Network system and method for limiting the execution of commands
Abstract
In an issuing subsystem is stored a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group. As an operator enters a command, the issuing subsystem references the first set of authorization data, judges whether or not the operator is to be authorized to execute the command and, if it is judged that he or she is to be authorized, augments the command with information identifying the group to which the operator belongs, the augmented command being transmitted to an executing subsystem. The executing subsystem stores a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group. The executing subsystem, upon receiving a transaction command from the issuing subsystem, references the second set of authorization data, judges whether or not the command is to be authorized for execution in response to the request from the group whose command is augmented with identifying information and, if it is judged that it is to be authorized, executes the command.
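The two-stage check described in the abstract, together with the data-access and unauthorized-operator variants of claims 2 and 3, as an added Python example (not code from the patent). All class, function and policy names are hypothetical, and the sample policy is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    """Augmented command sent from the issuing to the executing system."""
    command: str
    group: str                        # group tag added by the issuing system
    target: Optional[str] = None      # data the command accesses (claim 2)
    operator: Optional[str] = None    # operator tag, claim 3 variant only

class IssuingSystem:
    def __init__(self, operator_group, group_commands, send_operator=False):
        self.operator_group = operator_group    # operator -> group
        self.group_commands = group_commands    # group -> authorized commands
        self.send_operator = send_operator

    def issue(self, operator, command, target=None):
        """First authorization: return the augmented Request, or None."""
        group = self.operator_group.get(operator)
        if group is None or command not in self.group_commands.get(group, set()):
            return None
        return Request(command, group, target,
                       operator if self.send_operator else None)

class ExecutingSystem:
    def __init__(self, group_commands, group_data=None, denied=None):
        self.group_commands = group_commands    # group -> authorized commands
        self.group_data = group_data or {}      # group -> accessible data
        self.denied = denied or {}              # command -> unauthorized operators

    def authorize(self, req):
        """Second authorization, decided only from the tags on the request.
        Assumption: the link is authenticated, so the tags can be trusted."""
        if req.command not in self.group_commands.get(req.group, set()):
            return False
        if req.target is not None and req.target not in self.group_data.get(req.group, set()):
            return False
        if req.operator is not None and req.operator in self.denied.get(req.command, set()):
            return False
        return True

def run(issuer, executor, operator, command, target=None):
    req = issuer.issue(operator, command, target)
    if req is None:
        return "refused by issuing system"
    if not executor.authorize(req):
        return "refused by executing system"
    return f"executed {command} for group {req.group}"

# Constructed sample policy: the two systems hold separate authorization data.
ISSUER = IssuingSystem(
    {"alice": "tellers", "bob": "tellers", "carol": "auditors"},
    {"tellers": {"transfer", "balance"}, "auditors": {"balance", "export"}},
    send_operator=True)
EXECUTOR = ExecutingSystem(
    {"tellers": {"transfer", "balance"}, "auditors": {"balance"}},
    {"tellers": {"acct-100"}, "auditors": {"acct-100", "acct-200"}},
    {"transfer": {"bob"}})
```

With `send_operator=False` the request carries only the group tag, as in claims 5, 10, 18 and 23, and the unauthorized-operator list on the executing system cannot be applied.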
49 Citations
23 Claims
1. A network system including a first computer system, a second computer system, and communication lines to connect said first and second computer systems,
said first computer system comprising:
a first memory for storing a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
a first authorization unit for referencing, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and judging whether or not the operator is to be authorized to execute the command; and
a first execution unit for augmenting, if said first authorization unit judges that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and transmitting the augmented command to said second computer system as a request from the group to execute the command; and
said second computer system comprising;
a second memory for storing a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
a second authorization unit for referencing, when the command is received from said first computer system, said second set of authorization data and judging whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
a second execution unit for executing the command, if said second authorization unit judges that the command is to be authorized for execution, in response to the execution request from the group.
2. A network system, as claimed in claim 1, wherein:
said second set of authorization data further includes information on matching between a group and data to which access is to be authorized in response to the execution request from the group;
said second authorization unit references said second set of authorization data and judges whether or not the data to be accessed by the command are to be allowed access to in response to the request from the group whose command is augmented with identifying information; and
said second execution unit, if said second authorization unit judges that the data may be allowed access to in response to the request from the group, executes the command.
3. A network system, as claimed in claim 1, wherein:
said first execution unit further augments the command with operator identifying information and transmits it to said second computer system;
said second memory further stores a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands;
said second authorization unit refers to said list of unauthorized operators and judges whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
said second execution unit, if said second authorization unit judges that the operator is not to be authorized to execute the command, does not execute the command.
4. A network system, as claimed in claim 1, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
5. A network system, as claimed in claim 4, wherein the identifying information augmented with the command, as received by the second authorization unit, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.
6. A method to limit the execution of commands, comprising:
a first registration step to register with a first computer system a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
a second registration step to register with a second computer system a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
a first authorization step to reference, when a command to be executed by said second computer system is entered by an operator into said first computer system, the first set of authorization data and to judge whether or not the operator is to be authorized to execute the command; and
a first execution step to augment, if it is judged at said first authorization step that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command from said first computer system to said second computer system as a request from the group to execute the command; and
a second authorization step to reference, when said second computer system receives said command from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
a second execution step to have the command executed by said second computer system, if it is judged at said second authorization step that the command is to be authorized for execution, in response to the execution request from the group.
7. A method, as claimed in claim 6, wherein:
said second set of authorization data further includes information on matching between a group and data to which access is to be authorized in response to the execution request from the group;
at said second authorization step it is judged whether or not the data to be accessed by the command are to be allowed access to in response to the request from the group whose command is augmented with identifying information; and
at said second execution step, if it is judged at said second authorization step that the data may be allowed access to in response to the request from the group, the command is executed.
8. A method, as claimed in claim 6, wherein:
at said first execution step, the command is further augmented with operator identifying information and transmitted to the second computer system;
at said second registration step, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
at said second authorization step, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
at said second execution step, if it is judged at said second authorization step that the operator is not to be authorized to execute the command, the command is not executed.
9. A method, as claimed in claim 6, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
10. A method, as claimed in claim 9, wherein the identifying information augmented with the command, as received in the second authorization step, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.
11. A storage medium recording thereon a program enabling:
a first computer system to execute first registration processing to register a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group;
a second computer system to execute second registration processing to register a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
said first computer system to execute first authorization processing to reference, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and to judge whether or not the operator is to be authorized to execute the command;
said first computer system to execute first execution processing to augment, if it is judged by said first authorization processing that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command to said second computer system as a request from the group to execute the command;
said second computer system to execute second authorization processing to reference, when the command is received from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
said second computer system to execute second execution processing to execute the command, if it is judged at said second authorization processing that the command is to be authorized for execution, in response to the execution request from the group.
12. A storage medium, as claimed in claim 11, wherein:
said second set of authorization data further includes information on matching between a group and data to which access is to be authorized in response to the execution request from the group;
by said second authorization processing it is judged whether or not the data to be accessed by the command are to be allowed access to in response to the request from the group whose command is augmented with identifying information; and
by said second execution processing, if it is judged by said second authorization processing that the data may be allowed access to in response to the request from the group, the command is executed.
13. A storage medium, as claimed in claim 11, wherein:
in said first execution processing, the command is further augmented with operator identifying information and transmitted to said second computer system;
in said second registration processing, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
in said second authorization processing, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
in said second execution processing, if it is judged by said second authorization processing that the operator is not to be authorized to execute the command, the command is not executed.
14. A group of storage media wherein said program, as claimed in claim 11, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
15. A group of storage media wherein said program, as claimed in claim 12, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
16. A group of storage media wherein said program, as claimed in claim 13, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
17. A storage medium, as claimed in claim 11, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
18. A storage medium, as claimed in claim 17, wherein the identifying information augmented with the command, as received by the second computer system and as processed by the second authorization processing, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.
19. A program embodied in electric signals, said program enabling:
a first computer system to execute first registration processing to register a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group;
a second computer system to execute second registration processing to register a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
said first computer system to execute first authorization processing to reference, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and to judge whether or not the operator is to be authorized to execute the command;
said first computer system to execute first execution processing to augment, if it is judged by said first authorization processing that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command to said second computer system as a request from the group to execute the command;
said second computer system to execute second authorization processing to reference, when the command is received from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
said second computer system to execute second execution processing to execute the command, if it is judged by said second authorization processing that the command is to be authorized for execution, in response to the execution request from the group.
20. A program, as claimed in claim 19, wherein:
said second set of authorization data further includes information on matching between a group and data to which access is to be authorized in response to the execution request from the group;
by said second authorization processing it is judged whether or not the data to be accessed by the command are to be allowed access to in response to the request from the group whose command is augmented with identifying information; and
by said second execution processing, if it is judged by said second authorization processing that the data may be allowed access to in response to the request from the group, the command is executed.
21. A program, as claimed in claim 19, wherein:
in said first execution processing, the command is further augmented with operator identifying information and transmitted to said second computer system;
in said second registration processing, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
in said second authorization processing, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
in said second execution processing, if it is judged by said second authorization processing that the operator is not to be authorized to execute the command, the command is not executed.
22. A program, as claimed in claim 19, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
23. A program, as claimed in claim 22, wherein the identifying information augmented with the command, as received by the second computer system, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.
Specification