Secure user access subsystem for use in a computer information database system
First Claim
1. A system for managing a database and controlling access to computer profile data contained in the database, the system including:
- A. a group manager server that is configured toi. group a plurality of computers into a tree structure of groups and sub-groups based upon grouping criteria with each group being a node on the tree and a top node being a root;
ii. receive computer profile data uploaded from said computers, either immediately upon human command or in accordance with a profile data upload schedule, the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded;
iii. store records of the computer profile data in the database; and
iv. dynamically group the computer profile data records based on computer grouping criteria that use selected computer configuration data; and
B. a user access manager server that is configured toi. associate respective users with login groups maintained in memory wherein the login group identifies the group of computers to which the user has access to the computer profile data of such computers, and which further provides access to sub-groups from that group;
ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying system administrative features to which the associated users have access, andiii restrict, based on the login group and user type to which a given user is assigned, the access of the given user to make changes to computer profile data, and further restricts the access of the given user to the administrative features associated with the given user'"'"'s user type and to the computer profile data records stored in the database for the computers that are included in the group or groups of computer profile data records that are in the user'"'"'s login group and the computers in any sub-group of the user'"'"'s login group, wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the re-assigned computer profile data of said computer, unless the second group is a subgroup of their login group.
1 Assignment
0 Petitions
Accused Products
Abstract
A user access security subsystem of a computer information database system utilizes computer grouping criteria and user type criteria to control user access to both computer profile data and system administrative features. Computer grouping criteria determine profile data access for the respective users. User type criteria determine which administrative features are accessible to the respective users, thus what administrative authority is delegated to the users. Combining computer grouping and user type criteria restricts a given user to exercising the delegated administrative authority only with respect to the particular grouping of computers to which the user has been granted access through the associated login group. To maintain access security, a given user may grant to another only those access rights that are equal to or more restrictive than the given user'"'"'s rights. The subsystem enforces access restrictions by tailoring the user interface based on the associated login group and user type.
-
Citations
51 Claims
-
1. A system for managing a database and controlling access to computer profile data contained in the database, the system including:
-
A. a group manager server that is configured to i. group a plurality of computers into a tree structure of groups and sub-groups based upon grouping criteria with each group being a node on the tree and a top node being a root; ii. receive computer profile data uploaded from said computers, either immediately upon human command or in accordance with a profile data upload schedule, the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded; iii. store records of the computer profile data in the database; and iv. dynamically group the computer profile data records based on computer grouping criteria that use selected computer configuration data; and B. a user access manager server that is configured to i. associate respective users with login groups maintained in memory wherein the login group identifies the group of computers to which the user has access to the computer profile data of such computers, and which further provides access to sub-groups from that group; ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying system administrative features to which the associated users have access, and iii restrict, based on the login group and user type to which a given user is assigned, the access of the given user to make changes to computer profile data, and further restricts the access of the given user to the administrative features associated with the given user'"'"'s user type and to the computer profile data records stored in the database for the computers that are included in the group or groups of computer profile data records that are in the user'"'"'s login group and the computers in any sub-group of the user'"'"'s login group, wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the re-assigned computer profile data of said computer, unless the second group is a subgroup of their login group. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A method for managing a database and controlling access to computer profile data contained in the database, the method including:
-
A. grouping a plurality of computers into a tree structure of groups and sub-groups based on grouping criteria, with each computer being a node on the tree and a top node begin a root; B. receiving computer profile data uploaded from computers, either immediately upon human command or in accordance with a profile data upload schedule the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded; C. storing records of the computer profile data in the database; D. dynamically grouping the computer profile data records based on computer profile grouping criteria that use selected computer configuration data; E. associating respective users with login groups wherein the login group identifies the group of computers for which the user has access to computer profile data of such computers, which further provides access to all sub-groups from the group to which the user has access; F. associating the respective users with user types that correspond to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying the system administrative features to which the associated users have access; and G. restricting the access of a given user from making changes to computer profile data, and further restricts the access of the given user to only the administrative features associated with the given user'"'"'s user type and the computer profile data of only computers that are included in the group of computers that are in the user'"'"'s login group and the computers that are in sub-group of the user'"'"'s login group, wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically moved to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the moved computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the computer profile data of said moved computer, unless the second group is a subgroup of their login group. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
-
-
39. A user access manager server that controls access to computer profile data records contained in a database, the data being provided by computers and, the profile data records being grouped in accordance with computer grouping criteria using selected computer configuration data that are part of the computer profile data received from the computers, the server being configured to:
-
i. associate respective users with login groups maintained in memory, a given login group identifying the group of computers for which the user has access to the computer profile data, the login group including sub-groups thereof, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data are uploaded; ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features and specifying the system administrative features to which the associated users have access, iii. restrict access of a given user based on the login group and the user type to which the user is associated to prevent the given user from making changes to computer profile data, and further restricting the access of the given user to only the administrative features associated with the given user'"'"'s user type and the computer profile data of only computers that are included in the group of computers that are identified as being in the user'"'"'s login group and the computers that are in a sub-group thereof, and wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user types, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the computer profile data of said re-assigned computer, unless the second group is a subgroup of their login group. - View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
-
Specification