System and method for providing multi-location access management to secured items
First Claim
1. A method for providing access management through use of a plurality of server machines associated with different locations, said method comprising:
- receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine at a first location;
authenticating a user of the first client machine;
authenticating the first client machine;
retrieving at the first server machine, based on the success of said authenticating of the user and authenticating of the first client machine, a user key permitting access to an individually encrypted sub-header of the secured item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secured item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier;
permitting access to the secure item via the first location based on success of said authenticating of the user and authenticating of the first client machine, and further based on allowability by the access rules; and
permitting access to the secure item via the first server machine based on said permitting access to the secure system via the first location permitting the user to gain access to the secure item from the first location.
6 Assignments
0 Petitions
Accused Products
Abstract
A system and method for providing access management to secured items through use of a plurality of server machines associated with different locations are disclosed. According to one embodiment, a local server can be dynamically reconfigured depending on a user'"'"'s current location. Typically, a local server services only those users that are local to the local server. When a user moves from one location to another location, upon detecting a new location of the user who has moved from a previous location, the local server for the new location can be reconfigured to add support for the user, while at the same time, the local server for the previous location is reconfigured to remove support for the user. As a result, security is enhanced while the access management can be efficiently carried out to ensure that only one access from the user is permitted at any time across an entire organization, regardless of how many locations the organization has or what access privileges the user may be granted.
698 Citations
46 Claims
-
1. A method for providing access management through use of a plurality of server machines associated with different locations, said method comprising:
-
receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine at a first location; authenticating a user of the first client machine; authenticating the first client machine; retrieving at the first server machine, based on the success of said authenticating of the user and authenticating of the first client machine, a user key permitting access to an individually encrypted sub-header of the secured item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secured item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; permitting access to the secure item via the first location based on success of said authenticating of the user and authenticating of the first client machine, and further based on allowability by the access rules; and permitting access to the secure item via the first server machine based on said permitting access to the secure system via the first location permitting the user to gain access to the secure item from the first location. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A method for providing access management through use of a distributed network of server machines, said method comprising:
-
receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine; authenticating a user of the client machine; authenticating the first client machine; upon successfully authenticating the user and authenticating the first client machine, retrieving at the first server machine a user key permitting access to an individually encrypted sub-header of the secure item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secure item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; retrieving access privileges associated with the user; determining whether the user is permitted to gain access to the secure item via the first server machine based on success of said authenticating the user and said authenticating the first client machine, and further based on allowability by the access privileges and access rules; and permitting access to the secure item via the first server machine based on said determining whether the user is permitted to gain access to the secure item via the first server machine determining that the user is permitted to gain access to the secure item via the first server machine. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
-
-
34. A computer-readable storage device having computer-executable instructions stored thereon to cause a computing device to perform a method for providing access management to secured content through use of a plurality of server machines associated with different locations, the method comprising:
-
receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine at a first location; authenticating a user of the first client machine; authenticating the first client machine; retrieving at the first server machine, based on the success of said authenticating of the user and authenticating of the first client machine, a user key permitting access to an individually encrypted sub-header of the secured item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secure item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; determining whether access to the secure item via the first location is permitted based on success of said authenticating the first client machine and the user, and further based on allowability by the access rules; permitting access to the secure item via the first server machine based on said determining that the user is permitted to gain access to the secure item from the first location; and preventing access to the secure item via the first server machine based on said determining that the user is not permitted to gain access to the secure item from the first location.
-
-
35. A computer-readable storage device having instructions stored thereon for providing access management through use of a distributed network of server machines, the instructions comprising:
-
instructions to receive, at first server machine of the plurality of server machines, an access request to access a secure item from a first client machine; instructions to authenticate a user of the client machine; instructions to authenticate the first client machine; instructions to retrieve at the first server machine, based on the success of said authenticating of the user and authenticating of the first client machine, a user key permitting access to an individually encrypted sub-header of the secured item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secure item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; instructions to retrieve access privileges associated with the user; instructions for determining whether the access to the secure item via the first server machine is permitted based on success of said instructions for authenticating the first client machine and the user, and further based on allowability by the access privileges and access rules; instructions to permit access to the secure item via the first server machine based on said computer program code for determining making a determination that the user is permitted to gain access to the secure item via the first server machine; and instructions to prevent access to the secure item via the first server machine based on said computer program code for determining making a determination that the user is not permitted to gain access to the secure item via the first server machine.
-
-
36. An access control system that restricts access to a secure item, said system comprising:
-
a central server having a server module that provides overall access control; and a plurality of local servers, each of said servers including a local module that provides local access control, wherein the access control, performed by said central server or said local servers, operates to permit or deny access requests to secured items by requestors, wherein, based on information stored in an individually encrypted sub-header of a secure item, a given requestor is permitted to access the secure item through one or more of said local servers, the information stored in the individually encrypted sub-header of the secure item comprising access rules applicable to the requestor or to a group to which the requestor belongs, and wherein the individually encrypted sub-header is selected for decryption by the given requestor from a group of one or more additional individually encrypted sub-headers corresponding to other requestors or groups to which the other requestors belong and comprising access rules applicable to the other users or groups, based on correspondence of the individually encrypted sub-header to a corresponding user or group identifier for the given requestor or to the group to which the requestor belongs. - View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44)
-
-
45. A method for providing access management through use of a plurality of server machines associated with different locations, said method comprising:
-
receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine at a first location; authenticating a user of the first client machine; authenticating the first client machine; retrieving at the first server machine, based on the success of said authenticating of the user and authenticating of the first client machine, a user key permitting access to an individually encrypted sub-header of the secured item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secured item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; permitting access to the secure item via the first location based on success of said authenticating of the user and authenticating of the first client machine, and further based on allowability by the access rules; and preventing access to the secure item via the first server machine based on said permitting access to the secure system via the first location not permitting the user to gain access to the secure item from the first location.
-
-
46. A method for providing access management through use of a distributed network of server machines, said method comprising:
-
receiving, at a first server machine of the plurality of server machines, an access request to access a secure item from a first client machine; authenticating a user of the client machine; authenticating the first client machine; upon successfully authenticating the user and authenticating the first client machine, retrieving at the first server machine a user key permitting access to an individually encrypted sub-header of the secure item, the encrypted sub-header including access rules applicable to the user or to a group to which the user belongs for the secure item, the sub-header selected, from a group of individually encrypted sub-headers corresponding to other users or groups and comprising access rules applicable to the other users or groups, based on the sub-header'"'"'s correspondence to the user or to the group to which the user belongs based on a corresponding user or group identifier; retrieving access privileges associated with the user; determining whether the user is permitted to gain access to the secure item via the first server machine based on success of said authenticating the user and said authenticating the first client machine, and further based on allowability by the access privileges and access rules; and preventing access to the secure item via the first server machine based on said determining whether the user is permitted to gain access to the secure item via the first server machine determining that the user is not permitted to gain access to the secure item via the first server machine.
-
Specification