Access Control in a Computer System

US 20180255043A1
Filed: 03/06/2017
Published: 09/06/2018
Est. Priority Date: 03/06/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory, the apparatus comprising at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to apparatuses and methods for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory. The apparatus comprises at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.

44 Citations

View as Search Results

20 Claims

1. An apparatus for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory, the apparatus comprising at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus according to claim 1, configured to manage the filtering based on two matrices, wherein a first matrix is configured for mapping hosts to sets of filtering rules and a second matrix is configured for mapping the sets of filtering rules to at least one of directory, attribute and user.
  - 3. The apparatus according to claim 1, configured to collect information of the configurations for filtering access requests by directory users and maintain the collected configuration information separately from the user information directory.
  - 4. The apparatus according to claim 1, further configured to control access of the directory users to at least one host by filtering access requests containing user identity information of the requesting directory user, wherein the filtering is based on directory user specific filtering information stored in a memory for controlling access of individual directory users to the at least one host.
  - 5. The apparatus according to claim 4, wherein the user identity information is arranged to indicate the user as a user defined in a user information directory.
  - 6. The apparatus according to claim 4, wherein the user identity information is arranged to identify the user information directory where the user is defined.
  - 7. The apparatus according to claim 1, wherein the apparatus is configured to require a key for granting a requested access to the at least one host in addition to user specific filtering information stored in a memory.
  - 8. The apparatus according to claim 7, wherein the key is an identity key arranged for authorizing a user to access a host having a corresponding authorized key configured as an access granting key.
  - 9. The apparatus according to claim 7, further configured to use information about at least one use of the key, wherein the information comprises information of at least one ofthe time of use or times of use of the key,identity of at least one host on which the key has been used,identity of at least one host to which the key has been used to authenticate the user, andidentity of at least one user for whom the key has been used for authentication.
  - 10. The apparatus according to claim 1, further configured to use information of authentications or logins as an indication of a directory user.
  - 11. The apparatus according to claim 10, wherein information about authentications or logins comprises at least one ofan indication of at least one time of authentication or login,an indication of the time of last authentication or login,at least one identification of a SSH key used for at least one authentication or login, andat least one identification of a host from which at least one authentication connection was made.

12. A method for managing access information in a computer network where user information for directory users is stored in a user information directory, the method comprising maintaining, for a plurality of hosts in a storage and separately from the user information directory, information regarding configurations for attribute based filtering of access requests to each of the host by the directory users.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method according to claim 12, comprising maintaining the information regarding the configurations in two matrices, wherein a first matrix is for mapping hosts to sets of filtering rules and a second matrix is for mapping the sets of filtering rules to at least one directory, attribute and user.
  - 14. The method according to claim 12, further comprising collecting information of the configurations for filtering access requests by directory users and maintaining the collected configuration information separately from the user information directory and the hosts.
  - 15. The method according to claim 14, wherein the collecting comprises scanning the hosts and/or monitoring traffic in the computer network.
  - 16. The method according to claim 12, comprising filtering access requests based on said information regarding the configurations for attribute based filtering.
  - 17. The method according to claim 16, further comprisingreceiving an access request containing user identity information for a directory user, andcontrolling access of the directory user to at least one host by filtering the access request by an access request filtering entity based on the identity information and said configurations for attribute based filtering.
  - 18. The method according to claim 16, further comprising identifying a user as a directory user.

19. A data structure stored in a non-transitory computer readable media for use in access control in a computer network, comprisinga first data record associating hosts with configuration information records of configurations for attribute based filtering of access requests to the hosts by directory users, anda second data record associating the configuration information records with sets of attributes, related users and directories.
- View Dependent Claims (20)
- - 20. A data structure according to claim 19, wherein information of the configurations for filtering access requests by directory users is collected from the computer network and the data structure is configured to maintain the collected configuration information separately from the user information directory and the hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Teiste, Marko, Mononen, Tero, Linnakangas, Tommi, Pakkanen, Jussi, Ylonen, Tatu J., Jaaskelainen, Kalle, Rossi, Markku

Granted Patent

US 10,880,295 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/45545   Guest-host, i.e. hypervisor...

H04L 41/08   Configuration management of...

H04L 43/08   Monitoring or testing based...

H04L 63/0245   Filtering by information in...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

Access Control in a Computer System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Access Control in a Computer System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others