CROSS SECURITY-DOMAIN IDENTITY CONTEXT PROJECTION WITHIN A COMPUTING ENVIRONMENT

US 20110138452A1
Filed: 12/04/2009
Published: 06/09/2011
Est. Priority Date: 12/04/2009
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the method comprising:

creating by a local security manager of the second system a runtime security context in the second system for a user of the first system, the creating being responsive to receipt of a request at the second system from the first system for the runtime security context at the second system and the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;

sending by the second system to the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and

receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processing within a computing environment is facilitated by: determining by a local security manager of a first system in a first security domain whether a local security context of a user is acceptable to a second system in a second security domain; responsive to the user'"'"'s security context being unacceptable to the second system, creating by a local security manager of the second system a runtime security context for the user in the second system; and providing the first system with a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system, the reference or the portable representation being subsequently returned to the second system with a request from the first system to process work at the second system.

Citations

20 Claims

1. A method of facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the method comprising:
- creating by a local security manager of the second system a runtime security context in the second system for a user of the first system, the creating being responsive to receipt of a request at the second system from the first system for the runtime security context at the second system and the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;
  
  sending by the second system to the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising initially determining by a local security manager of the first system in the first security domain of the computing environment whether a local security context of the user in the first domain is acceptable to the second system in the second domain, and if not, sending the request to the second system for the runtime security context for the user in the second system.
  - 3. The method of claim 2, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 4. The method of claim 2, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.
  - 5. The method of claim 2, further comprising in response to ascertaining that the second system comprises a same type of security manager as the first system and to ascertaining that the local security manager of the second system employs a same or a compatible security set of credential definitions as the first system, forwarding work from the first system to the second system with the local security context of the user in the first system associated herewith for use at the second system as the runtime security context of the user in the second system, without performing the creating, the sending and the receiving.
  - 6. The method of claim 1, wherein in addition to receiving the request at the second system to create the runtime security context for the user in the second system, the second system receives from the first system neutral format security credentials for the user understandable by the local security manager of the first system and the local security manager of the second system.
  - 7. The method of claim 6, wherein the creating by the local security manager of the second system further comprises receiving the neutral format security credentials and performing a mapping thereof using rules established in the second system to derive a set of security credentials of the user acceptable to the second system, wherein the mapping comprises:
    - performing a lookup operation employing at least one of a user ID of the user in the first system and a name of the first system, and outputting in response thereto a user ID acceptable to the second system;
      
      performing a lookup operation for each group name provided in the neutral format security credentials to enable transformation thereof into a corresponding group name acceptable to the second system;
      
      ascertaining from the neutral format security credentials port-of-entry information associated with the user, if required by the second system;
      
      ascertaining from the second system a usable security label for the user, if required by the second system; and
      
      using the set of security credentials for the user acceptable to the second system increating the runtime security context for the user in the second system.
  - 8. The method of claim 1, wherein responsive to receiving in association with the work the reference to the runtime security context for the user in the second system which is resolvable within the computing environment, the second system uses the reference to provide the runtime security context for the user in the second system for performing the received work in the second system.
  - 9. The method of claim 1, wherein responsive to receiving the portable representation of the runtime security context in association with the work, the second system directly uses the portable representation of the runtime security context of the user in the second system in performing the received work in the second system.

10. A computer system for facilitating processing within a computing environment comprising a first system in a first security domain and a second system within a second security domain, the computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is capable of performing a method, the method comprising;
  
  creating by a local security manager of the second system a runtime security context in the second system for a user of the first system, the creating being responsive to receipt of a request at the second system from the first system for the runtime security context at the second system and the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first sytem;
  
  sending by the second system to the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system, having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer system of claim 10, further comprising initially determining by a local security manager of the first system in the first security domain of the computing environment whether a local security context of the user in the first domain is acceptable to the second system in the second domain, and if not, sending the request to the second system for the runtime security context for the user in the second system.
  - 12. The computer system of claim 11, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 13. The computer system of claim 11, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.
  - 14. The computer system of claim 11, further comprising in response to ascertaining that the second system comprises a same type of security manager as the first system and to ascertaining that the local security manager of the second system employs a same or a compatible security set of credential definitions as the first system, forwarding work from the first system to the second system with the local security context of the user in the first system associated herewith for use at the second system as the runtime security context of the user in the second system, without performing the creating, the sending and the receiving.
  - 15. The computer system of claim 10, wherein in addition to receiving the request at the second system to create the runtime security context for the user in the second system, the second system receives from the first system neutral format security credentials for the user understandable by the local security manager of the first system and the local security manager of the second system.
  - 16. The computer system of claim 15, wherein the creating by the local security manager of the second system further comprises receiving the neutral format security credentials and performing a mapping thereof using rules established in the second system to derive a set of security credentials of the user acceptable to the second system, wherein the mapping comprises:
    - performing a lookup operation employing at least one of a user ID of the user in the first system and a name of the first system, and outputting in response thereto a user ID acceptable to the second system;
      
      performing a lookup operation for each group name provided in the neutral format security credentials to enable transformation thereof into a corresponding group name acceptable to the second system;
      
      ascertaining from the neutral format security credentials port-of-entry information associated with the user, if required by the second system;
      
      ascertaining from the second system a usable security label for the user, if required by the second system; and
      
      using the set of security credentials for the user acceptable to the second system increating the runtime security context for the user in the second system.

17. A computer program product for facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the computer program product comprising:
- a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  creating by a local security manager of the second system a runtime security context in the second system for a user of the first system, the creating being responsive to receipt of a request at the second system from the first system for the runtime security context at the second system and the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;
  
  sending by the second system to the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, further comprising initially determining by a local security manager of the first system in the first security domain of the computing environment whether a local security context of the user in the first domain is acceptable to the second system in the second domain, and if not, sending the request to the second system for the runtime security context for the user in the second system.
  - 19. The computer program product of claim 18, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 20. The computer program product of claim 18, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Rosenfeld, Eric, Dooley, Alan P., Guski, Richard H., Mapes, Deborah F., Nelson, Mark A., Hardgrove, Russell D., Fitzpatrick, Arthur L. III, Farrell, Walter B., Marusek, Christine A.

Granted Patent

US 8,627,434 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/20 for managing network securi...

CROSS SECURITY-DOMAIN IDENTITY CONTEXT PROJECTION WITHIN A COMPUTING ENVIRONMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CROSS SECURITY-DOMAIN IDENTITY CONTEXT PROJECTION WITHIN A COMPUTING ENVIRONMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links