Secure user access subsystem for use in a computer information database system

US 20040260952A1
Filed: 05/28/2004
Published: 12/23/2004
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A system for controlling access to computer profile data in a computer information database, the system including:

A. a group manager that groups the computers based on computer grouping criteria;

B. a user access manager that i. associates respective users with login groups, ii. associates the respective users with user types that correspond to sets of system administrative features; and

iii. restricts the access of a given user to only the administrative features associated with the given user'"'"'s user type and the profile data of only computers that are included in the group or groups of computers that are associated with the user'"'"'s login group and any subgroups thereof.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user access security subsystem of a computer information database system utilizes computer grouping criteria and user type criteria to control user access to both computer profile data and system administrative features. The computer grouping criteria determine profile data access for the respective users. The user type criteria determine which administrative features are accessible to the respective users, and thus, what administrative authority is delegated to the users. The combination of the computer grouping and the user type criteria restricts a given user to exercising the delegated administrative authority only with respect to the particular grouping of computers to which the user has been granted access through the associated login group. To maintain access security, the subsystem allows a given user to grant to another only those access rights that are equal to or more restrictive than the given users rights. Thus, the given user cannot grant access to a login group that is a peer or a superior of his own login group and/or cannot assign a user type that is associated with greater access to system administrative features than his own user type. The user access security subsystem enforces the access restrictions by tailoring the user interface presented to the user based on the associated login group and user type.

122 Citations

31 Claims

1. A system for controlling access to computer profile data in a computer information database, the system including:
- A. a group manager that groups the computers based on computer grouping criteria;
  
  B. a user access manager that i. associates respective users with login groups, ii. associates the respective users with user types that correspond to sets of system administrative features; and
  
  iii. restricts the access of a given user to only the administrative features associated with the given user'"'"'s user type and the profile data of only computers that are included in the group or groups of computers that are associated with the user'"'"'s login group and any subgroups thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1 wherein the user access manager restricts a given user from assigning to another user any access rights that the given user does not have through the given user'"'"'s association with the login groups and the user types.
  - 3. The system of claim 1 wherein the user access manager restricts a given user from assigning another user to a login group that is not associated the login group or groups associated with the given user.
  - 4. The system of claim 1 wherein the user access manager restricts a given user from assigning to another user a user type that is associated with access rights that the given user does not have through his association with a user types.
  - 5. The system of claim 1 wherein the user access manager constructs a user interface for viewing by the user and determines what to block from the view of the user based on the login group and the user type associated with the user.
  - 6. The system of claim 1 wherein the user access manager blocks functions that relate to features that are not specified by the user type associated with the user.
  - 7. The system of claim 1 wherein the user access manager inactivates user interface buttons to block access to functions that are associated with features that are not specified by the user type associated with the user.
  - 8. The system of claim 1 wherein the user access manager hides from the view of the user any user interface features and functionality that are not specified by the user type associated with the user.
  - 9. The system of claim 1 wherein the user access manager hides from view in a user interface for a given user any access to data associated with the group or groups of computers that are not associated with the login group of the user.
  - 10. The system of claim 1 wherein the system associates a given user with one or more login groups.
  - 11. The system of claim 10 wherein the respective groups of computers are in a tree-structure and a given login group provides users access to the groups of computers that are on one or more sub-trees with the groups that are associated with the login group as the respective roots of the one or more sub-trees.
  - 14. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of only allowing a given user to assign another user to a login group that is associated with the login group of the given user.
  - 15. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of determining based on the associated login group and user type what to block from the view of the user in a user interface.
  - 16. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of blocking functions that relate to features that are not specified by the user type associated with the user.
  - 17. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of inactivating user interface buttons to block access to the functions that are associated with features that are not specified by the user type associated with the user.
  - 18. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of hiding from the view of the user any interface features and functionality that are not specified by the user type associated with the user.
  - 19. The method of claim 11 wherein the step of allowing a user to use sets of administrative features further includes the step of hiding from the user interface view access to data associated with the group or groups of computers that are not associated with the login group of the user.
  - 20. The method of claim 11 further including the step of delegating particular administrative authority to a given user by assigning the user a user type that is associated with the system features that correspond to the particular administrative authority.
  - 21. The method of claim 20 further including delegating additional authority to the given user by replacing the assigned user type with a user type that is associated with the system features that correspond to the additional administrative authority.

12. A method for controlling access to computer profile data in a computer information database, the method including:
- A. grouping the computers based on computer grouping criteria;
  
  B. associating respective users with login groups;
  
  C. associating the respective users with user types that correspond to sets of system administrative features; and
  
  D. allowing a given user to utilize only the sets of administrative features specified by the associated user type on the profile data of only computers that are included in the group or groups of computers that correspond to the associated login group and any subgroups thereof.
- View Dependent Claims (13)
- - 13. The method of claim 12 wherein the step of allowing a user to use sets of administrative features further includes the step of only allowing a given user to assign to another user a user type that provides that same or more restrictive access rights than those accorded to the given user by his association with the user type.

22. A user access manager for controlling access to computer profile data provided by computers that are grouped in accordance with computer grouping criteria, the manager including:
- A. means for i. associating respective users with login groups, and ii. associating the respective users with user types that correspond to sets of system administrative features; and
  
  B. means for allowing a given user to utilize only the sets of administrative features specified by the associated user type on the profile data of only computers that are included in the group or groups of computers that are associated with the login group and any subgroups thereof.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The system of claim 22 wherein the user access manager allows a given user to assign to another user a user only type that is associated with access rights that are the same as or more restrictive than the access rights associated with the user type that is associated with the given user.
  - 24. The system of claim 22 wherein the user access manager allows the given user to assign another user only to a login group that is associated with the login group of the given user.
  - 25. The system of claim 22 wherein the user access manager constructs user interfaces and determines based on the associated login group and user type what to allow the user to view.
  - 26. The system of claim 22 wherein the access manager blocks functions that relate to features that are not specified by the user type associated with the user.
  - 27. The system of claim 22 wherein the access manager inactivates buttons to block access to functions that are associated with features that are not specified by the user type associated with the user.
  - 28. The system of claim 22 wherein the access manager hides from the view of the user any user interface features and functionality that are not specified by the user type associated with the user.
  - 29. The system of claim 22 wherein the user access manager hides from view in a user interface the access to data associated with the group or groups of computers that are not associated with the login group of the user.
  - 30. The system of claim 22 wherein the user access manager associates a given user with one or more login groups.
  - 31. The system of claim 30 wherein the respective groups of computers are in a tree-structure and a given login group provides users access to the groups of computers that are on one or more sub-trees with the groups that are associated with the login group as the respective roots of the one or more sub-trees.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belarc, Inc.
Original Assignee
Belarc, Inc.
Inventors
Franklin, James W., Newman, Gary H.

Granted Patent

US 8,161,288 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/41   where a single sign-on prov...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

Secure user access subsystem for use in a computer information database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

122 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Secure user access subsystem for use in a computer information database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others