Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
2001-01-16
2004-09-14
Geckil, Mehmet B. (Department: 2142)
C709S229000, C709S223000
active
06792462
FIELD OF THE INVENTION
The present invention relates generally to administration of network environments, and more particularly to delegation of administrator powers in network environments.
BACKGROUND OF THE INVENTION
Enterprise computing is evolving from a centralized, mainframe-based model to distributed client-server and Internet-based computing. These trends generally are increasing the complexity of managing enterprise systems and infrastructures. Management challenges for such enterprise systems are further increased where the network environment includes features such as corporate web farms, large-scale intranets, e-Commerce applications, on-line customer relationships, remote sales offices, integrated business partnerships and extended supply chains. Such an extended enterprise network environment is schematically illustrated in FIG. 1. Thus, it is desirable for enterprise systems and applications to reach beyond the walls of the traditional enterprise definition. In light of these enterprise network environment trends, network administrators are increasingly challenged in their efforts to simplify administration tasks, increase security and reduce network costs.
Various approaches have been taken to expand upon the earliest models for network administration, such as various Windows products from Microsoft Corporation, in which specific users designated on the system as administrators were given extensive administrative powers while all other users were denied those powers. Thus, security and administration of the network environment in such products is provided by bifurcating users into administrators who have full administration authorities and users with no such authority.
Given the increased reliance on and complexity of the enterprise network environment, improvements to this basic administrator/user model have been provided in an attempt to allow controlled delegation of administrator authorities to designated users without requiring that such users be provided full administration powers and authorities over the network environment. Examples of such known approaches include the Windows 2000 Active Directory from Microsoft Corporation and the enterprise administrator previously offered by Mission Critical Software (now NetIQ Corporation) of Houston, Tex.
Active Directory is a feature supporting administration tasks. The Active Directory is a directory service that is integrated with Windows 2000 Server and offers hierarchical views, extensibility, scalability, and distributed security to business customers. The directory service is integrated with both Internet and intranet environments, provides intuitive naming for the objects it contains, scales from a small business to a large enterprise, works with familiar tools, such as Web browsers, and provides open application programming interfaces. In essence, Active Directory allows an enterprise environment to be managed by presenting a variety of objects in the manner of a file directory.
To provide administrators with the power to create their own directory object types, the Active Directory is extensible through a schema mechanism. If a user has an important piece of information that the user wants to publish in the directory, he or she can create a whole new object type and publish it. For example, a wholesale distributor may want to create a warehouse object to put in its directory, with information that is specific to that business. New object classes can be defined and instances added.
The directory services themselves define a wide variety of classes. For example, the Active Directory provides standard objects for Domain, Organization Units (OU), User, Group, Machine, Volume, and PrintQueue, as well as a set of “connection point” objects used by Winsock, Remote Procedure Call (RPC), and Distributed Component Object Model (DCOM) services to publish their binding information.
The Active Directory provides an administration structure that allows for some decentralized administration generally without compromising security. Because each domain is a security boundary, multiple security boundaries are possible. With this design, administrators in domain A are not generally automatically administrators in domain B. The container hierarchy may be important where the scope of administration is the domain, and the administrator of a domain has authority over every object and service within that domain. The Active Directory grants privileges to users based on the specific functions they must perform within a given scope. Administrative scope can include an entire domain, a subtree of OUs within a domain, or a single OU.
With the Active Directory, large structures of users can be created in which each user can potentially access all of the information stored in the directory, but the security boundaries remain clear. Security boundaries can also be much smaller than domains. For example, when a user account is created, it is associated with a particular domain, but it can also be put into an organizational unit. Permission to create users in an organizational unit can be delegated, allowing someone to create users or other directory objects in one place only, with rights within that OU only. In addition, OU hierarchies can be created. The Active Directory provides specific permissions which can be delegated and restricted in scope. However, Active Directory still uses a static membership approach with Access Control List (ACL) based management. An ACL is a table which identifies access rights of a user to objects in Active Directory.
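The scoping rules just described (each domain is a security boundary; a grant covers a whole domain, an OU subtree, or a single OU; and access follows static group membership) can be made concrete in a small model. This is an added example, not code from the patent or from Active Directory; the principal names, the "create-user" permission and the OU layout are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    """One delegated permission. ou_path () means the whole domain;
    subtree=False restricts the grant to exactly that OU."""
    principal: str            # user or Security Group receiving the grant
    permission: str           # hypothetical permission name, e.g. "create-user"
    domain: str               # each domain is its own security boundary
    ou_path: tuple[str, ...] = ()
    subtree: bool = True

class Directory:
    """Static-membership, ACL-style model: access depends only on who the
    user is (or which groups they are in) and what those names were granted."""
    def __init__(self) -> None:
        self.grants: list[Delegation] = []
        self.members: dict[str, set[str]] = {}   # group -> member users
    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)
    def remove_member(self, group: str, user: str) -> None:
        self.members.get(group, set()).discard(user)
    def delegate(self, grant: Delegation) -> None:
        self.grants.append(grant)
    def principals_for(self, user: str) -> set[str]:
        return {user} | {g for g, m in self.members.items() if user in m}
    def is_allowed(self, user: str, permission: str,
                   domain: str, ou_path: tuple[str, ...]) -> bool:
        names = self.principals_for(user)
        for g in self.grants:
            if g.principal not in names or g.permission != permission:
                continue
            if g.domain != domain:            # never crosses a domain boundary
                continue
            depth = len(g.ou_path)
            if ou_path[:depth] != g.ou_path:  # target lies outside the scope
                continue
            if not g.subtree and len(ou_path) != depth:
                continue                      # single-OU grant, target is deeper
            return True
        return False

def build_sample() -> Directory:
    """Constructed sample directory (hypothetical names, not from the patent)."""
    d = Directory()
    d.delegate(Delegation("domain-admin-A", "create-user", "A"))               # whole domain A
    d.delegate(Delegation("SalesAdmins", "create-user", "A", ("Sales",)))      # OU subtree
    d.delegate(Delegation("bob", "create-user", "A", ("HR",), subtree=False))  # single OU only
    d.add_member("SalesAdmins", "alice")
    return d
```

Removing a user from a group immediately removes every right that reached them through it, which is the static-membership behaviour the text contrasts with rule-based delegation.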
The Active Directory uses multimaster replication. Some directory services use a master-slave approach to do updates: all of the updates must be made to the master copy of the directory, and these are then replicated to the slave copies. This is generally adequate for a directory with a small number of copies and an environment where all of the changes can be applied centrally, but this approach does not typically scale beyond small-sized organizations, nor does it address the needs of decentralized organizations. Because the Active Directory offers multimaster replication, individual changes made in one copy of the directory are generally automatically replicated to other appropriate copies of the directory, whether connected via point-to-point or store-and-forward links.
Windows 2000 also provides a Security Configuration Editor designed to allow a user to perform configuration at a macro level. In other words, the editor allows a user to define a number of configuration settings and have them enacted in the background. With this tool, some configuration tasks can be grouped and automated using a macro-based station over the ACL-based Active Directory; they may, therefore, no longer require numerous, iterative key presses and repeat visits to a number of different applications to configure a group of machines.
Windows 2000 also provides Group Policy and Security Groups, which can be used to filter Group Policy by using membership in Security Groups and setting ACL permissions. Doing so enables processing of Group Policy Objects and allows Group Policy to be applied to Security Groups. By using ACLs and Security Groups, you can modify the scope of Group Policy Objects.
Finally, Windows 2000 provides a Microsoft Management Console (MMC) that is an independent software vendor (ISV)-extensible, common console framework for management applications. MMC itself does not supply any management behavior, but instead provides a common environment for Snap-Ins. Snap-Ins define the actual management behavior. Snap-Ins are administrative components integrated into a common host (MMC). The MMC environment may provide for seamless integration between Snap-Ins, even those provided by different vendors.
The Enterprise Administrator (EA) product also provided for some delegation of powers and automation of procedures to facilitate administration of an enterprise network environment. More particularly, EA provided rules based delegation of powers to users to allow for limited delegation of administrator powers t
Bernhardt Thomas
Erickson Marcus Richard
Vaidya Chandrashekhar
Geckil Mehmet B.
Myers Bigel & Sibley & Sajovec
NetIQ Corporation