Access control with just-in-time resource discovery

Electrical computers and digital processing systems: multicomput – Computer network managing

Reexamination Certificate

Details

Classification: C709S226000
Status: active
Patent number: 06449643

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention is directed to a management system for a communication network, and more particularly to an access control system where privileges are assigned to system resources when they are discovered.
2. Background Art
Many of today's intelligent network elements (NEs) have the ability to report their configuration to an external management system, either on request or autonomously as changes occur. Intelligent NEs are software driven in every aspect, from maintenance to control to release upgrades.
The management of these NEs requires a robust and highly efficient system which can process a large volume of data over a geographically distributed network. Network management tools typically run on PC or UNIX workstations and enable maintenance, surveillance and administration of the elements that make up a network. Such a system allows providers to offer faster response times for service configurations and can reduce customer service calls.
As customer transmission networks grow, so does the number of users who need access to the management system. The entire customer network can no longer be managed centrally from a single point; instead, distributed network management, both local and geographic, becomes a growing requirement.
Definitions of some terms used in this specification are provided next.
A component or an object is an encapsulated part of a software system with a well-defined interface. Components serve as the building blocks of a system, or the elements of a software parts list, and can be either generic or application specific. Generic components serve as a system skeleton, enabling code reuse and faster development of new capabilities.
A process is a self-contained package of data and executable procedures which operate on that data, comparable to a task in other known systems. Processes can be used to implement objects, modules or other high-level data abstractions. Objects interact through functions and procedure invocations.
A function is an action that users may take, process or activate in the management system.
A resource is a piece of hardware or a service in the network of interest, managed by the network management system.
User and user groups are the human users of these management systems. Users with similar rights are put together in a user group.
In a distributed multi-process network management product, it is critical to control access to functions and resources. In a traditional system, a user is limited to specific rights on specific directories of a central computer system. Today, security involves access control to a network, multi-platform/distributed user management, and control over anybody in the world in order to protect specific processes and data on a sensitive distributed system. Obviously, this kind of control is complex and multi-faceted.
A network management product provides access to a wide range of resources and performs many different types of functions. Each function may apply to different resource types. In addition, the rules for how users get rights may be very complex: one user may inherit the rights of another, or there may be a concept of user groups. It would be unfortunate to require each distributed component to understand all of these complexities for the 'overhead' task of providing access control.
Access control systems typically depend on knowing about all access controllable resources before privileges can be assigned to users/groups. Many current access control systems require knowledge of user rights to be embedded in all distributed components requiring access control. Other access control systems require fixed knowledge of resource and/or function types in a central partitioning engine.
For example, access control in Unix has a fixed set of functions and resources, i.e. read, write and execute on files, although it does provide defaults for newly created files. Kerberos is an authentication service for open network systems that uses a centralized ticket-granting agent, the key distribution center.
However, it is not always possible to know about all resources that require access control initialization. In some systems, it is not possible to query all resources at any given time. Nonetheless, these systems can still require access control on a per-resource basis.
Rule-based systems can provide access control in scenarios where not all resources are available. These systems apply rules to resource properties to determine privileges; however, they do not allow rules to be overridden on a per-resource basis with the changes retained, especially after knowledge of the resource has been lost. For example, Unix 'forgets' file permissions if a file is destroyed and recreated.
There is a need for providing a security manager with means for controlling the access to the resources of a network where privileges are assigned to system resources dynamically, when they are discovered.
There is also a need for providing a partitioning engine that takes responsibility for managing user rights while still allowing individual distributed components to provide arbitrary resources, resource types and functions, even decided at run-time if desired.
SUMMARY OF THE INVENTION
It is an object of the present invention to provide an access control system for a communication network which alleviates totally or in part the drawbacks of the prior art systems.
It is another object of this invention to provide an access control system where the privileges are assigned to system resources as they are discovered, and where the access control information gathered gradually over time is retained, even if knowledge of the resources is lost. This ensures that resources maintain correct privileges.
Still another object of the invention is to provide a generic partitioning engine designed to provide flexible access control features to a distributed application. The generic partitioning engine of this invention provides distributed components with services that allow each component to efficiently control access to its resources and functions. These generic partitioning services are designed so that each component need not understand the partitioning rules and so that the partitioning engine need not understand any specifics of the resources or functions.
Yet another object of the invention is to provide a partitioning engine that manages user rights while also allowing individual distributed components to provide arbitrary resources, resource types and functions.
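The behaviour described in the background and objects above (rule-based defaults applied to resource properties at discovery time, per-resource overrides that survive loss and rediscovery of the resource, and a partitioning engine that knows nothing about resource or function types) is sketched below as an added example. It is not code from the patent or from any product; the class and method names, the group model and the sample switch resource are assumptions made for illustration.

```python
"""
Added example (not the patent's own code): a minimal partitioning engine
that assigns privileges to resources when a component reports them,
applies property-based rules for defaults, lets an administrator override
a single resource, and retains the gathered access control data even after
the resource disappears, unlike Unix, which forgets permissions on a
destroyed file. All names here are illustrative assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    rtype: str                      # arbitrary type, chosen by the component at run time
    props: dict = field(default_factory=dict)


@dataclass
class Rule:
    """Grants `functions` to `principal` on resources whose properties match `match`."""
    principal: str                  # a user or a group name
    match: dict                     # property -> required value; empty matches everything
    functions: frozenset

    def applies(self, res: Resource) -> bool:
        return all(res.props.get(k) == v for k, v in self.match.items())


class PartitioningEngine:
    def __init__(self):
        self.rules: list[Rule] = []
        self.groups: dict[str, set[str]] = {}        # group -> member users
        # Retained ACL table: resource name -> principal -> allowed functions.
        # Entries are deliberately never dropped when a resource is lost.
        self.acl: dict[str, dict[str, set[str]]] = {}
        self.known: set[str] = set()                 # resources currently discovered

    def add_group(self, group: str, *members: str) -> None:
        self.groups.setdefault(group, set()).update(members)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def discover(self, res: Resource) -> None:
        """Called by a component when it learns of a resource (just-in-time)."""
        self.known.add(res.name)
        if res.name in self.acl:
            return                   # rediscovered: keep previously gathered/overridden data
        entry: dict[str, set[str]] = {}
        for rule in self.rules:      # rules only see properties, never the resource type
            if rule.applies(res):
                entry.setdefault(rule.principal, set()).update(rule.functions)
        self.acl[res.name] = entry

    def lose(self, name: str) -> None:
        """Component lost track of the resource; ACL data is retained on purpose."""
        self.known.discard(name)

    def override(self, name: str, principal: str, functions) -> None:
        """Per-resource override that replaces whatever the rules produced."""
        self.acl.setdefault(name, {})[principal] = set(functions)

    def _principals(self, user: str):
        yield user
        for group, members in self.groups.items():
            if user in members:
                yield group

    def check(self, user: str, name: str, function: str) -> bool:
        if name not in self.known:
            return False             # nothing can act on a resource that is not discovered
        entry = self.acl.get(name, {})
        return any(function in entry.get(p, ()) for p in self._principals(user))


def demo() -> dict:
    """Walk through discovery, override, loss and rediscovery on a constructed resource."""
    eng = PartitioningEngine()
    eng.add_group("noc", "alice", "bob")
    eng.add_rule(Rule("noc", {"region": "east"}, frozenset({"view", "configure"})))
    eng.add_rule(Rule("carol", {}, frozenset({"view"})))   # carol may view everything
    eng.discover(Resource("sw1", "switch", {"region": "east"}))  # constructed sample
    out = {"rule_grant": eng.check("alice", "sw1", "configure"),      # True via group rule
           "catch_all": eng.check("carol", "sw1", "view"),            # True via empty match
           "no_rule": eng.check("carol", "sw1", "configure")}         # False
    eng.override("sw1", "noc", {"view"})                 # tighten sw1 only, not the rule
    out["after_override"] = eng.check("alice", "sw1", "configure")    # False
    eng.lose("sw1")
    out["while_lost"] = eng.check("alice", "sw1", "view")             # False: undiscovered
    eng.discover(Resource("sw1", "switch", {"region": "east"}))       # comes back
    out["after_rediscovery"] = eng.check("alice", "sw1", "configure") # still False: retained
    out["view_retained"] = eng.check("alice", "sw1", "view")          # True
    return out


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the text draws against Unix: because the override lives in the engine's retained table rather than on the resource, losing and rediscovering `sw1` does not reset it to what the rules would produce, and a component only ever calls `discover` and `check` without the engine knowing what a "switch" is.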
Accordingly, in a network manager system provided with a plurality of components specialized for executing a plurality of functions on a plurality of resources of a network, and with a graphical user interface (GUI), an access control system comprises, at a component of the network manager: a database for storing access control data pertinent to the component, including all resources accessible to the component, all functions executable by the component and all users that have the right to use the component, according to a set of privileges for each user; an access control library for writing and reading the access control data to and from the database, so that a network operation requested by a user is executed according to that user's set of privileges; and an access control user interface connected to the access control library for viewing and editing the access control data on the GUI.
Further, in a network manager system provided with a plurality of components specialized for executing a plurality of functions on a plurality of resources of a network, and with a graphical user interface (GUI), a method for controlling access of a user comprising the steps of storing, in a database of a component of the network manager, access control data pertinent to the component including all resources accessible to the component, all functions executable by the component and all users that have the right to use the component, accessing the database with an access control library for using the acces
