ROLE-BASED ACCESS CONTROL UTILIZING TOKEN PROFILES

US 20110167256A1
Filed: 01/05/2010
Published: 07/07/2011
Est. Priority Date: 01/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a token processing system (TPS) of a computing system programmed to perform operations, comprising:

receiving, by the TPS, a request of a TPS user to perform an operation on entries of a token database, wherein each of the entries of the token database is associated with a token assigned to one of a plurality of groups;

identifying a subset of the plurality of groups that corresponds to the token entries indicated in the request of the TPS user;

determining to which of the identified groups the TPS user belongs;

for each group the TPS user belongs, determining a corresponding role for the TPS user, wherein the corresponding role defines the TPS user'"'"'s access privileges to the entries corresponding to tokens in the respective group; and

for each group the TPS user belongs, allowing the TPS user access to the entries of the respective group to perform the operation when the TPS user has the appropriate role assigned within the respective group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing role-based access control of token data using token profiles is described.

44 Citations

View as Search Results

20 Claims

1. A method, implemented by a token processing system (TPS) of a computing system programmed to perform operations, comprising:
- receiving, by the TPS, a request of a TPS user to perform an operation on entries of a token database, wherein each of the entries of the token database is associated with a token assigned to one of a plurality of groups;
  
  identifying a subset of the plurality of groups that corresponds to the token entries indicated in the request of the TPS user;
  
  determining to which of the identified groups the TPS user belongs;
  
  for each group the TPS user belongs, determining a corresponding role for the TPS user, wherein the corresponding role defines the TPS user'"'"'s access privileges to the entries corresponding to tokens in the respective group; and
  
  for each group the TPS user belongs, allowing the TPS user access to the entries of the respective group to perform the operation when the TPS user has the appropriate role assigned within the respective group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising assigning a plurality of tokens to the plurality of groups based on identification numbers, and wherein said assigning the plurality of tokens to the plurality of groups comprises assigning each of the plurality of groups a set of identification numbers, wherein each of the identification numbers of each set corresponds to a unique one of the tokens of the respective group.
  - 3. The method of claim 1, further comprising assigning a plurality of tokens to the plurality of groups based on ranges of card unique identifiers (CUIDs), each range corresponding to one of the plurality of groups and each CUID corresponding to one of the plurality of tokens of the plurality of groups.
  - 4. The method of claim 1, further comprising assigning a plurality of tokens to the plurality of groups based on Answer-to-Reset (ATR) manufacturing identifiers, each ATR manufacturing identifier corresponding to one of the plurality of groups.
  - 5. The method of claim 1, further comprising assigning a plurality of tokens to the plurality of groups by, for each of the plurality of groups, adding a group identifier (ID) attribute, corresponding to the particular group, to each of the entries corresponding to the plurality of tokens of the particular group.
  - 6. The method of claim 1, further comprising assigning a plurality of tokens to the plurality of groups by, for each of the plurality of groups, adding a token profile identifier (ID) attribute, corresponding to the particular token profile, to each token-related entry corresponding to the plurality of tokens of the particular group, and wherein assigning the TPS user the token profile comprises adding an auxiliary class with a multi-value attribute that can be attached to a user-related entry in the token database to identify that the TPS user belongs to the particular group.
  - 7. The method of claim 6, further comprising, when requested by the TPS user, listing the token-related entries of the token database for each of the plurality of groups for which the token profile ID of the TPS user matches a set of token profile IDs permitted by each of the plurality of groups.
  - 8. The method of claim 1, further comprising:
    - assigning the TPS user a first role for a first group of the plurality of groups, wherein the first group comprises a first set of identification numbers, wherein each of the first set of identification numbers corresponds to a unique one of a plurality of tokens in the first group; and
      
      assigning the TPS user a second role for a second group of the plurality of groups, wherein the second group comprises a second set of identification numbers, wherein each of the second set of identification numbers corresponds to a unique one of a plurality of tokens in the second group, and wherein the first and second roles define access privileges for the TPS user in each of the first and second groups, respectively.
  - 9. The method of claim 8, wherein the first role has different access privileges than the second role.
  - 10. The method of claim 1, further comprising:
    - assigning the TPS user to the plurality of groups; and
      
      for each group the TPS user belongs, assigning the TPS user one of a plurality of roles, wherein each of the plurality of roles defines different access privileges to the entries for the respective group.
  - 11. The method of claim 10, wherein the plurality of roles comprise:
    - a first role that grants read-only permissions to view and search token-related entries of the respective group;
      
      a second role that grants read and write permissions to view, search, and modify the token-related entries of the respective group; and
      
      a third role that grants read-only permissions to view and search the token-related entries of the respective group, permissions to add a token to the respective group, permissions to delete a token from the respective group, permissions to add, modify, and delete one or more TPS users associated with the respective group.
  - 12. The method of claim 11, wherein the first role further grants read-only permissions to view and search token-related entries comprising certificates associated with tokens of the respective group and activities for the tokens of the respective group, and wherein the second role further grants read and write permissions to view, search, and modify the token-related entries comprising the certificates and the activities.
  - 13. The method of claim 1, wherein at least one of the plurality of groups is a default top-level group, and wherein at least one role of the default top-level group is an administrator role that allows the TPS user having been assigned the administrator role to create a new group.
  - 14. The method of claim 13, wherein the administrator role further allows the TPS user having been assigned the administrator role to list all groups and create other TPS users in any of these groups.

15. A certificate system, comprising:
- a data storage device to store a plurality of token profiles, wherein each of the plurality of token profiles corresponds to one of a plurality of groups, each of the plurality of groups having a plurality of tokens, and wherein each of the plurality of token profiles specifies a role that defines the TPS user'"'"'s access privileges to entries of a token database corresponding to the tokens in the respective group; and
  
  a first server, comprising a token processing system (TPS), coupled to the data storage device, wherein the TPS is configured to receive a request of a TPS user to perform an operation on the entries of the token database, to identify a subset of the plurality of groups that corresponds to the token entries indicated in the request of the TPS user, and to determine to which of the identified groups the TPS user belongs, and for each group the TPS user belongs, the TPS is configured to determine a corresponding role for the TPS user and to allow the TPS user access to entries of the respective group to perform the operation when the TPS user has the appropriate role assigned within the respective group.
- View Dependent Claims (16, 17)
- - 16. The certificate system of claim 15, further comprising a Lightweight Directory Access Protocol (LDAP) directory server coupled to the first server, wherein the LDAP directory server is configured to manage the entries of the token database as LDAP entries stored in a LDAP repository, and wherein the TPS is configured to manage role-based access control of the LDAP entries using the token profiles assigned to the TPS user and the corresponding roles assigned to the respective token profile.
  - 17. The certificate system of claim 15, wherein the TPS comprises a role-based access control module that comprises a token database access manager coupled to the data storage device to access the token profiles assigned to the TPS user to determine a role-based access of the TPS user to the entries of the token database stored in the data storage device, and wherein the token database access manager is coupled to receive the request from the TPS user via an interface and is configured to control access to the entries of the token database based on the role-based access of the TPS user.

18. A machine-readable storage medium having instructions, which when executed, cause a token processing system (TPS) of a computing system to perform a method, the method comprising:
- receiving, by the TPS, a request of a TPS user to perform an operation on entries of a token database, wherein each of the entries of the token database is associated with a token assigned to one of a plurality of groups;
  
  identifying a subset of the plurality of groups that corresponds to the token entries indicated in the request of the TPS user;
  
  determining to which of the identified groups the TPS user belongs;
  
  for each group the TPS user belongs, determining a corresponding role for the TPS user, wherein the corresponding role defines the TPS user'"'"'s access privileges to the entries corresponding to tokens in the respective group; and
  
  for each group the TPS user belongs, allowing the TPS user access to the entries of the respective group to perform the operation when the TPS user has the appropriate role assigned within the respective group.
- View Dependent Claims (19, 20)
- - 19. The machine-readable storage medium of claim 18, wherein at least one of the plurality of groups is a default top-level group, and wherein at least one role of the default top-level group is an administrator role that allows the TPS user having been assigned the administrator role to create a new group.
  - 20. The machine-readable storage medium of claim 19, wherein the administrator role further allows the TPS user having been assigned the administrator role to list all groups and create other TPS users in any of these groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Lee, Ade

Granted Patent

US 8,387,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

ROLE-BASED ACCESS CONTROL UTILIZING TOKEN PROFILES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ROLE-BASED ACCESS CONTROL UTILIZING TOKEN PROFILES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links