Computer security system

US 20020095571A1
Filed: 01/18/2001
Published: 07/18/2002
Est. Priority Date: 01/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method for providing computer application security, the method comprising:

identifying secured resources within a software application;

grouping secured resources into user roles in a data store;

creating a plurality of surrogate identifiers in the data store, each surrogate identifier being associated with one user role;

associating users with user roles, each user being associated with one user role; and

determining access rights to the secured resources for each user according to a corresponding surrogate identifier without disclosing the corresponding surrogate identifier to the user, the corresponding surrogate identifier being associated with the one user role of the user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system provides system-wide computer application security using role-based identifiers. The programmer identifies secured functions within a software application using a hierarchical identifier. The hierarchical identifiers are grouped together into privilege sets. The privilege sets and other hierarchical identifiers are grouped together into job functions, which are in turn grouped into larger subsets called user roles. These user roles are stored in a data store. User identifiers are created. Each user identifier is linked to one user role in the data store. A surrogate identifier is created to correspond to each user role and is stored in the data store. The surrogate identifiers are not disclosed to the users. A user is given permission to access secured functions within an application by retrieving a surrogate identifier from the data store, which shares the same user role as the user. Access rights are determined using the surrogate identifier to validate permissions on a security provider.

168 Citations

26 Claims

1. A method for providing computer application security, the method comprising:
- identifying secured resources within a software application;
  
  grouping secured resources into user roles in a data store;
  
  creating a plurality of surrogate identifiers in the data store, each surrogate identifier being associated with one user role;
  
  associating users with user roles, each user being associated with one user role; and
  
  determining access rights to the secured resources for each user according to a corresponding surrogate identifier without disclosing the corresponding surrogate identifier to the user, the corresponding surrogate identifier being associated with the one user role of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 19, 20, 21, 22, 24, 25, 26)
- - 2. The method of claim 1, wherein identifying secured resources comprises:
    - identifying functions within the software application to be secured, the identified functions being secured resources; and
      
      invoking a security call before permitting access to the secured resources.
  - 3. The method of claim 2, wherein identifying secured resources further comprises:
    - installing an embedded module in the software application to capture the security call.
  - 4. The method of claim 1, wherein grouping secured resources into user roles comprises:
    - establishing in the data store links to each of the secured resources;
      
      selecting the links corresponding to related secured resources;
      
      grouping the selected links into user roles; and
      
      storing the user roles in the data store.
  - 5. The method of claim 1, wherein grouping secured resources into user roles comprises:
    - establishing in the data store links to each of the secured resources within the software application;
      
      selecting the links corresponding to related secured resources;
      
      grouping the selected links into privilege sets;
      
      grouping privilege sets and links into user roles; and
      
      storing the user roles in the data store.
  - 6. The method of claim 1, wherein grouping secured resources into user roles comprises:
    - establishing in the data store links to each of the secured resources within the software application;
      
      selecting the links corresponding to related secured resources;
      
      grouping the selected links into privilege sets;
      
      grouping privilege sets and links into job functions;
      
      grouping job functions, privilege sets and links into user roles; and
      
      storing the user roles in the data store.
  - 7. The method of claim 1, wherein creating a plurality of surrogate identifiers comprises:
    - associating each surrogate identifier with one user role in the data store; and
      
      replicating each surrogate identifier in a data store of a security provider.
  - 8. The method of claim 1, wherein associating a user with a user role comprises:
    - creating a list of user identifiers corresponding to existing users on a security provider;
      
      selecting user identifiers from the list;
      
      storing selected user identifiers in the data store; and
      
      associating each selected user identifier with one user role, the user role being undisclosed to the user.
  - 9. The method of claim 1, wherein determining access rights to one of the secured resources comprises:
    - authenticating the user as a valid user; and
      
      authorizing the user to access one of the secured resources.
  - 10. The method of claim 9, wherein authenticating the user comprises:
    - invoking programatically an embedded component within the software application when a secured resource is accessed;
      
      passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
      
      retrieving an identifier and a security provider name from the user via the platform coordinator;
      
      passing the identifier and the security provider name to a security broker;
      
      relaying the identifier to a security provider associated with the security provider name for authentication;
      
      evaluating automatically the identifier against a data store of the security provider;
      
      returning an authentication result to the security broker;
      
      storing an authentication token with a time stamp in a cache of the security broker when authentication is successful, the authentication token created by the security broker based on the authentication result;
      
      retrieving the user role associated with the identifier from the data store;
      
      retrieving the surrogate identifier associated with the user role from the data store;
      
      passing the surrogate identifier and a secured resource name from the security broker to the security provider;
      
      evaluating automatically the surrogate identifier against the data store of the security provider;
      
      determining automatically permissions associated with the surrogate identifier on the security provider;
      
      returning an authorization result associated with the surrogate identifier to the security broker;
      
      creating automatically a permissions token on the security broker based on the authorization result;
      
      relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
      
      storing the permissions token with a time stamp in a cache on the platform coordinator; and
      
      relaying the access rights to the software application through the embedded component.
  - 11. The method of claim 9, wherein once the user is authenticated, authorizing the user comprises:
    - invoking programatically an embedded component within the software application when a secured resource is accessed;
      
      passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
      
      retrieving an authentication token from a cache on the platform coordinator;
      
      passing the authentication token and the resource name to the security broker;
      
      comparing the authentication token against the cache on the security broker to identify a matching authentication token, the matching authentication token being associated in the cache with the surrogate identifier;
      
      passing the surrogate identifier and the resource name from the security broker to the security provider;
      
      evaluating automatically the surrogate identifier against the data store of the security provider;
      
      determining automatically permissions associated with the surrogate identifier on the security provider;
      
      returning an authorization result associated with the surrogate identifier to the security broker;
      
      creating automatically a permissions token on the security broker based on the authorization result;
      
      relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
      
      storing the permissions token with a time stamp in a cache on the platform coordinator; and
      
      relaying the access rights to the software application through the embedded component.
  - 12. The method of claim 9, wherein once the user is authenticated and authorized to access the secured resource, determining access rights to one of the secured resources further comprises:
    - invoking programatically an embedded component within the software application when the secured resource is accessed;
      
      passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
      
      retrieving an authentication token from a cache on the platform coordinator;
      
      comparing the secured resource name with permissions tokens stored in the cache on the platform coordinator for a matching permissions token, the matching permissions token containing the secured resource name;
      
      relaying access rights associated with the matching permissions token to the software application through the embedded component.
  - 14. The method for providing computer security of claim 13, wherein determining access privileges comprises:
    - authenticating a user on the system; and
      
      authorizing access rights to secured resources in the software application.
  - 15. The method for providing computer security of claim 14, wherein authenticating a user comprises:
    - retrieving a user identifier;
      
      passing the user identifier to a security provider;
      
      verifying the user identifier against a data store on the security provider; and
      
      returning an encrypted authentication token.
  - 16. The method for providing computer security of claim 14, wherein authorizing access rights comprises:
    - capturing a security call from the software application, the security call containing a name identifying a secured resource;
      
      retrieving a user identifier;
      
      passing the user identifier to a security broker;
      
      retrieving one of the plurality of aliases from the data store of the security broker, the retrieved alias corresponding to the user identifier;
      
      passing the retrieved alias to a security provider;
      
      verifying the alias against a provider data store on the security provider;
      
      returning an encrypted permissions token to the software application; and
      
      determining access rights to the secured resource according to the permissions token.
  - 17. The method of claim 16 wherein retrieving a user identifier comprises:
    - gathering information about a user for authorizing access to secured resources, the information selected from the group consisting of user name and password, software token, hardware token, and digital signature.
  - 19. The computer security system of claim 18, wherein the computer workstations further comprise:
    - a platform coordinator installed on each workstation, the platform coordinator for routing permissions requests to security brokers, the platform coordinator capable of communicating with any one of the security brokers so that if one of the security brokers is unavailable, the platform coordinator can route the permissions requests to another security broker for proceeding with authentication and authorization.
  - 20. The computer security system of claim 18, wherein the security brokers further comprise:
    - a cache for storing an authentication token, the authentication token being used to retrieve a surrogate identifier associated with the authentication token.
  - 21. The computer security system of claim 18, wherein the security brokers route permissions requests programmatically to the security providers, each security broker being capable of routing permissions requests to any one of the security providers such that if one security provider is unavailable, the security broker can route permissions requests to another security provider.
  - 22. The computer security system of claim 18, wherein the security system further comprises:
    - administration utilities for configuring, updating and maintaining the data store and the security data store, the administration utilities providing a single software application for maintaining user identifiers, setting and changing permissions, creating security events, and tracking system usage and security events within the security system.
  - 24. The process for authorizing access rights according to claim 23, wherein authorizing the surrogate identifier to the computer security provider comprises:
    - passing the surrogate identifier to a security manager;
      
      querying for the surrogate identifier in a permissions list on the security provider using the security manager;
      
      determining surrogate permissions for the surrogate identifier according to the permissions list; and
      
      returning the surrogate permissions to the security broker.
  - 25. The process for authorizing access rights according to claim 24, wherein authorizing the surrogate identifier to the computer security provider further comprises:
    - passing the surrogate permissions from the security broker to a platform coordinator;
      
      storing the surrogate permissions with a time stamp in a cache on the platform coordinator;
      
      relaying the surrogate permissions to an embedded component within the software application;
      
      passing the surrogate permissions to a function within the software application, the function capable of interpreting the surrogate permission; and
      
      interpreting the surrogate permission using the function to permit or deny access rights to the secured resource.
  - 26. The process for authorizing access rights according to claim 23, wherein authenticating comprises:
    - passing the user identifier from the security broker to a security manager;
      
      querying for the user identifier in an authentication list on the security provider using the security manager;
      
      determining validity of the user identifier according to the authentication list; and
      
      returning a result to the security broker.

13. A method for providing computer security, the method comprising:
- securing a plurality of resources within a software application;
  
  identifying each of the plurality of resources in a data store;
  
  selecting some of the plurality of resources;
  
  grouping selected resources into user roles in the data store;
  
  creating a plurality of user names and a plurality of aliases in the data store, each user name and each alias being associated with the same one user role;
  
  replicating the plurality of resources, the user roles, the plurality of user names and the plurality of aliases in a plurality of data stores; and
  
  determining access privileges to the plurality of resources using an alias corresponding to a user name by virtue of the same one user role from one of the plurality of data stores.

18. A computer security system comprising:
- a plurality of computer workstations, each computer workstation having an operating system and a software application installed, the software application containing an embedded component;
  
  a plurality of security providers, each security provider having a security data store; and
  
  a plurality of security brokers, each security broker having a data store, each security broker being a computer in network communication with the computer workstations and the security providers;
  
  wherein each computer workstation is capable of communicating with each security broker; and
  
  wherein each security broker is capable of communicating with each security provider.

23. A process for authorizing access rights to secured resources in a software application, the process comprising:
- authenticating a computer user to a computer security provider via a user identifier corresponding to the computer user, the computer security provider returning a result to a security broker according to the user identifier;
  
  storing the result on the security broker;
  
  retrieving a surrogate identifier from the security broker, the surrogate identifier corresponding to the result, the surrogate identifier being undisclosed to the computer user; and
  
  authorizing the surrogate identifier to the computer security provider, the computer security provider returning surrogate permissions to the security broker, the surrogate permissions corresponding to the surrogate identifier, the surrogate permissions for determining access rights to secured resources in the software application according to the surrogate permissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jolly Seven, Series 70 of Allied Security Trust I (Allied Security Trust)
Original Assignee
Robert L. Bradee
Inventors
Bradee, Robert L.

Granted Patent

US 7,131,000 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6236   between heterogeneous systems

Y10S 707/99939   Privileged access

Computer security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links