Network system and method for limiting the execution of commands

US 6,574,656 B1
Filed: 10/19/1999
Issued: 06/03/2003
Est. Priority Date: 10/19/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A network system including a first computer system, a second computer system, and communication lines to connect said first and second computer systems,said first computer system comprising:

a first memory for storing a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;

a first authorization unit for referencing, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and judging whether or not the operator is to be authorized to execute the command; and

a first execution unit for augmenting, if said first authorization unit judges that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and transmitting the augmented command to said second computer system as a request from the group to execute the command; and

said second computer system comprising;

a second memory for storing a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;

a second authorization unit for referencing, when the command is received from said first computer system, said second set of authorization data and judging whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and

a second execution unit for executing the command, if said second authorization unit judges that the command is to be authorized for execution, in response to the execution request from the group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an issuing subsystem is stored a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group. As an operator enters a command, the issuing subsystem references the first set of authorization data, judges whether or not the operator is to be authorized to execute the command and, if it is judged that he or she is to be authorized, augments the command with information identifying the group to which the operator belongs, the augmented command being transmitted to an executing subsystem. The executing subsystem stores a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group. The executing subsystem, upon receiving a transaction command from the issuing subsystem, references the second set of authorization data, judges whether or not the command is to be authorized for execution in response to the request from the group whose command is augmented with identifying information and, if it is judged that it is to be authorized, executes the command.

49 Citations

View as Search Results

23 Claims

1. A network system including a first computer system, a second computer system, and communication lines to connect said first and second computer systems,said first computer system comprising:
- a first memory for storing a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
  
  a first authorization unit for referencing, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and judging whether or not the operator is to be authorized to execute the command; and
  
  a first execution unit for augmenting, if said first authorization unit judges that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and transmitting the augmented command to said second computer system as a request from the group to execute the command; and
  
  said second computer system comprising;
  
  a second memory for storing a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
  
  a second authorization unit for referencing, when the command is received from said first computer system, said second set of authorization data and judging whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
  
  a second execution unit for executing the command, if said second authorization unit judges that the command is to be authorized for execution, in response to the execution request from the group.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A network system, as claimed in claim 1, wherein:
3. A network system, as claimed in claim 1, wherein:
- said first execution unit further augments the command with operator identifying information and transmits it to said second computer system;
  
  said second memory further stores a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands;
  
  said second authorization unit refers to said list of unauthorized operators and judges whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
  
  said second execution unit, if said second authorization unit judges that the operator is not be authorized to execute the command, does not execute the command.
4. A network system, as claimed in claim 1, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
5. A network system, as claimed in claim 4, wherein the identifying information augmented with the command, as received by the second authorization unit, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.

6. A method to limit the execution of commands, comprising:
- a first registration step to register with a first computer system a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group to execute;
  
  a second registration step to register with a second computer system a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
  
  a first authorization step to reference, when a command to be executed by said second computer system is entered by an operator into said first computer system, the first set of authorization data and to judge whether or not the operator is to be authorized to execute the command; and
  
  a first execution step to augment, if it is judged at said first authorization step that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command from said first computer system to said second computer system as a request from the group to execute the command; and
  
  a second authorization step to reference, when said second computer system receives said command is received from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
  
  a second execution step to have the command executed by said second computer system, if it is judged at said second authorization step that the command is to be authorized for execution, in response to the execution request from the group.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A method, as claimed in claim 6, wherein:
8. A method, as claimed in claim 6, wherein:
- at said first execution step, the command is further augmented with operator identifying information and transmitted to the second computer system;
  
  at said second registration step, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
  
  at said second authorization step, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
  
  at said second execution step, if it is judged at said second authorization step that the operator is not be authorized to execute the command, the command is not executed.
9. A method, as claimed in claim 6, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
10. A method, as claimed in claim 9, wherein the identifying information augmented with the command, as received in the second authorization step, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.

11. A storage medium recording thereon a program enabling:
- a first computer system to execute first registration processing to register a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group;
  
  a second computer system to execute second registration processing to register a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
  
  said first computer system to execute first authorization processing to reference, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and to judge whether or not the operator is to be authorized to execute the command;
  
  said first computer system to execute first execution processing to augment, if it is judged by said first authorization processing that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command to said second computer system as a request from the group to execute the command;
  
  said second computer system to execute second authorization processing to reference, when the command is received from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
  
  said second computer system to execute second execution processing to execute the command, if it is judged at said second authorization processing that the command is to be authorized for execution, in response to the execution request from the group.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. A storage medium, as claimed in claim 11, wherein:
13. A storage medium, as claimed in claim 11, wherein:
- in said first execution processing, the command is further augmented with operator identifying information and transmitted to said second computer system;
  
  in said second registration processing, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
  
  in said second authorization processing, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
  
  in said second execution processing, if it is judged by said second authorization processing that the operator is not be authorized to execute the command, the command is not executed.
14. A group of storage media wherein said program, as claimed in claim 11, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
15. A group of storage media wherein said program, as claimed in claim 12, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
16. A group of storage media wherein said program, as claimed in claim 13, is divided into a plurality of portions, each of which is recorded on one of the plurality of recording media.
17. A storage medium, as claimed in claim 11, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
18. A storage medium, as claimed in claim 17, wherein the identifying information augmented with the command, as received by the second computer system and as processed by the second authorization processing, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.

19. A program embodied in electric signals, said program enabling:
- a first computer system to execute first registration processing to register a first set of authorization data including information on matching between an operator and a group the operator belongs to, and information on matching between a group and commands authorized for operators belonging to the group;
  
  a second computer system to execute second registration processing to register a second set of authorization data including information on matching between a group and commands authorized for execution in response to an execution request from the group;
  
  said first computer system to execute first authorization processing to reference, when a command to be executed by said second computer system is entered by an operator, said first set of authorization data and to judge whether or not the operator is to be authorized to execute the command;
  
  said first computer system to execute first execution processing to augment, if it is judged by said first authorization processing that the operator is to be authorized to execute the command, the command with information to identify the group to which the operator belongs, and to transmit the augmented command to said second computer system as a request from the group to execute the command;
  
  said second computer system to execute second authorization processing to reference, when the command is received from said first computer system, said second set of authorization data and to judge whether or not the command is to be authorized for execution in response to the execution request from the group whose command is augmented with identifying information; and
  
  said second computer system to execute second execution processing to execute the command, if it is judged by said second authorization processing that the command is to be authorized for execution, in response to the execution request from the group.
- View Dependent Claims (20, 21, 22, 23)
- - 20. A program, as claimed in claim 19, wherein:
21. A program, as claimed in claim 19, wherein:
- in said first execution processing, the command is further augmented with operator identifying information and transmitted to said second computer system;
  
  in said second registration processing, a list of unauthorized operators matching commands and operators unauthorized to execute the respective commands is further registered;
  
  in said second authorization processing, said list of unauthorized operators is referenced, and it is judged whether or not the operator whose command is augmented with identifying information is to be authorized to execute the command; and
  
  in said second execution processing, if it is judged by said second authorization processing that the operator is not be authorized to execute the command, the command is not executed.
22. A program, as claimed in claim 19, wherein the operator that entered the command to be executed by the second computer system is an operator of the first computer system.
23. A program, as claimed in claim 22, wherein the identifying information augmented with the command, as received by the second computer system, does not include any information identifying the operator but rather only identifies the group that the operator of the first computer system is a member of.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Nagaoka, Akihiro, Nishimura, Mitsuhiko
Primary Examiner(s)
Najjar, Saleh

Application Number

US09/420,550
Time in Patent Office

1,323 Days
Field of Search

709/201, 709/203, 709/224, 709/225
US Class Current

709/201
CPC Class Codes

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

H04L 63/104   Grouping of entities

Network system and method for limiting the execution of commands

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Network system and method for limiting the execution of commands

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links