Enterprise security management system using hierarchical organization and multiple ownership structure
First Claim
1. A method comprising the steps of:
(a) providing at least one table of network resource access rules and access privileges, by assigning a user identifier and password to a network user;
assigning a group identifier to the network user;
specifying a parent group identifier for the group assigned to the network user, the parent group identifier identifying a parent group containing one or more superior network users;
storing the user identifier, password, and group identifier information for the network user in a network user descriptor table;
storing the group identifier and parent group identifier information in a group descriptor table for each group in the enterprise; and
establishing a hierarchical relationship in the group descriptor table among the groups based on the group and parent group identifier information such that members of a parent group inherit all access rights and privileges of at least the child group, and grandchild group, if any;
(b) making a network resource with a label available on the network;
(c) upon request for access to the network resource by the network user, determining whether the network user should be granted access to the network resource by comparing the network user identification data with the at least one table of access rules and access privileges including the network user's inherited access rights and privileges under a relevant sub-tree of the hierarchy of groups, and with the network resource label;
(d) when access to the network resource is granted to the network user, determining which privileges the network user is given relative to the network resource in response to the access request by comparing the network user identification data with the at least one table of access rules and access privileges including the network user's inherited access rights and privileges under a relevant sub-tree of the hierarchy of groups, and with the network resource label; and
(e) providing the network user qualified in step (c) with the requested network resource according to the access privileges determined in the privilege determining step (d).
Abstract
A hierarchical security model for networked computer users is described. Files and resources are controlled or created by users within the network. Each user within the network has an account that is managed by a network administrator. The account specifies the user identifier and password. Users are grouped into organizations depending upon function or other organizational parameter. The groups within the network are organized hierarchically in terms of access and control privileges. Users within a higher level group may exercise access and control privileges over files or resources owned by users in a lower level group. The account for each user further specifies the group that the owner belongs to and an identifier for any higher level groups that have access privileges over the user's group. All users within a group inherit the rights and restrictions of the group.
15 Claims
1. A method comprising the steps of (a) to (e) as reproduced in full under First Claim above. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. A method comprising:
(a) providing a network user account for a network user on a network, the account associated with a user ID and user password, with a network user group and a parent network user group, the parent network user group inheriting all of the access rights and access privileges of at least the child network user groups, if any; (b) associating network resource access rights and network resource access privileges with the network user account based upon the user ID and user password, upon the network user group and upon the child network user group, directly or indirectly; (c) making a network resource with label available on the network; (d) requesting access to the network resource with label available on the network; (e) determining a response to the request for access to the network resource by comparing the label associated with the network resource to the access rights associated with that user account;
in the event that access is grantable in response to the request, determining the access privileges associated with the user account relative to the network resource with label; and
(f) providing access to the network resource to a network user qualified in accordance with step (e) with the access privileges determined in step (f). - View Dependent Claims (10, 11, 12, 13, 14, 15)
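As an added illustration of claims 1 and 9 (example code written for this page, not code from the patent or from any product), a minimal Python model of the claimed tables: a group descriptor table with parent links, a network user descriptor table, and the access decision of steps (c) to (e) computed over the sub-tree below the user's group. The group names, resource labels, rules and the salted-hash password storage are constructed assumptions; the loop check on the parent chain guards against a misconfigured group table.

```python
import hashlib, hmac, os
# Group descriptor table: group_id -> parent_group_id (None at the top of the
# enterprise). Constructed sample: corp > eng > eng-backend, and corp > sales.
GROUP_TABLE = {"corp": None, "eng": "corp", "eng-backend": "eng", "sales": "corp"}
# Access rules: (group_id, resource label) -> privileges granted to that group.
ACCESS_RULES = {("eng-backend", "svc-db"): {"read"},
                ("eng", "svc-db"): {"read", "write"},
                ("sales", "crm"): {"read"}}
# Network user descriptor table: user_id -> (salt, password hash, group_id).
USER_TABLE = {}

def _hash_password(password, salt):
    # The claim stores the password itself; a salted PBKDF2 hash is kept instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(user_id, password, group_id):
    salt = os.urandom(16)
    USER_TABLE[user_id] = (salt, _hash_password(password, salt), group_id)

def authenticate(user_id, password):
    entry = USER_TABLE.get(user_id)
    if entry is None:
        return False
    return hmac.compare_digest(entry[1], _hash_password(password, entry[0]))

def ancestors(group_id):
    """group_id plus every parent above it; refuses a cyclic group table."""
    chain = []
    while group_id is not None:
        if group_id in chain:
            raise ValueError("cycle in group descriptor table")
        chain.append(group_id)
        group_id = GROUP_TABLE[group_id]
    return chain

def subtree(group_id):
    """Every group at or below group_id: the sub-tree whose rights it inherits."""
    return {g for g in GROUP_TABLE if group_id in ancestors(g)}

def privileges(user_id, label):
    """Steps (c)/(d): union of the rules for the user's group and its descendants."""
    privs = set()
    for g in subtree(USER_TABLE[user_id][2]):
        privs |= ACCESS_RULES.get((g, label), set())
    return privs

def request_access(user_id, password, label):
    """Step (e): the privilege set when access is granted, None when it is denied."""
    if not authenticate(user_id, password):
        return None
    return privileges(user_id, label) or None
```

A member of a parent group ends up with the union of every descendant group's rules, which is exactly why the group table must be reviewed like a privilege grant: adding a child group silently widens what every ancestor can do.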
Specification