
Automated Group Access Control Streamlines Secure Data Sharing for Enterprises

Inventiv.org
November 25, 2025
Software

Invented by Ackerly; William Rodgers, Tschampel; Timothy Robert, Dumm; Timothy Allen

Managing who can see or change digital information is a big challenge today. This article explores a new method for controlling access to data, based on a recent patent application. We will cover why this invention matters, how it builds on older ideas, and what makes it special. By the end, you will understand how attribute-based group access control can help keep digital information safe and flexible.


Background and Market Context

Every day, more information gets stored on computers and in the cloud. Companies, hospitals, schools, and governments save photos, medical images, contracts, emails, and many other types of files. With so much data, it is very important to make sure only the right people can see or change certain information. Letting the wrong person in can lead to leaks, privacy problems, or even crime.

In the past, most systems used “usernames and passwords” or “roles” to decide who could see what. For example, only doctors could access patient records, and only managers could see company budgets. These “role-based” systems are easy to set up but are not always flexible. Sometimes, you want to give access based on other things, like the user’s department, their security clearance, or even the kind of computer they use. Maybe you want to share a document only with people using secure laptops, not anyone who logs in from a café.

Because work is now global, and people use many types of devices from many places, the old ways of controlling access are not enough. Cloud computing, remote work, and data sharing agreements between companies make things even harder. A business might want to share certain data with a partner, but only if the partner’s computers meet security rules. Hospitals must protect health records and follow privacy laws. Governments may need to control access to files based on security clearance or organization.

All this calls for a better way to manage access to information. That is where “attribute-based access control” comes in. Instead of just looking at who someone is or what role they have, the system checks other facts—called attributes. These can include things like a person’s job, where they are, what device they use, their clearance level, or even if the data is sensitive. This gives much more control and lets organizations set smarter rules.

The patent application we are discussing describes a new way to create and manage groups of users based on these attributes. It does this automatically, every time a new file is uploaded. The goal is to help data owners keep control over their information, share it with the right people, and meet legal or contract rules, all without lots of manual work.

Scientific Rationale and Prior Art

To understand how this invention improves things, let’s look at how access control has worked before. Early systems used simple “user-based” checks. If your name was on a list, you could open the file. Later, “role-based access control” (RBAC) became popular. Here, people were grouped by their roles, like “nurse,” “teacher,” or “admin.” Each role had permissions, and if your role matched, you got access.

RBAC works well for many situations but has limits. What if a nurse should only see records from her hospital, not from others? Or what if a doctor can only access data while inside the hospital, not from home? What if a business wants to share a file with partners, but only with those using company-approved laptops?

To answer these needs, “attribute-based access control” (ABAC) was developed. ABAC looks at many facts—attributes—about the user, the device, the data, and the situation. For example, an ABAC system could require that:

  • The user is a doctor, works in the Cardiology department, is using a hospital-issued device, and is logged in from inside the hospital network.

ABAC is much more flexible, but it can be hard to set up and manage, especially when there are lots of files and users. Also, many existing systems and applications are not built to use ABAC—they expect simple roles or groups. This makes it tough to use ABAC in the real world without a lot of custom work.

In the past, some attempts have been made to mix ABAC with group-based controls. But these systems often needed manual setup. Data owners or admins had to create groups by hand and assign rules, which takes time and is easy to get wrong. If a new file is added, someone has to remember to set up the right group with the right rules. This leads to mistakes and security gaps.

Some older systems tried to automate parts of this, like tagging files with certain labels and using those labels to limit access. But these systems were often limited, worked only with certain types of data, or could not handle complex rules that mix user, device, and data attributes. Also, they did not always update groups in real time as new files arrived or as user/device attributes changed.

This is where the new invention stands out. It brings together the power of ABAC with the practical use of groups. It does this by making groups dynamically, based on the data’s attributes and the users’ or devices’ attributes, every time a new file is uploaded. This reduces human error, saves time, and gives better security. It also works with existing systems that expect group-based permissions.

The scientific idea here is to automate the bridge between the flexible, rich rules of ABAC and the simple, practical model of group-based access. By having a system that listens for new data, checks its details, turns those details into rules, and then creates groups on the fly, organizations get the best of both worlds: smart control and easy management.

Invention Description and Key Innovations

Now let’s break down how this invention works and what makes it unique. The core idea is an access control management system that uses a few main parts:

  • A data event monitor that watches for new files or data objects being uploaded.
  • A data analysis engine that looks at the details (metadata and content) of each new file.
  • An access group generator that creates special groups based on the rules found.
  • A database that stores the data and keeps track of access groups and rules.

Here is how the process works, step by step, in simple words:

1. Watching for New Data: Whenever someone uploads a file to the system, the data event monitor is notified. This can happen with any kind of file—text, images, or anything else.

2. Analyzing the File: The data event monitor checks the file’s details, such as who owns it, what kind of data it is, and other tags (metadata). If the file has special tags, like “Confidential” or “Cardiology Department,” these are noticed. The monitor can also look at the file content using tools like text readers or scanners to find more clues about what the file is and who should see it.

3. Creating Rules Automatically: The data analysis engine takes this information and creates rules. For example, it might decide: “Only users with secret clearance can see this file,” or “Only people from the HR department using secure devices can access this document.” These rules are based on the attributes found in the metadata or content.

4. Making Groups on the Fly: The access group generator takes these rules and creates a special group (with a unique group ID) for users who meet the rule. For example, it might make a group called “Secret_Cardio_Staff” for users with secret clearance in the cardiology department. The file is then linked to this group, so only users in the group can access it. If a group with the same rules already exists, the system reuses it, so there are not a lot of duplicate groups.

5. Granting or Denying Access: When someone wants to open a file, the system checks if they belong in the group linked to that file. If their attributes match the group’s rules, they get access. If not, they are blocked. If their situation changes (like they log in from a different device or lose clearance), the system can update their group membership right away.

This way, the system always keeps access up to date, based on the latest data about users, devices, and files. It also supports different types of rules—some that last a long time (like clearance level), some that change with each session (like network location), and some that can change instantly (like device health).
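The five steps above can be sketched in a few lines of Python. This is an added example, not code from the patent application or its authors; the tag-to-attribute mapping, the class and method names, and the sample files are all assumptions made for illustration. It shows two details the steps imply: a rule is hashed in canonical form so that identical rules reuse one group ID, and a file whose tags are missing or unrecognized is restricted to its owner rather than left open.

```python
import hashlib
import json

# Hypothetical tag-to-attribute mapping (an assumption, not from the patent).
TAG_RULES = {
    "Confidential": {"clearance": "secret"},
    "Cardiology Department": {"department": "cardiology"},
    "Managed Devices Only": {"device_managed": True},
}

class AccessManager:
    def __init__(self):
        self.groups = {}      # group_id -> rule (required attribute values)
        self.file_group = {}  # file name -> group_id

    @staticmethod
    def group_id(rule):
        # Canonical JSON: the same rule always yields the same ID, so groups are reused.
        canon = json.dumps(rule, sort_keys=True, separators=(",", ":"))
        return "grp-" + hashlib.sha256(canon.encode()).hexdigest()[:16]

    def on_upload(self, name, metadata):
        """Steps 1-4: derive a rule from the tags, then create or reuse a group."""
        tags = metadata.get("tags", [])
        rule = {}
        for tag in tags:
            rule.update(TAG_RULES.get(tag, {}))
        if not tags or any(t not in TAG_RULES for t in tags):
            # Fail closed: missing or unrecognized labels restrict the file to its owner.
            rule = {"user_id": metadata["owner"]}
        gid = self.group_id(rule)
        self.groups.setdefault(gid, rule)
        self.file_group[name] = gid
        return gid

    def can_access(self, name, attrs):
        """Step 5: check the requester's current attributes at request time."""
        gid = self.file_group.get(name)
        if gid is None:
            return False  # unknown file: deny
        return all(attrs.get(k) == v for k, v in self.groups[gid].items())

# Constructed sample uploads (file names, owners and tags are made up).
mgr = AccessManager()
g1 = mgr.on_upload("echo_report.pdf", {"owner": "u1", "tags": ["Confidential", "Cardiology Department"]})
g2 = mgr.on_upload("ecg_scan.png", {"owner": "u2", "tags": ["Cardiology Department", "Confidential"]})
g3 = mgr.on_upload("notes.txt", {"owner": "u3", "tags": ["Unlabeled Draft"]})
```

Because `can_access` evaluates attributes on every request instead of caching membership, a user who loses clearance or switches to an unmanaged device is denied on the next request.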

The system works with many kinds of databases and can fit into cloud, on-premise, or mixed setups. It does not require manual setup for each new data file, saving time and reducing mistakes.

Some key innovations include:

  • Automatic group creation: No need for admins to make groups by hand for every file.
  • Real-time updates: Groups and permissions can change as soon as new data arrives or user/device details change.
  • Fine-grained control: Rules can be as simple or as detailed as needed, mixing user, device, and data attributes.
  • Works with existing systems: Because it uses groups, it can connect to older applications that expect group-based access controls.
  • Reduces risk: By automating the process, there are fewer chances for mistakes or forgotten permissions.

This invention is especially useful for organizations that need to share data in a safe way, follow rules or laws about privacy, or manage lots of users and files. Hospitals, banks, schools, and companies working together on projects can all benefit.

It also works well in the cloud, where files and users can come from many places. The system is flexible: it can be used for any kind of data, on any kind of computer or device, and supports many types of networks and storage.

Another important detail is that the system can be set up as software, hardware, or a mix, and can run on many kinds of computers. It uses common programming languages and can work with popular databases.

Finally, the invention includes methods for handling group IDs, so that if the same rules apply to many files, the groups can be reused. This keeps things simple and efficient.

Conclusion

Attribute-based group access control is a powerful new way to manage who can see or use digital information. This patent application describes a system that listens for new files, figures out who should access them using smart rules, and sets up groups automatically. It brings the flexibility of attribute-based controls to everyday systems that rely on groups, making it easier and safer to share data. As more organizations move to the cloud and need to follow complex rules, this invention offers a simple, automatic, and reliable way to protect information and give access only to the right people at the right time.

By understanding and adopting these ideas, companies and data owners can get better security, save time, and avoid mistakes. The result is a safer digital world where information is shared only with those who truly need it.

To read the full application, go to https://ppubs.uspto.gov/pubwebapp/ and search for 20250217455.

Tags: Alphabet Patent Review