System and method for secure management of mobile user access to enterprise network resources
Assignments: 2 | Petitions: 0
Abstract
A system and method are provided for managing mobile user access to enterprise network resources from a wireless mobile device, such as a smart phone or mobile computer, with improved security and access control. Access rules determining accessible resources and associated permitted operations are determined based on membership of an authenticated user to each of one or more groups, each group being associated with a set of permitted accessible resources and operations. For each user, based on membership of a group, or a Boolean evaluation of memberships of two or more groups, a list of accessible resources and permitted operations is generated, and the list is made available for subsequent processes, e.g. presentation to the user on an interface of the mobile device. Access rules may also be defined dependent on other information received from the system, or from the mobile device, such as time or location. Requests for an operation such as read access or write access to a network resource, such as a file, lists, shared calendars et al., may thus be readily controlled by an IT manager for multiple users of an enterprise network. Since the application resides in an application layer between the mobile device and existing security infrastructure, mobile access may be set without overriding internal access policies.
Citations: 112

Claims (40)

1. A method for managing user access from a wireless mobile device to a plurality of network resources comprising documents and files within an enterprise network, wherein the enterprise network comprises a security infrastructure for managing internal user access from within the enterprise network according to an internal access policy, and wherein for access from a wireless mobile user device the method comprises the steps of:
- determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
- determining access rules for the user based on each group membership of the user;
- generating a list of accessible resources and associated operations for the user based on said access rules; and
- making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download, and synchronize operations.
Dependent claims: 2 to 28.

29. A client server system for managing access to a plurality of network resources comprising documents and files within an enterprise network from a wireless mobile device, wherein the enterprise network comprises a security infrastructure for managing internal user access according to internal access policies, and the client server system comprises:
a server within the enterprise network for managing wireless mobile access by performing the steps of:
- receiving identification from a user of a wireless mobile device;
- retrieving from a directory attributes of said user based on a user ID of the user;
- determining group membership of the user based on said user ID and said attributes, each group having associated therewith a set of access rules defining accessible resources and associated permitted operations for members of the group;
- resolving access rules for the user based on group membership and generating a list of accessible resources and operations for the user based on said access rules; and
- making said list available for subsequent processing comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download, and synchronize operations.
Dependent claims: 30 to 34.

35. A system comprising an access control layer for an access server managing mobile user access to network resources comprising documents and files within an enterprise network comprising processing means for performing the steps of:
- determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
- determining access rules for the user based on each group membership of the user;
- generating a list of accessible resources and associated operations for the user based on said access rules; and
- making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download, and synchronize operations.
Dependent claims: 36 to 38.

39. A non-transitory computer readable medium comprising executable program instructions for carrying out a method of managing user access to a plurality of network resources comprising documents and files within an enterprise network from a wireless mobile device, by steps comprising:
- determining group membership of a user based on a user ID and attributes of the user, each group having associated therewith a set of resources and associated operations for members of the group;
- determining access rules for the user based on each group membership of the user;
- generating a list of accessible resources and associated operations for the user based on said access rules;
- making said list available to a subsequent process for performing an operation on an accessible resource in accordance with said access rules comprising one or more of displaying and otherwise interfacing said resource to the user for one or more of read, write, execute, modify, delete, email, download, and synchronize operations.
Dependent claims: 40.
Specification