Computer security system
Abstract
A computer system provides system-wide computer application security using role-based identifiers. The programmer identifies secured functions within a software application using a hierarchical identifier. The hierarchical identifiers are grouped together into privilege sets. The privilege sets and other hierarchical identifiers are grouped together into job functions, which are in turn grouped into larger subsets called user roles. These user roles are stored in a data store. User identifiers are created. Each user identifier is linked to one user role in the data store. A surrogate identifier is created to correspond to each user role and is stored in the data store. The surrogate identifiers are not disclosed to the users. A user is given permission to access secured functions within an application by retrieving a surrogate identifier from the data store, which shares the same user role as the user. Access rights are determined using the surrogate identifier to validate permissions on a security provider.
26 Claims
1. A method for providing computer application security, the method comprising:
identifying secured resources within a software application;
grouping secured resources into user roles in a data store;
creating a plurality of surrogate identifiers in the data store, each surrogate identifier being associated with one user role;
associating users with user roles, each user being associated with one user role; and
determining access rights to the secured resources for each user according to a corresponding surrogate identifier without disclosing the corresponding surrogate identifier to the user, the corresponding surrogate identifier being associated with the one user role of the user.
13. A method for providing computer security, the method comprising:
securing a plurality of resources within a software application;
identifying each of the plurality of resources in a data store;
selecting some of the plurality of resources;
grouping selected resources into user roles in the data store;
creating a plurality of user names and a plurality of aliases in the data store, each user name and each alias being associated with the same one user role;
replicating the plurality of resources, the user roles, the plurality of user names and the plurality of aliases in a plurality of data stores; and
determining access privileges to the plurality of resources using an alias corresponding to a user name by virtue of the same one user role from one of the plurality of data stores.
18. A computer security system comprising:
a plurality of computer workstations, each computer workstation having an operating system and a software application installed, the software application containing an embedded component;
a plurality of security providers, each security provider having a security data store; and
a plurality of security brokers, each security broker having a data store, each security broker being a computer in network communication with the computer workstations and the security providers;
wherein each computer workstation is capable of communicating with each security broker; and
wherein each security broker is capable of communicating with each security provider.
23. A process for authorizing access rights to secured resources in a software application, the process comprising:
authenticating a computer user to a computer security provider via a user identifier corresponding to the computer user, the computer security provider returning a result to a security broker according to the user identifier;
storing the result on the security broker;
retrieving a surrogate identifier from the security broker, the surrogate identifier corresponding to the result, the surrogate identifier being undisclosed to the computer user; and
authorizing the surrogate identifier to the computer security provider, the computer security provider returning surrogate permissions to the security broker, the surrogate permissions corresponding to the surrogate identifier, the surrogate permissions for determining access rights to secured resources in the software application according to the surrogate permissions.
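The sketch below is an added illustration, not code from the patent, of the role hierarchy in the abstract and the surrogate lookup in claim 23: a broker maps a user to a role, resolves that role's surrogate identifier, and checks permissions on the provider under the surrogate only. The class names, the dotted resource-identifier format and the sample data are assumptions, and the user is assumed to have already authenticated.

```python
import secrets

# Constructed sample data; identifier format and names are assumptions.
PRIVILEGE_SETS = {
    "invoice-read": {"billing.invoice.view", "billing.invoice.export"},
    "invoice-write": {"billing.invoice.create", "billing.invoice.void"},
}
JOB_FUNCTIONS = {  # privilege sets plus individual hierarchical identifiers
    "accounts-clerk": {"invoice-read", "billing.customer.view"},
    "accounts-lead": {"invoice-read", "invoice-write", "billing.customer.view"},
}
ROLES = {"clerk": {"accounts-clerk"}, "supervisor": {"accounts-lead"}}
USER_ROLE = {"alice": "clerk", "bob": "supervisor"}  # one role per user

def expand(names):
    """Flatten job functions and privilege sets to resource identifiers."""
    out = set()
    for n in names:
        if n in JOB_FUNCTIONS:
            out |= expand(JOB_FUNCTIONS[n])
        elif n in PRIVILEGE_SETS:
            out |= PRIVILEGE_SETS[n]
        else:
            out.add(n)
    return out

class SecurityProvider:
    """Stores permissions keyed by surrogate identifier, never by user name."""
    def __init__(self):
        self._acl = {}
    def grant(self, surrogate, resources):
        self._acl[surrogate] = frozenset(resources)
    def permissions(self, surrogate):
        return self._acl.get(surrogate, frozenset())

class SecurityBroker:
    def __init__(self, provider):
        self._provider = provider
        self._surrogate_for_role = {}
        for role, members in ROLES.items():
            sid = "svc-" + secrets.token_hex(8)  # random, kept inside the broker
            self._surrogate_for_role[role] = sid
            provider.grant(sid, expand(members))
    def is_allowed(self, user, resource):
        # Returns only a yes/no answer; the surrogate never reaches the caller.
        sid = self._surrogate_for_role.get(USER_ROLE.get(user))
        if sid is None:
            return False  # unknown user or role: deny by default
        return resource in self._provider.permissions(sid)
```

Because the provider's access lists name only surrogates, changing what a role may do is a single update to one surrogate's permissions rather than one per user.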