Network system and method for limiting the execution of...

Electrical computers and digital processing systems: multicomput – Distributed data processing

Reexamination Certificate


Details

C709S203000, C709S225000

active

06574656

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a network system and a method to limit, in a network system consisting of a plurality of computer systems with communication lines, the execution of transaction commands given from one to another of the plurality of computer systems.
2. Description of the Related Art
In a network system consisting of a plurality of computer systems connected via a wide area network or the like, for instance a decentralized data management system, computer systems are often installed correspondingly to the groups using the respective computer systems. The “group” in this context may be a group of any size, ranging from a large organization such as a corporation to a small one such as a department or a section in a corporation. Conceivable ways of being “installed corresponding to groups” include installation of one computer system for each group, installation of one computer system for a plurality of groups, and installation of a plurality of computer systems for one group.
In such a network system, where information registered with the computer system of one group is to be referenced and updated from the computer system of another group, allowing every operator to perform such transactions with no limitation at all may harm the reliability of data stored on the network if any operator updates or otherwise manipulates any data wrongly, whether intentionally or by mistake.
Therefore, to avoid such trouble, it is necessary to supplement each transaction command with authority information indicating which operator may execute that particular transaction command.
Incidentally, conceivable methods to attach authority information to transaction commands include having each computer system manage authority information on operators of all the groups. This method, however, presupposes that all computer systems possess the data needed for authorization of operations (hereinafter called “authorization data”), and accordingly if authorization data possessed by one computer system is augmented or altered, that augmentation or alteration will have to be reflected in all other computer systems. Therefore, this method requires communication to have the augmentation or alteration reflected in the other computer systems, resulting in a problem of consuming more system resources and thereby inviting a drop in the overall system performance.
Methods according to the prior art for setting program execution authority (authority for command use) in a network system include one to control execution of transaction jobs on a group-by-group basis in a plurality of computer systems, which is disclosed in the Japanese Patent Application Laid-Open No. Hei 7-219899. However, the technique disclosed by this patent application requires that, where a group authorized to execute transaction jobs is to be registered with an execution authority library, the registration is classified by the computer ID. It also requires setting of information on the opposite computer to be authorized for execution, type of authorization and the like for each set of program data, resulting in complexity of operation.
SUMMARY OF THE INVENTION
An object of the present invention, therefore, is to provide a network system and a method capable of limiting the execution of transaction commands entered from one computer system to another without requiring communication to make the authorization data held by the computer systems identical.
According to an aspect of the present invention, there is provided a network system including a first computer system, a second computer system, and communication lines to connect the first and second computer systems,
the first computer system comprising:
a first memory for storing a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
a first authorization unit for referencing, when a command to be executed by the second computer system is entered by an operator, the first set of authorization data and judging whether or not the operator is to be authorized to execute the command; and
a first execution unit for augmenting, if the first authorization unit judges that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and transmitting the augmented command to the second computer system as a request from the group to execute the command; and
the second computer system comprising:
a second memory for storing a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
a second authorization unit for referencing, when the command is received from the first computer system, the second set of authorization data and judging whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
a second execution unit for executing the command, if the second authorization unit judges that the command is to be authorized for execution, in response to the execution request from the group.
According to another aspect of the present invention, in the foregoing network system,
the second set of authorization data further includes information on matching between a group and data to which access is to be authorized in response to the execution request from the group;
the second authorization unit references the second set of authorization data and judges whether or not the data to be accessed by the command are to be allowed access to in response to the request from the group whose command is augmented with identifying information; and
the second execution unit, if the second authorization unit judges that the data may be allowed access to in response to the request from the group, executes the command.
According to still another aspect of the present invention, in the foregoing network system,
the first execution unit further augments the command with operator identifying information and transmits it to the second computer system;
the second memory further stores a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands;
the second authorization unit refers to the list of unauthorized operators and judges whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
the second execution unit, if the second authorization unit judges that the operator is not to be authorized to execute the command, does not execute the command.
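The two-stage check described in the three aspects above, as an added Python sketch that is not taken from the patent: the first system maps operator to group and refuses locally, the second system decides on the group identifier, the data accessed, and its list of unauthorized operators. All class names, sample operators, groups and commands are constructed, and the order of the three checks on the second system and its reliance on the group identifier as sent are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    group: str     # group identifier added by the first system
    operator: str  # operator identifier (third aspect)
    command: str
    target: str    # data the command will access (second aspect)

class FirstSystem:
    def __init__(self, operator_group, group_commands):
        self.operator_group = operator_group  # operator -> group
        self.group_commands = group_commands  # group -> commands

    def submit(self, operator, command, target):
        group = self.operator_group.get(operator)
        if group is None or command not in self.group_commands.get(group, set()):
            return None  # refused locally; nothing is transmitted
        return Request(group, operator, command, target)

class SecondSystem:
    def __init__(self, group_commands, group_data, unauthorized):
        self.group_commands = group_commands  # group -> commands
        self.group_data = group_data          # group -> data
        self.unauthorized = unauthorized      # command -> operators

    def handle(self, req):
        if req.command not in self.group_commands.get(req.group, set()):
            return "denied: command"
        if req.target not in self.group_data.get(req.group, set()):
            return "denied: data"
        if req.operator in self.unauthorized.get(req.command, set()):
            return "denied: operator"
        return "executed"

# Constructed sample data; the two sets are maintained independently.
FIRST = FirstSystem(
    {"alice": "sales", "bob": "audit", "carol": "sales"},
    {"sales": {"reference", "update", "delete"}, "audit": {"reference"}})
SECOND = SecondSystem(
    {"sales": {"reference", "update"}, "audit": {"reference"}},
    {"sales": {"orders"}, "audit": {"orders", "ledger"}},
    {"update": {"carol"}})

def run(operator, command, target):
    req = FIRST.submit(operator, command, target)
    return "refused by first system" if req is None else SECOND.handle(req)

if __name__ == "__main__":
    for case in [("alice", "update", "orders"), ("bob", "update", "orders"),
                 ("alice", "delete", "orders"), ("alice", "reference", "ledger"),
                 ("carol", "update", "orders")]:
        print(case, "->", run(*case))
```

The `delete` case shows the point of the design: the first system's table allows it for the group, the second system's table does not, and the request is denied without the two tables ever being synchronized.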
According to still another aspect of the present invention, there is provided a method to limit the execution of commands, comprising:
a first registration step to register with a first computer system a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
a second registration step to register with a second computer system a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
a first authorization step to reference, when a command to be executed by the second computer system is entered by an operator into the first computer system, the first set of authorization data and to judge whether or not the operator is to be authorized to execute the command; and
a first execution step to augment, if it is judged at the first authorization step that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command from
