System and method for controlling access to data entities in a computer network
First Claim
1. A method for controlling user access to a plurality of data entities in a computer network, said plurality of data entities stored on a plurality of application servers, said method comprising the steps of:
- sending an access rights query from an application server to a security server, said access rights query specifying a user of the network;
- at said security server, accessing a relational database in response to said access rights query to obtain an access rights list for said user, said access rights list specifying access rights of said user with respect to said plurality of data entities;
- sending said access rights list from said security server to said application server;
- at said application server, storing said access rights list in an access rights cache; and
- accessing said cache to determine the access rights of said user with respect to a specific data entity of said plurality of data entities.
Abstract
Access rights of users of a computer network with respect to data entities are specified by a relational database stored on one or more security servers. Application servers on the network that provide user access to the data entities generate queries to the relational database in order to obtain access rights lists of specific users. An access rights cache on each application server caches the access rights lists of the users that are connected to the respective application server, so that user access rights to specific data entities can rapidly be determined. Each user-specific access rights list includes a series of category identifiers plus a series of access rights values. The category identifiers specify categories of data entities to which the user has access, and the access rights values specify privilege levels of the users with respect to the corresponding data entity categories. The privilege levels are converted into specific access capabilities by application programs running on the application servers.
Citations: 1115
Claims (66)
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2 to 20.
21. A method of determining the access rights of a user of a computer system with respect to a plurality of data entities of the computer system, comprising the steps of:
- identifying at least one user group of which said user is a member, said at least one user group being part of a predefined set of user groups; and
- identifying at least one data entity category to which said user has access by virtue of being a member of said at least one user group, said at least one data entity category being part of a predefined set of data entity categories.
Dependent claims: 22 to 36.
37. In a computer network in which different users have different access rights with respect to different data entities, a method of efficiently specifying the access rights of users, comprising the steps of:
- assigning each of a plurality of data entities to one of a plurality of categorical groups of data entities, each of said categorical groups containing data entities for which user access rights may be specified collectively; and
- assigning each of a plurality of users to at least one of a plurality of user groups, each of said user groups having a corresponding set of access rights associated therewith with respect to said plurality of categorical groups.
Dependent claims: 38 to 41.
42. A system for providing user access to data entities in a computer network, comprising:
- at least one application server that stores a plurality of data entities, said data entities accessible by a plurality of users through a plurality of application programs, different of said users having different levels of access with respect to at least some of said data entities;
- a database which stores access rights values that specify access rights of said users with respect to said data entities; and
- an access rights cache on said at least one application server, said access rights cache storing access rights lists, said access rights lists obtained from said database in response to requests from said at least one application server, each of said access rights lists comprising a plurality of said access rights values and specifying access rights for a respective one of said plurality of users.
Dependent claims: 43 to 53.
54. An access rights list stored on a storage medium of a computer, said access list specifying the access rights of a user of a network with respect to a plurality of data entities of said network, said plurality of data entities subdivided into multiple categorical groups of data entities, said access rights list comprising:
- a plurality of group identifiers, each of said group identifiers specifying one of said multiple categorical groups, said plurality of group identifiers specifying a subset of said multiple categorical groups to which said user has access rights; and
- a plurality of access rights values, each of said access rights values specifying access rights with respect to data entities which fall within a respective one of said categorical groups of said subset.
Dependent claims: 55 to 58.
59. A relational database for storing access rights data which specifies access rights of users with respect to a plurality of data entities of a computer network, said plurality of data entities subdivided into a plurality of categories, said database comprising:
- a first table that maps users to user groups, at least one of said users being a member of multiple of said user groups;
- a second table which contains, for each of said user groups, a group-based access rights list that specifies group-based access rights of members of a respective user group, said group-based access rights list stored in association with a plurality of category identifiers that identify said categories of data entities; and
- a third table which contains, for at least one of said users, a user-specific access rights list that specifies special rights for a respective user, said user-specific access rights list stored in association with said plurality of category identifiers.
Dependent claims: 60 to 62.
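As an added illustration (not code from the patent or its assignee), the scheme described in the abstract and in claim 59 modelled with Python and sqlite3: the three tables, the security server's assembly of a user's access rights list from group-based and user-specific rows, and the per-application-server cache consulted for each entity check. Table and column names, the merge rule (highest level across a user's groups, with a user-specific row overriding it), the privilege-level-to-capability mapping and the sample rows are all assumptions constructed for this example.

```python
import sqlite3

# Constructed sample schema and rows (assumed names; not from the patent): the three
# tables of claim 59. Rights values are privilege levels, as in the abstract.
SCHEMA = """
CREATE TABLE user_groups (account INTEGER, group_id TEXT);
CREATE TABLE group_rights (group_id TEXT, category_id TEXT, rights INTEGER);
CREATE TABLE user_rights (account INTEGER, category_id TEXT, rights INTEGER);
"""
SAMPLE = """
INSERT INTO user_groups VALUES (1001, 'staff'), (1001, 'finance'), (1002, 'staff');
INSERT INTO group_rights VALUES ('staff', 'memos', 1), ('finance', 'ledgers', 2),
                                ('finance', 'memos', 2);
INSERT INTO user_rights VALUES (1002, 'ledgers', 1), (1001, 'memos', 0);
"""
# Privilege level -> capabilities; the conversion the application program performs (assumed mapping).
CAPABILITIES = {0: set(), 1: {"read"}, 2: {"read", "write"}, 3: {"read", "write", "delete"}}

def security_server():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def access_rights_list(db, account):
    """Security server side: answer an access rights query with {category_id: level}.
    Assumed merge rule: highest level over the user's groups, then user-specific rows
    (the third table) override that value, whether they raise or lower it."""
    rights = {}
    for cat, level in db.execute(
            "SELECT gr.category_id, MAX(gr.rights) FROM user_groups ug "
            "JOIN group_rights gr ON gr.group_id = ug.group_id "
            "WHERE ug.account = ? GROUP BY gr.category_id", (account,)):
        rights[cat] = level
    for cat, level in db.execute(
            "SELECT category_id, rights FROM user_rights WHERE account = ?", (account,)):
        rights[cat] = level
    return rights

class ApplicationServer:
    """Application server side: one query per connected user, then every entity check is
    served from the access rights cache via the entity's stored category identifier."""
    def __init__(self, db, entity_categories):
        self.db, self.entity_categories, self.cache = db, entity_categories, {}

    def capabilities(self, account, entity):
        if account not in self.cache:
            self.cache[account] = access_rights_list(self.db, account)
        level = self.cache[account].get(self.entity_categories[entity], 0)  # no entry: no access
        return CAPABILITIES[level]

    def invalidate(self, account):
        """A rights change in the database is invisible here until the cached list is dropped."""
        self.cache.pop(account, None)
```

The last method is the operational caveat of the design: a revocation written to the security server's database takes effect on an application server only once that user's cached list is refreshed or discarded.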
63. In a computer network in which different users have different access rights with respect to different data entities, a method of specifying the access rights of a user with respect to a plurality of data entities, comprising the steps of:
- assigning a category identifier to said plurality of data entities;
- storing said category identifier with or in association with each data entity of said plurality of data entities; and
- storing an access rights value in association with said category identifier and in further association with an account number of said user, said access rights value specifying said access rights of said user with respect to said plurality of data entities.
Dependent claims: 64 to 66.
Specification