IBM · Filed Jan 6, 2025 · Published Jul 9, 2026 · verified — real USPTO data

IBM Patents a Two-Server Permission Check for Controlling Who Gets What Data

Most access control systems treat all resources on a server as a single unit. IBM's new patent wants to break that wide open, checking permissions at one server and then minting a short-lived credential to unlock only the specific data a user actually needs on a second server.

IBM Patent: Fine-Grained Access Control Across Servers — figure from US 2026/0197322 A1
Figure from the official USPTO publication.
See all 4 drawings from this filing ↓
Publication number US 2026/0197322 A1
Applicant International Business Machines Corporation
Filing date Jan 6, 2025
Publication date Jul 9, 2026
Inventors Shrinivas Kulkarni
CPC classification 726/4
Grant likelihood Medium
Examiner LAKHIA, VIRAL S (Art Unit 2431)
Status Non Final Action Mailed (May 12, 2026)
Document 20 claims

How IBM's access signature system actually works

Imagine you work at a large company and need to pull a specific report stored on a remote system. Today, many setups either give you full access to that remote system or none at all. IBM's patent describes a smarter middle path: your request first hits a gatekeeper server that checks exactly who you are and what you're asking for.

If you're allowed to see that specific resource, the gatekeeper creates a one-time access signature combining your verified identity with the remote server's own credentials. That signature, along with your original request, gets forwarded to the second server where the data actually lives.

The result is that you get access to only that one resource, not the whole system. It's the difference between a hotel key card that opens one room versus a master key that opens every door on the floor.

How the base server builds and passes an access signature

The patent describes a three-stage architecture built around a base server that acts as a central policy enforcer.

  • A connector (a software agent or middleware layer) receives the user's initial request and forwards it to the base server along with an authenticated user ID, meaning the user's identity has already been verified before this step.
  • The base server evaluates the request to determine exactly which target resources are being asked for, then checks whether that specific user is allowed to access those specific resources.
  • If permission is granted, the base server combines the user's verified ID with the credentials of the second server (the system that actually holds the data) to create an access signature, essentially a cryptographic proof that both parties are legitimate.
  • That signature travels with the original request to the second server, which can then verify it and serve only the permitted resource.

The key engineering choice here is that permission decisions happen at the base server, not the data server. The data server doesn't need to maintain its own full user permission database; it just trusts the signed token it receives.

What this means for enterprise data security

Enterprise software often deals with a frustrating tradeoff: either you give someone broad access to a system (which creates security exposure) or you build a custom permission layer on every individual data store (which is expensive and error-prone). IBM's approach puts the decision logic in one place and passes a verified, limited-scope credential to wherever the data lives.

For companies running distributed infrastructure across multiple internal servers or cloud environments, this could reduce the risk of over-permissioning. If a user's credentials are compromised, the blast radius is limited to whatever that access signature was scoped to, rather than an entire server.

Editorial take

This is a competent, workmanlike patent covering access control infrastructure. It's not flashy, but permission management is genuinely one of the most common sources of enterprise data breaches. IBM is staking out IP in a space where it already sells a lot of identity and security software, so expect to see something like this appear in a future IBM Security or IBM Cloud IAM product.

The drawings

4 drawing sheets from US 2026/0197322 A1 · click any drawing to enlarge

Patent filing page

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.