Role-based navigation of information resources
Abstract
A single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources. The information resources are stored on a protected Web server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other requests by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorizes the user to use the resource. The user is presented with a customized Web page showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources without contacting the registry server. The registry server controls a flexible, extensible, additive data model stored in a database that describes the user, the resources, roles of the user, and functional groups in the enterprise that are associated with the user.
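The flow the abstract describes, as an added example that is not part of the patent or of any product implementing it: a `Registry` stands in for the registry server and an `AccessServer` for the runtime module on the protected Web server (the abstract's separate access server is folded into it, an assumption made for brevity). The user names, roles, functional groups and resource paths are constructed sample data. The point to notice is that the customized page is built from the same cached subset that later enforces requests, so a link omitted from the page is also refused when the path is requested directly, and that after login the registry is not consulted again.

```python
"""Role-based subset computation at login, cached for later enforcement.

Added example (not the patent's code).  Users, roles, functional groups and
resource paths are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    resource_id: str
    location: str        # the protected path on the Web server
    roles: frozenset     # roles whose holders may use the resource


@dataclass
class Registry:
    """Stand-in for the registry server: users, roles, groups, resources, associations."""
    user_roles: dict = field(default_factory=dict)    # user -> set of roles held directly
    user_groups: dict = field(default_factory=dict)   # user -> set of functional groups
    group_roles: dict = field(default_factory=dict)   # functional group -> set of roles
    resources: dict = field(default_factory=dict)     # resource_id -> Resource
    lookups: int = 0                                  # how often the access server asked us

    def effective_roles(self, user):
        """Roles held directly plus roles inherited through the user's functional groups."""
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def authorized_subset(self, user):
        """The subset of resource locations the user may access."""
        self.lookups += 1
        roles = self.effective_roles(user)
        return frozenset(r.location for r in self.resources.values() if r.roles & roles)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)


class AccessServer:
    """Stand-in for the runtime module on the protected Web server."""

    def __init__(self, registry):
        self.registry = registry
        self.sessions = {}   # session token -> (user, cached subset)

    def login(self, user, token):
        """Authenticated login: fetch the subset once and keep it with the session."""
        self.sessions[token] = (user, self.registry.authorized_subset(user))

    def navigation_links(self, token):
        """The customized page: links only to resources in the cached subset."""
        _, subset = self.sessions[token]
        return sorted(subset)

    def authorize(self, token, path):
        """Resolve a later request from the cached subset alone; default deny."""
        if token not in self.sessions:
            return False
        _, subset = self.sessions[token]
        return path in subset

    def revoke(self, user):
        """Drop cached decisions for a user after the registry changed that user's roles."""
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != user}


def build_demo():
    """Constructed registry: two users, two functional groups, three resources."""
    reg = Registry()
    reg.resources = {
        "payroll": Resource("payroll", "/hr/payroll", frozenset({"hr-manager"})),
        "timesheet": Resource("timesheet", "/hr/timesheet", frozenset({"employee", "hr-manager"})),
        "ledger": Resource("ledger", "/finance/ledger", frozenset({"accountant"})),
    }
    reg.user_groups = {"alice": {"finance"}, "bob": {"hr"}}
    reg.group_roles = {"finance": {"employee", "accountant"}, "hr": {"employee"}}
    reg.user_roles = {"bob": {"hr-manager"}}
    return reg, AccessServer(reg)


if __name__ == "__main__":
    reg, srv = build_demo()
    srv.login("alice", "sess-a")
    print(srv.navigation_links("sess-a"))          # ['/finance/ledger', '/hr/timesheet']
    print(srv.authorize("sess-a", "/hr/payroll"))  # False: the hidden link is also enforced
    print(reg.lookups)                             # 1: later requests never reach the registry
```

The `lookups` counter shows the trade-off behind claim 13: every request after login is resolved from the session's cached subset. The cost is that un-assigning a role in the registry (claims 4 and 10) changes nothing for a session that is already logged in until the cached subset is dropped, which is what `revoke()` does here; a deployment needs that invalidation path or a short cache lifetime, otherwise revocation is only as prompt as the user's next login.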
30 Claims
1. In a World Wide Web computer system, a computer-implemented method of controlling access to one or more resources to which access is controlled through a Web server, the method comprising the steps of:
the Web server receiving information describing a user;
said Web server causing transmission of said information describing said user to a Web application server;
said Web application server receiving said information describing said user;
in response to receiving said information describing said user;
said Web application server identifying a subset of the one or more resources that the user is authorized to access, based on stored information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information, and said Web application server communicating information defining the subset to the Web server;
said Web server storing said information defining the subset;
communicating, to a client that is associated with the user, a Web page containing links to only those resources that the user is authorized to access, based on the user's role within an enterprise that controls the resources;
after communicating information defining the subset, said Web server receiving one or more requests from said client to access said one or more resources; and
said Web server resolving whether to grant said one or more requests based on said information defining the subset.
2. The method recited in claim 1, further comprising the steps of:
storing, in a database, information describing a role of the user, a person type of the user, and a functional group to which the user belongs within the enterprise; and
storing an association of the user to the role, person type, and functional group at the Web application server.
3. The method recited in claim 1, further comprising the steps of:
storing, in a database, information describing one or more roles and functional groups of the enterprise to which the user belongs in association with information describing the user; and
determining whether the user may access the one or more resources based on the information describing the roles and functional groups.
4. The method recited in claim 2, further comprising the steps of:
based on the association, automatically granting access to the one or more resources to all users who have the role when the association is stored; and
based on the association, automatically denying access to the one or more resources to all users who do not have the role when the association is un-assigned.
5. The method recited in claim 1, wherein the receiving step further comprises the steps of:
storing, in a database accessible by the Web application server, information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information, wherein the roles represent the work responsibilities carried out by the user in the enterprise, and wherein the access rights represent the kinds and levels of access privileges that are held by the user in the enterprise.
6. The method recited in claim 2, in which the step of storing information describing a functional group further comprises the steps of storing, in the database, information identifying a department of the enterprise in which persons work who have the role associated with the user.
7. The method recited in claim 1, further comprising the steps of storing, in a database accessible by the Web application server, information defining the one or more resources including a resource identifier value, a location value, and a list of protected resources.
8. The method recited in claim 7, further comprising the steps of storing, in the database, an association of each resource to one or more of the roles.
9. The method recited in claim 7, further comprising the steps of assigning, by storing in the database, an association of a resource to one or more of the roles, and un-assigning the one or more resources from the roles.
10. The method recited in claim 1, further comprising the steps of:
based on the association, automatically granting access to the one or more resources to all users who have the role when the one or more resources is assigned to that role; and
based on the association, automatically denying access to the one or more resources to all users who have the role when the association is un-assigned from that role.
11. The method recited in claim 1, further comprising the steps of:
communicating, from the Web server to the client, information describing a customized display that identifies only those resources that the user may access.
12. A method of controlling access to Web documents that are stored on a protected Web access server, the method comprising the steps of:
said Web access server receiving information identifying a user;
said Web access server causing transmission of said information describing said user to a registry server;
in response to receiving said information describing said user;
said registry server identifying a subset of the Web documents that the user is authorized to access, based on stored information describing the Web documents, one or more roles, one or more functional groups, and one or more access rights of the user that are stored in association with user identifying information, and said registry server communicating information defining the subset to the Web access server;
communicating, to a client that is associated with the user, a Web page containing links to only those Web documents that the user is authorized to access, based on the user's role within an enterprise that controls the Web documents;
after communicating information defining the subset, said Web access server receiving one or more requests from said client to access said subset of Web documents; and
said Web server resolving whether to grant said one or more requests based on said information defining the subset.
13. The method recited in claim 12, further comprising the steps of:
resolving requests from the client to access one of the Web documents based on information stored in the Web access server and without contacting the registry server.
14. The method recited in claim 12, further comprising the steps of including a link to a resource in the Web page that is communicated to the client only when the roles associated with the user satisfy an access rule.
15. The method recited in claim 14, further comprising the steps of storing, in a database, information that defines the access rule, associated with the user, as a Boolean expression that includes one or more roles.
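Claim 15 stores the access rule as a Boolean expression over roles, and claim 14 includes a link only when the user's roles satisfy such a rule. The evaluator below is an added example, not the patent's code; the rule syntax (role names, the operators NOT, AND, OR in that precedence order, and parentheses) is an assumption, as are the sample rules and role sets. Because the rule text comes out of a database, it is parsed with a fixed grammar and a recursive-descent evaluator rather than handed to `eval()`, and a malformed rule raises an error instead of being treated as a permit.

```python
"""Evaluate a stored Boolean access rule over a user's roles.

Added example (not the patent's code).  Rule grammar is an assumption:
    expr := term ('OR' term)*     term := factor ('AND' factor)*
    factor := 'NOT' factor | '(' expr ')' | ROLE
Keywords are case-sensitive; anything else that looks like a word is a role name.
"""
import re

_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_\-]*)")
_KEYWORDS = {"AND", "OR", "NOT", "(", ")"}


def tokenize(rule):
    """Split a rule into parentheses and words; reject any other character."""
    tokens, pos = [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad character at {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens, roles):
        self.tokens, self.roles, self.i = tokens, roles, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "OR":
            self.take()
            rhs = self.parse_and()      # always parse the right side, even if already true
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "AND":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in _KEYWORDS:
            raise ValueError(f"expected a role name, got {tok!r}")
        return tok in self.roles


def evaluate(rule, roles):
    """True if the role set satisfies the rule; ValueError for a malformed rule."""
    parser = _Parser(tokenize(rule.strip()), frozenset(roles))
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return bool(result)


def is_malformed(rule):
    """True if the rule text does not parse (used to reject bad rules at storage time)."""
    try:
        evaluate(rule, ())
    except ValueError:
        return True
    return False


def page_links(rules, roles):
    """Links to include in the user's page: each path whose rule the roles satisfy."""
    return [path for path, rule in rules.items() if evaluate(rule, roles)]


SAMPLE_RULES = {   # constructed sample data: path -> stored access rule
    "/hr/payroll": "hr-manager AND NOT contractor",
    "/hr/timesheet": "employee OR hr-manager",
    "/finance/ledger": "(accountant OR controller) AND NOT contractor",
}

if __name__ == "__main__":
    print(page_links(SAMPLE_RULES, {"employee", "accountant"}))   # ['/hr/timesheet', '/finance/ledger']
```

`page_links()` is the claim 14 step: a link appears only when the resource's rule is satisfied by the user's roles. The same evaluator should be the one consulted when the request for that path arrives, so that the page and the enforcement cannot disagree; validating rules with `is_malformed()` when they are written to the database keeps a typo in a rule from surfacing as a runtime error at login.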
16. A computer-readable medium carrying one or more sequences of instructions for controlling access to one or more resources to which access is controlled through a Web server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
the Web server receiving information describing a user;
said Web server causing transmission of said information describing said user to a Web application server;
said Web application server receiving said information describing said user;
in response to receiving said information describing said user;
said Web application server identifying a subset of the one or more resources that the user is authorized to access, based on stored information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information, and said Web application server communicating information defining the subset to the Web server;
said Web server storing said information defining the subset;
communicating, to a client that is associated with the user, a Web page containing links to only those resources that the user is authorized to access, based on the user's role within an enterprise that controls the resources;
after communicating information defining the subset, said Web server receiving one or more requests from said client to access said one or more resources; and
said Web server resolving whether to grant said one or more requests based on said information defining the subset.
17. The computer-readable medium recited in claim 16, the steps further comprising:
storing, in a database, information describing a role of the user, a person type of the user, and a functional group to which the user belongs within the enterprise; and
storing an association of the user to the role, person type, and functional group at the Web application server.
18. The computer-readable medium recited in claim 16, the steps further comprising:
storing, in a database, information describing one or more roles and functional groups of the enterprise to which the user belongs in association with information describing the user; and
determining whether the user may access the one or more resources based on the information describing the roles and functional groups.
19. The computer-readable medium recited in claim 17, the steps further comprising:
based on the association, automatically granting access to the one or more resources to all users who have the role when the association is stored; and
based on the association, automatically denying access to the one or more resources to all users who do not have the role when the association is un-assigned.
20. The computer-readable medium recited in claim 16, wherein the receiving step further comprises the steps of:
storing, in a database accessible by the Web application server, information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information, wherein the roles represent the work responsibilities carried out by the user in the enterprise, and wherein the access rights represent the kinds and levels of access privileges that are held by the user in the enterprise.
21. The computer-readable medium recited in claim 17, in which the step of storing information describing a functional group further comprises the steps of storing, in the database, information identifying a department of the enterprise in which persons work who have the role associated with the user.
22. The computer-readable medium recited in claim 16, the steps further comprising:
storing, in a database accessible by the Web application server, information defining the one or more resources including a resource identifier value, a location value, and a list of protected resources.
23. The computer-readable medium recited in claim 22, the steps further comprising:
storing, in the database, an association of each resource to one or more of the roles.
24. The computer-readable medium recited in claim 22, the steps further comprising:
assigning, by storing in the database, an association of a resource to one or more of the roles, and un-assigning the one or more resources from the roles.
25. The computer-readable medium recited in claim 16, the steps further comprising:
based on the association, automatically granting access to the one or more resources to all users who have the role when the one or more resources is assigned to that role; and
based on the association, automatically denying access to the one or more resources to all users who have the role when the association is un-assigned from that role.
26. The computer-readable medium recited in claim 16, the steps further comprising:
communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.
27. A computer-readable medium carrying one or more sequences of instructions for controlling access to Web documents that are stored on a protected Web access server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
said Web access server receiving information identifying a user;
said Web access server causing transmission of said information describing said user to a registry server;
in response to receiving said information describing said user;
said registry server identifying a subset of the Web documents that the user is authorized to access, based on stored information describing the Web documents, one or more roles, one or more functional groups, and one or more access rights of the user that are stored in association with user identifying information, and said registry server communicating information defining the subset to the Web access server;
communicating, to a client that is associated with the user, a Web page containing links to only those Web documents that the user is authorized to access, based on the user's role within an enterprise that controls the Web documents;
after communicating information defining the subset, said Web access server receiving one or more requests from said client to access said subset of Web documents; and
said Web server resolving whether to grant said one or more requests based on said information defining the subset.