G06F21/604

Correctness-preserving security for graph databases

Techniques are disclosed to provide correctness-preserving security for graph databases. In various embodiments, security context data associated with a user with respect to a graph database is stored. A query associated with the user with respect to the graph database is received. A path is allowed to be traversed in connection with responding to the query based at least in part on a grant of a traversal right, reflected in the security context data, to traverse one or more of a node and a relationship included in the path.

Team member transfer tool

The present technology can provide a mechanism for providing a team member transfer interface to an administrator user for transferring team member user accounts from one team to another and also a mechanism for transferring the team member user accounts, such as by switching an assignment of one or more user accounts from a first team to another in a single atomic action. The transferring of the team member user accounts may also depend on passing a set of validation checks that check for inconsistencies that could cause an error in the transfer, and also updating access and privileges associated with being members of certain teams.

Open source library security rating
11709949 · 2023-07-25

An open source library rating is generated for an open source library based on dependencies of the library, vulnerabilities of the library, an age of the library, a popularity of the library, a history of the library, or any suitable combination thereof. The rating of a specific version of a library may be generated based on a base score for all versions of the library and a version score for the specific version of the library. An authorization system receives a request from a developer to add a library to a software application. In response, the authorization system accesses a rating for the library. Based on the rating, the authorization system approves the request, denies the request, or recommends an alternative library.

COLLECTION FOLDER FOR COLLECTING FILE SUBMISSIONS
20230004659 · 2023-01-05

A content management system for collecting files from one or more authenticated submitters in a collection folder. A collector, who generates the collection folder, can invite one or more submitters to submit one or more files to the collection folder. The one or more submitters have limited rights to the collection folder. The limited rights can include uploading rights and prohibiting a submitter from viewing files that other submitters associated with the collection folder submitted. Thus, the collection folder is able to store files from the one or more submitters, but prevent them from viewing others' submissions.

DATABASE PLATFORM FOR REALTIME UPDATING OF USER DATA FROM THIRD PARTY SOURCES

A data processing system communicates with a secure third-party database to obtain information about a user that is usable to determine one or more items associated with the user. The system then coordinates gathering and identification of additional data relevant to the user from other third-party data sources, to potentially update the user's information stored with the secure third-party database. The updated information may then be accessed at the secure third-party database to determine items associated with the user, which may include additional items in view of the additional data.

FUSE BASED REPLAY PROTECTION WITH CONSERVATIVE FUSE USAGE

A TPM is implemented in an SOC for thwarting PIN state replay attacks. Programmable fuses are used as a counter and an on-die RAM stores a blown-fuse count and a TPM state that includes a PIN-failure count and a fuse count. TPM initialization includes incrementing the TPM state PIN-failure count if the blown-fuse count is greater than the TPM state fuse count. Once a PIN is received, if the TPM state PIN-failure count satisfies a PIN failure policy and the PIN is correct, the TPM state PIN-failure count is cleared, and if the PIN is incorrect, a fuse is blown and the blown-fuse count is incremented. If the fuse blow fails, TPM activity is halted. If the fuse blow succeeds, the TPM state PIN-failure count is incremented and the TPM state fuse count is set equal to the blown-fuse count. The TPM state is saved to off-die non-volatile memory.

CRAFTING EFFECTIVE POLICIES FOR IDENTITY AND ACCESS MANAGEMENT ROLES

Disclosed herein are system, method, and computer program product embodiments for preemptively evaluating whether roles are over-privileged within an identity and access management (IAM) system. Roles may be over-privileged when they are granted permissions to perform certain actions outside the scope granted to those roles. The evaluation occurs without submitting the certain actions to the IAM system and allows roles to be evaluated on a preemptive basis so that corrective actions may be taken to prevent unauthorized access to resources. Roles may be associated with policies which may each define different permissions for accessing resources. The evaluation may involve generating an effective policy from the policies associated with a role to provide a comprehensive view of all permissions associated with the role. The specified solution operates to generate an effective permission for accessing a resource and evaluating whether that effective permission is outside of a permissible scope of access for the role.

CONTROL SERVER, DATA SHARING SYSTEM, AND CONTROL PROGRAM

Upon receiving a usage request that includes a file identifier and a version identifier from a user terminal 20, a control server 10 transmits a file request that is based on the usage request to a file management system, and transmits a permission information request that is based on the usage request to a distributed ledger system. Upon receiving the file request, the file management system acquires the file that corresponds to the combination of the file identifier and the version identifier and transmits the file to the control server 10. Upon receiving the permission information request, the distributed ledger system acquires permission information that corresponds to the combination of the file identifier and the version identifier from a distributed ledger, and transmits the permission information to the control server 10. The control server 10 transmits the file to the user terminal 20 if the user of the user terminal has viewing permission based on the permission information.

CUSTOMER RECOGNITION SYSTEM

A method implements a customer recognition system. A request with an identifier of an unidentified user is received. Sparse data is generated from string information corresponding to the identifier. Preexisting identifiers are filtered to generate a list of candidate identifiers using the sparse data. The plurality of preexisting identifiers correspond to a plurality of preexisting users. A core identifier is selected by determining a match between the identifier and a preexisting identifier from the preexisting identifiers using distance information generated using the list of candidate identifiers. The core identifier is matched to the identifier using the match to identify the unidentified user as a preexisting user from the plurality of preexisting users.

Secure content sharing

Convenient sharing of information among authorized network users may be facilitated by allowing a user to send information originating from multiple applications in aggregate form to another user, e.g., using a secure messaging service. In scenarios where data access is restricted, a server may check the recipient's access privileges prior to forwarding the information to her.