Distributed access management of information resources
Abstract
Using a method for controlling access to information resources, a single secure sign-on gives the user access to authorized resources, based on the user's role in the organization. The information resources are stored on a protected server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other requests by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorizes the user to use the resource. The access server passes encrypted tokens that define the user's roles and authorization rights to the browser or client, which stores the tokens in memory. The user is presented with a customized display showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources based on the tokens without contacting the registry server.
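The flow the abstract describes, as an added example that is not part of the patent or of any product built on it: a registry server holding the user, role and resource associations, an access server that authenticates the user, consults the registry once and mints a token carrying the user's roles and authorized subset, and a runtime module on the protected server that resolves every later request from the token alone. The class names, sample users, resources, salt and key handling are assumptions of this example. The token is HMAC-SHA256 signed rather than encrypted, since the property the runtime module depends on is that the client cannot alter the roles or subset it caches, and a signed token makes that check explicit. The expiry field is the caveat this design needs: once the token is issued the registry is no longer consulted, so a role revoked there stays usable until the token expires.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Registry contents are constructed sample data for this example, not from the patent.
DEMO_SALT = b"demo-salt"  # a real registry keeps a random salt per user

def pw_hash(password: bytes, salt: bytes = DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

REGISTRY = {
    "users": {
        "alice": {"pw": pw_hash(b"correct horse"), "roles": {"engineer", "oncall"}},
        "bob": {"pw": pw_hash(b"battery staple"), "roles": {"finance"}},
    },
    # role -> resources that role may use (the "associations among them")
    "role_resources": {
        "engineer": {"/repo", "/ci"},
        "oncall": {"/pager", "/runbooks"},
        "finance": {"/ledger"},
    },
}

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class RegistryServer:
    """Third tier: the only place user, role and resource associations live."""
    def __init__(self, data):
        self.data = data
    def profile(self, user):
        return self.data["users"].get(user)
    def resources_for(self, roles):
        return set().union(*(self.data["role_resources"].get(r, set()) for r in roles))

class AccessServer:
    """Second tier: authenticates, consults the registry once, mints the token."""
    def __init__(self, registry, key: bytes, ttl: int = 300):
        self.registry, self.key, self.ttl = registry, key, ttl
    def login(self, user: str, password: bytes, now=None):
        prof = self.registry.profile(user)
        if prof is None or not hmac.compare_digest(prof["pw"], pw_hash(password)):
            return None  # not authentic
        payload = {
            "sub": user,
            "roles": sorted(prof["roles"]),
            "subset": sorted(self.registry.resources_for(prof["roles"])),
            "exp": int((time.time() if now is None else now) + self.ttl),
        }
        body = b64e(json.dumps(payload, separators=(",", ":")).encode())
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64e(tag)

class RuntimeModule:
    """First tier: intercepts each request and resolves it from the token alone."""
    def __init__(self, key: bytes):
        self.key = key
    def verify(self, token: str, now=None):
        try:
            body, tag = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64d(tag)):
                return None  # signature mismatch: forged or altered by the client
            payload = json.loads(b64d(body))
            expired = payload["exp"] <= (time.time() if now is None else now)
        except (ValueError, TypeError, KeyError):
            return None  # malformed token
        # Expired tokens are refused: the registry is never re-consulted, so the TTL
        # bounds how long a role revoked at the registry keeps working here.
        return None if expired else payload
    def resolve(self, token: str, resource: str, now=None) -> bool:
        payload = self.verify(token, now)
        return payload is not None and resource in payload.get("subset", [])

def client_tampers(token: str, extra_resource: str) -> str:
    """What a dishonest client might try: extend the cached subset, keep the old tag."""
    body, tag = token.split(".")
    payload = json.loads(b64d(body))
    payload["subset"].append(extra_resource)
    return b64e(json.dumps(payload, separators=(",", ":")).encode()) + "." + tag

DEMO_KEY = os.urandom(32)  # shared by the access server and the runtime module

if __name__ == "__main__":
    access, runtime = AccessServer(RegistryServer(REGISTRY), DEMO_KEY), RuntimeModule(DEMO_KEY)
    tok = access.login("alice", b"correct horse")
    print(runtime.resolve(tok, "/repo"), runtime.resolve(tok, "/ledger"))  # True False
    print(runtime.resolve(client_tampers(tok, "/ledger"), "/ledger"))  # False
```

The `now` parameters exist only so the expiry path can be exercised deterministically; in use the access server and runtime module take the wall clock. Note that the runtime module never receives the user's roles from the client in the clear: it trusts the roles and subset only after the tag over the body verifies under the shared key, which is why `client_tampers` is rejected even though its payload is well-formed.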
34 Claims
1. A method of controlling access to one or more information resources stored on a first server, the method comprising the steps of:
receiving information describing a user at the first server;
identifying, at a second server coupled to the first server, a subset of the resources that the user is authorized to access, based on one or more roles that are stored in association with user identifying information;
communicating information defining the subset to the first server;
storing first information defining the subset, and second information defining the roles, in one or more tokens;
communicating the one or more tokens to a client that is associated with the user; and
thereafter resolving requests to use the resources at the first server by performing, for each request of said requests to use the resources at the first server, one or more steps that include examining one or more copies of said one or more tokens.

2. The method recited in claim 1, further comprising the steps of:
defining a role of the user; and
storing an association of the user to the role at the second server.
3. The method recited in claim 1, further comprising the steps of:
defining one or more roles and functional groups of an organization to which the user belongs;
storing information describing the roles and functional groups in association with information describing the user; and
determining whether the user may access the resource based on the information describing the roles and functional groups.

4. The method recited in claim 1, in which the identifying step further comprises the steps of:
connecting the first server to the second server, in which the second server stores information describing the user, one or more roles, one or more functional groups, the resources, and associations among them; and
communicating a request for a profile of the user from the first server to the second server.
5. The method recited in claim 1, wherein the receiving step further comprises the step of:
receiving the information describing the user at a runtime module on the first server that also intercepts requests to access the resource.

6. The method recited in claim 1, in which the step of identifying further comprises the step of determining whether the user is authentic.

7. The method recited in claim 1, in which the step of identifying further comprises the step of communicating encrypted information between the first server and the second server describing resources that the user is authorized to use.

8. The method recited in claim 7, in which the step of communicating further comprises the step of passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the first server.

9. The method recited in claim 7, in which the step of communicating further comprises the steps of:
passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the client; and
storing the tokens in a memory of the client.
10. The method recited in claim 1, further comprising the step of:
communicating, from the first server to the client, a customized display identifying only those resources that the user may access, whereby a single secure sign-on gives a user access to one or more of the resources.

11. The method recited in claim 1, further comprising the step of:
communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.

15. The method recited in claim 1, further comprising the step of granting access to the resource only when the roles associated with the user satisfy an access rule.

16. The method recited in claim 15, further comprising the step of defining the access rule, associated with the user, as a Boolean expression that includes one or more roles.
12. A method of controlling access to one or more information resources stored on a protected server, the method comprising the steps of:
receiving, at the protected server, login information describing a user who desires to access one of the resources;
determining that the user is authentic and permitted to access one of the resources;
identifying, at a second server coupled to the protected server, a subset of the resources that the user is authorized to access, based on at least one role that is stored in association with user information;
communicating information defining the subset to the protected server;
storing first information defining the subset, and second information defining the roles, in one or more tokens;
communicating the one or more tokens to a client that is associated with the user; and
thereafter resolving requests to use the resources at the protected server based on the one or more tokens by performing, for each request of said requests to use the resources at the protected server, one or more steps that include examining one or more copies of said one or more tokens, whereby a single secure sign-on gives the user access to the one of the resources.

13. The method recited in claim 12, further comprising the steps of:
receiving a request from the client to access one of the resources;
determining, based on the one or more tokens, whether the client is authorized to use the one of the resources; and
granting access to the one of the resources to the client.

14. The method recited in claim 12, further comprising the step of intercepting the request from the client at a runtime module of the protected server.
17. An apparatus for controlling access to an information resource, comprising:
a first server at which the information resource is stored and having an element that intercepts a request of a client to use the information resource;
a second server, coupled to the first server, having an element that generates a customized access menu in response to the request, and an element that determines whether the client is authentic and may access the resource; and
a third server, coupled to the second server, having a data store that defines at least one role of the user and that defines whether the user may use the resource based on the role.

18. The apparatus recited in claim 17, further comprising:
a plurality of information resources stored in the first server;
one or more tokens that store first information defining a subset of the plurality of information resources that the user may access, and second information defining the at least one role;
means for communicating the one or more tokens to a client that is associated with the user; and
means for resolving requests to use the information resources at the first server by performing, for each request of said requests to use the information resources, one or more steps that include examining one or more copies of said one or more tokens.
19. A computer-readable medium carrying one or more sequences of instructions for controlling access to information resources, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
receiving information describing a user at the first server;
identifying, at a second server coupled to the first server, a subset of the resources that the user is authorized to access, based on one or more roles that are stored in association with user identifying information;
communicating information defining the subset to the first server;
storing first information defining the subset, and second information defining the roles, in one or more tokens;
communicating the tokens to a client that is associated with the user; and
thereafter resolving requests to use the resources at the first server based on the tokens.

20. The computer-readable media recited in claim 19, further comprising sequences of instructions for performing the steps of:
defining a role of the user; and
storing an association of the user to the role at the second server.
23. The computer-readable media recited in claim 19, further comprising sequences of instructions for performing the steps of:
defining one or more roles and functional groups of an organization to which the user belongs;
storing information describing the roles and functional groups in association with information describing the user; and
determining whether the user may access the resource based on the information describing the roles and functional groups.

24. The computer-readable media recited in claim 19, in which the identifying step further comprises the steps of:
connecting the first server to the second server, in which the second server stores information describing the user, one or more roles, one or more functional groups, the resources, and associations among them; and
communicating a request for a profile of the user from the first server to the second server.
25. The computer-readable media recited in claim 19, wherein the receiving step further comprises the step of:
receiving the information describing the user at a runtime module on the first server that also intercepts requests to access the resource.

26. The computer-readable media recited in claim 19, in which the step of identifying further comprises the step of determining whether the user is authentic.

27. The computer-readable media recited in claim 19, in which the step of identifying further comprises the step of communicating encrypted information between the first server and the second server describing resources that the user is authorized to use.

28. The computer-readable media recited in claim 27, in which the step of communicating further comprises the step of passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the first server.

29. The computer-readable media recited in claim 27, in which the step of communicating further comprises the steps of:
passing one or more encrypted tokens that define the user's roles and authorization rights from the second server to the client; and
storing the tokens in a memory of the client.
30. The computer-readable media recited in claim 19, further comprising sequences of instructions for performing the step of:
communicating, from the first server to the client, a customized display identifying only those resources that the user may access, whereby a single secure sign-on gives a user access to one or more of the resources.

31. The computer-readable media recited in claim 19, further comprising sequences of instructions for performing the step of:
communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.
32. A computer-readable medium carrying one or more sequences of instructions for controlling access to one or more information resources stored on a protected server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
receiving, at the protected server, login information describing a user who desires to access one of the resources;
determining that the user is authentic and permitted to access one of the resources;
identifying, at a second server coupled to the protected server, a subset of the resources that the user is authorized to access, based on at least one role that is stored in association with user information;
communicating information defining the subset to the protected server;
storing first information defining the subset, and second information defining the roles, in one or more tokens;
communicating the one or more tokens to a client that is associated with the user; and
thereafter resolving requests to use the resources at the protected server based on the one or more tokens by performing, for each request of said requests to use the information resources, one or more steps that include examining one or more copies of said one or more tokens, whereby a single secure sign-on gives the user access to the one of the resources.

33. The computer-readable media recited in claim 32, further comprising sequences of instructions for performing the steps of:
receiving a request from the client to access one of the resources;
determining, based on the one or more tokens, whether the client is authorized to use the one of the resources; and
granting access to the one of the resources to the client.

34. The computer-readable media recited in claim 32, further comprising sequences of instructions for performing the step of intercepting the request from the client at a runtime module of the protected server.
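Claims 15 and 16 grant access only when the user's roles satisfy an access rule expressed as a Boolean expression over roles, and claim 1's identifying step computes the subset of resources a user may access from such associations. As an added example that is not part of the patent, the following parser and evaluator accept rules such as `finance and (manager or auditor)` and derive the authorized subset from a resource-to-rule table. The grammar, keywords, role names and sample rules are this example's assumptions. The failure mode a practitioner should care about is handled explicitly: a rule that does not parse raises, and is never treated as satisfied.

```python
import re

# A rule is a Boolean expression over role names: and / or / not and parentheses,
# with "and" binding tighter than "or". The grammar and keywords are this example's choice.
TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z_][\w-]*)")

def tokenize(rule: str) -> list:
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"unexpected character at {pos}: {rule[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

class RuleParser:
    """expr := term ('or' term)*   term := factor ('and' factor)*
    factor := 'not' factor | '(' expr ')' | ROLE"""
    def __init__(self, rule: str):
        self.toks, self.i = tokenize(rule), 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self) -> str:
        tok = self.toks[self.i]
        self.i += 1
        return tok
    def parse(self):
        ast = self.expr()  # raises on an empty rule, since factor() finds no token
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return ast
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("rule ends where a role was expected")
        if tok == "not":
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.take()
            return node
        if tok in ("and", "or", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("role", self.take())

def parse_rule(rule: str):
    return RuleParser(rule).parse()

def is_valid_rule(rule: str) -> bool:
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False

def evaluate(ast, roles) -> bool:
    kind = ast[0]
    if kind == "role":
        return ast[1] in roles
    if kind == "not":
        return not evaluate(ast[1], roles)
    if kind == "and":
        return evaluate(ast[1], roles) and evaluate(ast[2], roles)
    return evaluate(ast[1], roles) or evaluate(ast[2], roles)

def authorized_subset(roles, rules) -> set:
    """Claim 1's identifying step: every resource whose rule the roles satisfy.
    Rules are all parsed first, so a malformed rule aborts the grant instead of
    being skipped or treated as satisfied."""
    compiled = {res: parse_rule(text) for res, text in rules.items()}
    return {res for res, ast in compiled.items() if evaluate(ast, roles)}

# Constructed sample rules for this example, not from the patent.
RULES = {
    "/ledger": "finance and (manager or auditor)",
    "/repo": "engineer",
    "/prod-deploy": "engineer and oncall and not contractor",
    "/directory": "employee or contractor",
}

if __name__ == "__main__":
    print(sorted(authorized_subset({"engineer", "oncall", "employee"}, RULES)))
```

Role names are matched case-sensitively while the keywords are not, so a role literally named `and`, `or` or `not` cannot be expressed; a registry that allows arbitrary role names would need quoting in the grammar. Parsing every rule before evaluating any of them keeps a typo in one resource's rule from producing a partial grant that looks like a legitimate narrower subset.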