Distributed access management of information resources

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S219000, C709S227000, C713S152000

active

06182142

ABSTRACT:

FIELD OF THE INVENTION
This invention generally relates to methods of controlling access to protected information resources in a network environment. The invention relates more specifically to methods, apparatus, and products for facilitating secure and selective access to network resources based on a role of a user of the resources.
BACKGROUND OF THE INVENTION
Computer networks have become ubiquitous in business, industry, and education. In one approach, a network is configured with one or more user accounts, each of which is uniquely associated with a human network user or host computer. The network also has one or more resources, such as application programs that provide various computing functions, which are available to all users. In this approach, a user logs into his or her user account and selects a desired application. A disadvantage of this approach is that every user has the same rights to access any of the network resources.
Development of the globally accessible, packet-switched network known as the Internet has enabled network resources, accounts and applications to become available worldwide. Development of hypertext protocols that implement the World Wide Web (“The Web”) is enabling networks to serve as a platform for global electronic commerce. In particular, the Web is enabling the easy exchange of information between businesses and their customers, suppliers and partners.
Businesses are rushing to publish information on the Web and just as quickly stumbling into several roadblocks. For example, some information is valuable and sensitive, and needs to be made available only to selected users. Thus, there is a need to provide selective access to network resources and information over the Web.
This need exists in the context of internal Web networks that are available to employees of an organization, called Intranets, as well as Web networks and resources that are available to external customers, suppliers and partners of the organization, called extranets. Extranet users may require information from a large number of diverse sources, for example, product catalogs, customer databases, or inventory systems. There may be millions of potential users, the number of which grows dramatically as an organization prospers. Thus, there is a need for a large-scale system that can provide selective access to a large number of information sources for a large number of users.
Because some of the information sources are sensitive, there is a need to provide secure access to the information.
Current networks and Web systems, including Intranets and extranets, are expensive and complex to implement. These technologies also change rapidly. There is a need for any information access method or system to integrate with and use existing equipment, software and systems. There is also a need for a method and system that is flexible or adaptable to changing technologies and standards.
One approach to some of the foregoing problems and needs has been to provide each network resource or application program with a separate access control list. The access control list identifies users or hosts that are authorized to access a particular application. As new users or hosts are added to the network, the access control lists grow, making security management more complicated and difficult. Use of a large number of separate lists also makes the user experience tedious and unsatisfactory.
Another disadvantage of the foregoing approaches is duplication of management processes. To add new users to the system, a network administrator must repeat similar access processes for each application or resource to be made available to the new users. The redundancy of these processes, combined with rapid growth in the number of users, can make the cost of deploying, managing and supporting a system unacceptably high.
Thus, there is a need for a mechanism to govern access to one or more information resources in which selective access is given to particular users.
There is also a need for such a mechanism that is equally adaptable to an internal network environment and to an external network environment.
There is a further need for such a mechanism that is easy to configure and re-configure as new users and resources become part of the system.
There is still another need for such a mechanism that is simple to administer.
SUMMARY OF THE INVENTION
The foregoing needs, and other needs and objectives that will become apparent from the description herein, are achieved by the present invention, which comprises, in one aspect, a method of controlling access to one or more information resources stored on a first server, the method comprising the steps of receiving information describing a user at the first server; identifying, at a second server coupled to the first server, a subset of the resources that the user is authorized to access, based on one or more roles that are stored in association with user identifying information; communicating information defining the subset to the first server; storing first information defining the subset, and second information defining the roles, in one or more tokens; communicating the tokens to a client that is associated with the user; and thereafter resolving requests to use the resources at the first server based on the tokens.
One feature of this aspect is the steps of defining a role of the user; and storing an association of the user to the role at the second server. A related feature is the steps of defining one or more roles and functional groups of an organization to which the user belongs; storing information describing the roles and functional groups in association with information describing the user; and determining whether the user may access the resource based on the information describing the roles and functional groups.
According to another feature, the identifying step further comprises the steps of connecting the first server to the second server, in which the second server stores information describing the user, one or more roles, one or more functional groups, the resources, and associations among them; and communicating a request for a profile of the user from the first server to the second server. In another feature, the receiving step further comprises the steps of receiving the information describing the user at a runtime module on the first server that also intercepts requests to access the resource. In yet another feature, the step of identifying further comprises the step of determining whether the user is authentic. A related feature is that the step of identifying further comprises the steps of communicating encrypted information between the first server and the second server describing resources that the user is authorized to use.
In another feature, the steps of communicating further comprise the steps of passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the first server. Another feature is that the steps of communicating further comprise the steps of passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the client; and storing the tokens in a memory of the client.
Another feature involves the steps of communicating, from the first server to the client, a customized display identifying only those resources that the user may access, whereby a single secure sign-on gives a user access to one or more of the resources. Still another feature involves the steps of communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.
In another aspect, the invention provides a method of controlling access to one or more information resources stored on a protected server, the method comprising the steps of receiving, at the protected server, login information describing a user who desires to access one of the resources; determining that the user is authentic and permitted to access one of the resources; identifying, at a second se
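The two-server flow of the summary (a protected first server whose runtime module intercepts requests, and a second server that maps users to roles and functional groups and issues tokens carrying the authorized subset), as an added Python sketch that is not the patent's implementation. It assumes a shared HMAC key for token integrity in place of the unspecified token encryption, and a constructed sample directory of users, roles, groups and resources.

```python
import base64, hashlib, hmac, json
def _sign(key, body):
    # Assumption: an HMAC over the body stands in for the patent's unspecified token encryption.
    return hmac.new(key, body, hashlib.sha256).hexdigest()
class RoleServer:
    """Second server: users, roles, functional groups, resources and the associations among them."""
    def __init__(self, key):
        self.key = key
        # Constructed sample directory: user -> (password, roles, functional groups).
        self.users = {"alice": ("pw-a", {"buyer"}, {"procurement"}), "bob": ("pw-b", {"analyst"}, set())}
        self.role_resources = {"buyer": {"/catalog", "/orders"}, "analyst": {"/reports"}}
        self.group_resources = {"procurement": {"/inventory"}}

    def profile(self, user, password):
        """Authenticate, derive the authorized subset, return a signed token (None if not authentic)."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return None
        _, roles, groups = rec
        subset = set().union(*(self.role_resources.get(r, set()) for r in roles),
                             *(self.group_resources.get(g, set()) for g in groups))
        body = json.dumps({"user": user, "roles": sorted(roles), "groups": sorted(groups),
                           "resources": sorted(subset)}, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + _sign(self.key, body)

class ProtectedServer:
    """First server: hosts the resources; its runtime module intercepts every request."""
    def __init__(self, key, role_server):
        self.key, self.role_server = key, role_server

    def login(self, user, password):
        """Forward the login to the role server; the client keeps the returned token in memory."""
        return self.role_server.profile(user, password)

    def _claims(self, token):
        """Verify the MAC before trusting anything inside the token; None on any failure."""
        try:
            b64, mac = token.split(".")
            body = base64.urlsafe_b64decode(b64)
            return json.loads(body) if hmac.compare_digest(_sign(self.key, body), mac) else None
        except (AttributeError, TypeError, ValueError):
            return None

    def resolve(self, token, resource):
        """Runtime module: a request succeeds only if the resource is in the token's subset."""
        return resource in (self._claims(token) or {}).get("resources", [])

    def display(self, token):
        """Customized display: only those resources the user may access (empty for a bad token)."""
        return (self._claims(token) or {}).get("resources", [])
```

A single sign-on thus yields one token that both drives the customized display and settles every later request without the protected server consulting the role server again.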

LandOfFree
Profile ID: LFUS-PAI-O-2530260