Apparatus and method for managing multiple user identities on a networked computer system

US 20020143909A1
Filed: 03/27/2001
Published: 10/03/2002
Est. Priority Date: 03/27/2001
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one processor;

a memory coupled to the at least one processor;

a first user registry residing in the memory that contains a first user identity for a selected user;

a second user registry residing in the memory that contains a second user identity for the selected user; and

an identity mapping mechanism that provides a mapping between the first user identity and the second user identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method allow a system administrator to manage multiple user identities in multiple user registries in different processing environments. An identity mapping mechanism is provided that includes a directory service that includes entries that reference user identities in the multiple registries, and that reference identity mappings between those entries. The identity mapping mechanism includes an interface defined by a plurality of APIs that allow accessing and correlating the multiple user identities and the identity mappings. A programmer can generate an application or tool that uses the identity mapping mechanism by calling the APIs in the interface. In this manner, administration of user identities occurs with the user as the primary focus, rather than the platform. In addition, a common tool can be used to manage the user identities of different environments, making administration of user identities in a heterogenous network more efficient and cost-effective.

78 Citations

View as Search Results

34 Claims

1. An apparatus comprising:
- at least one processor;
  
  a memory coupled to the at least one processor;
  
  a first user registry residing in the memory that contains a first user identity for a selected user;
  
  a second user registry residing in the memory that contains a second user identity for the selected user; and
  
  an identity mapping mechanism that provides a mapping between the first user identity and the second user identity.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1 wherein the first user registry comprises a user registry in a first processing environment.
  - 3. The apparatus of claim 2 wherein the second user registry comprises a user registry in a second processing environment that is different than the first processing environment.
  - 4. The apparatus of claim 1 wherein the identity mapping mechanism comprises:
    - a directory service that contains a plurality of user identity mappings that correlate the first user identity in the first registry to the second user identity in the second registry, and that references the first and second user registries; and
      
      schema for the directory service that specifies relationships between a plurality of entries in the directory service, where at least one entry includes the user identity mappings.
  - 5. The apparatus of claim 4 wherein the directory service comprises Lightweight Directory Access Protocol (LDAP).
  - 6. The apparatus of claim 1 further comprising a global identifier residing in the memory that corresponds to the selected user, and wherein the mapping comprises a first correlation between the first user identity and the global identifier and a second correlation between the second user identity and the global identifier.

7. An apparatus comprising:
- at least one processor;
  
  a memory coupled to the at least one processor;
  
  a first user registry residing in the memory containing a first plurality of user identities;
  
  a second user registry residing in the memory containing a second plurality of user identities;
  
  a directory service that contains a plurality of user identity mappings that correlate a first user identity in the first user registry to a second user identity in the second user registry, and that references the first and second user registries; and
  
  schema for the directory service that specifies relationships between a plurality of entries in the directory service, where at least one entry includes the user identity mappings.
- View Dependent Claims (8, 9, 10, 11, 13, 14, 15, 17, 18)
- - 8. The apparatus of claim 7 wherein the first user registry comprises a user registry in a first processing environment.
  - 9. The apparatus of claim 8 wherein the second user registry comprises a user registry in a second processing environment that is different than the first processing environment.
  - 10. The apparatus of claim 7 wherein the directory service comprises Lightweight Directory Access Protocol (LDAP).
  - 11. The apparatus of claim 7 further comprising a global identifier residing in the memory that corresponds to the selected user, and wherein the mapping comprises a first correlation between the first user identity and the global identifier and a second correlation between the second user identity and the global identifier.
  - 13. The networked computer system of claim 12 wherein the first user registry comprises a user registry in a first processing environment.
  - 14. The networked computer system of claim 13 wherein the second user registry comprises a user registry in a second processing environment that is different than the first processing environment.
  - 15. The networked computer system of claim 12 further comprising a global identifier accessible via the network that corresponds to the selected user, and wherein the mapping comprises a first correlation between the first user identity and the global identifier and a second correlation between the second user identity and the global identifier.
  - 17. The method of claim 16 wherein the identity mapping mechanism comprises:
    - a directory service that contains a plurality of user identity mappings that correlate the first user identity in the first registry to the second user identity in the second registry, and that references the first and second user registries; and
      
      schema for the directory service that specifies relationships between a plurality of entries in the directory service, where at least one entry includes the user identity mappings.
  - 18. The method of claim 17 wherein the directory service comprises Lightweight Directory Access Protocol (LDAP).

12. A networked computer system comprising:
- a network that interconnects a plurality of computer systems;
  
  a first computer system coupled to the network that includes a first user registry for a first processing environment that contains a first user identity for a selected user;
  
  a second computer system coupled to the network that includes a second user registry for a second processing environment that contains a second user identity for the selected user; and
  
  a mechanism coupled to the network that provides a mapping between the first user identity and the second user identity.

16. A method for managing a plurality of user identities on a plurality of computer system coupled to a network, each user identity corresponding to a defined processing environment, the method comprising the steps of:
- providing an identity mapping mechanism that provides a mapping between a first user identity in a first user registry and a second user identity in a second user registry; and
  
  invoking the identity mapping mechanism to determine the mapping between the first user identity and the second user identity.

19. A method for correlating a plurality of user identities on a plurality of computer systems coupled to a network, the method comprising the steps of:
- generating a global identifier corresponding to a user;
  
  mapping a first user identity in a first user registry to the global identifier; and
  
  mapping a second user identity in a second user registry to the global identifier.

20. A program product comprising:
- (A) an identity mapping mechanism that provides a mapping between;
  
  (A1) a first user identity for a selected user residing in a first user registry; and
  
  (A2) a second user identity for the selected user residing in a second user registry; and
  
  (B) computer-readable signal bearing media bearing the identity mapping mechanism.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32, 33, 34)
- - 21. The program product of claim 20 wherein the signal bearing media comprises recordable media.
  - 22. The program product of claim 20 wherein the signal bearing media comprises transmission media.
  - 23. The program product of claim 20 wherein the first user registry comprises a user registry in a first processing environment.
  - 24. The program product of claim 23 wherein the second user registry comprises a user registry in a second processing environment that is different than the first processing environment.
  - 25. The program product of claim 20 wherein the identity mapping mechanism comprises:
    - a directory service that contains a plurality of user identity mappings that correlate the first user identity in the first registry to the second user identity in the second registry, and that references the first and second user registries; and
      
      schema for the directory service that specifies relationships between a plurality of entries in the directory service, where at least one entry includes the user identity mappings.
  - 26. The program product of claim 20 wherein the directory service comprises Lightweight Directory Access Protocol (LDAP).
  - 27. The program product of claim 20 wherein the identity mapping mechanism provides a mapping between the first user identity and the second user identity by creating a global identifier that corresponds to the selected user, and by generating a first correlation between the first user identity and the global identifier and a second correlation between the second user identity and the global identifier.
  - 29. The program product of claim 28 wherein the signal bearing media comprises recordable media.
  - 30. The program product of claim 28 wherein the signal bearing media comprises transmission media.
  - 31. The program product of claim 28 wherein the first user registry comprises a user registry in a first processing environment.
  - 32. The program product of claim 31 wherein the second user registry comprises a user registry in a second processing environment that is different than the first processing environment.
  - 33. The program product of claim 28 wherein the directory service comprises Lightweight Directory Access Protocol (LDAP).
  - 34. The program product of claim 28 wherein the plurality of user identity mappings each comprise a mapping between the first user identity and a global identifier that corresponds to the selected user, and a mapping between the global identifier and the second user identity.

28. A program product comprising:
- (A) a directory service that contains a plurality of user identity mappings that correlate a first user identity in a first user registry to a second user identity in a second user registry, and that references the first and second user registries; and
  
  (B) schema for the directory service that specifies relationships between a plurality of entries in the directory service, where at least one entry includes the user identity mappings; and
  
  (C) computer-readable signal bearing media bearing the directory service and the schema.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Botz, Patrick S., Fleming, Patrick Jerome

Granted Patent

US 6,981,043 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 21/41   where a single sign-on prov...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99948   Application of database or ...

Apparatus and method for managing multiple user identities on a networked computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for managing multiple user identities on a networked computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links