Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
1998-01-29
2001-02-13
Maung, Zarni (Department: 2756)
C709S203000, C713S152000
active
06189032
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a client-server system. In particular, the present invention relates to various services that a server provides to a client terminal, a client-server system that can control the access right to a certain service by a user of a client terminal, and server and client terminals which make up the system.
BACKGROUND OF THE INVENTION
In recent years, due to the advancement of information communication equipment, workstations and local area networks (LANs) in which personal computers and the like are mutually connected as terminals have come into widespread use. Accompanying this trend, the mode of using computers is shifting from the stand-alone type to the client-server type.
Compared to the stand-alone type, the client-server system can easily coordinate the work performed by a plurality of users (client terminal users). Furthermore, the client-server system can make the server execute operations requiring advanced processing capacity, thereby relieving the client terminals of the burden of having to provide such processing capacity themselves. This results in significant cost savings.
However, because in the client-server system a plurality of users use the server through the client terminals, access by a user to a particular service, among the various services that the server provides to the users through the client terminals, must be controlled in order to avoid leakage of official secrets and falsification of information.
Usually, the foregoing access control in the conventional client-server system is performed such that the operating system (OS) of the server employs a control table called the access control list to limit accesses to directories and files by each of the users or by each of the programs. The method of controlling accesses by the users employing this access control list is described, for example, by D. E. R. Denning in “Cryptography and Data Security” (published by Addison-Wesley Publishing Company, Inc.). A short description of this material follows.
The state of a system is defined by a set S of subjects s as active entities, a set O of objects o as entities to be protected by the system, and a set R of combinations r of individual access rights such as reading, writing, and executing.
The access to each object o_i is controlled by the access control list o_i[s_j, r_j].
Here, i and j satisfy 0<i<n and 0<j<m, respectively, where n is the number of elements of the set O (total number of objects) and m is the number of elements of the set S (total number of subjects).
Suppose that the object o_k (here, k is a constant satisfying 0<k<n) is a file named F, and that two access control lists are set for the object o_k, namely o_k[user A, reading] and o_k[user B, reading•writing•executing].
In this case, the server permits user B three types of access to the file F, namely reading, writing, and executing. However, the server permits user A only one type of access to the file F, reading, and does not permit any other access.
The present inventors have recognized the following problems in the prior art system. In the conventional client-server system that controls accesses by the users with the foregoing access control list, the manager of the server sets the access control list in the server, and the server thereby controls accesses by the users to the various services that the server provides. In a business organization, when performing a transaction, the person in charge of the transaction often has to obtain the approval of a superior. There can also be instances where the person in charge has to obtain the consent of a plurality of co-workers in charge of the same transaction beforehand. These situations can occur in the client-server system as well. That is, when a user uses a service that the server provides through the client terminal, there are cases in which the user has to acquire the approval and consent of another user beforehand.
In such cases, in the conventional client-server system that controls accesses by the users with the foregoing access control list, the only condition used to decide access control is which kinds of access rights (reading, writing, executing, etc.) each of the plurality of users (subjects) using the system has. This creates the following problems:
(1) When the access control list is set so as to allow the foregoing user to receive the service, the user may forget to acquire the approval and consent of another user in advance and access the service anyway. Accesses by the users are then not properly controlled.
(2) When the access control list is set so as not to allow the foregoing user to receive the service, a time-consuming procedure is necessary in which the user informs the manager of the server of the approval and consent acquired in advance and has the manager modify the access control list so that the service can be used. This imposes a burden on both the user and the manager of the server.
Thus, in the conventional client-server system, when a user of the client terminal receives a service that the server provides, the access to the foregoing service by the concerned user cannot properly be controlled if the approval and consent by another user are required.
The present invention has been made in view of the foregoing circumstances, and it is therefore an object of the invention to provide a client-server system, a server, and a client terminal, whereby, even if an approval and consent are required in case a user of the client terminal receives a service that the server provides, the access to the foregoing service by the concerned user can properly be controlled.
SUMMARY OF THE INVENTION
In order to accomplish the foregoing object and others not specifically mentioned, the client-server system of the present invention includes at least one client terminal and at least one server that provides at least one service. The server includes control table storage means for storing a control table to indicate, as to each of at least the foregoing one service, a correspondence between identification information of a plurality of users using the foregoing client terminal or level information of the users specified by the concerned identification information and an approval condition to specify the presence of an approval for receiving the concerned service supply, and in case an approval is required an identification information of at least one user who can give the concerned approval; and service supply control means for controlling a supply of at least the foregoing one service to the foregoing client terminal.
The foregoing client terminal includes input means for receiving an instruction by a user using the concerned client terminal, such as an input of an identification information of a user and a service supply request of a service that the foregoing server provides; and transmission means for transmitting an instruction to the server by the foregoing user that the foregoing input means received.
The foregoing service supply control means includes approval condition retrieval means for retrieving an approval condition specified in correspondence with an identification information of the concerned user or a level information of a user specified by the concerned identification information from the foregoing control table storage means, as to a service specified by the foregoing service supply request by a user using the concerned client terminal, transmitted from the foregoing client terminal; and service supply execution means for executing a processing in accordance with the concerned service supply request, when an approval condition detected by the foregoing approval condition retrieval means in
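The following is an added example, not code from the patent or from Hitachi, that models the two mechanisms the description contrasts: the conventional access control list o_i[s_j, r_j] from the background section, and the control table of the invention, in which each service maps a user identity or user level to an approval condition and, where approval is required, the identities of users allowed to grant it. All user, service and level names are constructed; excluding self-approval is an assumption added here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApprovalCondition:
    required: bool                       # is an approval needed before supply?
    approvers: frozenset = frozenset()   # users who may grant that approval

# Conventional ACL from the background: object -> {subject: rights}.
# Mirrors o_k[user A, reading] and o_k[user B, reading.writing.executing].
acl = {
    "F": {"user A": {"read"}, "user B": {"read", "write", "execute"}},
}

def acl_permits(obj, subject, right):
    """Conventional check: only the subject's own rights decide access."""
    return right in acl.get(obj, {}).get(subject, set())

# Control table of the invention: (service, user id or level) -> condition.
control_table = {
    ("transfer", "clerk"):   ApprovalCondition(True, frozenset({"manager X"})),
    ("transfer", "manager"): ApprovalCondition(False),
    ("report",   "clerk"):   ApprovalCondition(False),
}
user_levels = {"user A": "clerk", "user B": "manager", "manager X": "manager"}

def lookup_condition(service, user):
    """Approval condition retrieval: an entry for the user id wins over
    an entry for the user's level."""
    cond = control_table.get((service, user))
    if cond is None:
        cond = control_table.get((service, user_levels.get(user)))
    return cond

def service_supply_control(service, user, approvals=()):
    """Service supply control: return (allowed, reason) for a supply request.
    `approvals` lists the users who have approved this particular request."""
    cond = lookup_condition(service, user)
    if cond is None:
        return False, "no entry in control table"
    if not cond.required:
        return True, "no approval required"
    # Assumption added here: a requester cannot approve their own request.
    granted = cond.approvers.intersection(set(approvals) - {user})
    if granted:
        return True, f"approved by {sorted(granted)}"
    # Problem (1) of the background is avoided: a forgotten approval
    # results in denial instead of silent access.
    return False, f"approval required from one of {sorted(cond.approvers)}"
```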
Kitagawa Makoto
Matsunaga Kazuo
Miyazaki Seiji
Susaki Seiichi
Umeki Hisashi
Cardone Jason D.
Hitachi , Ltd.
Mattingly Stanger & Malur, P.C.
Maung Zarni