Multilayer access control security system
11 Assignments
0 Petitions
Abstract
A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components of a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about each user. Based on the user ID, a set of abstract policies is retrieved; the retrieved policies are those associated with the user and with the groups to which that user belongs. From the retrieved policies, a set of rules for multiple layers of the network is generated and applied to the corresponding subsystems. Two or more of the subsystems may be placed in series, with a different type of processing occurring in each, so that traffic decided by an earlier subsystem never reaches the later ones and their workload is reduced.
451 Citations
21 Claims
1. A method of controlling access to a computer system, the method comprising:
receiving user identification information corresponding to a user;
retrieving a set of access policies corresponding to the user;
generating, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
distributing each generated access rule to each of the security system sublayers;
receiving, from the user, a request to access a computer system resource; and
determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A carrier containing program instructions that instruct a computing device to control access to a computer system, wherein the instructions comprise instructions to:
receive user identification information corresponding to a user;
retrieve a set of access policies corresponding to the user;
generate, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
distribute each generated access rule to each of the security system sublayers;
receive, from the user, a request to access a computer system resource; and
determine whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.
Dependent claims: 12, 13, 14.

15. A computer security system, comprising:
means for receiving user identification information corresponding to a user;
means for retrieving a set of access policies corresponding to the user;
means for generating, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
means for distributing each generated access rule to each of the security system sublayers;
means for receiving, from the user, a request to access a computer system resource; and
means for determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.

16. A method of controlling access to a computer system, comprising:
generating, for a user, at least one access rule for each of a plurality of security system sublayers, wherein the sublayers correspond to a hierarchy of complexity;
distributing at least one of the generated access rules to at least one of the security system sublayers;
receiving, from the user, a request to access a computer system resource; and
determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules that have been distributed to the sublayers, wherein the determining is done by applying the system rules in order of the complexity of the corresponding sublayers.
Dependent claims: 17, 18, 19, 20, 21.
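The following Python sketch is an added example, not code from the patent or its assignee, of the flow the abstract and claim 16 describe: a user is identified, the policies for the user and the user's groups are retrieved, one rule set per sublayer is generated from them, and a request is evaluated by the sublayers in order of complexity. The policy language, the three sublayers (packet, session, application), and the users, groups and policy text are hypothetical and constructed for this example. It goes slightly beyond the abstract in one respect: a cheap sublayer only decides a policy whose fields it cannot see are wildcards, and otherwise emits a "defer" rule, which is what keeps first-match precedence between policies correct across layers while still letting the cheap layer dispose of the traffic it can decide.

```python
"""Added example (not code from the patent or its assignee): a small
multilayer access-control engine; language, layers and names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sublayers from cheapest to most expensive, with the request fields each can
# observe. A layer decides a policy only if the policy's unseen fields are
# wildcards; otherwise it emits a "defer" rule that hands the request on, which
# keeps first-match precedence between policies intact across the layers.
LAYER_FIELDS: Dict[str, Tuple[str, ...]] = {
    "packet": ("proto",),
    "session": ("proto", "host"),
    "application": ("proto", "host", "path"),
}
SUBLAYERS = tuple(LAYER_FIELDS)
FIELDS = ("proto", "host", "path")

@dataclass(frozen=True)
class Policy:
    # One line of the hypothetical language: effect subject proto host path
    effect: str   # "allow" or "deny"
    subject: str  # user name or "@group"
    proto: str
    host: str
    path: str     # path prefix; "*" matches anything

def parse_policies(text: str) -> List[Policy]:
    policies = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 5 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad policy line: {line!r}")
        policies.append(Policy(*parts))
    return policies

def policies_for_user(user: str, groups: Dict[str, List[str]],
                      policies: List[Policy]) -> List[Policy]:
    """Policies addressed to the user or one of the user's groups, kept in
    definition order because evaluation is first-match-wins."""
    subjects = {user} | {"@" + g for g in groups.get(user, [])}
    return [p for p in policies if p.subject in subjects]

@dataclass(frozen=True)
class Rule:
    effect: str                          # "allow", "deny" or "defer"
    match: Tuple[Tuple[str, str], ...]   # (field, wanted) for visible fields

    def matches(self, request: Dict[str, str]) -> bool:
        for field, want in self.match:
            have = request.get(field, "")
            if want == "*":
                continue
            if field == "path" and not have.startswith(want):
                return False
            if field != "path" and have != want:
                return False
        return True

def generate_rules(policies: List[Policy]) -> Dict[str, List[Rule]]:
    """Project every policy onto every sublayer as a definitive or defer rule."""
    rules: Dict[str, List[Rule]] = {layer: [] for layer in SUBLAYERS}
    for p in policies:
        for layer, visible in LAYER_FIELDS.items():
            hidden = [f for f in FIELDS if f not in visible]
            decidable = all(getattr(p, f) == "*" for f in hidden)
            match = tuple((f, getattr(p, f)) for f in visible)
            rules[layer].append(Rule(p.effect if decidable else "defer", match))
    return rules

def decide(request: Dict[str, str], rules: Dict[str, List[Rule]],
           default: str = "deny") -> Tuple[str, str]:
    """Apply the sublayers in order of complexity; return (effect, layer).
    A layer at which nothing matches ends evaluation: later layers only add
    constraints, so nothing there can match either. Requests decided early
    never reach the costlier layers, which is the workload reduction."""
    for layer in SUBLAYERS:
        for rule in rules[layer]:
            if rule.matches(request):
                if rule.effect == "defer":
                    break            # hand the request to the next sublayer
                return rule.effect, layer
        else:
            return default, layer    # no policy applies to this request
    return default, SUBLAYERS[-1]    # not reached: the last layer sees all fields

# Constructed sample data: hypothetical users, groups and policy text.
GROUPS = {"alice": ["staff"], "bob": ["staff", "admins"]}
POLICY_TEXT = """
# effect subject proto host     path
allow    @admins tcp   intranet /admin
deny     @staff  tcp   intranet /admin
allow    @staff  tcp   intranet *
allow    bob     udp   dns      *
deny     @staff  udp   *        *
"""
ALL_POLICIES = parse_policies(POLICY_TEXT)

def check_access(user: str, proto: str, host: str, path: str) -> Tuple[str, str]:
    """The flow from the abstract: user identified, policies retrieved,
    per-layer rules generated and distributed, request evaluated."""
    rules = generate_rules(policies_for_user(user, GROUPS, ALL_POLICIES))
    return decide({"proto": proto, "host": host, "path": path}, rules)

if __name__ == "__main__":
    for args in [("alice", "tcp", "intranet", "/wiki"), ("alice", "udp", "dns", ""),
                 ("bob", "tcp", "intranet", "/admin/users"), ("bob", "udp", "ntp", "")]:
        print(args, "->", check_access(*args))
```

Running it shows the series effect: alice's UDP traffic is denied at the packet layer without touching the session or application filters, alice's request for a non-intranet host is dropped at the session layer, and only requests whose outcome depends on the URL path reach the application layer, where the group deny for /admin still takes precedence over the broader staff allow because definition order survives the projection.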
Specification