Cross security-domain identity context projection within a computing environment

US 8,627,434 B2
Filed: 12/04/2009
Issued: 01/07/2014
Est. Priority Date: 12/04/2009
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the method comprising:

based on a local security manager of the first system in the first security domain determining that a local security context of a user of the first system in the first security domain is not acceptable to the second system in the second security domain, receiving at a local security manager of the second system from the local security manager of the first system a request that a runtime security context for the user be created in the second system, and that a reference to the runtime security context or a portable representation of the runtime security context be returned to the local security manager of the first system;

based on receiving the request at the local security manager of the second system from the local security manager of the first system, creating by the local security manager of the second system the runtime security context in the second system for the user of the first system, the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;

providing by the local security manager of the second system to the local security manager of the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and

receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processing within a computing environment is facilitated by: determining by a local security manager of a first system in a first security domain whether a local security context of a user is acceptable to a second system in a second security domain; responsive to the user'"'"'s security context being unacceptable to the second system, creating by a local security manager of the second system a runtime security context for the user in the second system; and providing the first system with a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system, the reference or the portable representation being subsequently returned to the second system with a request from the first system to process work at the second system.

34 Citations

18 Claims

1. A method of facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the method comprising:
- based on a local security manager of the first system in the first security domain determining that a local security context of a user of the first system in the first security domain is not acceptable to the second system in the second security domain, receiving at a local security manager of the second system from the local security manager of the first system a request that a runtime security context for the user be created in the second system, and that a reference to the runtime security context or a portable representation of the runtime security context be returned to the local security manager of the first system;
  
  based on receiving the request at the local security manager of the second system from the local security manager of the first system, creating by the local security manager of the second system the runtime security context in the second system for the user of the first system, the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;
  
  providing by the local security manager of the second system to the local security manager of the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 3. The method of claim 1, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.
  - 4. The method of claim 1, further comprising in response to ascertaining that the second system comprises a same type of security manager as the first system and to ascertaining that the local security manager of the second system employs a same or a compatible security set of credential definitions as the first system, forwarding work from the first system to the second system with the local security context of the user in the first system associated therewith for use at the second system as the runtime security context of the user in the second system, without performing the creating, the providing and the receiving.
  - 5. The method of claim 1, wherein in addition to receiving the request at the second system to create the runtime security context for the user in the second system, the second system receives from the first system neutral format security credentials for the user understandable by the local security manager of the first system and the local security manager of the second system.
  - 6. The method of claim 5, wherein the creating by the local security manager of the second system further comprises receiving the neutral format security credentials and performing a mapping thereof using rules established in the second system to derive a set of security credentials of the user acceptable to the second system, wherein the mapping comprises:
    - performing a lookup operation employing at least one of a user ID of the user in the first system and a name of the first system, and outputting in response thereto a user ID acceptable to the second system;
      
      performing a lookup operation for each group name provided in the neutral format security credentials to enable transformation thereof into a corresponding group name acceptable to the second system;
      
      ascertaining from the neutral format security credentials port-of-entry information associated with the user, if required by the second system;
      
      ascertaining from the second system a usable security label for the user, if required by the second system; and
      
      using the set of security credentials for the user acceptable to the second system in creating the runtime security context for the user in the second system.
  - 7. The method of claim 1, wherein responsive to receiving in association with the work the reference to the runtime security context for the user in the second system which is resolvable within the computing environment, the second system uses the reference to provide the runtime security context for the user in the second system for performing the received work in the second system.
  - 8. The method of claim 1, wherein responsive to receiving the portable representation of the runtime security context in association with the work, the second system directly uses the portable representation of the runtime security context of the user in the second system in performing the received work in the second system.

9. A computer system for facilitating processing within a computing environment comprising a first system in a first security domain and a second system within a second security domain, the computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is capable of performing a method, the method comprising;
  
  based on a local security manager of the first system in the first security domain determining that a local security context of a user of the first system in the first security domain is not acceptable to the second system in the second security domain, receiving at a local security manager of the second system from the local security manager of the first system a request that a runtime security context for the user be created in the second system, and that a reference to the runtime security context or a portable representation of the runtime security context be returned to the local security manager of the first system;
  
  based on receiving the request at the local security manager of the second system from the local security manager of the first system, creating by the local security manager of the second system the runtime security context in the second system for the user of the first system, the creating referencing, at least in part, security credentials of the user of the first system provided to the second system by the first system;
  
  providing by the local security manager of the second system to the local security manager of the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system, having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer system of claim 9, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 11. The computer system of claim 9, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.
  - 12. The computer system of claim 9, further comprising in response to ascertaining that the second system comprises a same type of security manager as the first system and to ascertaining that the local security manager of the second system employs a same or a compatible security set of credential definitions as the first system, forwarding work from the first system to the second system with the local security context of the user in the first system associated therewith for use at the second system as the runtime security context of the user in the second system, without performing the creating, the providing and the receiving.
  - 13. The computer system of claim 9, wherein in addition to receiving the request at the second system to create the runtime security context for the user in the second system, the second system receives from the first system neutral format security credentials for the user understandable by the local security manager of the first system and the local security manager of the second system.
  - 14. The computer system of claim 13, wherein the creating by the local security manager of the second system further comprises receiving the neutral format security credentials and performing a mapping thereof using rules established in the second system to derive a set of security credentials of the user acceptable to the second system, wherein the mapping comprises:
    - performing a lookup operation employing at least one of a user ID of the user in the first system and a name of the first system, and outputting in response thereto a user ID acceptable to the second system;
      
      performing a lookup operation for each group name provided in the neutral format security credentials to enable transformation thereof into a corresponding group name acceptable to the second system;
      
      ascertaining from the neutral format security credentials port-of-entry information associated with the user, if required by the second system;
      
      ascertaining from the second system a usable security label for the user, if required by the second system; and
      
      using the set of security credentials for the user acceptable to the second system in creating the runtime security context for the user in the second system.

15. A computer program product for facilitating processing within a computing environment comprising a first system in a first security domain and a second system in a second security domain, the computer program product comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  based on a local security manager of the first system in the first security domain determining that a local security context of a user of the first system in the first security domain is not acceptable to the second system in the second security domain, receiving at a local security manager of the second system from the local security manager of the first system a request that a runtime security context for the user be created in the second system, and that a reference to the runtime security context or a portable representation of the runtime security context be returned to the local security manager of the first system;
  
  based on receiving the request at the local security manager of the second system from the local security manager of the first system, creating by a local security manager of the second system the runtime security context in the second system for the user of the first system, the creating referencing at least in-part, security credentials of the user of the first system provided to the second system by the first system;
  
  providing by the local security manager of the second system to the local security manager of the first system at least one of a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system; and
  
  receiving by the second system work from the first system to be performed by the second system, the received work to be performed by the second system having associated therewith the at least one of the reference to the runtime security context for the user in the second system or the portable representation of the runtime security context for the user in the second system, thereby facilitating processing of the work by the second system.
- View Dependent Claims (16, 17, 18)
- - 16. The computer program product of claim 15, wherein the local security manager of the second system and the local security manager of the first system are different types of security managers.
  - 17. The computer program product of claim 15, wherein the local security manager of the second system and the local security manager of the first system are a same type of security manager, but reference different sets of security credential definitions in different databases.
  - 18. The computer program product of claim 15, wherein the method further comprises, in addition to receiving the request at the second system to create the runtime security context for the user in the second system, receiving by the second system from the first system neutral format security credentials for the user understandable by the local security manager of the first system and the local security manager of the second system, and wherein the creating by the local-security manager of the second system further comprises receiving the neutral format security credentials and performing a mapping thereof using rules established in the second system to derive a set of security credentials of the user acceptable to the second system, wherein the mapping comprises:
    - performing a lookup operation employing at least one of a user ID of the user in the first system and a name of the first system, and outputting in response thereto a user ID acceptable to the second system;
      
      performing a lookup operation for each group name provided in the neutral format security credentials to enable transformation thereof into a corresponding group name acceptable to the second system;
      
      ascertaining from the neutral format security credentials port-of-entry information associated with the user, if required by the second system;
      
      ascertaining from the second system a usable security label for the user, if required by the second system; and
      
      using the set of security credentials for the user acceptable to the second system in creating the runtime security context for the user in the second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Dooley, Alan P., Farrell, Walter B., Fitzpatrick, Arthur L. III, Guski, Richard H., Hardgrove, Russell D., Mapes, Deborah F., Marusek, Christine A., Nelson, Mark A., Rosenfeld, Eric
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US12/631,354
Publication Number

US 20110138452A1
Time in Patent Office

1,495 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

H04L 63/20 for managing network securi...

Cross security-domain identity context projection within a computing environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Cross security-domain identity context projection within a computing environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others