SYSTEM AND METHOD FOR SELECTIVE AUTHENTICATION WHEN ACQUIRING A ROLE

US 20090007249A1
Filed: 06/29/2007
Published: 01/01/2009
Est. Priority Date: 06/29/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a role request for a user of a computer system, wherein the role request corresponds to a role which is selected from a plurality of roles previously established on the computer system, and wherein each of the plurality of roles corresponds to one or more functions performed by the computer system;

retrieving an authentication mode corresponding to the role request, wherein the retrieved authentication mode either indicates a role-based authentication requirement or a user-based authentication requirement;

in response to the retrieved authentication mode indicating the role-based authentication requirement;

receiving a role-based authentication token from the user;

granting the user access to the requested role in response to the received role-based authentication token matching an expected role-based authentication token; and

denying the user access to the requested role in response to the received role-based authentication token not matching the expected role-based authentication token; and

in response to the retrieved authentication mode indicating the user-based authentication requirement;

receiving a user-based authentication token from the user;

granting the user access to the requested role in response to the received user-based authentication token matching an expected user-based authentication token; and

denying the user access to the requested role in response to the received user-based authentication token not matching the expected user-based authentication token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and program product is provided that provides authentication on a per-role basis in a Role-Based Access Control (RBAC) environment. When a user attempts to acquire a role, the improved RBAC system determines whether (a) no authentication is required (e.g., for a non-sensitive role such as accessing a company'"'"'s product catalog), (b) a user-based authentication (e.g., password) is required, or (c) a role-based authentication (e.g., role-specific password is required).

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving a role request for a user of a computer system, wherein the role request corresponds to a role which is selected from a plurality of roles previously established on the computer system, and wherein each of the plurality of roles corresponds to one or more functions performed by the computer system;
  
  retrieving an authentication mode corresponding to the role request, wherein the retrieved authentication mode either indicates a role-based authentication requirement or a user-based authentication requirement;
  
  in response to the retrieved authentication mode indicating the role-based authentication requirement;
  
  receiving a role-based authentication token from the user;
  
  granting the user access to the requested role in response to the received role-based authentication token matching an expected role-based authentication token; and
  
  denying the user access to the requested role in response to the received role-based authentication token not matching the expected role-based authentication token; and
  
  in response to the retrieved authentication mode indicating the user-based authentication requirement;
  
  receiving a user-based authentication token from the user;
  
  granting the user access to the requested role in response to the received user-based authentication token matching an expected user-based authentication token; and
  
  denying the user access to the requested role in response to the received user-based authentication token not matching the expected user-based authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - receiving a function request from the user to execute one of the functions that corresponds to one of the plurality of roles, wherein the role request is automatically received in response to receiving the function request.
  - 3. The method of claim 1 wherein the retrieved authentication mode further indicates a nonexistent role requirement in addition to the role-based authentication requirement or the user-based authentication requirement, the method further comprising:
    - automatically granting the user access to the requested role in response to the retrieved authentication mode indicating the nonexistent role authentication requirement.
  - 4. The method of claim 1 further comprising:
    - retrieving a second authentication mode corresponding to the role request;
      
      in response to retrieving two authentication modes corresponding to the role request;
      
      receiving both the role-based authentication token and the user-based authentication token from the user;
      
      granting the user access to the requested role in response to the received role-based authentication token matching the expected role-based authentication token and the received user-based authentication token matching the expected user-based authentication token;
      
      denying the user access to the requested role in response to either the received role-based authentication token not matching the expected role-based authentication token or the received user-based authentication token not matching the expected user-based authentication token.
  - 5. The method of claim 1 wherein the user-based authentication token is a user password and wherein the role-based authentication token is a shared role password.
  - 6. The method of claim 1 wherein the retrieval of the authentication mode further comprises:
    - sending a query request to a secured authentication process, wherein the query request includes the role being requested;
      
      locating the role being requested in a data store that includes the plurality of roles and at least role authentication modes corresponding to each of the plurality of roles; and
      
      returning, from the secure authentication process, at least one role authentication mode that corresponds to the role being requested, wherein the at least one returned role authentication mode is the retrieved authentication mode.
  - 7. The method of claim 1 wherein the role request corresponds to a plurality of roles being requested by the user, the method further comprising:
    - retrieving a plurality of authentication modes corresponding to the plurality of roles being requested by the user; and
      
      in response to a plurality of the authentication modes indicating the user-based authentication requirement, receiving a single user-based authentication token from the user, the single user-based authentication token being the user-based authentication token.

8. A information handling system comprising:
- one or more processors;
  
  a memory accessible by at least one of the processors;
  
  a nonvolatile storage area accessible by at least one of the processors;
  
  a set of instructions stored in the memory and executed by at least one of the processors in order to perform actions of;
  
  receiving a role request for a user of a computer system, wherein the role request corresponds to a role which is selected from a plurality of roles previously established on the computer system, and wherein each of the plurality of roles corresponds to one or more functions performed by the computer system;
  
  retrieving an authentication mode corresponding to the role request, wherein the retrieved authentication mode either indicates a role-based authentication requirement or a user-based authentication requirement;
  
  in response to the retrieved authentication mode indicating the role-based authentication requirement;
  
  receiving a role-based authentication token from the user;
  
  granting the user access to the requested role in response to the received role-based authentication token matching an expected role-based authentication token; and
  
  denying the user access to the requested role in response to the received role-based authentication token not matching the expected role-based authentication token; and
  
  in response to the retrieved authentication mode indicating the user-based authentication requirement;
  
  receiving a user-based authentication token from the user;
  
  granting the user access to the requested role in response to the received user-based authentication token matching an expected user-based authentication token; and
  
  denying the user access to the requested role in response to the received user-based authentication token not matching the expected user-based authentication token.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The information handing system of claim 8 wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - receiving a function request from the user to execute one of the functions that corresponds to one of the plurality of roles, wherein the role request is automatically received in response to receiving the function request.
  - 10. The information handling system of claim 8 wherein the retrieved authentication mode further indicates a nonexistent role requirement in addition to the role-based authentication requirement or the user-based authentication requirement, wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - automatically granting the user access to the requested role in response to the retrieved authentication mode indicating the nonexistent role authentication requirement.
  - 11. The information handing system of claim 8 wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - retrieving a second authentication mode corresponding to the role request;
      
      in response to retrieving two authentication modes corresponding to the role request;
      
      receiving both the role-based authentication token and the user-based authentication token from the user;
      
      granting the user access to the requested role in response to the received role-based authentication token matching the expected role-based authentication token and the received user-based authentication token matching the expected user-based authentication token;
      
      denying the user access to the requested role in response to either the received role-based authentication token not matching the expected role-based authentication token or the received user-based authentication token not matching the expected user-based authentication token.
  - 12. The information handling system of claim 8 wherein the retrieval of the authentication mode further comprises additional instructions that, when executed, cause at least one of the processors to perform further actions comprising:
    - sending a query request to a secured authentication process, wherein the query request includes the role being requested;
      
      locating the role being requested in a data store that includes the plurality of roles and at least role authentication modes corresponding to each of the plurality of roles; and
      
      returning, from the secure authentication process, at least one role authentication mode that corresponds to the role being requested, wherein the at least one returned role authentication mode is the retrieved authentication mode.
  - 13. The information handling system of claim 8 wherein the role request corresponds to a plurality of roles being requested by the user, wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - retrieving a plurality of authentication modes corresponding to the plurality of roles being requested by the user; and
      
      in response to a plurality of the authentication modes indicating the user-based authentication requirement, receiving a single user-based authentication token from the user, the single user-based authentication token being the user-based authentication token.

14. A computer program product stored in a computer readable medium, comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions comprising:
- receiving a role request for a user of a computer system, wherein the role request corresponds to a role which is selected from a plurality of roles previously established on the computer system, and wherein each of the plurality of roles corresponds to one or more functions performed by the computer system;
  
  retrieving an authentication mode corresponding to the role request, wherein the retrieved authentication mode either indicates a role-based authentication requirement or a user-based authentication requirement;
  
  in response to the retrieved authentication mode indicating the role-based authentication requirement;
  
  receiving a role-based authentication token from the user;
  
  granting the user access to the requested role in response to the received role-based authentication token matching an expected role-based authentication token; and
  
  denying the user access to the requested role in response to the received role-based authentication token not matching the expected role-based authentication token; and
  
  in response to the retrieved authentication mode indicating the user-based authentication requirement;
  
  receiving a user-based authentication token from the user;
  
  granting the user access to the requested role in response to the received user-based authentication token matching an expected user-based authentication token; and
  
  denying the user access to the requested role in response to the received user-based authentication token not matching the expected user-based authentication token.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14 further comprising functional descriptive material that causes the data processing system to perform additional actions comprising:
    - receiving a function request from the user to execute one of the functions that corresponds to one of the plurality of roles, wherein the role request is automatically received in response to receiving the function request.
  - 16. The computer program product of claim 14 wherein the retrieved authentication mode further indicates a nonexistent role requirement in addition to the role-based authentication requirement or the user-based authentication requirement and the functional descriptive material that causes the data processing system to perform additional actions comprising:
    - automatically granting the user access to the requested role in response to the retrieved authentication mode indicating the nonexistent role authentication requirement.
  - 17. The computer program product of claim 14 further comprising functional descriptive material that causes the data processing system to perform additional actions comprising:
    - retrieving a second authentication mode corresponding to the role request;
      
      in response to retrieving two authentication modes corresponding to the role request;
      
      receiving both the role-based authentication token and the user-based authentication token from the user;
      
      granting the user access to the requested role in response to the received role-based authentication token matching the expected role-based authentication token and the received user-based authentication token matching the expected user-based authentication token;
      
      denying the user access to the requested role in response to either the received role-based authentication token not matching the expected role-based authentication token or the received user-based authentication token not matching the expected user-based authentication token.
  - 18. The computer program product of claim 14 wherein the user-based authentication token is a user password and wherein the role-based authentication token is a shared role password.
  - 19. The computer program product of claim 14 wherein the retrieval of the authentication mode further comprises additional functional descriptive material that causes the data processing system to perform additional actions comprising:
    - sending a query request to a secured authentication process, wherein the query request includes the role being requested;
      
      locating the role being requested in a data store that includes the plurality of roles and at least role authentication modes corresponding to each of the plurality of roles; and
      
      returning, from the secure authentication process, at least one role authentication mode that corresponds to the role being requested, wherein the at least one returned role authentication mode is the retrieved authentication mode.
  - 20. The computer program product of claim 14 wherein the role request corresponds to a plurality of roles being requested by the user, and the functional descriptive material causes the data processing system to perform additional actions comprising:
    - retrieving a plurality of authentication modes corresponding to the plurality of roles being requested by the user; and
      
      in response to a plurality of the authentication modes indicating the user-based authentication requirement, receiving a single user-based authentication token from the user, the single user-based authentication token being the user-based authentication token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Lu, Yantian Tom, Drew, Thomas Walters

Granted Patent

US 7,890,998 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

SYSTEM AND METHOD FOR SELECTIVE AUTHENTICATION WHEN ACQUIRING A ROLE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SELECTIVE AUTHENTICATION WHEN ACQUIRING A ROLE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links