Role-based access control utilizing token profiles having predefined roles

US 8,387,137 B2
Filed: 01/05/2010
Issued: 02/26/2013
Est. Priority Date: 01/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

assigning a token processing system (TPS) client a token profile for a group comprising a plurality of tokens, the token profile stored in a profile data structure, wherein the token profile specifies at least one of a plurality of predefined roles for the TPS client, and wherein each of the plurality of predefined roles is associated with predefined access to entries of a token database;

receiving, by a TPS executing on a computing system, a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, wherein the TPS is configured to communicate with the token database and configured to communicate over the network with one or more additional clients each having at least one of the plurality of tokens; and

allowing the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing role-based access control of token data using token profiles having predefined roles is described. In one method, a token processing system (TPS) assigns a TPS client a token profile for a group of multiple tokens, the token profile being stored in a profile data structure. The token profile specifies at least one of multiple predefined roles for the TPS client, each role associated with predefined access to entries of a token database. The TPS receives a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, and allows the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.

Citations

24 Claims

1. A method comprising:
- assigning a token processing system (TPS) client a token profile for a group comprising a plurality of tokens, the token profile stored in a profile data structure, wherein the token profile specifies at least one of a plurality of predefined roles for the TPS client, and wherein each of the plurality of predefined roles is associated with predefined access to entries of a token database;
  
  receiving, by a TPS executing on a computing system, a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, wherein the TPS is configured to communicate with the token database and configured to communicate over the network with one or more additional clients each having at least one of the plurality of tokens; and
  
  allowing the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the plurality of predefined roles comprise an operator role, an agent role, and an administrator role, wherein the predefined access of the operator role allows the TPS client to have read-only permissions to view token-related entries of the group, wherein the predefined access of the agent role allows the TPS client to have read and write permissions to view and modify the token-related entries of the group, and wherein the predefined access of the administrator role allows the TPS client to have read-only permissions to view the token-related entries of the group, permissions to add a token to the plurality of tokens of the group, permissions to delete a token from the plurality of tokens of the group, and permissions to add, modify, and delete one or more other TPS clients associated with the group.
  - 3. The method of claim 2, wherein the predefined access of the operator role further allows the TPS client to have read-only permissions to view and search token data of each of each of the plurality of tokens of the group, certificates associated with the plurality of tokens of the group, and activities for the plurality of tokens of the group, and wherein the predefined access of the agent role further allows the TPS client to have read and write permissions to view, search, and modify the token data, the certificates, and the activities.
  - 4. The method of claim 1, further comprising:
    - receiving a request from the TPS client to perform the operation, wherein the operation is to search or view all, some, or one of the following;
      
      token data of the plurality of tokens, certificates associated with the plurality of tokens, and activities associated with the plurality of tokens;
      
      determining the predefined role of the TPS client using the token profile to determine role-based access to the token data, certificates, and activities; and
      
      when the TPS client is determined to be one of an operator, an agent, or an administrator of the group, permitting access to allow the searching or viewing.
  - 5. The method of claim 1, further comprising:
    - receiving a request from the TPS client to perform the operation, wherein the operation is to modify all, some, or one of the following as the operation;
      
      token data of the plurality of tokens, certificates associated with the plurality of tokens, and activities associated with the plurality of tokens;
      
      determining the predefined role of the TPS client using the token profile to determine role-based access to the token data, certificates, and activities;
      
      when the TPS client is determined to be one of an operator or an administrator of the group, prohibiting access to allow the modifying; and
      
      when the TPS client is determined to be an agent, permitting access to allow the modifying.
  - 6. The method of claim 1, further comprising:
    - receiving a request from the TPS client to perform the operation, wherein the operation is to modify all, some, or one of the entries corresponding to the plurality of tokens of the group;
      
      determining the predefined role of the TPS client using the token profile to determine role-based access to the entries;
      
      when the TPS client is determined to be one of an operator or an administrator of the group, prohibiting access to allow the modifying; and
      
      when the TPS client is determined to be an agent of the group, permitting access to allow the modifying.
  - 7. The method of claim 6, wherein the request from the TPS client to modify comprises at least one of the following:
    - a request to modify token data in token-related entries corresponding to one or more of the plurality of tokens;
      
      a request to change a token status of one or more tokens in the token-related entries corresponding to one or more of the plurality of tokens; and
      
      a request to set one or more policies for one or more of the plurality of tokens in the token-related entries.
  - 8. The method of claim 1, further comprising:
    - receiving a request from the TPS client to perform the operation, wherein the operation is to delete a token from or add a token to the plurality of tokens;
      
      determining the predefined role of the TPS client using the token profile to determine role-based access to the group;
      
      when the TPS client is determined to be one of an operator or an agent of the group, prohibiting access to allow the deleting or adding; and
      
      when the TPS client is determined to be an administrator of the group, permitting access to allow the deleting or adding.
  - 9. The method of claim 1, further comprising:
    - receiving a request from the TPS client to perform the operation, wherein the operation is to create another TPS client or to modify another TPS client associated with the group;
      
      determining the predefined role of the TPS client using the token profile to determine role-based access to the group;
      
      when the TPS client is determined to be one of an operator or an agent of the group, prohibiting access to allow the creating or modifying; and
      
      when the TPS client is determined to be an administrator of the group, permitting access to allow the creating or modifying.
  - 10. The method of claim 1, further comprising assigning each of the plurality of tokens to the group based on a characteristic of each of the plurality of tokens.
  - 11. The method of claim 1, further comprising assigning a set of identification numbers to the group, wherein each of the set of identification numbers corresponding to one of the plurality of tokens.
  - 12. The method of claim 1, further comprising assigning the plurality of tokens to the group based on a range of card unique identifiers (CUIDs), each CUID corresponding to one of the plurality of tokens.
  - 13. The method of claim 1, further comprising assigning the plurality of tokens to the group based an Answer-to-Reset (ATR) manufacturing identifier for a batch of tokens.
  - 14. The method of claim 1, further comprising assigning the plurality of tokens to the group by adding a group identifier (ID) attribute to each token-related entries corresponding to the plurality of tokens of the group.
  - 15. The method of claim 1, further comprising assigning the plurality of tokens to the group by adding a token profile identifier (ID) attribute to each token-related entries of the plurality of tokens of the group, and wherein assigning the TPS client the token profile comprises adding an auxiliary class with a multi-value attribute that can be attached to a user-related entry in the token database corresponding to the TPS client.
  - 16. The method of claim 15, further comprising, when requested by the TPS client, listing the token-related entries of the token database for which the token profile ID of the TPS client matches a set of token profile IDs permitted by the group.
  - 17. The method of claim 1, wherein the profile data structure is a profile table, and the token profiles are stored as profile records in the profile table.

18. A certificate system, comprising:
- a data storage device to store a token profile assigned to a user, wherein the token profile corresponds to a group comprising a plurality of tokens, the token profile stored in a profile data structure, wherein the token profile specifies at least one of a plurality of predefined roles for the user, and wherein each of the plurality of predefined roles is associated with predefined access to entries of a token database; and
  
  a first server, comprising a token processing system (TPS), coupled to the data storage device, wherein the TPS is configured to receive a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, wherein the TPS is configured to communicate over the network with one or more additional clients each having at least one of the plurality of tokens, and wherein the TPS is configured to allow the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to a group identified by the token profile.
- View Dependent Claims (19, 20, 21)
- - 19. The certificate system of claim 18, further comprising a Lightweight Directory Access Protocol (LDAP) directory server coupled to the first server, wherein the LDAP directory server is configured to manage the entries of the token database as LDAP entries stored in a LDAP repository, and wherein the TPS is configured to manage role-based access control of the LDAP entries using the token profile and the predefined role assigned to the TPS client.
  - 20. The certificate system of claim 18, wherein the TPS comprises a role-based access control module that comprises a token database access manager coupled to the data storage device to access the token profile assigned to the TPS client to determine a role-based access of the TPS client to the entries of the token database stored in the data storage device, and wherein the token database access manager is coupled to receive a request from the TPS client via an interface to access the entries and to control access to the entries based on the role-based access of the TPS client.
  - 21. The certificate system of claim 18, wherein the token profiles are stored as profile records in a profile table.

22. A non-transitory machine-readable storage medium having instructions, which when executed, cause a computing system to perform a method, the method comprising:
- assigning a token processing system (TPS) client a token profile for a group comprising a plurality of tokens, the token profile stored in a profile data structure, wherein the token profile specifies at least one of a plurality of predefined roles for the TPS client, and wherein each of the plurality of predefined roles is associated with predefined access to entries of a token database;
  
  receiving, by a TPS executing on the computing system, a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, wherein the TPS is configured to communicate with the token database and configured to communicate over the network with one or more additional clients each having at least one of the plurality of tokens; and
  
  allowing the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.
- View Dependent Claims (23, 24)
- - 23. The non-transitory machine-readable storage medium of claim 22, wherein the plurality of predefined roles comprises an operator role, an agent role, and an administrator role, wherein the predefined access of the operator role allows the TPS client to view and search any token-related entries of the token database associated with the group, but not modify any of the token-related entries, wherein the predefined access of the agent role allows the TPS client to view, search, and modify any of the token-related entries, and wherein the predefined access of the administrator role allows the TPS client to view and search any of the token-related entries and view, search, and modify any -event entries of the token database associated with the group.
  - 24. The non-transitory machine-readable storage medium of claim 22, wherein the profile data structure is a profile table, and the token profiles are stored as profile records in the profile table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Lee, Ade, Fu, Christina
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US12/652,690
Publication Number

US 20110167483A1
Time in Patent Office

1,148 Days
Field of Search

726/28, 726/20
US Class Current

726/20
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

Role-based access control utilizing token profiles having predefined roles

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access control utilizing token profiles having predefined roles

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links