Method and system for management of access information

US 7,865,959 B1
Filed: 02/27/2002
Issued: 01/04/2011
Est. Priority Date: 02/28/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing user access information for access to one or more database network nodes by a user, the method comprising:

storing database user authorization in a central directory that is associated with one or more network nodes, the database user authorization comprising a user role associated with a collection of locally defined roles and associated users, wherein the user role in the central directory assigns user privileges to the user as defined by the locally defined roles contained within the user role, wherein the database user authorization is stored as one or more data objects in the central directory;

storing database user authentication information;

receiving the user role at a local database network node from the central directory;

locally defining, by using a processor, a locally defined role for assigning the user privileges specific to a local database network node for a local scope of access at the local database network node, wherein the locally defined role is locally defined by processing at the local database network node the user role that is received from the central directory, and the user privileges granted by the locally defined role are given to the user based at least in part upon the user'"'"'s association with the user role such that the locally defined role has a different scope of access than another locally defined role defined by processing the same user role at another local database network node;

receiving an access request from the user for the local database network node;

authenticating the user using a shared schema based at least in part upon the database user authentication information, wherein the shared schema comprises a schema that is accessible by a plurality of users and the plurality of users are mapped to the shared schema on the local database network node such that the plurality of users do not need their own accounts on the local database network node;

granting the user privileges on the local database network node based at least in part upon the shared schema and the locally defined role; and

storing the user privileges in a volatile or non-volatile computer-usable medium or displaying the user privileges on a display device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing access information for users and other entities in a distributed computing system is disclosed. In one approach, information relating to user access is stored in a centralized directory while user roles are locally defined at a networked node. When the user connects to the system, the system looks up the necessary information about the user in the central directory to authorize the user. Thereafter, the user'"'"'s privileges are determined by the user'"'"'s assigned roles.

99 Citations

View as Search Results

53 Claims

1. A computer-implemented method for managing user access information for access to one or more database network nodes by a user, the method comprising:
- storing database user authorization in a central directory that is associated with one or more network nodes, the database user authorization comprising a user role associated with a collection of locally defined roles and associated users, wherein the user role in the central directory assigns user privileges to the user as defined by the locally defined roles contained within the user role, wherein the database user authorization is stored as one or more data objects in the central directory;
  
  storing database user authentication information;
  
  receiving the user role at a local database network node from the central directory;
  
  locally defining, by using a processor, a locally defined role for assigning the user privileges specific to a local database network node for a local scope of access at the local database network node, wherein the locally defined role is locally defined by processing at the local database network node the user role that is received from the central directory, and the user privileges granted by the locally defined role are given to the user based at least in part upon the user'"'"'s association with the user role such that the locally defined role has a different scope of access than another locally defined role defined by processing the same user role at another local database network node;
  
  receiving an access request from the user for the local database network node;
  
  authenticating the user using a shared schema based at least in part upon the database user authentication information, wherein the shared schema comprises a schema that is accessible by a plurality of users and the plurality of users are mapped to the shared schema on the local database network node such that the plurality of users do not need their own accounts on the local database network node;
  
  granting the user privileges on the local database network node based at least in part upon the shared schema and the locally defined role; and
  
  storing the user privileges in a volatile or non-volatile computer-usable medium or displaying the user privileges on a display device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 in which the central directory comprises a LDAP-compatible directory.
  - 3. The method of claim 1 in which the database user authentication information is stored at the central directory.
  - 4. The method of claim 1 in which the database user authorization is stored in a schema having a hierarchy of schema objects.
  - 5. The method of claim 4 in which the hierarchy of schema objects comprises an enterprise role, wherein the enterprise role is associated with one or more users and one or more locally defined roles.
  - 6. The method of claim 5 in which the one or more privileges are assigned to the one or more users.
  - 7. The method of claim 4 in which the hierarchy of schema objects comprises a enterprise domain, wherein the enterprise domain comprises one or more enterprise roles.
  - 8. The method of claim 7 in which each of the one or more enterprise roles is associated with one or more users and one or more locally defined roles.
  - 9. The method of claim 7 in which the enterprise domain is associated with one or more network nodes.
  - 10. The method of claim 1 in which the one or more objects are stored in a security subtree in the central directory.
  - 11. The method of claim 1 in which administrative access is controlled to one or more data objects in the central directory.
  - 12. The method of claim 11 in which access control is implemented using an access control point associated with the one or more data objects in the central directory.
  - 13. The method of claim 12 in which the access control point is associated with access policies for a subtree of the one or more database objects in the central directory.
  - 14. The method of claim 12 in which the access control point is associated with access policies for a single entry for the one or more database objects in the central directory.
  - 15. The method of claim 12 in which the access control point is associated with individually named users.
  - 16. The method of claim 12 in which the access control point is associated with a group of users.
  - 17. The method of claim 16 in which members of the group are associated with a set of access privileges associated with the access control point.
  - 18. The method of claim 1, wherein one of the one or more data objects comprises a distinguished name, wherein the distinguished name comprises a common name having a value for identifying a database.
  - 19. The method of claim 1, wherein one of the one or more data objects comprises a distinguished name, wherein the distinguished name comprises a common name having a value for representing an administrative context, a root context, or a user-fined context.
  - 20. The method of claim 1, wherein the one or more privileges are locally defined at the one of the network nodes.
  - 21. The method of claim 20, wherein the database user authorization is stored in the central directory such that central management of the user role may be performed.
  - 22. The method of claim 20, wherein the one or more privileges are not centrally defined at the central directory.

23. A computer system including a processor for managing user access information for access to one or more database network nodes by an enterprise user, comprising:
- a LDAP directory;
  
  one or more local database network nodes for which user access is sought, wherein the one or more local database network nodes are associated with the LDAP directory;
  
  a volatile or non-volatile computer-usable medium for storing user access information data objects in the LDAP directory, the user access information data objects comprising authentication and authorization information, wherein the authorization information comprises an enterprise role associated with a collection of locally defined roles and associated users, wherein the enterprise role in the LDAP directory assigns user privileges to the enterprise user as defined by the locally defined roles contained within the enterprise role; and
  
  the processor for locally defining a locally defined role for assigning the user privileges specific to a local database network node for a local scope of access at the local database network node, wherein the locally defined role is locally defined by processing at the local database network node the enterprise role that is received from the LDAP directory, and the user privileges granted by the locally defined role are given to the enterprise user based at least in part upon the enterprise user'"'"'s association with the enterprise role such that the locally defined role has a different scope of access than another locally defined role defined by processing the same enterprise role at another local database network node.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 24. The system of claim 23 in which the user access information data objects comprise a domain object that is associated with the one or more database network nodes.
  - 25. The system of claim 24 in which the domain object is associated with the enterprise role.
  - 26. The system of claim 25 in which the enterprise role is associated with a local database role.
  - 27. The system of claim 26 in which the scope of the local database role is locally defined at a local database network node.
  - 28. The system of claim 25 in which the enterprise role is associated with another user.
  - 29. The system of claim 25 in which the enterprise role is associated with local database roles from a plurality of database nodes.
  - 30. The system of claim 23 in which the user access information data objects comprise an access control point attribute.
  - 31. The system of claim 30 in which the access control point attribute is established only if access control polices are established for a corresponding object.
  - 32. The system of claim 30 in which the access control point attribute is associated with access policies for a subtree in the user access information data objects stored in the LDAP directory.
  - 33. The system of claim 30 in which the access control point attribute is associated with access policies for a single entry in the user access information data objects stored in the LDAP directory.
  - 34. The system of claim 30 in which the access control point attribute is associated with individually named users.
  - 35. The system of claim 30 in which the access control point attribute is associated with a group of users.
  - 36. The system of claim 35 in which members of the group are associated with a set of access privileges associated with the access control.
  - 37. The system of claim 23 in which the users access information data objects comprise a mapping object that maps an database user to a database schema.
  - 38. The system of claim 37 in which the mapping object affects a single user.
  - 39. The system of claim 38 in which the mapping object is associated with a full distinguished name.
  - 40. The system of claim 37 in which the mapping object is associated with a plurality of users.

41. The system of clam 38 in which the mapping object is associated with a partial distinguished name.

42. A computer program product that includes a volatile or non-volatile non-transitory computer-usable medium usable by a processor, the medium having stored thereon a sequence of instructions which, when executed by said processor, causes said processor to execute a process for managing user access information for access to one or more database network nodes by a user, the process comprising:
- storing database user authorization in a central directory that is associated with one or more network nodes, the database user authorization comprising a user role associated with a collection of locally defined roles and associated users, wherein the user role in the central directory assigns user privileges to the user as defined by the locally defined roles contained within the user role, wherein the database user authorization is stored as one or more data objects in the central directory;
  
  storing database user authentication information;
  
  receiving the user role at a local database network node from the central directory;
  
  locally defining a locally defined role for assigning the user privileges specific to a local database network node for a local scope of access at the local database network node, wherein the locally defined role is locally defined by processing at the local database network node the user role that is received from the central directory, and the user privileges granted by the locally defined role are given to the user based at least in part upon the user'"'"'s association with the user role such that the locally defined role has a different scope of access than another locally defined role defined by processing the same user role at another local database network node;
  
  receiving an access request from the user for the local database network node;
  
  authenticating the user using a shared schema based at least in part upon the database user authentication information, wherein the shared schema comprises a schema that is accessible by a plurality of users and the plurality of users are mapped to the shared schema on the local database network node such that the plurality of users do not need their own accounts on the local database network node;
  
  granting the user privileges on the local database network node based at least in part upon the shared schema and the locally defined role; and
  
  storing the user privileges or displaying the user privileges on a display device.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 43. The computer program product of claim 42 in which the central directory comprises a LDAP-compatible directory.
  - 44. The computer program product of claim 42 in which the database user authentication information is stored at the central directory.
  - 45. The computer program product of claim 42 in which the database user authorization is stored in a schema having a hierarchy of schema objects.
  - 46. The computer program product of claim 42 in which the one or more objects are stored in a security subtree in the central directory.
  - 47. The computer program product of claim 42 in which administrative access is controlled to one or more data objects in the central directory.
  - 48. The computer program product of claim 47 in which access control is implemented using an access control point associated with the one or more data objects in the central directory.
  - 49. The computer program product of claim 48 in which the access control point is associated with access policies for a subtree of the one or more database objects in the central directory.
  - 50. The computer program product of claim 48 in which the access control point is associated with access policies for a single entry for the one or more database objects in the central directory.
  - 51. The computer program product of claim 48 in which the access control point is associated with individually named users.
  - 52. The computer program product of claim 48 in which the access control point is associated with a group of users.
  - 53. The computer program product of claim 52 in which members of the group are associated with a set of access privileges associated with the access control point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Lewis, Nina
Primary Examiner(s)
Gaffin; Jeffrey A
Assistant Examiner(s)
GANDHI, DIPAKKUMAR B

Application Number

US10/084,880
Time in Patent Office

3,233 Days
Field of Search

713/1, 713/200, 713/201, 713/182, 713/167, 713/166, 713/165, 714/8, 709/225, 709/229, 707/9
US Class Current

726/26
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Method and system for management of access information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

53 Claims

Specification

Use Cases

Quick Links

Others

Method and system for management of access information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

53 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others