Access administration method and device therefor to provide...

Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating

Reexamination Certificate


Details

C709S229000

Reexamination Certificate

active

06425011

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates to technology for changing computer network services depending on the user.
2. Description of Related Art
Conventionally, in client (user)-server network computing systems, the system illustrated in FIG. 11 has been widely used to determine user access to services administered by a server. The system depicted in FIG. 11 includes a server and a group of users who use the services provided by that server. As shown in FIG. 11, each server has a user database DB, an Access Control List database ACLDB, authorization means, and access determination means. Users are registered in the user database and are assigned user IDs, which serve as unique names on the server. Access control lists, which map user IDs or sets of user IDs to access privileges for a service, are stored in the ACLDB for each of the services. The authorization means verifies that a user is a legitimately registered user. The access determination means determines what access privileges for services an authorized user holds. Access privileges for a user's utilization of services are determined in this system as follows.
(1) First, the system requests user identification and authorizes the user by means of the authorization means, using a password or similar authorization information together with the user database.
(2) The system then determines access privileges using the access determination means: the service's ACL is searched for a record containing the user's ID, and the access privilege written in that record decides the user's access.
Typically, however, a single user will use several of a plurality of servers administered by the same organization, which complicates the method of determining access privileges outlined above. Furthermore, whenever a user, an access privilege or a service changes, the user DB and ACLDB on each server concerned have to be updated. Updating the several databases while keeping them consistent is not only time-consuming and costly, but is also liable to give rise to errors.
For this reason, applications such as the “Kerberos” security system for client/server computing, provided on access administration servers dedicated to authorization and access administration, have been advocated. The access administration server executes operations to determine user authorization and an abstract access level, i.e., access privilege, and then issues access data certifying the access status the administration server has determined. The application server does not conduct individual authorizations, but determines access privileges using the access data.
FIG. 12 illustrates the concept of a system in which this sort of method is used. The system shown in FIG. 12 is composed of an access administration server, an application server group that provides services, and a user group. A user who wants to use a service must obtain access privilege data from the access administration server and submit the data to the application server that provides the service.
The access administration server includes a user database, authorization means, and first issuing means. The user database records user names and access designators, which express each user's access on the application servers. Access designators, one type of which are user IDs, abstractly describe user access. The authorization means confirms that a user is a properly registered user. The first issuing means issues access data.
The application server includes an ACL database, access data verification means, and access privilege determination means. In the ACL database are the afore-mentioned ACLs for every service. The access data verification means verifies whether access data is proper, and whether a user is a legitimate holder of the access data. The access privilege determination means determines actual access privileges.
When a user is going to use a service, the system shown in FIG. 12 determines access privileges by the procedures below.
(1) The user initially accesses the access administration server and obtains access data. The process there is as follows.
Utilizing the authorization means, the administration server authorizes the user using authorization information such as a password. The user then submits an access data request. Utilizing the first issuing means, the administration server searches the user database for the user's access privilege designator on the designated application server and issues to the user access data containing the access privilege data found.
The issued access data contains information for preventing illegitimate service use.
(2) The user then submits the access data to the application server. Utilizing the access data verification means, the application server verifies the legitimacy of the access data. The application server then verifies that the user is a legitimate holder of the access data using information in the access data.
(3) Once the access data is verified as being legitimate, the application server determines access privilege using the access privilege determination means as follows. Initially, the ACL is searched with the access privilege designator in the access data. The access denoted by the ACL record found is the user's access.
By using this method, users may be added or deleted, and user access altered, just by updating the access administration server database, which makes updating less trouble and errors less likely to occur.
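The FIG. 12 flow as runnable code, added here as an illustration and not taken from the patent: an access administration server that authorizes a user and issues access data carrying an access designator, and an application server that verifies the data and the holder before searching its own ACL. The user names, passwords, server names, designators and the HMAC key shared by the two servers are constructed assumptions; the patent does not specify how the access data is protected.

```python
import hashlib, hmac, json, time

# Assumed for this example: a key shared between the administration server and
# the application server protects the access data; the patent only says the
# data "contains information for preventing illegitimate service use".
SHARED_KEY = b"constructed-demo-key"

def _pw_hash(pw):  # stand-in for a real password store
    return hashlib.sha256(pw.encode()).hexdigest()

class AccessAdminServer:
    """User database, authorization means and first issuing means (FIG. 12)."""
    def __init__(self):
        # Constructed user DB: user -> (password hash, {app server: access designator})
        self.user_db = {"alice": (_pw_hash("alice-pw"), {"appsrv1": "editor"}),
                        "bob": (_pw_hash("bob-pw"), {"appsrv1": "reader"})}
    def authorize(self, user, password):
        rec = self.user_db.get(user)
        return rec is not None and hmac.compare_digest(rec[0], _pw_hash(password))
    def issue(self, user, password, server, ttl=300):
        """Step (1): authorize, look up the designator for `server`, issue access data."""
        if not self.authorize(user, password):
            return None
        designator = self.user_db[user][1].get(server)
        if designator is None:
            return None
        body = {"user": user, "server": server, "designator": designator,
                "expires": int(time.time()) + ttl}
        raw = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "tag": hmac.new(SHARED_KEY, raw, "sha256").hexdigest()}

class ApplicationServer:
    """ACL database, access data verification means, access privilege determination means."""
    def __init__(self, name, acl):
        self.name, self.acl = name, acl  # acl: access designator -> privilege
    def verify(self, data, claimed_user, now=None):
        """Step (2): legitimacy of the data (tag), then of the holder (name, target, expiry)."""
        b = data["body"]
        raw = json.dumps(b, sort_keys=True).encode()
        expected = hmac.new(SHARED_KEY, raw, "sha256").hexdigest()
        return (hmac.compare_digest(expected, data["tag"])
                and b["server"] == self.name and b["user"] == claimed_user
                and b["expires"] > (now if now is not None else time.time()))
    def determine_privilege(self, data, claimed_user):
        """Step (3): search the ACL with the designator carried in verified access data."""
        if not self.verify(data, claimed_user):
            return None
        return self.acl.get(data["body"]["designator"], "none")
```

Adding, removing or re-ranking a user touches only `user_db`; the application server's ACL keys on designators, which is the administrative saving the text describes.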
Nevertheless, with conventional methods, all users have to be registered, even with methods in which access privileges are determined using an access administration server. Therefore, when there are many users, the burden of updating the databases falls on the small number of administrators who administrate the access administration servers. Consequently, the following problems occur.
Users who use a server only once or for a short term, and users whose access changes frequently, for example, bring about frequent updating of the user database, which places a large burden on the administrators and readily invites administrative errors.
On the other hand, administrators have been inclined to impose application procedures on users in order to facilitate administration. From the user's point of view the necessary procedures consequently become bothersome, and obtaining access takes a lot of time.
Further, even where a service is under its own administration, to grant access to the service, users must be registered in the user database on the administration server by applying to the server administrator. Naturally, the administrator cannot register users without accessing the administration server. Therefore, for self-administrating services to grant access requires a means of accessing the administration server, either directly or remotely, and a lot of time and effort.
Further still, depending on the type of service, users who have been given access privileges sometimes want to pass those access privileges on to a third party whom they permit. With conventional methods, this requires the time and effort of accepting an application from the user and transmitting it to the administration server administrator to have the third party registered.
SUMMARY OF THE INVENTION
An object of the present invention is to address the afore-noted problems by simplifying access administration to relieve the burden on administrators and at the same time curtail the time and effort users need to obtain access privileges.
In view of the above problems, an access administration method according to claim 1 is a method for administering user categories for a service. The service has different service contents corresponding to different user categories. The method is to be conducted by a party who provides at least one service content of the service. The method comprises steps of providing access data containing information pertaining to an access for accessing the service; issuing the access data to parties who use the se
