Method for managing usage authorizations in a data processing network and a data processing network

US 8,365,263 B2
Filed: 12/30/2008
Issued: 01/29/2013
Est. Priority Date: 01/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method for managing usage authorizations in a data processing network, comprising:

allocating at least one role stored in a central authorization register to a user, upon a portable identification object of the user being read wirelessly by a login read device to log the user in at a work station of the data processing network, such that the user can execute a number of applications and functions without a further identification process;

determining, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;

accessing via a central security module, when there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;

determining whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, when determined, to the user; and

upon determining that there is not sufficient authorization granted to the allocated at least one role of the user with which the user is logged in to carry out the application-related action,determining that the user is allocated at least one further role in addition to the role with which the user is logged in,determining that the at least one further role has sufficient authorization to carry out the at least one application-related action,transferring the authorization of the at least one further role to carry out the application-related action to the role with which the user is logged in, andexecuting a security rule that allows the application-related action to be carried out without additional identification of the user,wherein when further identification of the user is necessary for the user to carry out the application-related action and more than one security rule permits execution of the application-related action, the central security module at least one of a) selects one security rule, b) displays a list of the security rules for user selection and c) proposes a security rule determined based on a prioritization.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To facilitate the work of a user with a data processing network with a number of security levels of the applications and functions to be executed, a method is proposed for managing usage authorizations in this data processing network. In at least one embodiment of the method, when a user logs in at a work station, at least one role stored in a central authorization register is allocated to the user; when an application is called up a local security module of the application determines which authorizations are granted for the role of the user; and if there is no authorization for an application-related action, a central security module accesses a central collection of security rules, the security rules indicating the circumstances, in which, when a user'"'"'s authorizations are not sufficient to carry out the application-related action, the user can still carry it out and determines whether according to at least one of the security rules a usage authority is possible for the application-related action and offers this to the user.

18 Citations

View as Search Results

15 Claims

1. A method for managing usage authorizations in a data processing network, comprising:
- allocating at least one role stored in a central authorization register to a user, upon a portable identification object of the user being read wirelessly by a login read device to log the user in at a work station of the data processing network, such that the user can execute a number of applications and functions without a further identification process;
  
  determining, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;
  
  accessing via a central security module, when there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;
  
  determining whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, when determined, to the user; and
  
  upon determining that there is not sufficient authorization granted to the allocated at least one role of the user with which the user is logged in to carry out the application-related action,determining that the user is allocated at least one further role in addition to the role with which the user is logged in,determining that the at least one further role has sufficient authorization to carry out the at least one application-related action,transferring the authorization of the at least one further role to carry out the application-related action to the role with which the user is logged in, andexecuting a security rule that allows the application-related action to be carried out without additional identification of the user,wherein when further identification of the user is necessary for the user to carry out the application-related action and more than one security rule permits execution of the application-related action, the central security module at least one of a) selects one security rule, b) displays a list of the security rules for user selection and c) proposes a security rule determined based on a prioritization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14)
- - 2. The method as claimed in claim 1, wherein the security rules are configurable.
  - 3. The method as claimed in claim 1, wherein a Radio Frequency Identification (RFID) chip is used as the identification object.
  - 4. The method as claimed in claim 1, wherein for the further identification of the user, at least one of a) a chip card is read by a card reader, b) the user is requested to input a password and c) the user is requested to input a PIN number.
  - 5. The method as claimed in claim 1, wherein when the security rules are accessed, the central security module determines which devices required for execution of the security rules are connected to the work station.
  - 6. The method as claimed in claim 1, wherein the user is automatically logged off after an inactive time period.
  - 7. The method as claimed in claim 6, wherein different time periods are defined for each of the at least one role and the at least one further role.
  - 8. The method as claimed in claim 1, wherein for the application-related action to be carried out by way of a temporary login of a further user at the work station, the further user'"'"'s role and the assigned authorizations are taken over.
  - 9. The method as claimed in claim 8, wherein after the application-related action has been carried out, the further user is automatically logged off.
  - 10. The method as claimed in claim 1, wherein after a further user logs in at the work station, roles are switched, with settings of the user being maintained.
  - 13. The method as claimed in claim 2, wherein data from a portable identification object of the user is read wirelessly by use of a login read device to log in at the work station.
  - 14. The method as claimed in claim 13, wherein an RFID chip is used as the identification object.

11. A data processing network, comprising:
- a plurality of individual devices, the data processing network configured to,allocate at least one role stored in a central authorization register to a user, upon a portable identification object of the user being read wirelessly by a login read device to log the user in at a work station of the data processing network, such that the user can execute a number of applications and functions without a further identification process;
  
  determine, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;
  
  access via a central security module, when there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;
  
  determine whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, when determined, to the user; and
  
  upon determining that there is not sufficient authorization granted to the allocated at least one role of the user with which the user is logged in to carry out the application-related action,determining that the user is allocated at least one further role in addition to the role with which the user is logged in,determining that the at least one further role has sufficient authorization to carry out the at least one application-related action,transferring the authorization of the at least one further role to carry out the application-related action to the role with which the user is logged in, andexecuting a security rule that allows the application-related action to be carried out without additional identification of the user,wherein when further identification of the user is necessary for the user to carry out the application-related action and more than one security rule permits execution of the application-related action, the central security module at least one of a) selects one security rule, b) displays a list of the security rules for user selection and c) proposes a security rule determined based on a prioritization.
- View Dependent Claims (12, 15)
- - 12. The data processing network as claimed in claim 11, wherein the plurality of individual devices are further configured to process medical engineering data, in particular image data.
  - 15. The data processing network as claimed in claim 11, wherein the plurality of individual devices are further configured to process image data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens Healthcare GMBH (Siemens AG)
Original Assignee
Siemens AG
Inventors
Dominick, Lutz, Dasch, Thomas
Primary Examiner(s)
Schwartz, Darren B

Application Number

US12/318,454
Publication Number

US 20090183228A1
Time in Patent Office

1,491 Days
Field of Search

713/150, 713164-167, 713182-186, 726 2- 10, 726 16- 21, 726 26- 30, 707/999.009, 705 50- 51, 705/57, 705/59, 705/1.1, 705/2, 705/3
US Class Current

726/7
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/105   Multiple levels of security

H04L 9/321   involving a third party or ...

H04L 9/3231   Biological data, e.g. finge...

Method for managing usage authorizations in a data processing network and a data processing network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Method for managing usage authorizations in a data processing network and a data processing network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others