Domain aware time-based logins

US 8,375,439 B2
Filed: 04/29/2011
Issued: 02/12/2013
Est. Priority Date: 04/29/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

determining, in an operating system instance, that a first login access is being attempted by a first user at a first access time on an object and that a second login access is being attempted by a second user at a second access time on the object;

determining a first domain identifier associated with the first user and a second domain identifier associated with the second user, wherein the first domain identifier identifies a first domain and the second domain identifier identifies a second domain, the first and second domains respectively representing a first organizational entity and a second organization entity of a plurality of domains representing a plurality of organizational entities;

accessing a set of one or more domain identifiers associated with the object, wherein the set identifies one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;

accessing one or more domain isolation rules associated with the operating system instance for permitting an attempted login access to the object during at least a first time period of a plurality of time periods by one or more domains based on whether a domain identifier associated with the first user is one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period;

evaluating the one or more domain isolation rules to determine whether the first login access is permitted on the object at the first access time;

returning a permit indication that the first login access is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object at the first access time and if the first access time is during the first time period, andreturning a deny indication that the first login access is not permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object at the first access time and if the first access time is during a second time period different from the first time period and the first domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period;

evaluating the one or more domain isolation rules to determine whether the second login access is permitted on the object at the second access time;

returning the permit indication for the second user if the second access time is during the second time period and the second domain identifier is one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period, andreturning the deny indication if the second access time is during the first time period and the second domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may comprise determining, in an operating system instance, that a login access is being attempted by a user at an access time on an object. A domain identifier associated with the user may be determined. A set of one or more domain identifiers may be accessed that may be associated with the object and that identify one or more domains. One or more domain isolation rules may be accessed and evaluated that may be associated with the operating system instance for permitting an attempted login access to the object based on whether a domain identifier associated with the user is one of the domain identifiers in the set of domain identifiers associated with the object for during a time period. A permit or deny indication may be returned based on whether or not login access is permitted on the object at the access time.

50 Citations

View as Search Results

25 Claims

1. A method comprising:
- determining, in an operating system instance, that a first login access is being attempted by a first user at a first access time on an object and that a second login access is being attempted by a second user at a second access time on the object;
  
  determining a first domain identifier associated with the first user and a second domain identifier associated with the second user, wherein the first domain identifier identifies a first domain and the second domain identifier identifies a second domain, the first and second domains respectively representing a first organizational entity and a second organization entity of a plurality of domains representing a plurality of organizational entities;
  
  accessing a set of one or more domain identifiers associated with the object, wherein the set identifies one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  
  accessing one or more domain isolation rules associated with the operating system instance for permitting an attempted login access to the object during at least a first time period of a plurality of time periods by one or more domains based on whether a domain identifier associated with the first user is one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period;
  
  evaluating the one or more domain isolation rules to determine whether the first login access is permitted on the object at the first access time;
  
  returning a permit indication that the first login access is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object at the first access time and if the first access time is during the first time period, andreturning a deny indication that the first login access is not permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object at the first access time and if the first access time is during a second time period different from the first time period and the first domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period;
  
  evaluating the one or more domain isolation rules to determine whether the second login access is permitted on the object at the second access time;
  
  returning the permit indication for the second user if the second access time is during the second time period and the second domain identifier is one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period, andreturning the deny indication if the second access time is during the first time period and the second domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the object comprises at least one of a workload partition and a logical partition running the operating system instance.
  - 3. The method of claim 1, wherein the domain isolation rules are stored in a kernel of the operating system instance.
  - 4. The method of claim 1, wherein said determining the first domain identifier associated with the first user further comprises determining that the first domain identifier is indicated in user data that represents a user account logged into a computer system that hosts the operating system instance.
  - 5. The method of claim 1, further comprising accessing a policy database that has a mapping of accounts of users permitted to log into a computer system hosting the operating system instance with the associated domain identifiers of each user and the associated time periods of the plurality of time periods of each domain identifier.
  - 6. The method of claim 5, further comprising dynamically assigning domains to the accounts of users to different ones of the domains at different ones of the plurality of time periods based on login time entitlement rules in the policy database.
  - 7. The method of claim 1, wherein one or more attributes of the domains in the set of domains are stored in a kernel of the operating system instance.
  - 8. The method of claim 7, further comprising retrieving the one or more attributes from the kernel of the operating system instance for validations of users logging into the system.
  - 9. The method of claim 1, wherein the number of users logging into a computer system hosting the operating system instance is limited based on the domain isolation rules containing the mapping across one or more users, one or more domains, and one or more time periods.
  - 10. The method of claim 1, wherein the object is a file system, a file, a disk, a hardware component, or a software component on which timed access can be applied such that the first user gains access to the object after the first user logs into a computer system hosting the operating system instance.
  - 11. The method of claim 1, wherein the first user is also associated with a second domain identifier that identifies a second domain of the plurality of domains representing a second organizational entity of the plurality of organizational entities, and further comprising:
    - returning a permit indication that the first login access is permitted on the object if the first access time is during the first time period, and the domain isolation rules indicate that the first domain identifier is permitted for the object during the first time period; and
      
      returning a permit indication that the first login access is permitted on the object if the first access time is during a second time period different from the first time period, and the domain isolation rules indicate that the second domain identifier is permitted for the object during the second time period.
  - 12. The method of claim 11, wherein the domain isolation rules are stored in a kernel of the operating system instance.

13. A method comprising:
- determining, in an operating system instance, that a first login access is being attempted by a first user at a first access time on an object;
  
  determining a first domain identifier associated with the first user, wherein the first domain identifier identifies a first domain representing a first organizational entity of a plurality of domains representing a plurality of organizational entities;
  
  accessing a set of one or more domain identifiers associated with the object, wherein the set identifies one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  
  accessing one or more domain isolation rules associated with the operating system instance for permitting an attempted login access to the object during at least a first time period of a plurality of time periods by one or more domains based on whether a domain identifier associated with the first user is one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period;
  
  evaluating the one or more domain isolation rules to determine whether the first login access is permitted on the object at the first access time;
  
  returning a permit indication that the first login access is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object at the first access time; and
  
  returning a deny indication that the first login access is not permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object at the first access time;
  
  wherein the first user is also associated with a second domain identifier that identifies a second domain of the plurality of domains representing a second organizational entity of the plurality of organizational entities and,returning a permit indication that the first login access is permitted on the object if the first access time is during the first time period, and the domain isolation rules indicate that the first domain identifier is permitted for the object during the first time period; and
  
  returning a permit indication that the first login access is permitted on the object if the first access time is during a second time period different from the first time period, and the domain isolation rules indicate that the second domain identifier is permitted for the object during the second time period.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising returning a deny indication if the first access time is at a time not during the first and second time periods.
  - 15. The method of claim 13, wherein the domain isolation rules are stored in a kernel of the operating system instance.
  - 16. The method of claim 13, determining, in the operating system instance, that a second login access is being attempted on the object at a second access time by a second user associated with a second domain identifier of the plurality of domain identifiers representing a second organizational entity of the plurality of organizational entities;
    - returning the permit indication for the second user if the second access time is during the second time period and the second domain identifier is one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period; and
      
      returning the deny indication if the second access time is during the first time period and the second domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the first time period.

17. A system for determining login access, comprising:
- a processing device;
  
  a memory; and
  
  a records display program including a plurality of instructions stored in the memory that, in response to selection of an attribute, are executed by the processing device to;
  
  determine, in an operating system instance, that a login access is being attempted by a user at an access time on an object,determine, in an operating system instance, that a second login access is being attempted by a second user at a second access time on the object,determine a domain identifier associated with the user, wherein the domain identifier identifies a domain representing an organizational entity of a plurality of domains representing a plurality of organizational entities,determine a second domain identifier associated with the second user, wherein the second domain identifier identifies a second domain representing a second organizational entity of the plurality of domains representing the plurality of organizational entities,access a set of one or more domain identifiers associated with the object, wherein the set identifies one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities,access one or more domain isolation rules associated with the operating system instance for permitting an attempted login access to the object during a time period of a plurality of time periods by one or more domains based on whether the domain identifier associated with the user is one of the domain identifiers in the set of domain identifiers associated with the object for during the time period,evaluate the one or more domain isolation rules to determine whether the login access attempted by the user is permitted on the object at the access time,return a permit indication that the login access is permitted on the object if the domain isolation rules indicate that the domain identifier represents a domain that is permitted for the object at the access time and if the access time is during the time period, andreturn a deny indication that the login access is not permitted on the object if the domain isolation rules indicate that the domain identifier represents a domain that is not permitted for the object at the access time and if the access time is during a second time period different from the time period and the domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period;
  
  evaluate the one or more domain isolation rules to determine whether the second login access is permitted on the object at the second access time;
  
  return the permit indication for the second user if the second access time is during the second time period and the second domain identifier is one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period, andreturn the deny indication if the second access time is during the time period and the second domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the time period.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the object comprises at least one of a workload partition and a logical partition running an operating system instance.
  - 19. The system of claim 17, wherein the domain isolation rules and one or more attributes of the set of domains are stored in a kernel of the operating system instance.
  - 20. The system of claim 19, wherein the instructions include for retrieval of the one or more attributes of the set of domains from the kernel of the operating system instance for validations of users logging into the system.

21. A computer program product for determining login access, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by a computer device to;
  
  determine, by the computer device, in an operating system instance, that a login access is being attempted by a user at an access time on an object,determine by the computer device a domain identifier associated with the user, wherein the domain identifier identifies a domain representing an organizational entity of a plurality of domains representing a plurality of organizational entities,access by the computer device a set of one or more domain identifiers associated with the object, wherein the set identifies one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities,access by the computer device one or more domain isolation rules associated with the operating system instance for permitting an attempted login access to the object during a time period of a plurality of time periods by one or more domains based on whether the domain identifier associated with the user is one of the domain identifiers in the set of domain identifiers associated with the object for during the time period,evaluate by the computer device the one or more domain isolation rules to determine whether the login access attempted by the user is permitted on the object at the access time,return by the computer device a permit indication that the login access is permitted on the object if the domain isolation rules indicate that the domain identifier represents a domain that is permitted for the object at the access time, andreturn by the computer device a deny indication that the login access is not permitted on the object if the domain isolation rules indicate that the domain identifier represents a domain that is not permitted for the object at the access time,wherein the user is also associated with a second domain identifier that identifies a second domain of the plurality of domains representing a second organizational entity of the plurality of organizational entities, andreturn by the computer device a permit indication that the login access is permitted on the object if the access time is during the time period, and the domain isolation rules indicate that the domain identifier is permitted for the object during the time period; and
  
  return by the computer device a permit indication that the first login access is permitted on the object if the access time is during a second time period different from the time period, and the domain isolation rules indicate that the second domain identifier is permitted for the object during the second time period.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer program product of claim 21, wherein the computer readable program code is further executable by the computer device to dynamically assign by the computer device domains to the accounts of users to different ones of the domains at different ones of the plurality of time periods based on login time permission rules in a policy database.
  - 23. The computer program product of claim 21, wherein the domain isolation rules and one or more attributes of the set of domains are stored in a kernel of the operating system instance.
  - 24. The computer program product of claim 23, wherein the computer readable program code is further executable by the computer device to retrieve by the computer device the one or more attributes of the set of domains from the kernel of the operating system instance for validations of users logging into the system.
  - 25. The computer program product of claim 21, wherein the computer readable program code is further configured to:
    - determine, by the computer device, in the operating system instance, that a second login access is being attempted on the object at a second access time by a second user associated with a second domain identifier of the plurality of domain identifiers representing a second organizational entity of the plurality of organizational entities;
      
      return by the computer device the permit indication for the second user if the second access time is during the second time period and the second domain identifier is one of the domain identifiers in the set of domain identifiers associated with the object for during the second time period; and
      
      return by the computer device the deny indication if the second access time is during the time period and the second domain identifier is not one of the domain identifiers in the set of domain identifiers associated with the object for during the time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mann, Vijay, Vidya, Ranganathan
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/098,328
Publication Number

US 20120278881A1
Time in Patent Office

655 Days
Field of Search

726/17, 713/151
US Class Current

726/17
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

Domain aware time-based logins

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Domain aware time-based logins

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links