System and method for permission-based access using a shared account

US 20060161783A1
Filed: 01/14/2005
Published: 07/20/2006
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A system for providing permission-based access to an existing logon session, comprising:

a storage location holding a plurality of sets of interactive user credentials, each set of credentials associated with a different interactive user and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted domain;

a server in connection with a client, the server hosting a session for a first local interactive user of the client, the client executing an active operating system logon session for a shared account, the active operating system logon session established with a default user profile not associated with a particular interactive user;

a credential delivery application communicating with the server and the client, the credential delivery application receiving an identifier identifying the first local interactive user via the client and using the identifier to retrieve a first set of credentials for the first local interactive user from the storage location, the first set of credentials delivered by the credential delivery application to the server, the first set of credentials used to map the first local interactive user to the server-hosted session for the first local interactive user.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for rapidly authenticating an interactive user in an operating system logon session based on a shared account by using a credential delivery application to enable permission-based access to a user'"'"'s remote session from the shared account is disclosed. The present invention provides the ability to switch local interactive users, authenticate the new interactive user, and switch the remote session without requiring the client to first establish a new logon session tied to the new local interactive user. The present invention also alters the normal locking mechanism found in operating system logon sessions so as to restrict access to an interactive local user'"'"'s applications (both local and remote) while still allowing the rapid switching of interactive users at the client device.

Citations

32 Claims

1. A system for providing permission-based access to an existing logon session, comprising:
- a storage location holding a plurality of sets of interactive user credentials, each set of credentials associated with a different interactive user and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted domain;
  
  a server in connection with a client, the server hosting a session for a first local interactive user of the client, the client executing an active operating system logon session for a shared account, the active operating system logon session established with a default user profile not associated with a particular interactive user;
  
  a credential delivery application communicating with the server and the client, the credential delivery application receiving an identifier identifying the first local interactive user via the client and using the identifier to retrieve a first set of credentials for the first local interactive user from the storage location, the first set of credentials delivered by the credential delivery application to the server, the first set of credentials used to map the first local interactive user to the server-hosted session for the first local interactive user.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein the server is remotely located from the client.
  - 3. The system of claim 1, comprising further:
    - a smart card reader located at the client for receiving the identifier from the first local interactive user via a smart card.
  - 4. The system of claim 1, comprising further:
    - an input device communicating with the client and used to receive the identifier via one of a retinal scan, a fingerprint analysis, a software-based facial recognition process and a proximity sensing process.

5. In an electronic device, a method of providing permission-based access to an active operating system logon session, comprising the steps of:
- hosting on an electronic device an active operating system logon session for a shared account, the electronic device in communication with a server, the shared account established with a default user profile not associated with a particular interactive user;
  
  receiving a first identifier identifying a first local interactive user via the electronic device;
  
  using the first identifier to retrieve a first set of credentials for the first local interactive user, the first set of credentials stored in a location accessible to the electronic device and the server and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted session associated with the first local interactive user; and
  
  mapping the first local interactive user to the server-hosted session for the first local interactive user using the first set of credentials.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 6. The method of claim 5 wherein the server-hosted session is initiated based upon the receipt of the first set of credentials for the first local interactive user.
  - 7. The method of claim 5 wherein the server-hosted session that the first local interactive user is mapped into is a previously-saved session associated with the first local interactive user.
  - 8. The method of claim 5, comprising the further steps of:
    - locking the active operating system logon session on the electronic device;
      
      receiving a second identifier identifying a second local interactive user via the electronic device; and
      
      unmapping the first local interactive user from the server-hosted session for the first local interactive user upon receiving the second identifier, the first local interactive user being unmapped while the operating system logon session is still active.
  - 9. The method of claim 8, comprising the further steps of:
    - using the second identifier to retrieve a second set of credentials for the second local interactive user, the second set of credentials stored in a location accessible to the electronic device and the server and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted session for the second local interactive user;
      
      mapping the second local interactive user into the server-hosted session for the second interactive user using the second set of credentials; and
      
      unlocking the constantly active operating session on the electronic device subsequent to the mapping of the second local interactive user into the server-hosted session for the second interactive user.
  - 10. The method of claim 8 wherein the active operating system logon session is locked following a receipt of an indication from the first local interactive user.
  - 11. The method of claim 8 wherein the active operating system logon session is locked following the expiration of a time parameter.
  - 12. The method of claim 8 wherein the active operating system logon session is locked upon receiving notice from a proximity sensor that the first local interactive user has moved a pre-determined distance from the electronic device.
  - 13. The method of claim 5 wherein the first identifier is transmitted from a smart card.
  - 14. The method of claim 13 wherein the first identifier is received by the smart card in encrypted form and at least partially decrypted by the smart card.
  - 15. The method of claim 5, wherein the first identifier is encrypted and further comprising the steps of:
    - storing the plurality of sets of interactive user credentials in encrypted form;
      
      decrypting the first identifier;
      
      retrieving an encrypted set of credentials from the storage location; and
      
      using the decrypted first identifier to decrypt the encrypted set of credentials retrieved from the storage location.
  - 16. The method of claim 5 wherein the first identifier is received using one of a retinal scan, a fingerprint analysis, a software-based facial recognition system and a proximity sensor.
  - 17. The method of claim 5 wherein the first set of credentials includes different permission levels for different applications.
  - 18. The method of claim 5, wherein following the mapping of the first local interactive user into the server-hosted session associated with the first local interactive user, the method comprises the further steps of:
    - receiving additional identifiers from the first local interactive user prior to allowing the first local interactive user to run a local application hosted by the electronic device.
  - 19. The method of claim 5 wherein the access level for the server-hosted session is one of read and read-write.
  - 20. The method of claim 5 wherein the server and electronic device communicate over a network.

21. In an electronic device, a method of providing permission-based access to an existing operating system logon session, comprising the steps of:
- hosting on an electronic device an active operating system logon session for a shared account, the shared account originally established with a default user profile not associated with a particular interactive user;
  
  receiving a first identifier identifying a first local interactive user;
  
  using the first identifier to retrieve a first set of credentials for the first local interactive user, the first set of credentials indicating at least one permission level for at least one of at least one application; and
  
  accessing the at least one application using the first set of credentials.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, comprising the further steps of:
    - locking the active operating system logon session on the electronic device; and
      
      receiving an identifier identifying a second local interactive user via the electronic device;
      
      using the identifier to retrieve a second set of credentials for the second local interactive user, the second set of credentials stored in a location accessible to the electronic device and indicating at least one permission level for at least one application;
      
      unlocking the active operating system logon session on the electronic device subsequent to receiving the identifier for the second local interactive user; and
      
      accessing the at least one application using the second set of credentials.
  - 23. The method of claim 21 wherein the first set of credentials includes different permission levels for different applications.

24. An article of manufacture having embodied thereon computer-readable program means for providing permission-based access to an existing session, the article of manufacture comprising:
- computer-readable program means for hosting on an electronic device an active operating system logon session for a shared account, the electronic device in communication with a server, the shared account established with a default user profile not associated with a particular interactive user;
  
  computer-readable program means receiving a first identifier identifying a first local interactive user via the electronic device;
  
  computer-readable program means for using the first identifier to retrieve a first set of credentials for the first local interactive user, the first set of credentials stored in a location accessible to the electronic device and the server and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted session associated with the first local interactive user; and
  
  computer-readable program means for mapping the first local interactive user to the server-hosted session for the first local interactive user using the first set of credentials.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The article of manufacture of claim 24, further comprising:
    - computer-readable program means for locking the active operating system logon session on the electronic device;
      
      computer-readable program means for receiving a second identifier identifying a second local interactive user via the electronic device; and
      
      computer-readable program means for unmapping the first local interactive user from the server-hosted session for the first local interactive user upon receiving the second identifier, the first local interactive user being unmapped while the operating system logon session is still active.
  - 26. The article of manufacture of claim 25, further comprising:
    - computer-readable program means for using the second identifier to retrieve a second set of credentials for the second local interactive user, the second set of credentials stored in a location accessible to the electronic device and the server and indicating at least one permission level for at least one of at least one application and an access level for a server-hosted session for the second local interactive user;
      
      computer-readable program means for mapping the second local interactive user into the server-hosted session for the second interactive user using the second set of credentials; and
      
      computer-readable program means for unlocking the constantly active operating session on the electronic device subsequent to the mapping of the second local interactive user into the server-hosted session for the second interactive user.
  - 27. The article of manufacture of claim 24 wherein the first set of credentials includes different permission levels for different applications.
  - 28. The article of manufacture of claim 24, further comprising:
    - computer readable program means for receiving an identifier via one of a retinal scan, a fingerprint analysis, a software-based facial recognition process and a proximity sensor.
  - 29. The article of manufacture of claim 24, further comprising:
    - computer readable program means for receiving at a smart card in communication with the electronic device the first identifier in encrypted form.
  - 30. The article of manufacture of claim 29 wherein the smart card at least partially decrypts the identifier.
  - 31. The article of manufacture of claim 30 wherein a decrypted identifier is used to decrypt an encrypted set of interactive user credentials.
  - 32. The article of manufacture of claim 24, wherein the first identifier is encrypted and further comprising:
    - computer-readable program means for storing the plurality of sets of interactive user credentials in encrypted form;
      
      computer-readable program means for decrypting the first identifier;
      
      computer-readable program means for retrieving an encrypted set of credentials from the storage location; and
      
      computer-readable program means for using the decrypted first identifier to decrypt the encrypted set of credentials retrieved from the storage location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Gaylor, Timothy R., Dills, Thomas B., Aiken, David

Granted Patent

US 7,562,226 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/335 for accessing specific reso...

G06F 2221/2147 Locking files

System and method for permission-based access using a shared account

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for permission-based access using a shared account

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links