Hierarchical security domain model

US 7,490,347 B1
Filed: 04/30/2004
Issued: 02/10/2009
Est. Priority Date: 04/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

requesting authentication of a user attempting to access a first resource through a session, the first resource being within a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains;

identifying the session as having access to the first security domain;

granting the user access to a second resource without requesting authentication of the user for access to a second security domain based on said identification, the second resource being within the second security domain, the second security domain related to the first security domain and having a lower relative security level than the first security domain within the hierarchy of security domains; and

not granting the user access to the second resource without requesting authentication of the user for access to the second security domain if the second security domain;

is unrelated to the first security domain, oris related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect of the invention, a hierarchy of security domains and a method for granting a user access to the security domains are provided. The hierarchy of security domains includes multiple security levels and relationships between particular security domains. When a user is authenticated and/or authorized for access to a first security domain, the user is tagged as having been granted access to that security domain. If the user attempts to access a related security domain with a lower security level, the user is granted access without having to be re-authenticated and/or re-authorized. If the user attempts to access a related security domain with a higher security level, the user must be re-authenticated and/or re-authorized be access is granted to the security domain with the higher security level.

54 Citations

View as Search Results

28 Claims

1. A method comprising:
- requesting authentication of a user attempting to access a first resource through a session, the first resource being within a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains;
  
  identifying the session as having access to the first security domain;
  
  granting the user access to a second resource without requesting authentication of the user for access to a second security domain based on said identification, the second resource being within the second security domain, the second security domain related to the first security domain and having a lower relative security level than the first security domain within the hierarchy of security domains; and
  
  not granting the user access to the second resource without requesting authentication of the user for access to the second security domain if the second security domain;
  
  is unrelated to the first security domain, oris related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the session is a HTTP session.
  - 3. The method of claim 2, wherein the authentication if performed comprises requesting and receiving authentication information from the user.
  - 4. The method of claim 3, wherein the first resource is stored in a first container and the second resource is stored in a second container.
  - 5. The method of claim 4, wherein the first container is in a first computer system and the second container is in a second computer system.
  - 6. The method of claim 5, wherein the HTTP session is redirected between the first computer system to the second computer system when the user attempts to access the second resource.
  - 7. The method of claim 6, the first and second computer systems recognize the hierarchy of security domains.
  - 8. The method of claim 7, wherein said requesting and receiving authentication information from the user is performed by a centralized security manager being shared by both the first and second computer systems.
  - 9. The method of claim 8, wherein the security manager retrieves authorization information from a database based on the received authentication information.

10. An article of manufacture including program code stored on a machine-readable medium which, when executed by a machine, causes the machine to perform a method, the method comprising:
- authenticating a user attempting to access a first resource through a session, the first resource being within a first security domain and stored on a computing system, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains;
  
  identifying the session as having access to the first security domain;
  
  granting the user access to a second resource without authenticating the user for access to the second security domain based on said identification, the second resource being within a second security domain and stored on the computing system, if the second security domain is related to the first security domain and has a lower relative security level than the first security domain within the hierarchy of security domains; and
  
  not granting the user access to the second resource without authenticating the user for access to the second security domain based on said identification, if the second security domain;
  
  is unrelated to the first security domain, oris related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The article of manufacture of claim 10, wherein the session is a HTTP session.
  - 12. The article of manufacture of claim 11, wherein the authenticating comprises requesting and receiving authentication information from the user.
  - 13. The article of manufacture of claim 12, wherein the first resource is stored in a first container and the second resource is stored in a second container.
  - 14. The article of manufacture of claim 13, wherein the first container is in a first computer system and the second container is in a second computer system.
  - 15. The article of manufacture of claim 14, wherein the HTTP session jumps between the first computer system and the second computer system when the user attempts to access the second resource.
  - 16. The article of manufacture of claim 15, wherein the first and second computer systems recognize the hierarchy of security domains.
  - 17. The article of manufacture of claim 16, wherein said requesting and receiving authentication information from the user is performed by a centralized security manager being shared by both the first and second computer systems.
  - 18. The article of manufacture of claim 17, wherein the security manager retrieves authorization information from a database based on the received authentication information.

19. A computing system comprising:
- a collection of resources accessible to clients via a network, a resource in the collection of resources belonging to a security domain;
  
  a database having authorization information for determining a user to whom access to a security domain may be granted;
  
  a processor having a security enforcement logic protecting the collection of resources, the security enforcement logic programmed to recognize a hierarchy of security domains, the hierarchy including the security domain to which the resource belongs, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains, wherein the security enforcement logic uses authorization information from the database to authenticate a user attempting to access a first resource through a session, the first resource belonging to a first security domain within the hierarchy of security domains, the security enforcement logic further;
  
  identifying the session as having access to the first security domain based at least in part on the authentication of the user attempting to access the first resource,granting the user access to a second resource belonging to a second security domain without authenticating the user for access to the second security domain based on said identification if the second security domain is related to the first security domain and has a lower relative security level than the first security domain within the hierarchy of security domains, andnot granting the user access to the second resource without authenticating the user for access to the second security domain based on said identification if the second security domain;
  
  is unrelated to the first security domain, oris related to the first security domain but has a higher relative security level than first security domain within the hierarchy of security domains.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computing system of claim 19, wherein the session is a HTTP session.
  - 21. The computing system of claim 20, wherein to authenticate the user attempting to access the first resource through the session, the security enforcement logic further obtains authentication information from the user.
  - 22. The computing system of claim 21, wherein the first resource is stored in a first container and the second resource is stored in a second container.
  - 23. The computing system of claim 22, wherein the first container is in a first computer system and the second container is in a second computer system.
  - 24. The computing system of claim 23, wherein the HTTP session jumps between the first computer system and the second computer system when the user attempts to access the second resource.
  - 25. The computing system of claim 24, wherein the security enforcement logic of the first and second computer systems are each programmed to recognize the hierarchy of security domains.
  - 26. The computing system of claim 25, wherein to authenticate the user attempting to access the first resource through the session, a centralized security manager being shared by both the first and second computer systems obtains the authentication information from the user.
  - 27. The computing system of claim 26, wherein to authenticate the user attempting to access the first resource through the session, the centralized security manager further retrieves the authorization information from the database based on the authentication information obtained from the user.

28. A method comprising:
- authenticating a user for access to a first security domain, the first security domain being within a hierarchy of security domains, the hierarchy defining related and unrelated security domains and a relative security level of one or more related security domains;
  
  granting the user access to a second security domain without authenticating the user for access to the second security domain if the second security domain is within the hierarchy of security domains, is related to the first security domain, and has a lower relative security level than the first security domain;
  
  identifying the user as having been authenticated for access to the first security domain; and
  
  not granting access to the second security domain without authenticating the user for access to the second security domain if the second security domain;
  
  is not within the hierarchy of security domains, oris within the hierarchy of security domains but is unrelated to the first security domain, oris within the hierarchy of security domains and related to the first security domain but has a higher relative security level than the first security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Schneider, Juergen, Zlatarev, Stephan H., Jurova, Maria, Jaeschke, Hiltrud
Primary Examiner(s)
Smithers; Matthew B

Application Number

US10/837,397
Time in Patent Office

1,747 Days
Field of Search

713/166
US Class Current

726/2
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

Hierarchical security domain model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical security domain model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links