Instrument access control system

US 20040093526A1
Filed: 11/12/2002
Published: 05/13/2004
Est. Priority Date: 11/12/2002
Status: Active Grant

First Claim

Patent Images

1. In a system including a plurality of instruments, a method comprising steps of:

(A) receiving logon credentials from a user in an attempt to access a select one of the plurality of instruments;

(B) determining whether the logon credentials authorize the user to access the select one of the plurality of instruments by comparing the credentials to credential information stored in a data store accessible over a network to the plurality of instruments; and

(C) granting the user access to the select one of the plurality of instruments only if it is determined that the logon credentials authorize the user to access the select one of the plurality of instruments.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for centrally managing a set of network-connected laboratory instruments is disclosed. For example, the system includes a centralized database that includes information about the instruments in the system and about the authorized users of the system. In particular, the centralized database indicates which users are authorized to use each of the instruments in the system. The database may also include information about the operations that each user is authorized to perform using the instruments and information indicating whether tests performed by each instrument must be signed using one or more electronic signatures. The system may recognize a number of “roles,” each of which is associated with a particular set of rights, and may assign one or more roles to each user. Instruments and other elements of the system may access the centralized database over a network to enforce the user rights represented by the information in the database.

Citations

38 Claims

1. In a system including a plurality of instruments, a method comprising steps of:
- (A) receiving logon credentials from a user in an attempt to access a select one of the plurality of instruments;
  
  (B) determining whether the logon credentials authorize the user to access the select one of the plurality of instruments by comparing the credentials to credential information stored in a data store accessible over a network to the plurality of instruments; and
  
  (C) granting the user access to the select one of the plurality of instruments only if it is determined that the logon credentials authorize the user to access the select one of the plurality of instruments.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising a step of:
    - (D) prior to the step (B), determining whether the user is an authorized user of the system based on the logon credentials; and
      
      wherein the step (C) comprises a step of granting the user access to the select one of the plurality of instruments only if it is determined that the user is an authorized user of the system and it is determined that the logon credentials authorize the user to access the select one of the plurality of instruments.
  - 3. The method of claim 2, wherein the step (D) is performed by an operating system authentication mechanism.
  - 4. The method of claim 3, wherein the step (C) is performed by means distinct from the operating system authentication mechanism.
  - 5. The method of claim 4, wherein the means distinct from the operating system authentication mechanism comprises a server serving the data store.
  - 6. The method of claim 1, wherein the step (B) comprises steps of:
    - (B)(1) identifying a role of the user;
      
      (B)(2) identifying a set of instrument access rights associated with the role;
      
      (B)(3) determining whether the set of instrument access rights associated with the role includes the right to access the select one of the plurality of instruments; and
      
      B)(4) determining that the logon credentials authorize the user to access the select one of the plurality of instruments if it is determined that the set of instrument access rights associated with the role includes the right to access the select one of the plurality of instruments.
  - 7. The method of claim 1, wherein the step (B) is performed by a computer on which an operating system executes, wherein the operating system recognizes a first set of user roles, and wherein the step (B)(1) comprises a step of selecting the role from among a second set of roles that is independent of the first set of roles.
  - 8. The method of claim 1, wherein the step (B) comprises steps of:
    - (B)(1) identifying a role of the user;
      
      (B)(2) identifying a set of default instrument access rights associated with the role;
      
      (B)(3) identifying a set of user-specific instrument access rights associated with the user;
      
      (B)(4) applying the user-specific instrument access rights to the default instrument access rights to obtain a set of final instrument access rights associated with the user;
      
      (B)(5) determining whether the set of final instrument access rights associated with the user includes the right to access the select one of the plurality of instruments; and
      
      (B)(6) determining that the logon credentials authorize the user to access the select one of the plurality of instruments if it is determined that the set of final instrument access rights associated with the user includes the right to access the select one of the plurality of instruments.
  - 9. The method of claim 1, wherein the step (B) is performed by a computer on which an operating system executes, wherein the operating system recognizes a first set of user roles, and wherein the step (B)(1) comprises a step of selecting the role from among a second set of roles that is independent of the first set of roles.
  - 10. The method of claim 1, wherein the step (A) comprises a step of receiving the logon credentials from the user through an input device coupled locally to the select one of the plurality of instruments.
  - 11. The method of claim 1, wherein the logon credentials comprise a username and a password.
  - 12. The method of claim 1, wherein the step (B) comprises steps of:
    - (B)(1) transmitting an authorization request over the network to a server;
      
      (B)(2) receiving an authorization response over the network from the server; and
      
      (B)(3) determining whether the authorization response indicates that the logon credentials authorize the user to access the select one of the plurality of instruments.
  - 13. The method of claim 1, further comprising a step of:
    - (D) identifying a set of operations that the user has the right to perform using the select one of the plurality of instruments; and
      
      (E) allowing the user to perform on the select one of the plurality of instruments only those operations in the identified set of operations.
  - 14. The method of claim 1, wherein the step (B) comprises a step of determining whether the logon credentials authorize the user to access the select one of the plurality of instruments by comparing the credentials to credential information stored in a local copy of the data store.

15. A system comprising:
- a plurality of instruments;
  
  receiving means for receiving logon credentials from a user in an attempt to access a select one of the plurality of instruments;
  
  first determining means for determining whether the logon credentials authorize the user to access the select one of the plurality of instruments by comparing the credentials to credential information stored in a data store accessible over a network to the plurality of instruments; and
  
  rights granting means for granting the user access to the select one of the plurality of instruments only if it is determined that the logon credentials authorize the user to access the select one of the plurality of instruments.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, further comprising:
    - second determining means for determining whether the user is an authorized user of the system based on the logon credentials; and
      
      wherein the right granting means comprises means for granting the user access to the select one of the plurality of instruments only if it is determined that the user is an authorized user of the system and it is determined that the logon credentials authorize the user to access the select one of the plurality of instruments.
  - 17. The system of claim 16, wherein the second determining means comprises a component of an operating system authentication mechanism.
  - 18. The system of claim 17, wherein the rights granting means comprises a component distinct from the operating system authentication mechanism.
  - 19. The system of claim 18, wherein the component distinct from the operating system authentication mechanism comprises a server serving the data store.
  - 20. The system of claim 15, wherein the first determining means comprises:
    - first identifying means for identifying a role of the user;
      
      second identifying means for identifying a set of instrument access rights associated with the role;
      
      second determining means for determining whether the set of instrument access rights associated with the role includes the right to access the select one of the plurality of instruments; and
      
      third determining means for determining that the logon credentials authorize the user to access the select one of the plurality of instruments if it is determined that the set of instrument access rights associated with the role includes the right to access the select one of the plurality of instruments.
  - 21. The system of claim 20, wherein the first determining means comprises a software program executing on a computer on which an operating system executes, wherein the operating system recognizes a first set of user roles, and wherein the first identifying means comprises means for selecting the role from among a second set of roles that is independent of the first set of roles.
  - 22. The system of claim 15, wherein the first determining means comprises:
    - first identifying means for identifying a role of the user;
      
      second identifying means for identifying a set of default instrument access rights associated with the role;
      
      third identifying means for identifying a set of user-specific instrument access rights associated with the user;
      
      application means for applying the user-specific instrument access rights to the default instrument access rights to obtain a set of final instrument access rights associated with the user;
      
      second determining means for determining whether the set of final instrument access rights associated with the user includes the right to access the select one of the plurality of instruments; and
      
      third determining means for determining that the logon credentials authorize the user to access the select one of the plurality of instruments if it is determined that the set of final instrument access rights associated with the user includes the right to access the select one of the plurality of instruments.
  - 23. The system of claim 22, wherein the first determining means comprises a software program executing on a computer on which an operating system executes, wherein the operating system recognizes a first set of user roles, and wherein the first identifying means comprises means for selecting the role from among a second set of roles that is independent of the first set of roles.
  - 24. The system of claim 15, wherein the receiving means comprises means for receiving the logon credentials from the user through an input device coupled locally to the select one of the plurality of instruments.
  - 25. The system of claim 15, wherein the logon credentials comprise a username and a password.
  - 26. The system of claim 15, wherein the first determining means comprises:
    - means for transmitting an authorization request over the network to a server;
      
      means for receiving an authorization response over the network from the server; and
      
      means for determining whether the authorization response indicates that the logon credentials authorize the user to access the select one of the plurality of instruments.
  - 27. The system of claim 15, further comprising:
    - means for identifying a set of operations that the user has the right to perform using the select one of the plurality of instruments; and
      
      means for allowing the user to perform on the select one of the plurality of instruments only those operations in the identified set of operations.
  - 28. The system of claim 15, wherein the first determining means comprises means for determining whether the logon credentials authorize the user to access the select one of the plurality of instruments by comparing the credentials to credential information stored in a local copy of the data store.

29. A computer-implemented method comprising steps of:
- (A) receiving a first electronic signature from a first user to sign results of a test performed by an instrument;
  
  (B) authenticating the user based on credentials associated with the user;
  
  (C) identifying a role of the user;
  
  (D) determining whether the role of the user satisfies a role criterion; and
  
  (E) accepting the first electronic signature only if the role of the user satisfies the role criterion.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The method of claim 29, wherein the step (D) comprises a step of determining whether the user is a supervisor.
  - 31. The method of claim 29, wherein the step (D) comprises a step of determining whether the user qualifies as a supervisor according to 21 CFR Part 11.
  - 32. The method of claim 29, wherein the step (C) is performed by a computer executing an operating system, wherein the operating system recognizes a first set of user roles, and wherein the step (D) comprises a step of identifying the role from among a second set of roles that is independent of the first set of roles.
  - 33. The method of claim 29, further comprising steps of:
    - (F) determining whether role verification is required; and
      
      (G) performing steps (C), (D), and (E) only if it is determined that role verification is required.

34. A system comprising:
- receiving means for receiving a first electronic signature from a first user to sign results of a test performed by an instrument;
  
  authentication means for authenticating the user based on credentials associated with the user;
  
  identification means for identifying a role of the user;
  
  first determining means for determining whether the role of the user satisfies a role criterion; and
  
  acceptance means for accepting the first electronic signature only if the role of the user satisfies the role criterion.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The system of claim 34, wherein the first determining means comprises means for determining whether the user is a supervisor.
  - 36. The system of claim 34, wherein the first determining means comprises means for determining whether the user qualifies as a supervisor according to 21 CFR Part 11.
  - 37. The system of claim 34, wherein the identification means comprises a software program executed by a computer executing an operating system, wherein the operating system recognizes a first set of user roles, and wherein the first determining means comprises means for identifying the role from among a second set of roles that is independent of the first set of roles.
  - 38. The system of claim 34, further comprising:
    - second determining means for determining whether role verification is required; and
      
      means for performing steps (C), (D), and (E) only if it is determined that role verification is required.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMD Millipore Corporation (Merck & Co., Inc.)
Original Assignee
Thomas Steven Hirsch
Inventors
Hirsch, Thomas Steven

Granted Patent

US 7,661,127 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

Instrument access control system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Instrument access control system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links