Keyring metaphor for user's security keys on a distributed multiprocess data system
First Claim
1. A computer-implemented method for associating protection mechanism codes ("locks") for securing the utilization of protected processes, available for use in a data processing system by users of said system, with utilization permission codes ("keys") presented to said protected processes when said users require use of said protected processes, wherein,an active store of said system holds a respective list of keysauthorized to each active user, said lists being indexed in saidactive store by unique identifiers associated with said users;
- said method being characterized by;
when one of said active users makes a request for use of one of said protected processes, a first process operating in said system appends the identifier of said user to said request and forwards the request, with accompanying identifier, to said one protected process;
a second process, in response to receipt of said accompanying identifier, accesses said active store and retrieves the respective key list from said active store;
said second process performs a comparison of the individual keys of said retrieved key list with the lock of said one protected process to determine whether any key of said retrieved key list matches said lock of said one protected process; and
if said comparison determines a match between the keys compared, said one protected process is placed into execution;
butif said comparison determines no match between the keys compared, said one protected process is not placed into execution.
1 Assignment
0 Petitions
Accused Products
Abstract
In a distributed data system in which processes running in trusted systems whose results may be proprietary or sensitive in nature may be invoked by operators at remote, untrusted workstations, and in which said processes are provided with locks which do not permit proprietary or sensitive actions unless a request includes a key matching the lock, a method of associating keys with operators is based on each operator'"'"'s presenting his ID and a valid password at the workstation at the time he logs on to the system, verifying his password in a trusted system, correlating his ID with a role or group of roles he is authorized to fulfill, and retrieving and storing in the memory of the trusted system, associated with the operator'"'"'s ID, a list of keys (a "keyring") for each of those roles. The operator'"'"'s ID is appended to every request he invokes, a process containing a lock interrogates the stored list and will not grant a proprietary action unless the stored list contains a key matching the lock.
-
Citations
4 Claims
-
1. A computer-implemented method for associating protection mechanism codes ("locks") for securing the utilization of protected processes, available for use in a data processing system by users of said system, with utilization permission codes ("keys") presented to said protected processes when said users require use of said protected processes, wherein,
an active store of said system holds a respective list of keys authorized to each active user, said lists being indexed in said active store by unique identifiers associated with said users; - said method being characterized by;
when one of said active users makes a request for use of one of said protected processes, a first process operating in said system appends the identifier of said user to said request and forwards the request, with accompanying identifier, to said one protected process; a second process, in response to receipt of said accompanying identifier, accesses said active store and retrieves the respective key list from said active store; said second process performs a comparison of the individual keys of said retrieved key list with the lock of said one protected process to determine whether any key of said retrieved key list matches said lock of said one protected process; and if said comparison determines a match between the keys compared, said one protected process is placed into execution;
butif said comparison determines no match between the keys compared, said one protected process is not placed into execution. - View Dependent Claims (2)
- said method being characterized by;
-
3. A computer-implemented method for associating protection mechanism codes ("locks") for securing the utilization of protected processes, available for use in a data processing system by users of said system, with utilization permission codes ("keys") presented to said protected processes when said users require use of said protected processes, wherein,
a backing store of said system holds a plurality of different lists of keys to be authorized to the active users, said method being characterized by: -
when one of said users logs on said system by providing information, including a unique identifier of said one user, to said system, a first process operating in said system, in response to receipt of said identifier, accesses said backing store, retrieves at least one of said key lists from said backing store, and enters said retrieved key lists into an active store of said system, said retrieved lists being indexed in said active store by said unique identifier; when said one user subsequently makes a request for use of one of said protected processes, a second process operating in said system appends the identifier of said user to said request and forwards the request, with accompanying identifier, to said one protected process; a third process in response to receipt of said accompanying identifier, accesses said active store and retrieves the respective key lists from said active store; said third process performs a comparison of the individual keys of said retrieved key lists with the lock of said one protected process to determine whether any key of said retrieved key lists matches said lock of said one protected process; and if said comparison determines a match between the keys compared, said one protected process is placed into execution;
butif said comparison determines no match between the keys compared, said one protected process is not placed into execution. - View Dependent Claims (4)
-
Specification