Computer security system
Abstract
A security system for a computer system provides one or more security domains. Access to assets registered to the security system is controlled by rights and privileges. Rights are derived from roles, and each user is assigned one or more roles. Privileges are attached to assets, and an appropriate combination of rights and privileges is required before a user is granted the specified type of access to the asset.
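The check the abstract describes, scoped to a domain as in claim 1, sketched as an added example (not code from the patent). The class and method names, the sample domains, and the deny-by-default handling of unknown assets and members are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    """Administrative and access control boundary (hypothetical model)."""
    name: str
    roles: set = field(default_factory=set)      # roles defined in this domain
    members: dict = field(default_factory=dict)  # member -> roles held directly
    groups: dict = field(default_factory=dict)   # group -> (members, roles)
    acls: dict = field(default_factory=dict)     # asset -> {operation: roles}

    def roles_of(self, member):
        """Roles the member holds in this domain, directly or through groups."""
        if member not in self.members:           # not a member of this domain
            return set()
        held = set(self.members[member])
        for group_members, group_roles in self.groups.values():
            if member in group_members:
                held |= group_roles
        return held & self.roles                 # drop roles foreign to the domain

    def authorize(self, member, operation, asset):
        """Allow only if a role held in this domain matches a privilege on the asset."""
        acl = self.acls.get(asset)
        if acl is None:                          # asset is outside the domain
            return False                         # assumption: deny by default
        return bool(self.roles_of(member) & acl.get(operation, set()))

# Constructed sample data: two domains that both define a role named "designer".
eng = Domain(
    name="engineering",
    roles={"designer", "reviewer"},
    members={"alice": set(), "dave": set(), "carol": {"reviewer"}},
    groups={"cad-team": ({"alice", "dave"}, {"designer"})},
    acls={"spec.doc": {"read": {"designer", "reviewer"}, "write": {"designer"}}},
)
fin = Domain(
    name="finance",
    roles={"designer", "auditor"},
    members={"bob": {"designer", "auditor"}},
    acls={"ledger.xls": {"read": {"auditor"}}},
)

if __name__ == "__main__":
    for who, op in [("alice", "write"), ("carol", "write"), ("bob", "read")]:
        print(who, op, "spec.doc ->", eng.authorize(who, op, "spec.doc"))
```

bob holds a role named "designer" in the finance domain, but that role is not held in the engineering domain, so the request for spec.doc is refused.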
46 Claims
1. A security system for a computer system, comprising:
a plurality of assets within the computer system;
a plurality of members registered to use the computer system;
a plurality of groups, each group comprising at least two of the plurality of members;
a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member's role; and
at least one domain being an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
a subset of the plurality of roles; and
a subset of the members;
each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
the security system operable to authorize a particular member to perform a requested operation with respect to a requested asset within the domain when the particular member is associated with a role, in the domain, corresponding to a privilege for the requested asset.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A method for providing secure access to a plurality of assets within a computer system, comprising:
registering a plurality of members to use the computer system;
establishing a plurality of groups, each group comprising at least two of the plurality of members;
providing a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
providing a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member's role;
providing at least one domain defining an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
a subset of the plurality of roles; and
a subset of the members;
each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
when a particular member attempts to access a requested asset within the at least one domain, determining at least one role assigned to the particular member;
comparing rights corresponding to the role assigned to the particular member to the privileges defined in the access control list corresponding to the particular asset; and
if the attempted access is authorized for the role assigned to the particular member, allowing the particular member to access the requested asset.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
32. Software for providing secure access to a plurality of assets within a computer system, the software embodied in computer-readable media and when executed using one or more computer systems operable to:
register a plurality of members to use the computer system;
establishing a plurality of groups, each group comprising at least two of the plurality of members;
provide a plurality of roles defining user rights to access one or more of the plurality of assets, each member and each group associated with at least one role;
provide a plurality of access control lists each corresponding to an asset and defining at least one privilege for accessing the asset corresponding to the privilege, according to a member's role;
provide at least one domain defining an administrative and access control boundary around a plurality of security entities, the security entities of the at least one domain comprising;
a subset of the plurality of assets and the access control lists corresponding to the assets in the subset of the assets;
a subset of the plurality of roles; and
a subset of the members;
each privilege defined in the access control lists of the at least one domain identifying one or more roles in the domain that may access the asset corresponding to the privilege;
when a particular member attempts to access a requested asset within the at least one domain, determine at least one role assigned to the particular member;
compare rights corresponding to the role assigned to the particular member to the privileges defined in the access control list corresponding to the particular asset; and
if the attempted access is authorized for the role assigned to the particular member, allow the particular member to access the requested asset.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46
Specification