Computer security system

US 7,013,485 B2
Filed: 03/05/2001
Issued: 03/14/2006
Est. Priority Date: 03/06/2000
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A security system for a computer system, comprising:

a plurality of assets within the computer system;

a plurality of members registered to use the computer system;

a plurality of groups, each group comprising at least two of the plurality of members;

a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;

a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member'"'"'s role; and

at least one domain being an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;

a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;

a subset of the plurality of roles; and

a subset of the members;

each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;

the security system operable to authorize a particular member to perform a requested operation with respect to a requested asset within the domain when the particular member is associated with a role, in the domain, corresponding to a privilege for the requested asset.

View all claims

15 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A security system for a computer system provides one or more security domains. Access to assets registered to the security system is controlled by rights and privileges. Rights are derived from roles, and each user is assigned one or more roles. Privileges are attached to assets, and an appropriate combination of rights and privileges is required before a user is granted the specified type of access to the asset.

122 Citations

46 Claims

1. A security system for a computer system, comprising:
- a plurality of assets within the computer system;
  
  a plurality of members registered to use the computer system;
  
  a plurality of groups, each group comprising at least two of the plurality of members;
  
  a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
  
  a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member'"'"'s role; and
  
  at least one domain being an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
  
  a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
  
  a subset of the plurality of roles; and
  
  a subset of the members;
  
  each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
  
  the security system operable to authorize a particular member to perform a requested operation with respect to a requested asset within the domain when the particular member is associated with a role, in the domain, corresponding to a privilege for the requested asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein:
    - the privileges for each asset include operations that can be performed on that asset; and
      
      the security system is operable to authorize access to the requested asset when a requested access by the particular member includes an operation to be performed from the access control list and the particular member is associated with a role, in the domain, corresponding to a privilege for the requested asset.
  - 3. The system of claim 1, wherein the at least one privilege includes one or more of:
    - a read privilege;
      
      a modify privilege; and
      
      a delete privilege.
  - 4. The system of claim 1, wherein the system includes at least two domains.
  - 5. The system of claim 4, wherein the plurality of roles comprise one or more of:
    - a domain role defining user rights within a single domain; and
      
      a universal role defining user rights across a plurality of domains.
  - 6. The system of claim 4, wherein a first domain and a second domain are joined by a unidirectional trust relationship, allowing privileges associated with the first domain'"'"'s assets to be delegated to the second domain.
  - 7. The system of claim 4, wherein a first domain and a second domain are joined by a bidirectional trust relationship, allowing:
    - privileges associated with the first domain'"'"'s assets to be delegated to the second domain; and
      
      privileges associated with the second domain'"'"'s assets to be delegated to the first domain.
  - 8. The system of claim 4, wherein a first domain owns a second domain such that the first domain can create and destroy the second domain.
  - 9. The system of claim 1, wherein the plurality of roles are assigned to a plurality of user groups, each user group comprising one or more of the plurality of members.
  - 10. The system of claim 1, wherein each of the plurality of access control lists comprises a plurality of access control entries, each comprising:
    - a domain identifier;
      
      a role identifier; and
      
      one or more privileges.
  - 11. The system of claim 1, wherein:
    - the system comprises at least two domains; and
      
      the system is further operable to grant the particular member, which is assigned a particular domain/role combination, ownership of a particular operation on a particular access control list, ownership over of the particular access control list allowing the particular member to grant rights to perform the operation to one or more members in a different domain than the particular member that are assigned the same role as the particular member.
  - 12. The system of claim 1, wherein:
    - one or more of the plurality of assets each comprise a registered asset, a registered asset being a resource that is protected by the security system; and
      
      each registered asset is classified according to a corresponding asset type, which determines how its corresponding registered assets are identified and what operations may be performed on its corresponding registered assets.
  - 13. The system of claim 1, wherein the security system is operable to authorize access to the requested asset by:
    - receiving from the particular member a request to access the requested asset, the request comprising;
      
      an identification of the requested asset;
      
      an identification of an operation to perform with respect to the requested asset; and
      
      an identification of the domain and role assigned to the particular member;
      
      determining, based at least in part on the access control list corresponding to the requested asset and the domain and role assigned to the particular member, whether the particular member may perform the identified operation with respect to the requested asset; and
      
      initiating an appropriate action based on the authorization determination.
  - 14. The system of claim 1, wherein the security system is operable to:
    - receive from the particular member a request comprising;
      
      one or more query criteria specifying one or more assets; and
      
      an identification of the domain and role assigned to the particular member;
      
      add appropriate security-related criteria to the request;
      
      execute a query to determine one or more assets satisfying the query criteria towhich the particular member has read access; and
      
      initiate an appropriate action based on results of the executed query.
  - 15. The system of claim 1, further operable to:
    - receive a request to define a new asset type, the request comprising one or more of a name of the new asset type, a description of the new asset type; and
      
      a format of the new asset type;
      
      enable determination of one or more operations that should apply to the new asset type; and
      
      enable association of the determined one or more operations with the new asset type.
  - 16. The system of claim 1, further operable to, prior to the particular member attempting to access the requested asset:
    - authenticate the particular member'"'"'s identification; and
      
      assign at least one role to the particular member.

17. A method for providing secure access to a plurality of assets within a computer system, comprising:
- registering a plurality of members to use the computer system;
  
  establishing a plurality of groups, each group comprising at least two of the plurality of members;
  
  providing a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
  
  providing a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member'"'"'s role;
  
  providing at least one domain defining an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
  
  a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
  
  a subset of the plurality of roles; and
  
  a subset of the members;
  
  each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
  
  when a particular member attempts to access a requested asset within the at least one domain, determining at least one role assigned to the particular member;
  
  comparing rights corresponding to the role assigned to the particular member to the privileges defined in the access control list corresponding to the particular asset; and
  
  if the attempted access is authorized for the role assigned to the particular member, allowing the particular member to access the requested asset.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The method of claim 17, wherein a requested access is one from the types read, modify, or delete.
  - 19. The method of claim 17, further comprising, prior to the particular member attempting to access the requested asset:
    - authenticating the particular member'"'"'s identification; and
      
      assigning at least one role to the particular member.
  - 20. The method of claim 17, further comprising providing at least two domains.
  - 21. The method of claim 20, wherein the plurality of roles comprise one or more of:
    - a domain role defining user rights within a single domain; and
      
      a universal role defining user rights across a plurality of domains.
  - 22. The method of claim 20, wherein a first domain and a second domain are joined by a unidirectional trust relationship, allowing privileges associated with the first domain'"'"'s assets to be delegated to the second domain.
  - 23. The method of claim 20, wherein a first domain and a second domain are joined by a bidirectional trust relationship, allowing:
    - privileges associated with the first domain'"'"'s assets to be delegated to the second domain; and
      
      privileges associated with the second domain'"'"'s assets to be delegated to the first domain.
  - 24. The method of claim 20, wherein a first domain owns a second domain such that the first domain can create and destroy the second domain.
  - 25. The method of claim 17, wherein the plurality of roles are assigned to a plurality of user groups, each user group comprising one or more of the plurality of members.
  - 26. The method of claim 17, wherein each of the plurality of access control lists comprises a plurality of access control entries, each comprising:
    - a domain identifier;
      
      a role identifier; and
      
      one or more privileges.
  - 27. The method of claim 17, further comprising:
    - providing at least two domains; and
      
      granting the particular member, which is assigned a particular domain/role combination, ownership of a particular operation on a particular access control list, ownership over of the particular access control list allowing the particular member to grant rights to perform the operation to one or more members in a different domain than the particular member that are assigned the same role as the particular member.
  - 28. The method of claim 17, wherein:
    - one or more of the plurality of assets each comprise a registered asset, a registered asset being a resource for which secure access is provided; and
      
      each registered asset is classified according to a corresponding asset type, which determines how its corresponding registered assets are identified and what operations may be performed on its corresponding registered assets.
  - 29. The method of claim 17, further comprising authorizing access to the requested asset by:
    - receiving from the particular member a request to access the requested asset, the request comprising;
      
      an identification of the requested asset;
      
      an identification of an operation to perform with respect to the requested asset; and
      
      an identification of the domain and role assigned to the particular member;
      
      determining, based at least in part on the access control list corresponding to the requested asset and the domain and role assigned to the particular member, whether the particular member may perform the identified operation with respect to the requested asset; and
      
      initiating an appropriate action based on the authorization determination.
  - 30. The method of claim 17, further comprising:
    - receiving from the particular member a request comprising;
      
      one or more query criteria specifying one or more assets; and
      
      an identification of the domain and role assigned to the particular member;
      
      adding appropriate security-related criteria to the request;
      
      executing a query to determine one or more assets satisfying the query criteria to which the particular member has read access; and
      
      initiating an appropriate action based on results of the executed query.
  - 31. The method of claim 17, further comprising:
    - receiving a request to define a new asset type, the request comprising one or more of a name of the new asset type, a description of the new asset type; and
      
      a format of the new asset type;
      
      enabling determination of one or more operations that should apply to the new asset type; and
      
      enabling association of the determined one or more operations with the new asset type.

32. Software for providing secure access to a plurality of assets within a computer system, the software embodied in computer-readable media and when executed using one or more computer systems operable to:
- register a plurality of members to use the computer system;
  
  establishing a plurality of groups, each group comprising at least two of the plurality of members;
  
  provide a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
  
  provide a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member'"'"'s role;
  
  provide at least one domain defining an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
  
  a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
  
  a subset of the plurality of roles; and
  
  a subset of the members;
  
  each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
  
  when a particular member attempts to access a requested asset within the at least one domain, determine at least one role assigned to the particular member;
  
  compare rights corresponding to the role assigned to the particular member to the privileges defined in the access control list corresponding to the particular asset; and
  
  if the attempted access is authorized for the role assigned to the particular member, allow the particular member to access the requested asset.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 33. The software of claim 32, wherein a requested access is one from the types read, modify, or delete.
  - 34. The software of claim 32, further operable to, prior to the particular member attempting to access the requested asset:
    - authenticate the particular member'"'"'s identification; and
      
      assign at least one role to the particular member.
  - 35. The software of claim 32, operable to provide at least two domains.
  - 36. The software of claim 35, wherein the plurality of roles comprise one or more of:
    - a domain role defining user rights within a single domain; and
      
      a universal role defining user rights across a plurality of domains.
  - 37. The software of claim 35, wherein a first domain and a second domain are joined by a unidirectional trust relationship, allowing privileges associated with the first domain'"'"'s assets to be delegated to the second domain.
  - 38. The software of claim 35, wherein a first domain and a second domain are joined by a bidirectional trust relationship, allowing:
    - privileges associated with the first domain'"'"'s assets to be delegated to the second domain; and
      
      privileges associated with the second domain'"'"'s assets to be delegated to the first domain.
  - 39. The software of claim 35, wherein a first domain owns a second domain such that the first domain can create and destroy the second domain.
  - 40. The software of claim 32, wherein the plurality of roles are assigned to a plurality of user groups, each user group comprising one or more of the plurality of members.
  - 41. The software of claim 32, wherein each of the plurality of access control lists comprises a plurality of access control entries, each comprising:
    - a domain identifier;
      
      a role identifier; and
      
      one or more privileges.
  - 42. The software of claim 32, further operable to:
    - provide at least two domains; and
      
      grant the particular member, which is assigned a particular domain/role combination, ownership of a particular operation on a particular access control list, ownership over of the particular access control list allowing the particular member to grant rights to perform the operation to one or more members in a different domain than the particular member that are assigned the same role as the particular member.
  - 43. The software of claim 32, wherein:
    - one or more of the plurality of assets each comprise a registered asset, a registered asset being a resource for which secure access is provided; and
      
      each registered asset is classified according to a corresponding asset type, which determines how its corresponding registered assets are identified and what operations may be performed on its corresponding registered assets.
  - 44. The software of claim 32, further operable to authorize access to the requested asset by:
    - receiving from the particular member a request to access the requested asset, the request comprising;
      
      an identification of the requested asset;
      
      an identification of an operation to perform with respect to the requested asset; and
      
      an identification of the domain and role assigned to the particular member;
      
      determining, based at least in part on the access control list corresponding to the requested asset and the domain and role assigned to the particular member, whether the particular member may perform the identified operation with respect to the requested asset; and
      
      initiating an appropriate action based on the authorization determination.
  - 45. The software of claim 32, further operable to:
    - receive from the particular member a request comprising;
      
      one or more query criteria specifying one or more assets; and
      
      an identification of the domain and role assigned to the particular member;
      
      add appropriate security-related criteria to the request;
      
      execute a query to determine one or more assets satisfying the query criteria to which the particular member has read access; and
      
      initiate an appropriate action based on results of the executed query.
  - 46. The software of claim 32, further operable to:
    - receive a request to define a new asset type, the request comprising one or more of a name of the new asset type, a description of the new asset type; and
      
      a format of the new asset type;
      
      enable determination of one or more operations that should apply to the new asset type; and
      
      enable association of the determined one or more operations with the new asset type.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
JDA Software Group Incorporated (RedPrairie Holding Incorporated)
Original Assignee
i2 Technologies US Incorporated (Panasonic Holdings Corporation)
Inventors
Brown, Daniel, Zapata, Fernando
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/800,168
Publication Number

US 20010047485A1
Time in Patent Office

1,835 Days
Field of Search

713200-202, 713/166, 707/9, 707/8, 726 1- 36
US Class Current

726/27
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

Computer security system

First Claim

15 Assignments

Litigations

0 Petitions

Accused Products

Abstract

122 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system

First Claim

15 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links