Delegated administration for a distributed security system

US 20050081063A1
Filed: 10/08/2004
Published: 04/14/2005
Est. Priority Date: 10/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

delegating a capability from a first user to a second user;

propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources;

providing the evidence to a first security service module belonging to the plurality of security service modules;

enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and

wherein the enforcement is carried out by the first security service module.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method comprising the steps of, delegating a capability from a first user to a second user, propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources, providing the evidence to a first security service module belonging to the plurality of security service modules, enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module, and wherein the enforcement is carried out by the first security service module.

121 Citations

View as Search Results

34 Claims

1. A method comprising the steps of:
- delegating a capability from a first user to a second user;
  
  propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources;
  
  providing the evidence to a first security service module belonging to the plurality of security service modules;
  
  enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and
  
  wherein the enforcement is carried out by the first security service module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein:
    - a security service module is dynamically configurable.
  - 3. The method of claim 1 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 4. The method of claim 1 wherein:
    - the second user can delegate the capability to a third user.
  - 5. The method of claim 1 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 6. The method of claim 1 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 7. The method of claim 1 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of security service modules.
  - 8. The method of claim 1 wherein:
    - the propagation is done over one or more secure connections.
  - 9. The method of claim 1 wherein:
    - the information is propagated through an intermediate process.
  - 10. The method of claim 9 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 11. The method of claim 1 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

12. A system comprising:
- a distribution point capable of propagating information to a plurality of processes wherein the information includes evidence of a delegation from a first user to a second user;
  
  the plurality of processes wherein each one of the plurality of processes includes a security service module capable of protecting one or more resources;
  
  a first security service module belonging to a first process of the plurality of processes, wherein the evidence of delegation is provided to the first security service module;
  
  wherein the delegation is enforced when the second user attempts to access a resource of the one or more resources wherein the resource is protected by the first process; and
  
  wherein the enforcement is carried out by the first security service module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein:
    - a security service module is dynamically configurable.
  - 14. The system of claim 12 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 15. The system of claim 12 wherein:
    - the second user can delegate the capability to a third user.
  - 16. The system of claim 12 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 17. The system of claim 12 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 18. The system of claim 12 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of processes.
  - 19. The system of claim 12 wherein:
    - the propagation is done over one or more secure connections.
  - 20. The system of claim 12 wherein:
    - the information is propagated through an intermediate process.
  - 21. The system of claim 20 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 22. The system of claim 12 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

23. A machine readable medium having instructions stored thereon to cause a system to:
- delegate a capability from a first user to a second user;
  
  propagate information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources;
  
  provide the evidence to a first security service module belonging to the plurality of security service modules;
  
  enforce the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and
  
  wherein the enforcement is carried out by the first security service module.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The machine readable medium of claim 23 wherein:
    - a security service module is dynamically configurable.
  - 25. The machine readable medium of claim 23 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 26. The machine readable medium of claim 23 wherein:
    - the second user can delegate the capability to a third user.
  - 27. The machine readable medium of claim 23 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 28. The machine readable medium of claim 23 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 29. The machine readable medium of claim 23 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of processes.
  - 30. The machine readable medium of claim 23 wherein:
    - the propagation is done over one or more secure connections.
  - 31. The machine readable medium of claim 23 wherein:
    - the information is propagated through an intermediate process.
  - 32. The machine readable medium of claim 31 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 33. The machine readable medium of claim 23 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

34. A computer signal embodied in a transmission medium, comprising:
- a code segment including instructions for delegating a capability from a first user to a second user;
  
  a code segment including instructions for propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources;
  
  a code segment including instructions for providing the evidence to a first security service module belonging to the plurality of security service modules;
  
  a code segment including instructions for enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and
  
  wherein the enforcement is carried out by the first security service module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Byme, David, Xu, Mingde, Howes, Jason, Patrick, Paul, Riendeau, Richard J., Yagen, Kenneth D., Falco, Mark A.

Granted Patent

US 7,594,112 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Delegated administration for a distributed security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Delegated administration for a distributed security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links