Systems and methods for integrating access control with a namespace
Abstract
Provided are methods and systems for integrating the access controls of computer resources into a namespace or domain. For a remote user, a computer network or system is a namespace represented by a URL. In order to enforce the access controls of the computer network being accessed, a remote user is impersonated by a server of the computer system such that access requests to the resources of the system are made by the server in the security context of the remote user. By impersonating the remote user, the actual rights of the remote user are presented to the access controls rather than the rights of the server. In this manner, the access control of the system can be enforced directly on the remote user and the access control is effectively extended to the namespace.
Claims
1. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a method for enforcing access control to a resource of a computer system at the security system as opposed to enforcing access control at the server, the method comprising the steps of:
the server processing a logon request from a remote user; the server producing a security context of the remote user based on the logon request; assigning the security context of the remote user to the server, wherein assigning the security context of the remote user to the server includes changing a previous security context of the server and by replacing the previous security context of the server with the security context of the remote user; and the server accessing the resource on behalf of the remote user with the assigned security context of the remote user, which replaced the previous security context of the server, so that the security system can enforce access control against the remote security context, thereby relieving the server from enforcing access control against the remote user if the server instead were to access the resource with the server's security context.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 20
9. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a method of enforcing access control, by the security system, on a remote user accessing a resource, as opposed to enforcing access control at the server, the method comprising the steps of:
the server receiving from the remote user a request to access the resource; the server authenticating the identity of the remote user to produce a remote security context for the remote user; the server creating a process for executing the access request of the remote user, wherein the process initially has a security context of the server; changing the security context of the process to match the remote security context of the remote user; the server using the process with the remote security context to access the resource on behalf of the remote user; and the security system enforcing access control on the remote security context, thereby relieving the server from having to enforce access control against the remote user, had the server instead accessed the resource with the server's security context.
Dependent claims: 10, 11, 12, 13, 14
15. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a computer program product for a method of enforcing access controls at the security system against remote users as opposed to enforcing access controls against remote users at the server, the computer program product comprising:
a computer-readable medium carrying computer-executable instructions for implementing the method, wherein the computer-executable instructions comprise: program code means for receiving from a remote user a request to access a resource; program code means for authenticating the identity of the remote user at the server to produce a remote security context of the remote user; program code means for altering and replacing a previous security context of the server to match the remote security context for the remote user to allow the server to perform the access request on behalf of the remote user with the remote security context of the remote user; and program code means for accessing the resource with the server using the remote security context of the remote user, which was used to alter and replace the previous security context, so that the security system can enforce access control against the remote security context in order to relieve the server from enforcing access control against the remote user if the server instead had accessed the resource with the server's security context.
Dependent claims: 16
17. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a computer program product for a method of enforcing access controls on a remote user of the computer system at the server system as opposed to enforcing access control against the remote user at the server, the computer program product comprising:
a computer-readable medium carrying computer-executable instructions for implementing the method, wherein the computer-executable instructions comprise: program code means for authenticating the identity of the remote user at a server; program code means for producing a remote security context for the remote user; program code means for changing a security context of the server to match the remote security context of the remote user for access requests of the remote user executed by the server; and program code means for executing access requests from the server with the remote security context of the remote user so that the security system enforces access control against the remote security context, thereby relieving the server from enforcing access control against the remote user if the server instead had accessed the resource with a security context of the server.
Dependent claims: 18, 19
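The following is an added illustration, not code from the patent or its assignee, modelling the procedure the independent claims describe: the server authenticates the remote user, replaces the security context of the thread handling the request with the user's context, performs the access, and lets the security system (here a constructed ACL check) decide. It also shows the failure mode the claims are designed to avoid, a server that authenticates the user but still touches the resource with its own broad rights, and the revert step that keeps one user's context from leaking into the next request. All principals, passwords, paths and ACL entries are constructed for the example; in a real deployment the context switch is performed by the operating system's impersonation facility (on Windows, for instance, a logon token applied to the handling thread and reverted afterwards) rather than by application code.

```python
"""Model of impersonation-based access control (constructed example)."""
import threading
from contextlib import contextmanager
from dataclasses import dataclass

# Constructed directory of users, group memberships and resource ACLs.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
ACL = {
    "/share/payroll.txt": {"finance"},
    "/share/source.zip": {"engineering"},
    "/share/readme.txt": {"finance", "engineering"},
}


@dataclass(frozen=True)
class SecurityContext:
    """The identity a thread presents to the security system."""
    principal: str
    groups: frozenset


# The server's own context: a service account with broad rights, which is
# exactly why accessing resources with it would bypass per-user ACLs.
SERVER_CONTEXT = SecurityContext(
    "svc-fileserver", frozenset({"finance", "engineering", "admins"}))

_tls = threading.local()  # per-thread "current context", as an OS would keep it


def current_context() -> SecurityContext:
    return getattr(_tls, "ctx", SERVER_CONTEXT)


def security_system_open(path: str) -> str:
    """The 'security system': enforces the ACL against whatever context
    is current on the calling thread. It knows nothing about remote users;
    it only sees the context presented to it."""
    ctx = current_context()
    if not ctx.groups & ACL.get(path, set()):
        raise PermissionError(f"{ctx.principal} denied {path}")
    return f"contents of {path}"


def logon(user: str, password: str) -> SecurityContext:
    """Step 1 and 2 of the claims: process the logon request and produce
    the remote user's security context."""
    if USERS.get(user) != password:
        raise PermissionError("logon failed")
    return SecurityContext(user, frozenset(GROUPS[user]))


@contextmanager
def impersonate(ctx: SecurityContext):
    """Step 3: replace the handling thread's context with the remote user's,
    and restore the previous context when the request is done."""
    previous = current_context()
    _tls.ctx = ctx
    try:
        yield
    finally:
        _tls.ctx = previous  # revert, so the next request does not inherit it


def serve_without_impersonation(user: str, password: str, path: str) -> str:
    """The anti-pattern: authenticates the user, then accesses the resource
    with the server's own context, so the ACL is checked against the server."""
    logon(user, password)
    return security_system_open(path)


def serve_with_impersonation(user: str, password: str, path: str) -> str:
    """The claimed method: access the resource in the remote user's context
    so the security system enforces the ACL against that user."""
    ctx = logon(user, password)
    with impersonate(ctx):
        return security_system_open(path)


if __name__ == "__main__":
    print(serve_with_impersonation("alice", "pw-alice", "/share/payroll.txt"))
    try:
        serve_with_impersonation("bob", "pw-bob", "/share/payroll.txt")
    except PermissionError as exc:
        print("impersonating server:", exc)
    # Same request without impersonation succeeds: the server's rights, not bob's, were checked.
    print("non-impersonating server:",
          serve_without_impersonation("bob", "pw-bob", "/share/payroll.txt"))
```

The contrast between the two `serve_*` functions is the point of the claims: in `serve_without_impersonation` the server would have to re-implement every ACL decision itself to avoid acting as a confused deputy, whereas in `serve_with_impersonation` the existing security system makes the decision with no server-side access logic at all. The `finally` revert in `impersonate` is the part most often forgotten in real servers; without it a worker thread keeps the last user's rights for subsequent requests.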
Specification