Method for managing usage authorizations in a data processing network and a data processing network
First Claim
1. A method for managing usage authorizations in a data processing network, comprising:
allocating at least one role stored in a central authorization register to a user, upon a portable identification object of the user being read wirelessly by a login read device to log the user in at a work station of the data processing network, such that the user can execute a number of applications and functions without a further identification process;
determining, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user;
accessing via a central security module, when there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action;
determining whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, when determined, to the user; and
upon determining that there is not sufficient authorization granted to the allocated at least one role of the user with which the user is logged in to carry out the application-related action, determining that the user is allocated at least one further role in addition to the role with which the user is logged in, determining that the at least one further role has sufficient authorization to carry out the at least one application-related action, transferring the authorization of the at least one further role to carry out the application-related action to the role with which the user is logged in, and executing a security rule that allows the application-related action to be carried out without additional identification of the user, wherein when further identification of the user is necessary for the user to carry out the application-related action and more than one security rule permits execution of the application-related action, the central security module at least one of a) selects one security rule, b) displays a list of the security rules for user selection and c) proposes a security rule determined based on a prioritization.
Abstract
To facilitate the work of a user with a data processing network with a number of security levels of the applications and functions to be executed, a method is proposed for managing usage authorizations in this data processing network. In at least one embodiment of the method, when a user logs in at a work station, at least one role stored in a central authorization register is allocated to the user; when an application is called up a local security module of the application determines which authorizations are granted for the role of the user; and if there is no authorization for an application-related action, a central security module accesses a central collection of security rules, the security rules indicating the circumstances in which, when a user's authorizations are not sufficient to carry out the application-related action, the user can still carry it out, and determines whether according to at least one of the security rules a usage authority is possible for the application-related action and offers this to the user.
Claims (15)
1. A method for managing usage authorizations in a data processing network, comprising: (claim text identical to the First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14.
11. A data processing network, comprising:
a plurality of individual devices, the data processing network configured to, allocate at least one role stored in a central authorization register to a user, upon a portable identification object of the user being read wirelessly by a login read device to log the user in at a work station of the data processing network, such that the user can execute a number of applications and functions without a further identification process; determine, upon an application being called up and via a local security module of the application, authorizations granted for the allocated at least one role of the user; access via a central security module, when there is not sufficient authorization granted for an application-related action, a central collection of security rules indicating circumstances in which, when the granted authorizations are not sufficient to carry out the application-related action, the user can still carry out the application-related action; determine whether, according to at least one of the security rules, a usage authority is possible for the application-related action and conveying the possibility, when determined, to the user; and upon determining that there is not sufficient authorization granted to the allocated at least one role of the user with which the user is logged in to carry out the application-related action, determining that the user is allocated at least one further role in addition to the role with which the user is logged in, determining that the at least one further role has sufficient authorization to carry out the at least one application-related action, transferring the authorization of the at least one further role to carry out the application-related action to the role with which the user is logged in, and executing a security rule that allows the application-related action to be carried out without additional identification of the user, wherein when further identification of the user is necessary for the user to carry out the application-related action and more than one security rule permits execution of the application-related action, the central security module at least one of a) selects one security rule, b) displays a list of the security rules for user selection and c) proposes a security rule determined based on a prioritization.
Dependent claims: 12, 15.
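As an added worked example, not code from the patent or from any product it covers, the following Python sketches the flow that the abstract and claims 1 and 11 describe: a wireless badge read allocates one role from a central authorization register, each application's local security module checks only that role, and only on refusal does a central security module consult its collection of security rules. The first rule it tries is the one the claim spells out: if a further role held by the same user already has the authorization, that authorization is transferred to the current login and no new identification is asked for. Otherwise the permitting rules are ranked and the best one is proposed while the full list is returned for user selection. Every class name, role, action, rule and badge identifier below is constructed for the example; the patent specifies none of them.

```python
# Added example (not the patent's code): all names, roles, rules and badge data are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Session:
    user: str
    active_role: str  # the one role the user was logged in with at the work station

@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: Optional[str] = None           # security rule that grants the action, if any
    needs_identification: bool = False   # the proposed rule needs a further identification step
    candidates: Tuple[str, ...] = ()     # every permitting rule, best-ranked first, for user selection

class AuthorizationRegister:  # central authorization register: badge -> user, user -> roles held
    def __init__(self, user_by_badge: Dict[str, str], roles_by_user: Dict[str, FrozenSet[str]]):
        self._user_by_badge, self._roles_by_user = user_by_badge, roles_by_user

    def login(self, badge_id: str, role: str) -> Session:
        user = self._user_by_badge[badge_id]  # the wireless badge read is simulated by a lookup
        if role not in self._roles_by_user[user]:
            raise PermissionError(f"{user} does not hold role {role}")
        return Session(user, role)

    def roles_of(self, user: str) -> FrozenSet[str]:
        return self._roles_by_user[user]

class LocalSecurityModule:  # per-application module: authorizations of each role in this application
    def __init__(self, grants: Dict[str, FrozenSet[str]]):
        self._grants = grants
        self._transferred: Dict[Session, Set[str]] = {}  # session-scoped, never role-wide

    def role_granted(self, role: str, action: str) -> bool:
        return action in self._grants.get(role, frozenset())

    def granted(self, session: Session, action: str) -> bool:
        return (self.role_granted(session.active_role, action)
                or action in self._transferred.get(session, set()))

    def transfer(self, session: Session, from_role: str, action: str) -> None:
        # Carry one authorization of a further role over to this login session only; widening
        # the role itself would hand the right to every other holder of that role.
        if not self.role_granted(from_role, action):
            raise PermissionError(f"{from_role} holds no authorization for {action}")
        self._transferred.setdefault(session, set()).add(action)

@dataclass(frozen=True)
class SecurityRule:
    name: str
    priority: int                     # lower value is proposed first
    needs_identification: bool        # e.g. PIN entry before the action may run
    permits: Callable[[dict], bool]   # circumstances under which the rule applies

class CentralSecurityModule:  # consulted only after the local module refused; holds the rule collection
    def __init__(self, register: AuthorizationRegister, rules: Tuple[SecurityRule, ...]):
        self._register, self._rules = register, rules

    def evaluate(self, session: Session, local: LocalSecurityModule, action: str, ctx: dict) -> Decision:
        # Rule needing no further identification: another role of the same user already holds the right.
        further = self._register.roles_of(session.user) - {session.active_role}
        donors = sorted(r for r in further if local.role_granted(r, action))
        if donors:
            local.transfer(session, donors[0], action)
            return Decision(True, "further-role-transfer")
        applicable = sorted((r for r in self._rules if r.permits(ctx)),
                            key=lambda r: (r.needs_identification, r.priority))
        if not applicable:
            return Decision(False)
        names = tuple(r.name for r in applicable)
        # More than one rule may permit the action: propose the best-ranked one, list all for selection.
        return Decision(True, names[0], applicable[0].needs_identification, names)

def authorize(session: Session, local: LocalSecurityModule, central: CentralSecurityModule,
              action: str, ctx: Optional[dict] = None) -> Decision:
    if local.granted(session, action):
        return Decision(True)
    return central.evaluate(session, local, action, ctx or {})

def run_scenarios() -> Dict[str, Decision]:
    """Constructed sample data: two badge holders, two roles, one application with two actions."""
    register = AuthorizationRegister(
        {"badge-0042": "u.meier", "badge-0077": "u.roth"},
        {"u.meier": frozenset({"nurse", "shift-lead"}), "u.roth": frozenset({"nurse"})})
    local = LocalSecurityModule({"nurse": frozenset({"view"}), "shift-lead": frozenset({"view", "export"})})
    central = CentralSecurityModule(register, (
        SecurityRule("emergency-override", 2, True, lambda c: bool(c.get("emergency"))),
        SecurityRule("supervisor-countersign", 1, True, lambda c: bool(c.get("supervisor_present")))))
    meier, roth = register.login("badge-0042", "nurse"), register.login("badge-0077", "nurse")
    both = {"emergency": True, "supervisor_present": True}
    return {
        "local-grant": authorize(meier, local, central, "view"),
        "further-role": authorize(meier, local, central, "export"),
        "refused": authorize(roth, local, central, "export"),
        "two-rules": authorize(roth, local, central, "export", both),
        "roth-still-refused": authorize(roth, local, central, "export"),
    }
```

`run_scenarios()` walks the four outcomes the claim distinguishes: a plain local grant, a grant by transfer from a further role with no new identification, a refusal when no rule applies, and a case where two identification-requiring rules both permit the action, so the higher-priority one is proposed and both are listed. The last scenario is the check a reviewer of such a design should insist on: the transferred authorization is bound to the login session, so a second holder of the same role gains nothing from it.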