WO2012173599A1 - System and method for controlling access - Google Patents

Publication number
WO2012173599A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
decision support
access
support system
current
Application number
PCT/US2011/040304
Other languages
French (fr)
Inventor
Siani Pearson
Marco Casassa Mont
Peter J. REID
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.
Priority to PCT/US2011/040304
Publication of WO2012173599A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209: Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Abstract

One example provides an access control system to enable or disable admittance to a computer system based on an access request. A decision support system is provided to augment control decisions determined by the access control system, wherein the decision support system analyzes a contextual input to enable or disable the admittance to the computer system.

Description

SYSTEM AND METHOD FOR CONTROLLING ACCESS
BACKGROUND
[0001] Access control is a system which enables an authority (e.g., computer) to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally observed as the second layer in the security of a physical structure.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] FIG. 1 illustrates an example of a decision support access control system.
[0003] FIG. 2 illustrates an example of a system for decision support access control and associated databases.
[0004] FIG. 3 illustrates an example of a decision support system.
[0005] FIG. 4 illustrates an example of an access control system.
[0006] FIG. 5 illustrates a flowchart of an example method for decision support access control.
[0007] FIG. 6 illustrates an example of a computer system that can be employed to implement the systems and methods illustrated in FIGS. 1-5.
DETAILED DESCRIPTION
[0008] FIG. 1 illustrates an example of a decision support access control system 100. The system 100 includes computer readable instructions that provide functionality for enabling or disabling access to a computer system 110. In one example, this includes a computer readable medium 120 comprising computer readable instructions. Such instructions can include an access control system 130 to enable or disable admittance to a computer system 110 based on an access request 140 (or requests) from a requestor. A decision support system 150 is provided to augment control decisions determined by the access control system 130, where the decision support system analyzes a current contextual input 160 (or inputs) associated with the requestor to enable or disable the admittance to the computer system 110. For example, the access control system 130 may analyze items such as passwords that are submitted via the access request 140 and submitted by the requestor or user of the system. The decision support system 150 may further analyze the contextual input 160 to determine whether or not access can be granted to the computer 110. In this example, contextual input 160 refers to a user's current situation or circumstances as they relate at the time of the request. Thus, a question relating to a requestor's mother's maiden name does not relate to current context or circumstance but rather a past event, whereas a question relating to the requestor's current country, citizenship, age, ID numbers such as passport or license numbers, or other current information, for example, helps to establish relevant context for the decision support system 150 that can be employed to enable or disable entry to the computer at 110.
[0009] As will be described in more detail below with respect to FIG. 2, the access control system 130 can employ a policy to enable or disable admittance to the computer system 110. Also, the decision support system 150 can employ a decision support database (See FIG. 2) that stores rules and questionnaires, for example, to analyze the contextual input 160. The decision support database can include legal or legislative data, business constraint data, or security constraint data, for example. Other components of the access control system 130 include a policy enforcement point to generate the contextual input 160 for the decision support system 150. This can also include a policy decision point to facilitate redirection of the decision support system 150 in case of failure to the access request 140. As will be described in more detail below, other components may include an audit log to facilitate context determinations for the decision support system 150 which can also access a personal database to store confidential information of a user, wherein the confidential information is further processed to determine context for the decision support system. In another example, the decision support system 150 can generate questions or requests for information to further analyze a user's context. The decision support system 150 can also analyze a user's access purposes, contractual terms, or contractual conditions in order to enable or disable admittance to the computer system 110.
[0010] In general, there is a desire to enhance traditional access control mechanisms within a range of service delivery models to facilitate that individual user needs and context-dependent legal and business requirements are taken into account. Furthermore, some of the required information utilized for access control decisions may not be immediately available or known or contemplated beforehand. The system 100 addresses these issues by introducing real-time accountability and complementing access control solutions with a decision support system 150.
[0011] For purposes of simplification of explanation, in the present example, different components of the system 100 are illustrated and described as performing different functions. However, one of ordinary skill in the art will understand and appreciate that the functions of the described components can be performed by different components, and the functionality of several components can be combined and executed on a single component. The components can be implemented, for example, as software (e.g., computer executable instructions), hardware (e.g., an application specific integrated circuit), or as a combination of both (e.g., firmware). In other examples, the components could be distributed among remote devices across a network as described in more detail below with respect to FIG. 2.
[0012] FIG. 2 illustrates an example of a system 200 for decision support access control and associated databases. The system 200 includes a processing unit 210 (or processor) that executes instructions from a memory 214 that includes firmware or other storage media for storing computer executable instructions associated with a computer. The processing unit 210 and memory 214 can be provided as part of a hybrid tool that includes a decision support system 220 that is associated with components of an access control system as described in more detail below. For data access requests where there is 'missing information' or information that requires additional validation, the decision support system (DSS) 220 can be triggered to gather additional context that is utilized before an automated decision can be performed. As described previously, context is related to a user or requestor's current condition or circumstance or situation, where automated questions can be queried by the decision support system 220 to determine such current conditions.
[0013] The DSS 220 can be used in order to allow (e.g., strongly) authenticated people to access protected resources by holding them accountable for statements and information they provide in order to access such resources. An end user at interface 224 requests access at 226 to a resource via a Policy Enforcement Point (PEP) 230. The PEP 230 intercepts this access request 226 and redirects it to a Policy Decision Point (PDP) 234. By making an access control decision that may also consider current business, contractual and regulatory rules, an automated result (e.g., access granted or denied) can be reached.
[0014] The overall process flow is shown in the system 200 where administrators or managers at 240 may vouch for credentials/assertions, where these statements and the end users' statements can be audited at 244 to facilitate accuracy and enterprise compliance. The DSS 220 can create awareness of what needs to be satisfied to receive access and can require the user to make statements (e.g., regarding current context), in addition to collecting credentials or other information from various sources.
[0015] The DSS 220 can be driven by a set of rules 250 with exception management and strong tracking of authenticated users' statements by means of auditing and checking at the audit log 244. A context 260 can be output by the PDP 234 to the DSS 220 for further interactions, where exception management can involve discretionary statements made by users or by administrators. The circumstances where these can occur can be covered by policies 270. Also, shown is a personal data and confidential information store 280 that can be processed by the PEP 230 to further determine current contextual conditions of the user or requestor.
[0016] In one aspect, the system 200 includes the memory 214 for storing computer executable instructions associated with a computer. This includes the processing unit 210 for accessing the memory 214 and executing the computer executable instructions. The computer executable instructions can include the decision support system 220 to process a current contextual input to determine access to a computer system. The policy enforcement point 230 is provided to process access requests 226 to the computer system and to issue grants or to deny access to the computer system based on the current contextual input. The policy decision point 234 is provided to redirect control to the decision support system in the event of a denial of access to the computer system. The decision support database 250 stores rules and questionnaires to analyze the current contextual input, wherein the decision support database includes legal or legislative data, business constraint data, or security constraint data. The audit log 244 is employed to facilitate context determinations for the decision support system 220. The personal database 280 is provided to store confidential information of a user, wherein the confidential information is further processed to determine current context for the decision support system 220, wherein the decision support system generates questions or requests for information to further analyze a user's current context.
[0017] FIGS. 3 and 4 are now provided to illustrate example details of the decision support system 150 and access control system 130 depicted in FIG. 1. FIG. 3 illustrates an example of a decision support system 300 and is related to the decision support system 150 depicted in FIG. 1. As shown, contextual input 310 is processed by a decision support system 320 (DSS). Such input 310 can include answers to questions that are generated by the decision support system 320 to determine a requestor's current context or condition. After processing the contextual input 310, the decision support system 320 generates an automated decision 330 that is applied to augment access control decisions of a decision support system that is described in more detail below with respect to FIG. 4.
[0018] In general, the decision support system (DSS) 320 is a computer-based information system that supports business or organizational decision-making activities. The DSS 320 serves the management, operations, and planning levels of an organization and helps to make decisions, which may be rapidly changing and not easily specified in advance via policy or hard-coded rules. Thus, in this example, the DSS 320 can be associated with an access control system (described in FIG. 4) in order to grant or deny access to a computer system based on a user's present context. The DSS 320 also includes knowledge-based systems. Thus, the DSS 320 can be an interactive software-based system to help decision makers compile useful information from a combination of raw data, documents, personal knowledge, or business models to identify and solve problems and make decisions regarding access and current context. As noted, in the example, the acquired knowledge of the DSS 320 can be employed to augment or assist access control decisions at 330.
[0019] FIG. 4 illustrates an example of an access control system 400 such as related to the access control system depicted at 130 of FIG. 1. In this example, the access control system 400 is illustrated with two main functional blocks. A policy enforcement point 410 (PEP) and a policy decision point 420 (PDP) may be provided as previously described with respect to FIG. 2. As noted previously, other components that are not illustrated may also be provided and these may include policy and personal data stores in addition to interfaces for accessing the access control system 400, for example. Access control systems 400 provide the essential services of identification and authentication (I&A), authorization, and accountability where: identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did. As can be appreciated, other functions can also be served by the access control system 400 (e.g., coordinating with decision support system to perform joint security or access decision based on determined current contextual conditions).
[0020] FIG. 5 illustrates an example method 500 for decision support access control. It is noted that such method 500 can be automatically executed by one or more computer systems. At 510, the method 500 includes processing a request to access a computer system. As described previously, such initial processing can be provided by an access control system where initial authentication or authorization may occur (e.g., password exchange). At 520, the method includes analyzing a policy to access the computer system in conjunction with the request. Such policy analysis could occur at a policy decision point, where further data may be employed to gather other data from the requestor such as current contextual data, for example. At 530, the method includes requesting a current user context associated with the policy before granting the access to the computer system. As described previously, such current context can be determined by a decision support system for example, where queries are sent to the requestor and analyzed in substantially real-time to enable or deny access to the requestor.
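The flow of paragraphs [0013]-[0016] and of method 500 can be sketched as follows; this is an added illustration, not code from the patent. The function names, the constructed rule set, the injected `ask` callable, and the hash chaining of the audit log are all assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed rule set standing in for the decision support database (250):
# per resource, the current-context attributes required, the question the DSS
# asks for each, and the values the policy accepts.
RULES = {
    "export-controlled-designs": {
        "current_country": {"question": "Which country are you in right now?",
                            "allowed": {"US", "GB"}},
        "access_purpose": {"question": "What is the purpose of this access?",
                           "allowed": {"contract-delivery", "audit"}},
    },
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class AuditLog:
    """Audit log (244). Hash chaining is an assumption added so that edits to
    recorded statements are detectable; the patent only requires auditing."""
    entries: list = field(default_factory=list)

    def record(self, user, event, detail):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"user": user, "event": event, "detail": detail, "prev": prev}
        self.entries.append({**body, "digest": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("user", "event", "detail", "prev")}
            if e["prev"] != prev or e["digest"] != _digest(body):
                return False
            prev = e["digest"]
        return True

def pdp_decide(resource, authenticated, context):
    """Policy decision point (234): returns (decision, missing attributes)."""
    rules = RULES.get(resource)
    if not authenticated or rules is None:
        return "deny", []          # default deny; no questions are revealed
    missing = [attr for attr in rules if attr not in context]
    if missing:
        return "need_context", missing
    ok = all(context[attr] in rule["allowed"] for attr, rule in rules.items())
    return ("permit" if ok else "deny"), []

def dss_collect(user, resource, missing, ask, audit):
    """Decision support system (220): ask for current context and record each
    statement so the authenticated user is accountable for it."""
    statements = {}
    for attr in missing:
        answer = ask(RULES[resource][attr]["question"])
        audit.record(user, "statement", {"attribute": attr, "answer": answer})
        statements[attr] = answer
    return statements

def pep_handle(user, resource, authenticated, ask, audit, known_context=None):
    """Policy enforcement point (230): intercept the request (510), obtain a
    policy decision (520), gather current context if needed (530), enforce."""
    context = dict(known_context or {})
    audit.record(user, "request", {"resource": resource})
    decision, missing = pdp_decide(resource, authenticated, context)
    if decision == "need_context":
        context.update(dss_collect(user, resource, missing, ask, audit))
        decision, _ = pdp_decide(resource, authenticated, context)
    audit.record(user, "decision", {"resource": resource, "decision": decision})
    return decision == "permit"

if __name__ == "__main__":
    log = AuditLog()
    answers = {"Which country are you in right now?": "GB",
               "What is the purpose of this access?": "audit"}
    print(pep_handle("alice", "export-controlled-designs", True, answers.get, log))
    print(log.verify())
```

The statements collected by the DSS are self-asserted, so the control rests on prior authentication plus the audit trail; an unauthenticated request is denied before any questionnaire is issued.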
[0021] FIG. 6 is a schematic block diagram illustrating an example system 600 of hardware components capable of implementing examples disclosed in FIGS. 1-5. The system 600 can include various systems and subsystems. The system 600 can be a personal computer, a laptop computer, a workstation, a computer system, an appliance, an application-specific integrated circuit (ASIC), a server, a server blade center, a server farm, a mobile device, such as a smart phone, a personal digital assistant, and so forth.
[0022] The system 600 can include a system bus 602, a processing unit 604, a system memory 606, memory devices 608 and 610, a communication interface 612 (e.g., a network interface), a communication link 614, a display 616 (e.g., a video screen), and an input device 618 (e.g., a keyboard and/or a mouse). The system bus 602 can be in communication with the processing unit 604 and the system memory 606. The additional memory devices 608 and 610, such as a hard disk drive, server, stand-alone database, or other non-volatile memory, can also be in communication with the system bus 602. The system bus 602 operably interconnects the processing unit 604, the memory devices 606-610, the communication interface 612, the display 616, and the input device 618. In some examples, the system bus 602 also operably interconnects an additional port (not shown), such as a universal serial bus (USB) port.
[0023] The processing unit 604 can be a computing device and can include an application-specific integrated circuit (ASIC). The processing unit 604 executes a set of instructions to implement the operations of examples disclosed herein. The processing unit can include a processor core.
[0024] The additional memory devices 606, 608 and 610 can store data, programs, instructions, database queries in text or compiled form, and any other information that can be needed to operate a computer. The memories 606, 608 and 610 can be implemented as computer-readable media (integrated or removable) such as a memory card, disk drive, compact disk (CD), or server accessible over a network. In certain examples, the memories 606, 608 and 610 can comprise text, images, video, and/or audio.
[0025] Additionally, the memory devices 608 and 610 can serve as databases or data storage. Additionally or alternatively, the system 600 can access an external system (e.g., a web service) through the communication interface 612, which can communicate with the system bus 602 and the communication link 614.
[0026] In operation, the system 600 can be used to implement, for example, a client computer, a printer server, and at least some components of printers that can be employed in a system that manages a print job. Computer executable logic for implementing the system 600 can reside in the system memory 606, and/or in the memory devices 608 and/or 610 in accordance with certain examples. The processing unit 604 executes one or more computer executable instructions originating from the system memory 606 and the memory devices 608 and 610. The term "computer readable medium" as used herein refers to a medium that participates in providing instructions to the processing unit 604 for execution.
[0027] What have been described above are examples. It is, of course, not possible to describe every conceivable combination of components or methods, but one of ordinary skill in the art will recognize that many further combinations and permutations are possible. Accordingly, this disclosure is intended to embrace all such alterations, modifications, and variations that fall within the scope of this application, including the appended claims.

Claims

What is claimed is:
1. A computer readable medium comprising computer readable instructions comprising:
an access control system to enable or disable admittance to a computer system based on an access request from a requestor; and
a decision support system to augment control decisions determined by the access control system, wherein the decision support system analyzes a current contextual input associated with the requestor to enable or disable the admittance to the computer system.
2. The computer readable medium of claim 1, wherein the access control system employs a policy to enable or disable admittance to the computer system.
3. The computer readable medium of claim 1, wherein the decision support system employs a decision support database that stores rules and questionnaires to analyze the current contextual input.
4. The computer readable medium of claim 3, wherein the decision support database includes legal or legislative data, business constraint data, or security constraint data.
5. The computer readable medium of claim 3, further comprising a policy enforcement point to generate the contextual input for the decision support system.
6. The computer readable medium of claim 5, further comprising a policy decision point to facilitate redirection of the decision support system in case of failure to the access request.
7. The computer readable medium of claim 6, further comprising an audit log to facilitate context determinations for the decision support system.
8. The computer readable medium of claim 6, further comprising a personal database to store confidential information of a user, wherein the confidential information is further processed to determine current context for the decision support system.
9. The computer readable medium of claim 6, wherein the decision support system generates questions or requests for information to further analyze a user's current context.
10. The computer readable medium of claim 9, wherein the decision support system analyzes access purposes, contractual terms, or contractual conditions in order to enable or disable admittance to the computer system.
11. A method, comprising:
processing, by a computer, a request to access a computer system;
analyzing, by the computer, a policy to access the computer system in conjunction with the request; and
requesting, by the computer, a current user context associated with the policy before granting the access to the computer system.
12. The method of claim 11, further comprising granting or denying access to the computer system, by the computer, based on the current user context and the policy.
13. The method of claim 11, further comprising analyzing, by the computer, answered questions received from a user to determine the current user context.
14. The method of claim 13, further comprising processing, by the computer, a policy enforcement point or a policy decision point to determine the current user context.
15. A system, comprising:
a memory for storing computer executable instructions associated with a computer; and
a processing unit for accessing the memory and executing the computer executable instructions, the computer executable instructions comprising:
a decision support system to process a current contextual input to determine access to a computer system;
a policy enforcement point to process access requests to the computer system and to issue grants or to deny access to the computer system based on the current contextual input;
a policy decision point to redirect control to the decision support system in the event of a denial of access to the computer system;
a decision support database that stores rules and questionnaires to analyze the current contextual input, wherein the decision support database includes legal or legislative data, business constraint data, or security constraint data;
an audit log to facilitate context determinations for the decision support system; and
a personal database to store confidential information of a user, wherein the confidential information is further processed to determine current context for the decision support system, wherein the decision support system generates questions or requests for information to further analyze a user's current context.
PCT/US2011/040304 2011-06-14 2011-06-14 System and method for controlling access WO2012173599A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2011/040304 WO2012173599A1 (en) 2011-06-14 2011-06-14 System and method for controlling access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2011/040304 WO2012173599A1 (en) 2011-06-14 2011-06-14 System and method for controlling access

Publications (1)

Publication Number Publication Date
WO2012173599A1 true WO2012173599A1 (en) 2012-12-20

Family

ID=47357363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/040304 WO2012173599A1 (en) 2011-06-14 2011-06-14 System and method for controlling access

Country Status (1)

Country Link
WO (1) WO2012173599A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070276944A1 (en) * 2006-05-09 2007-11-29 Ticketmaster Apparatus for access control and processing
US20080107274A1 (en) * 2006-06-21 2008-05-08 Rf Code, Inc. Location-based security, privacy, assess control and monitoring system
US20100287584A1 (en) * 2009-05-07 2010-11-11 Microsoft Corporation Parental control for media playback
US20110055905A1 (en) * 2009-08-31 2011-03-03 Kyocera Mita Corporation Authentication apparatus and computer-readable medium storing authentication program code

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11867848

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11867848

Country of ref document: EP

Kind code of ref document: A1