Identity vectoring via chained mapping records

US 6,993,653 B1
Filed: 02/22/2000
Issued: 01/31/2006
Est. Priority Date: 02/22/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authorizing a user on a computer network using chained mapping records, the method including:

receiving a digital certificate for a user requesting access to said computer network;

comparing a distinguished name or a partial distinguished name corresponding to the digital certificate with a plurality of mapping records;

replacing a variable from a first matching mapping record with an environmental factor to create a first search criteria, the first matching mapping record indicating the distinguished name or the partial distinguished name, wherein the environmental factor includes one or more system or application statuses in effect at the time the user signs-on the computer network, operable for enabling the first matching mapping record to point to multiple user identifications;

comparing the first search criteria with the plurality of mapping records; and

generating an authorization indicator responsive to at least one of comparing the distinguished name or a partial distinguished name and comparing the first search criteria with the plurality of mapping records.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity vectoring method is accomplished by matching a distinguished name or partial distinguished name from a digital certificate with a distinguished name mapping record. A data field in the distinguished name mapping record includes either a variable name or a user ID. The variable name corresponds to any environmental factor. The next mapping record to be considered, the criteria mapping record, is determined by substituting the environmental factor for the variable name in the data field. A data field in the criteria mapping record includes either a variable name or a user ID. The process completes when a mapping record containing only a user ID is encountered or when no matching criteria mapping records are found.

62 Citations

View as Search Results

24 Claims

1. A method for authorizing a user on a computer network using chained mapping records, the method including:
- receiving a digital certificate for a user requesting access to said computer network;
  
  comparing a distinguished name or a partial distinguished name corresponding to the digital certificate with a plurality of mapping records;
  
  replacing a variable from a first matching mapping record with an environmental factor to create a first search criteria, the first matching mapping record indicating the distinguished name or the partial distinguished name, wherein the environmental factor includes one or more system or application statuses in effect at the time the user signs-on the computer network, operable for enabling the first matching mapping record to point to multiple user identifications;
  
  comparing the first search criteria with the plurality of mapping records; and
  
  generating an authorization indicator responsive to at least one of comparing the distinguished name or a partial distinguished name and comparing the first search criteria with the plurality of mapping records.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the generating an authorization indicator includes generating a security context control block using a user identification from a second matching mapping record, the second matching mapping record indicating the first search criteria.
  - 3. The method of claim 1, further including:
    - replacing a variable from a second matching mapping record with the environmental factor to create a second search criteria, the second matching mapping record indicating the first search criteria.
  - 4. The method of claim 3, wherein the generating an authorization indicator includes generating a security context control block using a user identification from a third matching mapping record, the third matching mapping record indicating the second search criteria.
  - 5. The method of claim 1, further including:
    - eliminating a portion of an X.500 distinguished name to create the partial distinguished name used in said comparing the partial distinguished name with the plurality of mapping records.
  - 6. The method of claim 1, wherein the generating an authorization indicator includes generating a security context control block using a user identification from the first matching mapping record if the first matching mapping record includes the user identification.
  - 7. The method of claim 1, wherein comparing the distinguished name or the partial distinguished name corresponding to the user with a plurality of mapping records includes comparing an X.500 distinguished name of the user with the plurality of mapping records.
  - 8. The method of claim 1, wherein the environmental factor includes a system status existing at the time the user signs-on the computer network and replacing a variable includes replacing the variable from the first matching mapping record with said system status.

9. A system for authorizing a user on a computer network using chained mapping records, the system including:
- a digital certificate means for receiving a distinguished name over said computer network, said distinguished name corresponding to the user;
  
  a distinguished name mapping record within a directory database, said distinguished name mapping record indicative of at least a portion of said distinguished name, said distinguished name mapping record including a first data field, said first data field including a first variable indicative of a first environmental factor, wherein the first environmental factor includes one or more system or application statuses in effect at the time said digital certificate is received the user signs-on the computer network, operable for enabling said first matching mapping record to point to multiple user identities;
  
  a first criteria mapping record corresponding to a first state of said first environmental factor, said first criteria mapping record including a second data field, said second data field including a first user identity; and
  
  a mapping process configured to receive said digital certificate, wherein said mapping process generates a security context control block using said first user identity in response to said first state of said first environmental factor,wherein said digital certificate means is on a computer readable medium.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further including:
    - a second criteria mapping record corresponding to a second state of said first environmental factor, said second criteria mapping record including a third data field, said third data field including a second user identity; and
      
      wherein said mapping process is further configured to generate a security context control block using said second user identity in response to said second state of said first environmental factor.
  - 11. The system of claim 9, further including:
    - a second criteria mapping record corresponding to a second state of said first environmental factor, said second criteria mapping record including a third data field, said third data field including a second variable indicative of a second environmental factor;
      
      a third criteria mapping record corresponding to said second environmental factor, said third criteria mapping record including a fourth data field, said fourth data field including a second user identity; and
      
      wherein said mapping process is further configured to generate a security context control block using said second user identity in response to said second state of said first environmental factor and said third environmental factor.
  - 12. The system of claim 9, wherein said distinguished name is an X.500 distinguished name.
  - 13. The system of claim 10, wherein said first user identity represents a first level of network authorization, and said second user identity represents a second level of network authorization.
  - 14. The system of claim 9, wherein said first environmental factor is a network status at the time said digital certificate is received by said mapping process.
  - 15. The system of claim 9, wherein said first environmental factor is an application status at the time said digital certificate is received by said mapping process.
  - 16. The system of claim 9, wherein said first environmental factor is included in said digital certificate.

17. A storage medium encoded with machine-readable computer program code for authorizing a user on a computer network using chained mapping records, the storage medium including instructions for causing a computer to implement a method comprising:
- comparing a distinguished name or a partial distinguished name corresponding to the user with a plurality of mapping records;
  
  replacing a variable from a first matching mapping record with an environmental factor to create a first search criteria, the first matching mapping record indicating the distinguished name or the partial distinguished name, wherein the environmental factor includes one or more system or application statuses in effect at the time the user signs-on on the computer network, operable for enabling the first matching mapping record to point to multiple user identifications;
  
  comparing the first search criteria with the plurality of mapping records; and
  
  generating an authorization indicator responsive to at least one of comparing the distinguished name or a partial distinguished name and comparing the first search criteria with the plurality of mapping records.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The storage medium of claim 17, wherein the generating an authorization indicator includes generating a security context control block using a user identification from a second matching mapping record, the second matching mapping record indicating the first search criteria.
  - 19. The storage medium of claim 17, further comprising instructions for causing a computer to implement:
    - replacing a variable from a second matching mapping record with the environmental factor to create a second search criteria, the second matching mapping record indicating the first search criteria.
  - 20. The storage medium of claim 19, wherein the generating an authorization indicator includes generating a security context control block using a user identification from a third matching mapping record, the third matching mapping record indicating the second search criteria.
  - 21. The storage medium of claim 17 further comprising instructions for causing a computer to implement:
    - eliminating a portion of an X.500 distinguished name to create the partial distinguished name used in said comparing the partial distinguished name with the plurality of mapping records.
  - 22. The storage medium of claim 17, wherein the generating an authorization indicator includes generating a security context control block using a user identification from the first matching mapping record if the first matching mapping record includes the user identification.
  - 23. The storage medium of claim 17, wherein comparing the distinguished name or the partial distinguished name corresponding to the user with a plurality of mapping records includes comparing an X.500 distinguished name of the user with the plurality of mapping records.
  - 24. The storage medium of claim 17, wherein the environmental factor includes a system status existing at the time the user signs-on the computer network and replacing a variable includes replacing the variable from the first matching mapping record with said system status.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Guski, Richard H., Farrell, Walter B., Sweeny, James W., Thompson, John M., Szczygielski, Thomas J.
Primary Examiner(s)
Caldwell, Andrew
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/507,882
Time in Patent Office

2,170 Days
Field of Search

707/10, 707/200, 713155-157, 713/178
US Class Current

713/157
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

Identity vectoring via chained mapping records

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Identity vectoring via chained mapping records

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links