SYSTEM AND METHOD FOR SECURE MANAGEMENT OF MOBILE USER ACCESS TO NETWORK RESOURCES

US 20130029641A1
Filed: 09/24/2012
Published: 01/31/2013
Est. Priority Date: 09/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method for managing secure mobile user access from a wireless mobile device via a wireless service provider network to a plurality of network resources of a host network, by steps comprising:

in an access server comprising a mobile access control layer between the wireless service provider network and the host network,receiving, from a client of the wireless mobile device, a user request for mobile access;

authenticating the user;

determining group membership of the user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;

determining access rules for the user based on each group membership of the user;

generating a list of accessible resources and associated operations for the user based on said access rules;

making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules, said operations on an accessible resource comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download and synchronize operations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client-server system and method is provided for secure management of mobile user access to network resources from a wireless mobile device, such as a smart phone. A mobile access control layer resides between a wireless service provider network and host network, allowing for management of mobile access without overriding internal access policies. Access rules determining accessible resources and permitted operations are determined based on a user'"'"'s group memberships, and optionally on other information received from the system, or from the mobile device, e.g. time or location. Each group is associated with a set of permitted accessible resources and operations, e.g. read or write access to a resource such as a file, list, shared calendar, et al. A list of accessible resources and permitted operations is generated, and the list is made available for subsequent processes, e.g. presented to the user for selection of an accessible resource and permitted operation.

80 Citations

37 Claims

1. A method for managing secure mobile user access from a wireless mobile device via a wireless service provider network to a plurality of network resources of a host network, by steps comprising:
- in an access server comprising a mobile access control layer between the wireless service provider network and the host network,receiving, from a client of the wireless mobile device, a user request for mobile access;
  
  authenticating the user;
  
  determining group membership of the user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
  
  determining access rules for the user based on each group membership of the user;
  
  generating a list of accessible resources and associated operations for the user based on said access rules;
  
  making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules, said operations on an accessible resource comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download and synchronize operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. A method according to claim 1, further comprising performing an operation on an accessible resource comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download and synchronize operations.
  - 3. A method according to claim 1, wherein said network resources comprise network resources of different resource types, and comprising generating said list of accessible resources and operations for the user comprising accessible resources of a plurality of different resource types.
  - 4. A method according to claim 1, wherein the step of authenticating the user comprises receiving from a user credentials comprising at least the user ID.
  - 5. A method according to claim 4, further comprising retrieving directory information associated with said user ID to obtain attributes of the user associated with said user ID.
  - 6. A method according to claim 5, further comprising before retrieving directory information, determining an applicable directory type of a set of possible directory types, and after retrieving said directory information, re-encoding said information to a desired format.
  - 7. A method according to claim 1, further comprising delivery of the list of accessible resources and operations to the client of the wireless mobile device.
  - 8. A method according to claim 7, wherein delivery of the list of accessible resources and operations comprises presenting the list of accessible resources and operations to the user via a user interface of the wireless mobile device.
  - 9. A method according to claim 8, further comprising presenting a list of accessible resource types, and receiving a user selection or validation of a resource type before presenting the list of accessible resource and operations.
  - 10. A method according to claim 8, wherein presenting the list of accessible resources and operations comprises presenting an indication or description of a resource type associated with an accessible resource.
  - 11. A method according to claim 8, wherein presenting comprises graphically displaying said list on the mobile device.
  - 12. A method according claim 1, further comprising validating one or more of an accessible resource, operation, or resource type before subsequent processing thereof.
  - 13. A method according to claim 1, further comprising a step of validating an accessible resource and/or operation in response to a user request before subsequent processing thereof.
  - 14. A method according to claim 1, further comprising initiating a process to respond to a user request for an operation on an accessible resource in accordance with access rules.
  - 15. A method according to claim 14, further comprising responding to a request from the user for an operation on a resource by blocking or denying access to said resource.
  - 16. A method according to claim 1, wherein said access rules are determined for a user based on a Boolean evaluation of rules for a plurality of group memberships of the user.
  - 17. A method according to claim 1, further comprising receiving additional data from at least one of the system and the mobile device, and wherein said access rules are determined based on said additional information.
  - 18. A method according to claim 1, wherein said access rules are determined dynamically based on at least one of a date and time of day and a location of the mobile device or a combination thereof.
  - 19. A method according to claim 1, wherein each access rule comprises a membership list and a resource and/or operations list.
  - 20. A method according to claim 19, wherein a membership list comprises a high level descriptor defining criteria for who may access associated resources and operations.
  - 21. A method according to claim 19, wherein a resource and/or operations list comprises high level descriptors of resources and/or operations.
  - 22. A method according to claim 1, wherein said access rule comprises a high level descriptor of one or more of a membership group, a resource, and an associated operation.
  - 23. A method according to claim 1, further comprising determining group membership of a user based on a token associated with said user ID.
  - 24. A method according to claim 8, wherein presenting said list of accessible resources and operations comprises displaying said list arranged by containers, each container containing a listing of resources and/or operations associated with a respective group membership.
  - 25. A method according to claim 8, wherein presenting said list of accessible resources and operations comprises displaying said list arranged by resource type.

26. A computer readable medium storing instructions for performing, in a mobile access control layer of an access server where the mobile access control layer is between a wireless service provider and a host network, the following method steps comprising:
- receiving, from a client of the wireless mobile device, a user request for mobile access;
  
  authenticating the user;
  
  determining group membership of the user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
  
  determining access rules for the user based on each group membership of the user;
  
  generating a list of accessible resources and associated operations for the user based on said access rules;
  
  making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules, said operations on an accessible resource comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download and synchronize operations.
- View Dependent Claims (37)
- - 37. A client server system according to claim 26, configured such that permissions are set initially so as to block access to all resources from all mobile users, and wherein said access rules are established to selectively enable access to groups of mobile users according to respective access policies for users based on membership of each group.

27. A client-server system for managing secure mobile user access from a wireless mobile device via a wireless service provider network to a plurality of network resources of a host network, the system comprising:
- an access server providing a mobile access control layer between the wireless service provider network and the host network;
  
  a mobile access client residing on the user'"'"'s wireless mobile device; and
  
  wherein the mobile access control layer is configured to perform the steps of;
  
  receiving, from the mobile access client, a user request for mobile access;
  
  authenticating the user;
  
  determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
  
  determining access rules for the user based on each group membership of the user;
  
  generating a list of accessible resources and associated operations for the user based on said access rules;
  
  making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. A client-server system according to claim 27, wherein the mobile access control layer is further configured to perform the step of delivering the list of accessible resources and operations to the mobile access client.
  - 29. A client-server system according to claim 27, wherein the mobile access client is further configured to:
    - perform the step of presenting on a user interface of the wireless mobile device, said list of accessible resources of one or more resource types and permissible operations; and
      
      to receive a user request for performing a selected operation on a selected accessible resource.
  - 30. A client-server system according to claim 27 configured for operation with a wireless mobile device comprising one of a Blackberry device, an iPhone or other smart phone miming a mobile operating system comprising one of Blackberry OS, iOS, Android or other mobile operating system.
  - 31. A client-server system according to claim 27, wherein the wireless service provider network comprises a cellular voice and data network.
  - 32. A client-server system according to claim 27, wherein the wireless service provider network comprises WiFi network.
  - 33. A client-server system according to claim 27, wherein the mobile access control layer determines accessible resources and permissible operations based on information received from the mobile device, information contained in a directory and information contained in rules, and determines if a rule has been satisfied positively or negatively.
  - 34. A client-server system according to claim 27, wherein access privileges for remote access by mobile devices are managed independently of, or separately from, internal security policies of the host network.
  - 35. A client-system according to claim 27, wherein mobile access is restricted to a subset of resources accessible to a user internally within the host network, so as not to override internal network access policies, and to restrict or deny mobile access to selected resources that would be available to said user according to internal network access policies.
  - 36. A client-system according to claim 27, wherein said access rules provide for specification of subsets of existing resources within the same system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XE2 Limited
Original Assignee
XE2 Limited
Inventors
Hickie, Thomas William

Granted Patent

US 8,798,579 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/22   comprising specially adapte...

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04W 12/084   using delegated authorisati...

H04W 12/086   using security domains

H04W 12/088   using filters or firewalls

SYSTEM AND METHOD FOR SECURE MANAGEMENT OF MOBILE USER ACCESS TO NETWORK RESOURCES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURE MANAGEMENT OF MOBILE USER ACCESS TO NETWORK RESOURCES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links