Methods, systems and computer program products for selectively allowing users of a multi-user system access to network resources

US 7,702,785 B2
Filed: 01/31/2001
Issued: 04/20/2010
Est. Priority Date: 01/31/2001
Status: Active Grant

First Claim

Patent Images

1. A method for selectively allowing access to a plurality of resources in a network, the method comprising:

receiving a request originated from a user of a multi-user system to transmit a message via the multi-user system over the network to one of the plurality of resources, wherein each of the plurality of resources has been assigned to one of a plurality of security zones based on a level of security sensitivity of the resource;

identifying a one of the plurality of security zones that is associated with the one of the plurality of resources;

determining if the user of the multi-user system is authorized access to the identified one of the plurality of security zones; and

forwarding the message from the multi-user system over the network only if it is determined that the user is authorized access to the identified one of the plurality of security zones.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer program products are provided for selectively allowing a user of a multi-user system access to a plurality of resources in a network. Pursuant to these methods, systems and computer program products, a request, originated by a user of the multi-user system, may be received to transmit a message over the network to one of the plurality of resources in the network. A security zone associated with this resource may then be identified. Pursuant to the operations of the present invention, if it is determined that the user is authorized access to the identified security zone, the message may be forwarded over the network to the resource.

Citations

24 Claims

1. A method for selectively allowing access to a plurality of resources in a network, the method comprising:
- receiving a request originated from a user of a multi-user system to transmit a message via the multi-user system over the network to one of the plurality of resources, wherein each of the plurality of resources has been assigned to one of a plurality of security zones based on a level of security sensitivity of the resource;
  
  identifying a one of the plurality of security zones that is associated with the one of the plurality of resources;
  
  determining if the user of the multi-user system is authorized access to the identified one of the plurality of security zones; and
  
  forwarding the message from the multi-user system over the network only if it is determined that the user is authorized access to the identified one of the plurality of security zones.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the multi-user system comprises a mainframe computer, and wherein the request is originated on a workstation of the mainframe computer.
  - 3. The method of claim 2, wherein the mainframe computer receives the request originated from the user, identifies the one of the plurality of security zones associated with the one of the plurality of resources, and determines if the user is authorized access to the one of the plurality of resources.
  - 4. The method of claim 3, wherein the step of identifying the one of the plurality of security zone associated with the one plurality of resources comprises accessing a data structure that specifies the security zone associated with each resource in the plurality of resources.
  - 5. The method of claim 4, wherein at least one entry in the data structure specifies the security zone associated with a group of the resources in the plurality of resources, and wherein identifying the one of the plurality of security zones associated with the one of the plurality of resources comprises identifying the security zone associated with the most specific entry in the data structure that includes the resource.
  - 6. The method of claim 1, wherein the identifying and determining steps are performed within the multi-user system.
  - 7. The method of claim 1, wherein the message forwarded over the network includes a first user identification associated with the multi-user system but does not include a second user identification associated with the user of the multi-user system.
  - 8. The method of claim 1, wherein the identifying and determining steps are preformed before any data packets associated with the message are forwarded over the network.
  - 9. The method of claim 1, wherein the network is an internet protocol network.

10. A system for selectively allowing access to a plurality of resources in a network, comprising:
- means for receiving a request originated from a user to a multi-user system to transmit a message via the multi-user system over the network to one of the plurality of resources, wherein each of the plurality of resources has been assigned to one of a plurality of security zones based on a level of security sensitivity of the resource;
  
  means for identifying a one of the plurality of security zones that is associated with the one of the plurality of resources;
  
  means for determining if the user of the multi-user system is authorized access to the identified one of the plurality of security zones; and
  
  means for forwarding the message from the multi-user system over the network only if it is determined that the user is authorized access to the identified one of the plurality of security zones.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, further comprising means for associating a security zone with each of the plurality of resources.
  - 12. The system of claim 11, further comprising means for specifying in advance of receiving the request the security zones to which users of the multi-user system are authorized access.
  - 13. The system of claim 10, wherein the means for identifying the one of the plurality of security zones associated with the one of the plurality of resources comprise means for accessing a data structure that specifies the security zone associated with each resource in the plurality of resources.
  - 14. The system of claim 13, wherein at least one entry in the data structure specifics the security zone associated with a group of the resources in the plurality of resources, and wherein the means for identifying the one of the plurality of security zones associated with the one of the plurality of resources comprises means for identifying the security zone associated with the most specific entry in the data structure that includes the resource.

15. A computer program product for selectively allowing access to a plurality of resources in a network, comprising:
- a computer-readable storage medium having computer-readable program code embodied in said medium, said computer-readable program code comprising;
  
  computer program product means for receiving a request originated from a user of a multi-user system to transmit a message via the multi-user system over the network to one of the plurality of resources, wherein each of the plurality of resources has been assigned to one of a plurality of security zones based on a level of security sensitivity of the resource;
  
  computer program product means for identifying a one of the plurality of security zones that is associated with the one of the plurality of resources;
  
  computer program product means for determining if the user of the multi-user system is authorized access to the identified one of the plurality of security zones; and
  
  computer program product means for forwarding the message from the multi-user system over the network only if it is determined that the user is authorized access to the identified one of the plurality of security zones.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15, further comprising computer program product means for associating a security zone with each of the plurality of resources.
  - 17. The computer program product of claim 16, further comprising computer program product means for specifying in advance of receiving the request the security zones to which users of the multi-user system are authorized access.
  - 18. The computer program product of claim 15, wherein the computer program product means for identifying the one of the plurality of security zones associated with the one of the plurality of resources comprise computer program product means for accessing a data structure that specifies the security zone associated with each resource in the plurality of resources.
  - 19. The computer program product of claim 18, wherein at least one entry in the data structure specifies the security zone associated with a group of the resources in the plurality of resources, and wherein the computer program product means for identifying the one of the plurality of security zones associated with the one of the plurality of resources comprises computer program product means for identifying the security zone associated with the most specific entry in the data structure that includes the resource.

20. A method for selectively allowing a user of a multi-user system access to a plurality of resources in a network, the method comprising:
- receiving a message over the network from one of the plurality of resources that is addressed to a process running on the multi-user system that is associated with the user;
  
  identifying, from a plurality of security zones, a security zone associated with the one of the plurality of resources;
  
  determining if the user is authorized access to the identified security zone; and
  
  forwarding the message to the process only if it is determined that the user is authorized access to the identified security zone.
- View Dependent Claims (21)
- - 21. The method of claim 20, wherein the multi-user system identifies the security zone associated with the one of the plurality of resources and determines if the user is authorized access to the identified security zone.

22. A data processing system for selectively allowing access to a plurality of resources in a network, comprising:
- a data processing device, the data processing device connected to a first network that includes a plurality of networked resources;
  
  a plurality of workstations that are configured to execute applications on the data processing device;
  
  a first data structure that specifies at least one security zone from a plurality of security zones that is associated with each of the plurality of networked resources, wherein each of the plurality of security zones represents a distinct level of security sensitivity; and
  
  a second data structure that specifies the respective security zones to which a plurality users of the data processing device may have access.
- View Dependent Claims (23, 24)
- - 23. The data processing system of claim 22, wherein the first data structure comprises a mapping table that identifies the respective one of the plurality of security zones associated with each of the plurality of networked resources, wherein at least some of the entries in the mapping table are associated with multiple of the plurality of networked resources.
  - 24. The data processing system of claim 23, wherein entries in the mapping table include wildcard characters to specify multiple of the plurality of networked resources with a single entry in the mapping table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloud Software Group Switzerland GmbH
Original Assignee
International Business Machines Corporation
Inventors
Bruton, David Aro III, Rodriguez, Adolfo Francisco, Overby, Linwood H. Jr.
Primary Examiner(s)
Lin; Kenny S
Assistant Examiner(s)
TRUONG, LAN DAI T

Application Number

US09/773,811
Publication Number

US 20020103903A1
Time in Patent Office

3,366 Days
Field of Search

709/223, 709/225, 709/203, 709/249, 709/250
US Class Current

709/225
CPC Class Codes

H04L 63/105 Multiple levels of security

Methods, systems and computer program products for selectively allowing users of a multi-user system access to network resources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems and computer program products for selectively allowing users of a multi-user system access to network resources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links