Method and apparatus for securely and dynamically managing user roles in a distributed system

US 6,871,279 B2
Filed: 03/20/2001
Issued: 03/22/2005
Est. Priority Date: 03/20/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for managing user attributes in a distributed computing system, wherein user attributes determine access rights to a computer application:

the method comprising;

modifying an attribute database in order to create modifications, wherein the attribute database includes a plurality of possible user attributes and a data structure identifying a plurality of users;

obtaining an identity certificate from a certificate authority;

associating the identity certificate with a user from the plurality of users within the attribute database, thus creating more of the modifications;

assigning an attribute from the plurality of possible user attributes to the user;

storing the attribute assigned to the user into the attribute database, thus creating more of the modifications; and

distributing the modifications to the attribute database to a plurality of hosts coupled together by a networks;

wherein the user is granted access rights based on the attribute and the identity certificate.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for managing user attributes that determines access rights in a distributed computing system. The system modifies an attribute database, wherein the attribute database includes a plurality of possible user attributes and a plurality of users. Next, for a given user the system obtains an identity certificate from a certificate authority. This identity certificate is associated with a user from the attribute database. The system also assigns an attribute to the user from the possible user attributes, whereby the user is granted access rights based on the attribute and the identity certificate. This attribute is stored in the attribute database. Finally, modifications to the attribute database are distributed to a plurality of hosts coupled together by a network.

79 Citations

View as Search Results

24 Claims

1. A method for managing user attributes in a distributed computing system, wherein user attributes determine access rights to a computer application:
- the method comprising;
  
  modifying an attribute database in order to create modifications, wherein the attribute database includes a plurality of possible user attributes and a data structure identifying a plurality of users;
  
  obtaining an identity certificate from a certificate authority;
  
  associating the identity certificate with a user from the plurality of users within the attribute database, thus creating more of the modifications;
  
  assigning an attribute from the plurality of possible user attributes to the user;
  
  storing the attribute assigned to the user into the attribute database, thus creating more of the modifications; and
  
  distributing the modifications to the attribute database to a plurality of hosts coupled together by a networks;
  
  wherein the user is granted access rights based on the attribute and the identity certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - assigning a second attribute from the plurality of possible user attributes to the user, in addition to said attribute; and
      
      storing the second attribute assigned to the user into the attribute database, thus creating more of the modifications.
  - 3. The method of claim 1, further comprising using secure communications when distributing the modifications to the attribute database to the plurality of hosts.
  - 4. The method of claim 1, further comprising signing the attribute database with a cryptographic signature prior to the distributing to allow detection of unauthorized changes to the attribute database.
  - 5. The method of claim 1, wherein a host of the plurality of hosts can distribute the modifications to the attribute database to a subordinate host in a tree architecture.
  - 6. The method of claim 1, further comprising allowing the user to assume any attribute stored into the attribute database that is assigned to the user during the assigning.
  - 7. The method of claim 1, further comprising:
    - deleting the attribute assigned to the user from the attribute database, after the distributing, thus creating more of the modifications; and
      
      redistributing the modifications to the attribute database to the plurality of hosts.
  - 8. The method of claim 1, wherein modifying the attribute database includes creating the attribute database.

9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing user attributes in a distributed computing system, wherein user attributes determine access rights to a computer application:
- the method comprising;
  
  modifying an attribute database in order to create modifications, wherein the attribute database includes a data structure identifying a plurality of possible user attributes and a plurality of users;
  
  obtaining an identity certificate from a certificate authority;
  
  associating the identity certificate with a user from the plurality of users within the attribute database, thus creating more of the modifications;
  
  assigning an attribute from the plurality of possible user attributes to the user;
  
  storing the attribute assigned to the user into the attribute database, thus creating more of the modifications; and
  
  distributing the modifications to the attribute database to a plurality of hosts coupled together by a network;
  
  wherein the user is granted access rights based on the attribute and the identity certificate.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, the method further comprising:
    - assigning a second attribute from the plurality of possible user attributes to the user, in addition to said attribute; and
      
      storing the second attribute assigned to the user into the attribute database, thus creating more of the modifications.
  - 11. The computer-readable storage medium of claim 9, the method further comprising using secure communications when distributing the modifications to the attribute database to the plurality of hosts.
  - 12. The computer-readable storage medium of claim 9, the method further comprising signing the attribute database with a cryptographic signature prior to the distributing to allow detection of unauthorized changes to the attribute database.
  - 13. The computer-readable storage medium of claim 9, wherein a host of the plurality of hosts can distribute the modifications to the attribute database to a subordinate host in a tree architecture.
  - 14. The computer-readable storage medium of claim 9, the method further comprising allowing the user to assume any attribute stored into the attribute database that is assigned to the user during the assigning.
  - 15. The computer-readable storage medium of claim 9, the method further comprising:
    - deleting the attribute assigned to the user from the attribute database, after the distributing, thus creating more of the modifications; and
      
      redistributing the modifications to the attribute database to the plurality of hosts.
  - 16. The computer-readable storage medium of claim 9, wherein modifying the attribute database includes creating the attribute database.

17. An apparatus that facilitates managing user attributes in a distributed computing system, wherein user attributes determine access rights to a computer application:
- the apparatus comprising;
  
  a modifying mechanism configured to modify an attribute database in order to create modifications, wherein the attribute database includes a data structure identifying a plurality of possible user attributes and a plurality of users;
  
  an identity certificate obtaining mechanism configured to obtain an identity certificate from a certificate authority;
  
  an associating mechanism configured to associated the identity certificate with a user from the plurality of users within the attribute database, thus creating more of the modifications;
  
  an assigning mechanism configured to assign an attribute from the plurality of possible user attributes to the user;
  
  a storing mechanism configured to store the attribute assigned to the user into the attribute database, thus creating more of the modifications; and
  
  a distributing mechanism that is configured to distribute the modifications to the attribute database to a plurality of hosts coupled together by a network;
  
  wherein the user is granted access rights based on the attribute and the identity certificate.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, further comprising:
    - the assigning mechanism that is further configured to assign a second attribute from the plurality of possible user attributes to the user, in addition to said attribute; and
      
      the storing mechanism that is further configured to store the second attribute assigned to the user into the attribute database, thus creating more of the modifications.
  - 19. The apparatus of claim 17, further comprising a secure communications mechanism configured to distribute the modifications to the attribute database to the plurality of hosts, during the distributing.
  - 20. The apparatus of claim 17, further comprising a signing mechanism that is configured to sign the attribute database with a cryptographic signature prior to the distributing to allow detection of unauthorized changes to the attribute database.
  - 21. The apparatus of claim 17, wherein the communications mechanism associated with a host of the plurality of hosts is configured to distribute the modifications to the attribute database to a subordinate host in a tree architecture.
  - 22. The apparatus of claim 17, further comprising an authorization mechanism that is configured to authorize the user to assume any attribute stored into the attribute database that is assigned to the user during the assigning.
  - 23. The apparatus of claim 17, further comprising:
    - a deleting mechanism that as configured to delete the attribute assigned to the user from the attribute database, after the distributing, thus creating more of the modifications; and
      
      a redistributing mechanism that is configured to redistribute the modifications to the attribute database to the plurality of hosts.
  - 24. The apparatus of claim 17, wherein the modifying mechanism is further configured to create the attribute database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Tally, Gregg W., Sames, David L.
Primary Examiner(s)
HUA, LY

Application Number

US09/813,419
Publication Number

US 20020138738A1
Time in Patent Office

1,463 Days
Field of Search

713/185, 713/166, 713/165, 713/156, 713/155, 713/164, 713/200, 713/201, 713/182, 707/9, 707/10, 707/104.1, 707/200, 380/277, 380/278
US Class Current

713/185
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Y10S 707/99945   Object-oriented database st...

Method and apparatus for securely and dynamically managing user roles in a distributed system

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for securely and dynamically managing user roles in a distributed system

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others