Hierarchical security domain model
First Claim
1. A method comprising:
- requesting authentication of a user attempting to access a first resource through a session, the first resource being within a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains;
identifying the session as having access to the first security domain;
granting the user access to a second resource without requesting authentication of the user for access to a second security domain based on said identification, the second resource being within the second security domain, the second security domain related to the first security domain and having a lower relative security level than the first security domain within the hierarchy of security domains; and
not granting the user access to the second resource without requesting authentication of the user for access to the second security domain if the second security domain;
is unrelated to the first security domain, oris related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains.
2 Assignments
0 Petitions
Accused Products
Abstract
According to one aspect of the invention, a hierarchy of security domains and a method for granting a user access to the security domains are provided. The hierarchy of security domains includes multiple security levels and relationships between particular security domains. When a user is authenticated and/or authorized for access to a first security domain, the user is tagged as having been granted access to that security domain. If the user attempts to access a related security domain with a lower security level, the user is granted access without having to be re-authenticated and/or re-authorized. If the user attempts to access a related security domain with a higher security level, the user must be re-authenticated and/or re-authorized be access is granted to the security domain with the higher security level.
54 Citations
28 Claims
-
1. A method comprising:
-
requesting authentication of a user attempting to access a first resource through a session, the first resource being within a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains; identifying the session as having access to the first security domain; granting the user access to a second resource without requesting authentication of the user for access to a second security domain based on said identification, the second resource being within the second security domain, the second security domain related to the first security domain and having a lower relative security level than the first security domain within the hierarchy of security domains; and not granting the user access to the second resource without requesting authentication of the user for access to the second security domain if the second security domain; is unrelated to the first security domain, or is related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. An article of manufacture including program code stored on a machine-readable medium which, when executed by a machine, causes the machine to perform a method, the method comprising:
-
authenticating a user attempting to access a first resource through a session, the first resource being within a first security domain and stored on a computing system, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains; identifying the session as having access to the first security domain; granting the user access to a second resource without authenticating the user for access to the second security domain based on said identification, the second resource being within a second security domain and stored on the computing system, if the second security domain is related to the first security domain and has a lower relative security level than the first security domain within the hierarchy of security domains; and not granting the user access to the second resource without authenticating the user for access to the second security domain based on said identification, if the second security domain; is unrelated to the first security domain, or is related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computing system comprising:
-
a collection of resources accessible to clients via a network, a resource in the collection of resources belonging to a security domain; a database having authorization information for determining a user to whom access to a security domain may be granted; a processor having a security enforcement logic protecting the collection of resources, the security enforcement logic programmed to recognize a hierarchy of security domains, the hierarchy including the security domain to which the resource belongs, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains, wherein the security enforcement logic uses authorization information from the database to authenticate a user attempting to access a first resource through a session, the first resource belonging to a first security domain within the hierarchy of security domains, the security enforcement logic further; identifying the session as having access to the first security domain based at least in part on the authentication of the user attempting to access the first resource, granting the user access to a second resource belonging to a second security domain without authenticating the user for access to the second security domain based on said identification if the second security domain is related to the first security domain and has a lower relative security level than the first security domain within the hierarchy of security domains, and not granting the user access to the second resource without authenticating the user for access to the second security domain based on said identification if the second security domain; is unrelated to the first security domain, or is related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
-
-
28. A method comprising:
-
authenticating a user for access to a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains; granting the user access to a second security domain without authenticating the user for access to the second security domain if the second security domain is within the hierarchy of security domains, is related to the first security domain, and has a lower relative security level than the first security domain; identifying the user as having been authenticated for access to the first security domain; and not granting access to the second security domain without authenticating the user for access to the second security domain if the second security domain; is not within the hierarchy of security domains, or is within the hierarchy of security domains but is unrelated to the first security domain, or is within the hierarchy of security domains and related to the first security domain but has a higher relative security level than the first security domain.
-
Specification