Method and apparatus for automating security functions in a computer system

US 6,141,778 A
Filed: 06/29/1998
Issued: 10/31/2000
Est. Priority Date: 06/29/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing security in a computing system, the computing system having a plurality of accounts, each account having a level of access privilege associated therewith, the plurality of accounts being respectively assigned to a plurality of users, the method comprising:

for one of the plurality of accounts, obtaining a department identifier from a human resources database, the department identifier corresponding to a department to which the user assigned to the account is assigned; and

automatically assigning a level of access privilege to the account, the level of access privilege corresponding to a default level of access privilege associated with the department to which the department identifier corresponds.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer security system automatically updates an access status and a level of access privilege for each user based on outside feeds related to current status of the user with respect to an organization, such as a business or school and the membership of the user in a group or department within the organization. A unique user identifier is assigned to each user across all computing systems. The computing system retains the relationship between the user and the user identifier even after the user'"'"'s access to the computing system is terminated. The user may be reassigned the same user identifier should the user again be granted access to the system resources. The computing security system may be implemented as an overlay to an existing resource allocation system, such as the RACF system commonly found on many mainframe computers and may allow decentralization of certain security functions.

Citations

44 Claims

1. A method for providing security in a computing system, the computing system having a plurality of accounts, each account having a level of access privilege associated therewith, the plurality of accounts being respectively assigned to a plurality of users, the method comprising:
- for one of the plurality of accounts, obtaining a department identifier from a human resources database, the department identifier corresponding to a department to which the user assigned to the account is assigned; and
  
  automatically assigning a level of access privilege to the account, the level of access privilege corresponding to a default level of access privilege associated with the department to which the department identifier corresponds.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - periodically automatically checking the human resources database for an employment status value corresponding to an employment status of the user to which the account is assigned; and
      
      updating an access privilege for the account if the employment status value for the user that the account is assigned to has changed.
  - 3. The method of claim 1, further comprising:
    - periodically automatically checking the human resources database for an employment status value corresponding to an employment status of the user to which the account is assigned;
      
      updating an access privilege for the account if the employment status value for the user that the account is assigned to has changed; and
      
      automatically providing a notice of a change in the access privilege prior to performing the step of updating the access privilege.
  - 4. The method of claim 1, further comprising:
    - periodically automatically checking the human resources database for the department identifier corresponding to the department to which the user assigned to the account is assigned; and
      
      updating the level of access privilege for the account if the department identifier for the user to which the account is assigned has changed.
  - 5. The method of claim 1, further comprising:
    - periodically automatically checking the human resources database for the department identifier corresponding to the department to which the user assigned to the account is assigned;
      
      updating the level of access privilege for the account if the department identifier for the user to which the account is assigned has changed; and
      
      automatically providing a notice of a change in the level of access privilege prior to performing the step of updating the level of access privilege.
  - 6. The method of claim 1 wherein the one of the plurality of users is a contractor having a contract termination date, and further comprising:
    - automatically providing a notice of a termination in access privilege at a defined period prior to the contract termination date.
  - 7. The method of claim 1, further comprising:
    - assigning a unique user identifier to each of the plurality of users; and
      
      associating the assigned user identifier with the account assigned to the user.
  - 8. The method of claim 1, further comprising:
    - assigning a unique user identifier to each of the plurality of users;
      
      associating the assigned user identifier with the account assigned to the user; and
      
      maintaining the assignment between the user identifier and the user after terminating the association between the assigned user identifier and the account.
  - 9. The method of claim 1, further comprising:
    - assigning a unique user identifier to each of the plurality of users;
      
      associating the assigned user identifier with the account assigned to the user;
      
      maintaining the assignment between the user identifier and the user after terminating the association between the assigned user identifier and the account; and
      
      associating the assigned user identifier with a new account assigned to the user.
  - 10. The method of claim 1, further comprising:
    - associating a password with each of the plurality of accounts.
  - 11. The method of claim 1 wherein the one of the plurality of users comprises an individual.
  - 12. The method of claim 1 wherein the one of the plurality of users comprises a group of individuals.
  - 13. The method of claim 1 wherein the one of the plurality of users comprises a unit defined for accounting purposes based on user function.

14. A method for automatically providing security in a computing system, the computing system having a plurality of accounts, the method comprising:
- assigning a key to one of the plurality of accounts in the computing system;
  
  obtaining a group identifier from a database based on the key; and
  
  automatically assigning a level of access privilege to the one of the plurality of accounts that corresponds to a default level of access privilege that is associated with the group identifier.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14 wherein the key corresponds to a user and the step of obtaining a group identifier from a database based on the key comprises:
    - receiving a department identifier from a human resources database, the department identifier corresponding to a department to which the user is assigned.
  - 16. The method of claim 14, further comprising:
    - periodically automatically checking the database for a change in the group identifier corresponding to the key; and
      
      updating the level of access privilege of the one of the plurality of accounts corresponding to the key based on the change in the group identifier.
  - 17. The method of claim 14 wherein the key corresponds to a user, and further comprising:
    - periodically checking a human resources database for a department identifier that corresponds to a department to which the user is assigned; and
      
      updating the level of access privilege of the one of the plurality of accounts corresponding to the key based on the change in the group identifier.
  - 18. The method of claim 14, further comprising:
    - periodically checking the database for a change in an access variable that corresponds to an access status for the key assigned to the account; and
      
      updating the access status of the one of the plurality of accounts corresponding to the key based on the change in the access variable.
  - 19. The method of claim 14, further comprising:
    - periodically automatically checking the database for an access variable that corresponds to an access status for the key assigned to the account; and
      
      reassigning the key from the one of the plurality of accounts to a holding account if the access status corresponds to a terminated condition.
  - 20. The method of claim 14 wherein the key corresponds to a user, the access status corresponds to an employment status, and further comprising:
    - periodically automatically checking a human resources database for an employment status variable that corresponds to an employment status of the user; and
      
      reassigning the key from the one of the plurality of accounts to a holding account if the employment status variable corresponds to a terminated condition.
  - 21. The method of claim 14 wherein the key corresponds to a user, the access status corresponds to a status, and her comprising:
    - periodically automatically checking a database for a access status variable that corresponds to a status of the user; and
      
      reassigning the key from the one of the plurality of accounts to a holding account if the status variable corresponds to an unassigned condition.
  - 22. The method of claim 14, further comprising:
    - associating a unique user identifier with each of the plurality of accounts.
  - 23. The method of claim 14, further comprising:
    - associating a password with each of the plurality of accounts.
  - 24. The method of claim 14 wherein the one of the plurality of accounts is associated with an individual.
  - 25. The method of claim 14 wherein the one of the plurality of accounts is associated with a group of individuals.

26. A method of providing security in a computing system accessed by a plurality of users, the computing system having a plurality of accounts, the method comprising:
- assigning each user a unique user identifier;
  
  maintaining a database associating each of the plurality of users with a respective one of the assigned user identifiers;
  
  associating the user identifier with a one of the plurality of accounts;
  
  automatically terminating the association between the user identifier and the one of the plurality of accounts when an access variable corresponding to the user to whom the user identifier is assigned is equal to a first condition;
  
  continually maintaining a relationship between the user identifier and the terminated user identifier in the database after the association between the one and user identifier has been automatically terminated; and
  
  automatically reestablishing the association between the account and the user identifier if the access variable corresponding to the user that the user identifier has been assigned to is equal to a second condition.
- View Dependent Claims (27, 28)
- - 27. The method of claim 26 wherein the step of assigning each user a unique user identifier comprises:
    - searching the database for the user; and
      
      assigning the user identifier previously assigned to the user if the user exists in the database.
  - 28. The method of claim 26 wherein the step of assigning each user a unique user identifier comprises:
    - selecting a new user identifier that is unique relative to the user identifiers in the database if the database does not contain a previously assigned user identifier for the user.

29. A method of providing security in a first computing system and a second computing system, the first computing system being accessed by a first plurality of users and the second computing system accessed by a second plurality of users, each of the users in the first and the second plurality of users being respectively identified by a user key, each of the first and the second computing systems having a plurality of accounts, the method comprising:
- assigning each of the first plurality of users a unique user identifier;
  
  automatically maintaining a database associating each of the user keys with the corresponding assigned user identifier;
  
  for each user of the first plurality of users, associating the user identifier assigned with one of the plurality of accounts on the first computing system to provide access to the first computing system; and
  
  for each user of the second plurality of users, automatically searching the database for the user key identifying the user and associating a previously assigned user identifier with an account on the second computing system if the user key exists in the database, and associating a new user identifier with the account on the second computing system if the user key does not exist in the database, to provide access to the second computing system.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37)
- - 30. The method of claim 29 wherein the user key comprises a social security number of the user.
  - 31. The method of claim 29 wherein the user key comprises a name of the user.
  - 32. The method of claim 29 wherein the step of assigning each user a unique user identifier comprises:
    - automatically maintaining the association between the user key and the assigned user identifier after the association between the user identifier and the account on the first computing system is terminated.
  - 33. The method of claim 29 wherein the step of assigning each user a unique user identifier comprises:
    - automatically maintaining the association between the user key and the assigned user identifier after the association between the user identifier and the account on the second computing system is terminated.
  - 34. The method of claim 29 wherein the step of assigning each user a unique user identifier comprises:
    - automatically maintaining the association between the user key and the assigned user identifier after the associations between the user identifier and the account on the first computing system, and between the user identifier and the account on the second computing system are terminated.
  - 35. The method of claim 34 wherein the step of assigning each user a unique user identifier further comprises:
    - searching the database for the user key;
      
      assigning the user identifier previously assigned to the user if the user exists in the database; and
      
      selecting a new user identifier that is unique relative to the user identifiers in the database if the database does not contain a previously assigned user identifier for the user key.
  - 36. The method of claim 32 wherein the step of assigning each user a unique user identifier comprises:
    - reestablishing the association between the user identifier and the account on the first computing system.
  - 37. The method of claim 33 wherein the step of assigning each user a unique user identifier comprises:
    - reestablishing the association between the user identifier and the account on the second computing system.

38. A computer-readable medium having stored therein a computer readable program used by a computing system in providing a number of different levels of access to an account on the computing system, the computer readable program comprising the steps of:
- assigning a user identifier to an account;
  
  associating the user identifier with a user;
  
  associating the user with a predefined group; and
  
  associating the predefined group with a default level of access privilege.
- View Dependent Claims (39, 40, 41)
- - 39. The computer-readable medium of claim 38, further comprising:
    - updating the level of access each time the user is associated with a different predefined group.
  - 40. The computer-readable medium of claim 38 wherein the predefined group comprises a department and associating the user with a predefined group comprises accessing a human resources relational database containing associations between a number of users and a number of departments.
  - 41. The computer-readable medium of claim 38, further comprising:
    - associating the user with an access variable corresponding to an access status; and
      
      terminating the association between the user identifier and the account when the access status is equal to a terminated condition.

42. In a computer system having at least one data center, an apparatus comprising:
- a first data structure interrelating a user identifier and a user account;
  
  a second data structure interrelating a user and the user identifier;
  
  a third data structure interrelating the user and an assigned department;
  
  a fourth data structure interrelating department and a default level of security privilege; and
  
  a computer coupled to the first, the second, the third and the fourth data structures and being programmed for assigning a default level of access privilege corresponding to the department to which the user associated with the user identifier has been assigned.

43. A method for automatically providing security in a computing system comprising a RACF database, the method comprising:
- receiving a set of account data from the RACF database into a security database, the account data comprising a user identifier and a group identifier for each of a plurality of accounts on the computing system;
  
  receiving a set of user data into the security database, the set of user data comprising a user identifier and a group identifier for each of a plurality of users on the computing system; and
  
  for at least one of the user identifiers, comparing the group identifier of the account data with the group identifier of the user data and issuing a command against the RACF database to update a group identifier in the RACF database with the group identifier of the user data when the group identifier of the account data is different from the group identifier of the user data.
- View Dependent Claims (44)
- - 44. The method of claim 43 wherein the account data further comprises an access status and wherein the user data further comprises an access status, the method further comprising:
    - for each user identifier, comparing the access status of the account data with the access status of the user data, and issuing a RACF command against the RACF database to update an access status in the RACF database with the access status of the user data when the access status of the account data is different from the access status of the user data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
MCI Communications Corporation (Verizon Communications Inc.)
Inventors
Weedon, Eleanor P., May, Nora, Myer, Daniel E., Rutherford, Jay B., Shive, Denise B., Kane, Kevin J., Kolb, Garrett K.
Primary Examiner(s)
Le, Dieu-Minh T.
Assistant Examiner(s)
Bonzo, Bryce P.

Application Number

US09/106,726
Time in Patent Office

855 Days
Field of Search

713/200, 713/201, 713/202, 707/9, 709/225, 709/229
US Class Current

726/4
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Method and apparatus for automating security functions in a computer system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automating security functions in a computer system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links