System and method of controlling access to information in a virtual computing environment

US 8,510,806 B2
Filed: 10/22/2009
Issued: 08/13/2013
Est. Priority Date: 10/22/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling access to information in a virtual computing environment comprising:

storing authorization data on a first client computer system, wherein the authorization data comprises a public key certificate and an attribute certificate for a user of a plurality of users;

accessing virtual computing software from the first client computer system;

accessing a virtual object in the virtual computing software in response to instructions received from the first client computer system;

sending the authorization data from the first client computer system to a second computer system, wherein the authorization data specifies access rights on the second computer system;

accessing the second computer system using the authorization data and determining access rights to data related to accessing the virtual object on the second computer system based on said authorization data; and

determining authorization rights in the virtual computing software based on the public key certificate and the attribute certificate of the user, wherein different attribute certificates are issued to different users based on a location of a virtual object in a hierarchically organized virtual space, and wherein the virtual object is located in the hierarchically organized virtual space, including;

granting the user access to a first portion of the data according to the access rights of the user according to the authorization data, anddenying the user access to the data other than the first portion according to the access rights of the user according to the authorization data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment the present invention includes a computer-implemented method comprising storing authorization data on a first client computer system, accessing virtual computing software from the first client computer system, accessing a virtual object in the virtual computing software in response to instructions received from the first client computer system, sending the authorization data from the first client computer system to a second computer system, wherein the authorization data specifies access rights on the second computer system, and accessing the second computer system using the authorization data and determining access rights on the second computer system based on said authorization data.

Citations

19 Claims

1. A computer-implemented method of controlling access to information in a virtual computing environment comprising:
- storing authorization data on a first client computer system, wherein the authorization data comprises a public key certificate and an attribute certificate for a user of a plurality of users;
  
  accessing virtual computing software from the first client computer system;
  
  accessing a virtual object in the virtual computing software in response to instructions received from the first client computer system;
  
  sending the authorization data from the first client computer system to a second computer system, wherein the authorization data specifies access rights on the second computer system;
  
  accessing the second computer system using the authorization data and determining access rights to data related to accessing the virtual object on the second computer system based on said authorization data; and
  
  determining authorization rights in the virtual computing software based on the public key certificate and the attribute certificate of the user, wherein different attribute certificates are issued to different users based on a location of a virtual object in a hierarchically organized virtual space, and wherein the virtual object is located in the hierarchically organized virtual space, including;
  
  granting the user access to a first portion of the data according to the access rights of the user according to the authorization data, anddenying the user access to the data other than the first portion according to the access rights of the user according to the authorization data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the authorization data is sent to the second computer system without being received by the virtual computing software.
  - 3. The method of claim 1 wherein the authorization data is sent based on a first location of the virtual object and a second location of a virtual representation of a user in the virtual computing software.
  - 4. The method of claim 3 wherein the authorization data is sent if the virtual object and the virtual representation of the user are both in a predefined space in the virtual computing software.
  - 5. The method of claim 3 wherein the authorization data is sent if a personal space associated with the virtual representation of the user encompasses the virtual object in the virtual computing software.
  - 6. The method of claim 1 wherein the authorization data is sent based on authorization rights for a user in the virtual computing software that are associated with a particular virtual space in the virtual computing software.
  - 7. The method of claim 6 wherein the authorization data is sent if a virtual representation of the user has associated authorization rights in the virtual computing software to enter a particular virtual space and if the virtual object is in the particular virtual space.
  - 8. The method of claim 6 wherein the authorization data is sent if authorization rights associated with a first personal space for a first virtual representation of the user allow a second virtual representation of a second user to enter the first personal space.
  - 9. The method of claim 1 further comprising sending the attribute certificate to a certificate authority, wherein the certificate authority authorizes users to enter virtual spaces in the hierarchically organized virtual space to access virtual objects.

10. A non-transitory computer-readable medium containing instructions for controlling a computer system to execute processing comprising:
- storing authorization data on a first client computer system, wherein the authorization data comprises a public key certificate and an attribute certificate for a user of a plurality of users;
  
  accessing virtual computing software from the first client computer system;
  
  accessing a virtual object in the virtual computing software in response to instructions received from the first client computer system;
  
  sending the authorization data from the first client computer system to a second computer system, wherein the authorization data specifies access rights on the second computer system; and
  
  accessing the second computer system using the authorization data and determining access rights to data related to accessing the virtual object on the second computer system based on said authorization data; and
  
  determining authorization rights in the virtual computing software based on the public key certificate and the attribute certificate of the user, wherein different attribute certificates are issued to different users based on a location of a virtual object in a hierarchically organized virtual space, and wherein the virtual object is located in the hierarchically organized virtual space, including;
  
  granting the user access to a first portion of the data according to the access rights of the user according to the authorization data, anddenying the user access to the data other than the first portion according to the access rights of the user according to the authorization data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable medium of claim 10 wherein the authorization data is sent to the second computer system without being received by the virtual computing software.
  - 12. The non-transitory computer-readable medium of claim 10 wherein the authorization data is sent based on a first location of the virtual object and a second location of a virtual representation of a user in the virtual computing software.
  - 13. The non-transitory computer-readable medium of claim 12 wherein the authorization data is sent if the virtual object and the virtual representation of the user are both in a predefined virtual space in the virtual computing software.
  - 14. The non-transitory computer-readable medium of claim 12 wherein the authorization data is sent if a personal space associated with the virtual representation of the user encompasses the virtual object in the virtual computing software.
  - 15. The non-transitory computer-readable medium of claim 10 wherein the authorization data is sent based on authorization rights for a user in the virtual computing software that are associated with a particular virtual space in the virtual computing software.
  - 16. The non-transitory computer-readable medium of claim 15 wherein the authorization data is sent if a virtual representation of the user has associated authorization rights in the virtual computing software to enter a particular virtual space and if the virtual object is in the particular virtual space.
  - 17. The non-transitory computer-readable medium of claim 15 wherein the authorization data is sent if authorization rights associated with a first personal space for a first virtual representation of the user allow a second virtual representation of a second user to enter the first personal space.
  - 18. The non-transitory computer-readable medium of claim 10 further comprising sending the attribute certificate to a certificate authority, wherein the certificate authority authorizes users to enter virtual spaces in the hierarchically organized virtual space to access virtual objects.

19. A system for controlling access to information in a virtual computing environment, comprising:
- a first client computer system that is configured to store authorization data and to communicate with a first computer system and a second computer system, wherein the authorization data comprises a public key certificate and an attribute certificate for a user of a plurality of users, wherein the first computer system is configured to execute virtual computing software to implement the virtual computing environment, and wherein the second computer system is configured to store data,wherein the first client computer system is further configured to access the virtual computing software, to access a virtual object in the virtual computing software, and to send the authorization data from the first client computer system to the second computer system, wherein the authorization data specifies access rights on the second computer system,wherein the first client computer system is further configured to access the second computer system using the authorization data, wherein the second computer system is configured to determine access rights to data related to accessing the virtual object on the second computer system based on said authorization data, wherein different attribute certificates are issued to different users based on a location of a virtual object in a hierarchically organized virtual space, and wherein the virtual object is located in the hierarchically organized virtual space,wherein the second computer system is configured to determine access rights including;
  
  granting the user access to a first portion of the data according to the access rights of the user according to the authorization data, anddenying the user access to the data other than the first portion according to the access rights of the user according to the authorization data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Queck, Tobias, Steinhauer, Sebastian
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
VOSTAL, ONDREJ C

Application Number

US12/604,170
Publication Number

US 20110099608A1
Time in Patent Office

1,391 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/6209 to a single file or object,...

System and method of controlling access to information in a virtual computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of controlling access to information in a virtual computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links