Method for managing usage authorizations in a data processing network and a data processing network

US 20090183228A1
Filed: 12/30/2008
Published: 07/16/2009
Est. Priority Date: 01/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method for managing usage authorizations in a data processing network, comprising:

allocating to a user, upon the user logging in at a work station of the data processing network, at least one role stored in a central authorization register;

determining, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;

accessing via a central security module, if there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;

determining whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, if determined, to the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To facilitate the work of a user with a data processing network with a number of security levels of the applications and functions to be executed, a method is proposed for managing usage authorizations in this data processing network. In at least one embodiment of the method, when a user logs in at a work station, at least one role stored in a central authorization register is allocated to the user; when an application is called up a local security module of the application determines which authorizations are granted for the role of the user; and if there is no authorization for an application-related action, a central security module accesses a central collection of security rules, the security rules indicating the circumstances, in which, when a user'"'"'s authorizations are not sufficient to carry out the application-related action, the user can still carry it out and determines whether according to at least one of the security rules a usage authority is possible for the application-related action and offers this to the user.

Citations

21 Claims

1. A method for managing usage authorizations in a data processing network, comprising:
- allocating to a user, upon the user logging in at a work station of the data processing network, at least one role stored in a central authorization register;
  
  determining, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;
  
  accessing via a central security module, if there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;
  
  determining whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, if determined, to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method as claimed in claim 1, wherein the security rules are configurable.
  - 3. The method as claimed in claim 1, wherein data from a portable identification object of the user is read wirelessly by use of a login read device to log in at the work station.
  - 4. The method as claimed in claim 3, wherein an RFID chip is used as the identification object.
  - 5. The method as claimed in claim 1, wherein where a number of security rules are determined, which allow the application-related action to be carried out, the central security module selects one security rule automatically.
  - 6. The method as claimed in claim 5, wherein if a security rule allows the application-related action to be carried out without additional identification of the user, this is executed automatically by the central security module.
  - 7. The method as claimed in claim 6, wherein the central security module determines whether the user can assume more than one role and if one further role has the authorization to carry out the application-related action, the authorization is automatically transferred to the current role, with which the user logged in.
  - 8. The method as claimed in claim 5, wherein if a number of security rules are determined, with the aid of which the application-related action can be carried out after further identification of the user, the central security module displays a list of these security rules for selection.
  - 9. The method as claimed in claim 8, wherein for the additional identification of the user, at least one of a chip card is read by a card reader, the user is requested to input a password, and the user is requested to input a PIN number.
  - 10. The method as claimed in claim 8, wherein the central security module proposes a security rule, determined based on a prioritization.
  - 11. The method as claimed in claim 8, wherein when the security rules are output, the central security module determines which devices required for execution of the security rules are connected to the work station.
  - 12. The method as claimed in claim 1, wherein the user is automatically logged off after a defined inactive time period.
  - 13. The method as claimed in claim 12, wherein different time periods are defined for the various roles.
  - 14. The method as claimed in claim 1, wherein for the application-related action to be carried out by way of a temporary login of a further user at the work station, the user'"'"'s role and the assigned authorizations of the further user are taken over.
  - 15. The method as claimed in claim 14, wherein after the application-related action has been carried out, the further user is automatically logged off.
  - 16. The method as claimed in claim 1, wherein after a further user logs in at the work station, roles are switched, with the settings of the first user being maintained.
  - 17. A data processing network, comprising:
    - a plurality of individual devices, set up in respect of data to implement the method according to claim 1.
  - 18. A method, comprising:
    - using the data processing network as claimed in claim 17 for processing medical engineering data, in particular image data.
  - 19. The method as claimed in claim 2, wherein data from a portable identification object of the user is read wirelessly by use of a login read device to log in at the work station.
  - 20. The method as claimed in claim 19, wherein an RFID chip is used as the identification object.
  - 21. A method, comprising:
    - using the data processing network as claimed in claim 17 for processing image data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens Healthcare GMBH (Siemens AG)
Original Assignee
Siemens AG
Inventors
Dominick, Lutz, Dasch, Thomas

Granted Patent

US 8,365,263 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/105   Multiple levels of security

H04L 9/321   involving a third party or ...

H04L 9/3231   Biological data, e.g. finge...

Method for managing usage authorizations in a data processing network and a data processing network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method for managing usage authorizations in a data processing network and a data processing network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links