System for controlling the authority of a terminal capable...

Electrical computers and digital processing systems: multicomput – Distributed data processing – Client/server

Reexamination Certificate


Details

C709S201000, C713S152000


active

06237023

ABSTRACT:

BACKGROUND OF THE INVENTION
This invention relates to an access control system and method, and in particular to access control in a distributed system in which the resources of remote sites are shared over a computer network.
Access control in a distributed system is generally achieved by combining an authentication mechanism for the distributed system with a resource protection mechanism at each site. For example, a distributed file system, which is a means of sharing files via a network, is used in a comparatively small-scale network environment such as a local area network (LAN). In such a case the site-level user authentication means is applied across the network as well, by unifying the modes of user management between sites, and resource protection is achieved on the basis of the authority granted to authenticated users. The file access control means that implements this is generally provided by the operating system (OS).
In a comparatively large-scale network such as a wide-area network (WAN), on the other hand, authentication by a dedicated authentication system is used, because unifying the modes of user management across sites is difficult. In a large-scale network environment, opportunities to share resources are fewer than in a small-scale network. However, as regards the mechanism eventually used for resource protection, the situation is the same as in the small-scale network environment.
However, the following problems arise in the art described above:
The first problem is that satisfactory reliability cannot be assured merely by applying the site-level user authentication mechanism to a distributed system. Even if the modes of user management are unified between sites, nothing binds a site to that agreement, and any single site is capable of individually altering some of the management information. In such a case a site administrator can impersonate a user, and it is difficult for the resource provider to detect this.
The second problem is that, when the resource protection mechanism provided by the operating system (OS) is applied to distributed resources, it is ordinarily effective only at the site at which that mechanism is operating. Consequently, an externally originated request to operate on a resource must be handled on the basis of the authority that has been granted to the requesting site. However, as long as a user who has once been authenticated possesses the same authority everywhere, it is not possible to cope with a situation in which the reliability or the level of authorization differs from site to site, even for the same user.
SUMMARY OF THE INVENTION
Accordingly, an object of the present invention is to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.
According to the present invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user, decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging means for judging, using the authority that has been decided, whether or not to accept the service request.
In another aspect of the invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message, and service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request.
According to the present invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.
In another aspect of the invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising, in relay means for intercepting a service request and distributing a received message, a first acquisition step of acquiring an identifier of a user requesting a service and a transmission step of transmitting, to service providing means, a service request message to which the acquired user identifier has been added, and, in the service providing means, a receiving step of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.
In accordance with the present invention having the configuration described above, it is possible to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.
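The following is an added example, not code from the patent, that models the relay-and-service-provider arrangement described in the summary above: the relay authenticates the user and adds the user identifier onto the forwarded request, and the service provider takes the relay's own identifier as the terminal identifier, decides authority uniquely from the (terminal, user) pair, and then judges the request. The policy table, message format, relay names and operation names are all assumptions made for this example. It also shows the second problem from the background being addressed: the same user gets different authority depending on which site forwarded the request.

```python
"""Added example of (terminal id, user id) -> authority access control.

Everything here (policy entries, relay names, message fields) is an
assumption made for illustration; none of it comes from the patent.
"""
from dataclasses import dataclass
from enum import IntEnum


class Authority(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed policy: authority is decided uniquely by the pair
# (terminal identifier, user identifier).  The same user "alice" is fully
# trusted when her request arrives via "relay-hq" but only trusted for reads
# via "relay-branch"; a relay that is not listed gets nothing.
POLICY = {
    ("relay-hq", "alice"): Authority.WRITE,
    ("relay-branch", "alice"): Authority.READ,
    ("relay-hq", "bob"): Authority.READ,
}

# Authority each operation requires (assumed operation names).
REQUIRED = {"read": Authority.READ, "write": Authority.WRITE}


@dataclass(frozen=True)
class RelayedRequest:
    # Identifier of the relay that transmitted the message.  In a real
    # deployment this comes from the transport (an authenticated connection
    # or the peer's address), never from a field the client can fill in.
    relay_id: str
    message: dict  # service request message with the user id added by the relay


def relay(relay_id: str, user_id: str, service_request: dict) -> RelayedRequest:
    """Relay means: after authenticating the user locally, add the user
    identifier onto the request and forward it to the service provider."""
    message = dict(service_request)  # copy, do not mutate the caller's dict
    # Overwrite unconditionally: a client that put its own "user_id" in the
    # request cannot thereby claim another user's identity.
    message["user_id"] = user_id
    return RelayedRequest(relay_id=relay_id, message=message)


def decide_authority(terminal_id: str, user_id: str) -> Authority:
    """Decision means: the pair maps to exactly one authority level."""
    return POLICY.get((terminal_id, user_id), Authority.NONE)


def judge(req: RelayedRequest) -> bool:
    """Service providing means: take the user id from the message, the
    terminal id from the relay that sent it, decide, then judge."""
    user_id = req.message.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        return False  # relay attached no identity: reject
    needed = REQUIRED.get(req.message.get("operation"))
    if needed is None:
        return False  # unknown operation: fail closed
    return decide_authority(req.relay_id, user_id) >= needed


def demo() -> dict:
    """Run a few constructed requests and return {(relay, user, op): accepted}."""
    cases = [
        ("relay-hq", "alice", "write"),       # trusted site, full authority
        ("relay-branch", "alice", "write"),   # same user, less trusted site
        ("relay-branch", "alice", "read"),
        ("relay-unknown", "alice", "read"),   # unlisted relay
        ("relay-hq", "bob", "write"),         # bob may only read
    ]
    return {
        (rid, uid, op): judge(relay(rid, uid, {"operation": op, "resource": "/shared/report.txt"}))
        for rid, uid, op in cases
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

The point to notice is where each identifier comes from: the user identifier travels inside the message because only the relay that authenticated the user can attach it, while the terminal identifier is bound to the relay that actually delivered the message, so a compromised or misconfigured site can at most exercise the authority its own (terminal, user) entries grant.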
Other features and advantages of the present invention will be apparent from the following description taken in conjunction with the accompanying drawings, in which like reference characters designate the same or similar parts throughout the figures thereof.


REFERENCES:
patent: 4672572 (1987-06-01), Alsberg
patent: 4891838 (1990-01-01), Faber
patent: 4896319 (1990-01-01), Lidinsky et al.
patent: 4916738 (1990-04-01), Chandra et al.
patent: 5261070 (1993-11-01), Ohta
patent: 5278904 (1994-01-01), Servi
patent: 5590199 (1996-12-01), Krajewski et al.
patent: 5706427 (1998-01-01), Tabuki
patent: 5815664 (1998-09-01), Asano
patent: 5841970 (1998-11-01), Tabuki
patent: 0604911 A2 (1993-12-01)
Tanenbaum, A. S. et al., "The Amoeba distributed operating system: a status report", Computer Communications 14(6), Jul./Aug. 1991, London, GB.
