, and associating the privilege with a role, whereby a user having the role may access the at least one secured element.02-25-2010
20100275260Deterministic Serialization of Access to Shared Resource in a Multi-Processor System for code Instructions Accessing Resources in a Non-Deterministic Order - Managing access to resources shared among multiple processes within a computer system. Multiple program instances of an application are almost simultaneously executed on multiple processors for fault tolerance. The replication solution supports the recording and subsequent replay of reservation events granting the shared resources exclusive access rights to the processes, when one program code instruction may request access to a set of shared resources in a non-deterministic order.10-28-2010
20090106835METHOD AND APPARATUS FOR PROTECTING SENSITIVE INFORMATION ON A PUBLICLY ACCESSED DATA PROCESSING SYSTEM - The illustrative embodiments described herein provide a computer implemented method, apparatus, and computer program product protecting sensitive information on a data processing system. A determination is made as to whether a data processing system is publicly accessed. Responsive to determining that a data processing system is publicly accessed, the system identifies sensitive information. The data processing system monitors for the presence of sensitive information. Responsive to detecting the presence of the sensitive information, the system presents a warning to a user of the data processing system.04-23-2009
20090038005PRIVILEGE-BASED ACCESS SYSTEM - In one embodiment, an apparatus comprises a network interface system and a logic system. The network interface system comprises at least one network interface. The logic system comprises at least one logic device configured to do the following: receive, via the network interface system, task indications that a first person has completed predetermined tasks; ascertain points to award for the predetermined tasks; receive, via the network interface system, an access request to access identified content; determine a number of points required for granting the access request; determine a number of points currently available to the first person; determine whether to grant the access request; and send, via the network interface system, a message to a device indicating whether to grant the access request.02-05-2009
20090019543SYSTEM AND METHOD FOR ENCODING AND DECODING DATA AND REFERENCES TO DATA IN MACHINE-READABLE GRAPHICAL CODES - A system for decoding machine-readable graphical codes is provided. The system includes a graphical code reading device configured to read a graphical code and generate reference encoded source data. The reference encoded source data includes a first reference identifier and a second portion. The system also includes a computing device in electronic communication with the graphical code reading device. The computing device also includes a reference decoder configured to effect conversion of the reference encoded source data into source data. The source data includes first affiliated data in place of the first reference identifier. The first affiliated data may be longer in length than the first reference identifier. The source data also includes the second portion. The computing device also includes a software application configured to use the source data.01-15-2009
20090019542METHOD AND SYSTEM FOR INTELLIGENT ROUNTING BASED ON PRESENCE DETECTION - A message, which is to be routed to one of a plurality of authorized parties comprising a first authorized party and a second authorized party, is received by a routing system. A Web service is polled to detect for a presence of the first authorized party. After determining that the presence of the first authorized party remains undetected over an allocated time interval, the Web service is polled to detect for a presence of the second authorized party. In response to detecting the presence of the second authorized party, the message is routed to an active communication device associated with the second authorized party.01-15-2009
20110126282System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies - Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.05-26-2011
20080301805METHODS OF COMMUNICATING OBJECT DATA - In an embodiment, a method of communicating an object data is provided. The method comprises receiving the object data from a first medical information system at a second medical information system, checking for an authorization for a user of the second medical information system to view the object data and displaying the object data upon finding the authorization. The method further comprises de identifying the object data upon not finding the authorization for the user and displaying the de identified object data at the second medical information system.12-04-2008
20120266239AUTHORIZED DATA ACCESS BASED ON THE RIGHTS OF A USER AND A LOCATION - Access to files is properly granted regardless of whether an accessing user is located at their primary location or at any “roaming” location. In particular, the techniques herein consider the user rights, rights of any computer from which the user is accessing files, and the rights associated with the files themselves, such as by determining the User ∩ Computer intersection of access rights (an overlap between rights of the user and rights of the computer), and applying these access rights to file rights (e.g., file metadata) to determine what access the user has to the files (e.g., viewing, modifying, etc.).10-18-2012
20120240224SECURITY SYSTEMS AND METHODS FOR DISTINGUISHING USER-INTENDED TRAFFIC FROM MALICIOUS TRAFFIC - Security systems and methods distinguish user-intended input hardware events from malicious input hardware events, thereby blocking resulting malicious output hardware events, such as, for example, outgoing network traffic. An exemplary security system can comprise an event-tracking unit, an authorization unit, and an enforcement unit. The event-tracking unit can capture a user-initiated hardware event. The authorization unit can analyze a user interface to determine whether the input hardware event should initiate outgoing hardware events and, if so, to create an authorization specific to the outgoing event initiated by the input event. This authorization can be stored in an authorization database. The enforcement unit can monitor outgoing hardware events and block the outgoing events for which no authorization matching the outgoing events are found in the authorization database.09-20-2012
20080289036TIME-BASED CONTROL OF USER ACCESS IN A DATA PROCESSING SYSTEM INCORPORATING A ROLE-BASED ACCESS CONTROL MODEL - Computer implemented method, system and computer usable program code for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model. A computer implemented method for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model includes providing at least one timing attribute for a role, wherein each at least one timing attribute specifies a timing condition by which a user is enabled to use the role. The user is enabled to use the role pursuant to satisfying the at least one timing attribute.11-20-2008
20110239293AUDITING ACCESS TO DATA BASED ON RESOURCE PROPERTIES - Described is a technology, such as implemented in an operating system security system, by which a resource's metadata (e.g., including data properties) is evaluated against an audit rule or audit rules associated with that resource (e.g., object). The audit rule may be associated with all such resources corresponding to a resource manager, and/or by a resource-specific audit rule. When a resource is accessed, each audit rule is processed against the metadata to determine whether to generate an audit event for that rule. The audit rule may be in the form of one or more conditional expressions. Audit events may be maintained and queried to obtain audit information for various usage scenarios.09-29-2011
20120090024METHOD AND SYSTEM FOR QUALIFICATION OF AN ELEMENT - The invention relates to a method and a system for creating and qualifying one or more elements, such as multimedia content or, more generally, a performance by an author. The invention more particularly aims at associating a qualification level with an element so that a consultation work can be available, as regards relevance, robustness, skills and authorisation, and thus a degree of objective reliability can be granted to said element. Preferably, the invention relates to the generation of a bank of elements such as questions for television or radio quiz shows, on-line games, etc.04-12-2012
20120102567Hybrid System Implementing Distinct and Co-existing Application Execution Environments and Methods for Implementing the Same - A hybrid system is provided. The system includes a computing device implementing a first application execution environment (AEE) and a second AEE. The first AEE is configured to be isolated from the second AEE. The first software application associated with the first AEE is configured to be processed on the first AEE such that the first software application is denied direct access to the second AEE. A second software application associated with the second AEE is configured to be processed on the second AEE such that the second software application is denied direct access to the first AEE.04-26-2012
20130014252PORTABLE COMPUTER ACCOUNTS - User accounts, authentication information and user home directories are stored on an external storage media that can be transferred from one device to another. Measures are included for detecting tampering of stored information and for preventing possibly conflicting or damaging account and file information from entering a host device.01-10-2013
20080250495AUTHENTICATION PROCESSING APPARATUS, AUTHENTICATION PROCESSING METHOD, RECORDING MEDIUM STORING AUTHENTICATION PROCESSING PROGRAM, RECORDING MEDIUM STORING INFORMATION PROCESSING PROGRAM AND INFORMATION PROCESSING SYSTEM - An authentication processing apparatus, which includes: an authentication processing section that performs authentication using an authentication method selected from authentication methods provided; a storage section that stores authentication information indicating whether or not the authentication succeeds; a determination section that, when an operation on electronic information associated with one or more authentication methods is performed, determines whether the operation on the electronic information is permitted or not, on the basis of the one or more authentication methods associated with the electronic information and the stored authentication information; and an authentication request section that, when the determination section determines that the operation on the electronic information is not permitted, detects from among the one or more authentication methods associated with the electronic information an authentication method for which it is not indicated in the authentication information that an authentication succeeds, and requests the authentication using the detected authentication method.10-09-2008
20080229412Associating Security Information with Information Objects - A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.09-18-2008
20080222722Method and Apparatus for Sequential Authentication Using One or More Error Rates Characterizing Each Security Challenge - Methods and apparatus are provided for sequential authentication of a user that employ one or more error rates characterizing each security challenge. According to one aspect of the invention, a user is challenged with at least one knowledge challenge to obtain an intermediate authentication result; and the user challenges continue until a cumulative authentication result satisfies one or more criteria. The intermediate authentication result is based, for example, on one or more of false accept and false reject error probabilities for each knowledge challenge. A false accept error probability describes a probability of a different user answering the knowledge challenge correctly. A false reject error probability describes a probability of a genuine user not answering the knowledge challenge correctly. The false accept and false reject error probabilities can be adapted based on field data or known information about a given challenge.09-11-2008
20080222721DIGITAL MULTIPLE APPARATUS - Authentication data is read when a digital multiple apparatus main body starts, it is authenticated whether the authentication data read is regular authentication data, a printing operation is permitted if the authentication data read is the regular authentication data, and print data is printed with information on at least the authentication data and date and time information of printing added to the print data.09-11-2008
20120254992Providing greater access to one or more items in response to determining device transfer - A computationally implemented method includes, but is not limited to: determining that a computing device associated with a first user and that was in possession of a second user has been transferred from the second user to the first user; and providing at least greater access via the computing device to one or more items in response to determining that the computing device has been transferred from the second user to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.10-04-2012
20120254991Access restriction in response to determining device transfer - A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; and restricting access via the computing device to one or more items in response to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.10-04-2012
20130091565Access Control for Electrical Charging Stations - A method for access control and session control of electrical producers and/or consumers in accessible energy transfer units is provided, wherein the producer or the consumer is authenticated and authorized at the energy transfer unit, and producer- or consumer-specific data are forwarded by the energy transfer unit to an energy provider after authentication and authorization of the producer or the consumer. A temporarily-valid session token is generated for the control of the energy transfer by the energy provider, and forwarded to the energy transfer unit and the producer or the consumer. Electrical energy is transferred between the energy transfer unit and the producer or the consumer, wherein in a defined time interval during the energy transfer process the session token is sent at least once by the energy transfer unit to the producer or the consumer and from the producer or the consumer to the energy transfer unit.04-11-2013
20110314540PREVENTING ABUSE OF SERVICES THROUGH INFRASTRUCTURE INCOMPATIBILITY - Spammers, and other abusers of web services, may be deterred in their attempts to sign up for these services at large scale by making changes to the service registration procedure, where the changes are designed to break the spammer's infrastructure. In one example, a procedure to register for a web service involves presenting a Human Interaction Proof (HIP, or “captcha”) to the user, and gating access to the service upon receipt of a correct solution. If spammers use botnets and/or image capture techniques to initiate registration processes and to transport the HIPs to human or automated solvers, then the registration procedure can be changed in a way that is incompatible with capturing these images, or in a way that is incompatible with receiving HIP solutions from someplace other than the location at which registration was initiated.12-22-2011
20130125234IMAGE FORMING APPARATUS, IMAGE FORMING APPARATUS CONTROL METHOD, AND STORAGE MEDIUM STORING PROGRAM - The history of the output destination of a job is displayed, and selection of a send destination in the history by a user is accepted. It is determined whether the user has an authority to register the selected send destination in a database in which output destination candidates used when executing a job are registered. If it is determined that the user has the authority, an acceptance display is presented to be able to accept an instruction of registration of the send destination in the database.05-16-2013
20080209549COMPUTER READABLE MEDIUM, DOCUMENT PROCESSING APPARATUS, DOCUMENT PROCESSING SYSTEM, DOCUMENT PROCESSING METHOD, AND COMPUTER DATA SIGNAL - A computer readable medium storing a program causing a computer to execute a process for document processing, the process includes: receiving image data obtained by, with an image reading apparatus, reading a document of a predetermined format in which contents of an electronic document stored in a storage portion while being associated with identification information, the identification information, and an entry for additional information are arranged; extracting entered additional information from the entry area of the received image data; and correlating the extracted additional information with an electronic document associated with the identification information.08-28-2008
20130152194SYSTEM, METHOD AND SOFTWARE FOR CONTROLLING ACCESS TO VIRTUAL MACHINE CONSOLES - A system and method for controlling access to virtual machine consoles. The system includes a console access controller configured to register an owner to a virtual machine to open a defined limit of consoles and capture the defined limit of consoles. An image console control is configured to receive a request to check-out one or more of the captured consoles in one of an exclusive mode and a shared mode and determine whether the check-out request was made by the owner. The console access controller is further configured to open the one or more captured consoles in the exclusive mode to the owner if the check-out request is made by the owner and to recapture the one or more consoles in response to a check-in request from the owner.06-13-2013
20100287612Method for resource and admission control - The present invention discloses a method for resource and admission control, which relates to the communication field. The method of the present invention includes the following steps: during the process of the service authorization of resource and admission control in the PULL mode, the policy decision function entity (PD-FE) performs the QoS resource authorization for the service request, then informs the Policy Execute Function Entity (PE-FE) of the authorization information of the authorized service flow; after the PE-FE receives the authorization information, the association relationship between the PD-FE and the authorization information of the authorized service flow is established; during the process of resource reservation of the authorized service flow initiated by the Customer Premises Equipment (CPE), the PE-FE selects the PD-FE according to the above mentioned corresponding relationship, and interacts with the PD-FE. The method of the present invention enables the PE-FE or TRC-FE, after receiving the resource reservation request of a service flow, to select the PD-FE that authorized that service flow and to carry out the resource reservation request process with it.11-11-2010
20100299751MICROCOMPUTER HAVING A PROTECTION FUNCTION IN A REGISTER - A control unit controls execution of an instruction according to a decode result of an instruction code. A GRA register stores an access attribute for each of the plurality of general-purpose registers. A mode storage unit stores modes for controlling an operation of a CPU. When the control unit makes a request for access to a general-purpose register, a register access allowance determining circuit determines whether the access to the general-purpose register in question is to be allowed or not, depending on the access attribute stored in the GRA register and the mode stored in the mode storage unit. Therefore, the number of general-purpose registers usable in each mode can be changed, and efficiency of use of the general-purpose registers can be optimized.11-25-2010
20100319068METHOD AND SYSTEM FOR PERFORMING DELEGATION OF RESOURCES - A method for performing delegation of resources, in particular services, wherein a user—resource owner—has access to a resource offered by a service provider and wherein the resource is delegated to at least one other user—delegate—by using delegation credentials, is characterized in that the method includes the steps of defining authorization rules for the delegate regarding resource access restrictions and registering the authorization rules at an identity provider thereby employing the delegation credentials, performing an authentication of the delegate at the service provider, and performing an authorization of the delegate at the identity provider based on the authorization rules. Furthermore, a corresponding system is disclosed.12-16-2010
20130160114INTER-THREAD COMMUNICATION WITH SOFTWARE SECURITY - A circuit arrangement and method utilize a process context translation data structure in connection with an on-chip network of a processor chip to implement secure inter-thread communication between hardware threads in the processor chip. The process context translation data structure maps processes to inter-thread communication hardware resources, e.g., the inbox and/or outbox buffers of a NOC processor, such that a user process is only allowed to access the inter-thread communication hardware resources that it has been granted access to, and typically with only certain types of authorized access types. Moreover, a hypervisor or supervisor may manage the process context translation data structure to grant or deny access rights to user processes such that, once those rights are established in the data structure, user processes are permitted to perform inter-thread communications without requiring context switches to a hypervisor or supervisor in order to handle the communications.06-20-2013
20110314541Integrated Circuit, Method and Electronic Apparatus - An integrated circuit having a first security operation state arranged for utility operation, and a second security operation state arranged for test operation is disclosed. In the second security operation state, a first set and a second set of objects are available, while a third set of objects are unavailable. In the first security operation state, the third set of objects is available with authorization by a security mechanism of the first security operation state. The third set of objects is made unavailable by logic circuitry of the integrated circuit, when operating in the second security operation state, by the logic circuitry being arranged to control limited operation of parts of the integrated circuit comprising the third set of objects when operating in the second security operation state such that bypassing of the security mechanism of the first security operation state is disabled. An electronic apparatus utilising such an integrated circuit, and a method are also disclosed.12-22-2011
20110321159Dynamic Management of Role Membership - A method and system for dynamically managing entity membership in a role, using role configurations that comprise one or more dynamic role filters, which are linked to data sources such as databases or web services. The role filters are dynamic because, each time a role membership is queried, the role configuration and its component role filters must be evaluated with respect to the current information in the linked data sources. The roles may be used in role-based access control systems or entity identification systems.12-29-2011
20120030756User Permissions In Computing Systems - A system and method of verifying accuracy of permission and access levels in a mainframe system are presented. The system and method may include receiving a plurality of records including a user identifier and an associated access level. The access level in the record may be matched (e.g., the access level on the stored record must be less than or equal to the access on the new system to “pass” the test) to the access level in a mainframe system. If the access levels match, the access level may be stored in the mainframe system. If the access levels do not match, the record may be flagged and correction of the inconsistency may be performed.02-02-2012

Patent applications in class Authorization