Method for controlling access to the resources of a data processing system, data processing system, and computer program

US 7,730,093 B2
Filed: 09/26/2002
Issued: 06/01/2010
Est. Priority Date: 09/26/2001
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to resources of a data processing system with at least one data processing device, comprising:

linking together a plurality of databases having user-specific data and being allocated to the data processing system to form a single resulting metadirectory database;

eliminating redundant user-specific data among the plurality of databases during the linking together;

predefining user roles using memberships of users in organization units or regions of responsibility of the users for business processes;

awarding access permissions for resources provided by the at least one data processing device by the predefined user roles stored in the single resulting metadirectory database; and

allocating at least one user role to at least one user of the data processing system according to at least one of the predefined user roles.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a data processing system with at least one data processing device, a large number of databases allocated to the data processing system and having user-specific data are linked together for forming a single resulting user database. Access permissions for resources provided by the at least one data processing device are awarded by predefined user roles. At least one user role is allocated to at least one user of the data processing system.

Citations

15 Claims

1. A method for controlling access to resources of a data processing system with at least one data processing device, comprising:
- linking together a plurality of databases having user-specific data and being allocated to the data processing system to form a single resulting metadirectory database;
  
  eliminating redundant user-specific data among the plurality of databases during the linking together;
  
  predefining user roles using memberships of users in organization units or regions of responsibility of the users for business processes;
  
  awarding access permissions for resources provided by the at least one data processing device by the predefined user roles stored in the single resulting metadirectory database; and
  
  allocating at least one user role to at least one user of the data processing system according to at least one of the predefined user roles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - determining responsibility regions of users in business processes by the predefined user roles; and
      
      allocating at least one user role to at least one user of the data processing system according to at least one of the responsibility regions.
  - 3. The method of claim 2, wherein the user-specific data includes the at least one user role allocated to the at least one user.
  - 4. The method of claim 3, further comprising:
    - making the predefined user roles available for allocation by a role catalog.
  - 5. The method of claim 4, further comprising:
    - using an interface provided at the data processing device,converting each user role into a plurality of access permissions; and
      
      providing access to designated memory regions of the data processing device to the user allocated to the user role.
  - 6. The method of claim 5, further comprising:
    - resolving the at least one user role allocated to the at least one user by an interface device allocated to one of the data processing devices into application-specific access permissions for a program application provided by the data processing device.
  - 7. The method of claim 6, further comprising:
    - when a change of role-defined user-specific data in the metadirectory database occurs, sending a message comprising the changed role-defined user-specific data to the interface device and inspecting for a change of application-specific or operating system-specific access permissions.
  - 8. The method of claim 1, wherein the user-specific data includes the at least one user role allocated to the at least one user.
  - 9. The method of claim 1, further comprising:
    - making the predefined user roles available for allocation by a role catalog.
  - 10. The method of claim 1, further comprising:
    - using an interface provided at the data processing device,converting each user role into a plurality of access permissions; and
      
      providing access to designated memory regions of the data processing device to the user allocated to the user role.
  - 11. The method of claim 1, further comprising:
    - resolving the at least one user role allocated to the at least one user by an interface device allocated to one of the data processing devices into application-specific access permissions for a program application provided by the data processing device.
  - 12. The method of claim 11, further comprising:
    - when a change of role-defined user-specific data in the metadirectory database occurs, sending a message comprising the changed role-defined user-specific data to the interface device and inspecting for a change of application-specific or operating system-specific access permissions.

13. A data processing system, comprising:
- at least one data processing device;
  
  a plurality of databases, in which user-specific data is stored, each of the plurality being linked together to form a single resulting metadirectory database;
  
  an award unit to award, by predefined user roles stored in the single resulting metadirectory database, access permissions for resources provided by the at least one data processing device; and
  
  an allocation unit to allocate at least one user role to at least one user of the data processing system according to at least one of the predefined user roles;
  
  wherein redundant user-specific data among the plurality of databases are eliminated when they are linked together; and
  
  wherein the user roles are predefined using memberships of users in organization units or regions of responsibility of the users for business processes.

14. A machine-readable storage medium that stores instructions executable by a machine to perform operations comprising:
- linking together a plurality of databases having user-specific data and being allocated to a data processing system to form a single resulting metadirectory database;
  
  eliminating redundant user-specific data among the plurality of databases during the linking together;
  
  predefining user roles using memberships of users in organization units or regions of responsibility of the users for business processes;
  
  awarding access permissions for resources provided by the at least one data processing device by the predefined user roles stored in the single resulting metadirectory database; and
  
  allocating at least one user role to at least one user of the data processing system according to at least one of the predefined user roles.

15. A method for controlling access to resources of at least one data processing device, comprising:
- linking together a plurality of databases containing user-specific data for users of the data processing device, to thereby form a metadirectory database;
  
  eliminating redundant user-specific data among the plurality of databases during the linking together;
  
  predefining user roles using memberships of users in organization units or regions of responsibility of the users for business processes;
  
  allocating a user role to each user of the data processing device, based on the user-specific data for the user according to at least one predefined user role; and
  
  selecting access permissions to the resources of the data processing device to award using user roles stored in the single resulting metadirectory database, each user role encompassing a plurality of access permissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens It Solutions and Services GmbH (Atos SE)
Original Assignee
Siemens AG
Inventors
Kopper, Harald, Kaiserwerth, Rudolf, Weidinger, Rupert, Woehrl, Rudolf, Wildgruber, Rudolf, Wagner, Hermann Josef
Primary Examiner(s)
Breene; John E
Assistant Examiner(s)
Kerzhner; Aleksandr

Application Number

US10/255,078
Publication Number

US 20030078932A1
Time in Patent Office

2,805 Days
Field of Search

707 1-1041, 705 35- 37, 705/42, 709/229
US Class Current

707/784
CPC Class Codes

G06F 16/25 Integrating or interfacing ...

G06F 21/6218 to a system of files or obj...

Method for controlling access to the resources of a data processing system, data processing system, and computer program

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for controlling access to the resources of a data processing system, data processing system, and computer program

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links