Method and system for displaying and managing security information

US 7,383,576 B2
Filed: 04/23/2004
Issued: 06/03/2008
Est. Priority Date: 04/23/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a computer system for displaying allowed-to-authenticate information, the method comprising:

a. receiving a selection of a security object that is an entity;

b. retrieving allowed-to-authenticate information for the selected security object, the information identifying the entity, a resource, and an action wherein when the entity attempts to authenticate to the resource the action indicates whether to allow or deny the attempt to authenticate to the resource; and

c. displaying an indication of the selected security object along with the retrieved allowed-to-authenticate information;

d. wherein the allowed-to-authenticate information is retrieved from an auxiliary security store that is used when providing a user interface for viewing the allowed-to-authenticate information and that is separate from a main security store used by a security mechanism when an entity attempts to authenticate to a resource, the auxiliary security store and the master security store having different data organizations that are adapted for accessing the allowed-to authenticate information, the auxiliary security store adapted for accessing allowed-to authenticate information for an entity and the master security store adapted for accessing allowed-to authenticate information for a resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing security information for a domain of computer systems is provided. The security system displays security information for a selected security object, such as a user or a computer system. The security system initially retrieves security information that includes security specifications that each has the identification of an entity, a resource, and an access right for the selected security object. The security system then displays an identification of the entity and the resource along with the access right for each security specification. When the security information is stored in a security store (i.e., the main security store) by resource and, for each resource, the entities that have access rights to that resource, the security system may use an auxiliary security store to facilitate the retrieval of the security information.

3 Citations

View as Search Results

31 Claims

1. A method in a computer system for displaying allowed-to-authenticate information, the method comprising:
- a. receiving a selection of a security object that is an entity;
  
  b. retrieving allowed-to-authenticate information for the selected security object, the information identifying the entity, a resource, and an action wherein when the entity attempts to authenticate to the resource the action indicates whether to allow or deny the attempt to authenticate to the resource; and
  
  c. displaying an indication of the selected security object along with the retrieved allowed-to-authenticate information;
  
  d. wherein the allowed-to-authenticate information is retrieved from an auxiliary security store that is used when providing a user interface for viewing the allowed-to-authenticate information and that is separate from a main security store used by a security mechanism when an entity attempts to authenticate to a resource, the auxiliary security store and the master security store having different data organizations that are adapted for accessing the allowed-to authenticate information, the auxiliary security store adapted for accessing allowed-to authenticate information for an entity and the master security store adapted for accessing allowed-to authenticate information for a resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 including modifying the action associated with an entity and resource.
  - 3. The method of claim 1 including creating new allowed-to-authenticate information that specifies whether an entity is allowed to authenticate to a resource.
  - 4. The method of claim 1 including when the selected security object is a user, identifying all groups of which the user is a member and retrieving allowed-to-authenticate information for the identified groups.
  - 5. The method of claim 1 wherein the entities are represented as sources and the resources are represented as destinations.
  - 6. The method of claim 1 wherein the resources are in one domain and the entities are in another domain and the one domain has an incoming trust relationship with the other domain.

7. A method in a computer system for maintaining security information, the method comprising:
- e. providing a main security store for a domain, the main security store containing entries for resources of the domain, each entry for a resource identifying entities and an access right of each entity to the resource;
  
  f. providing an auxiliary security store for the domain, the auxiliary security store containing entries for entities, each entry for an entity identifying a resource and access right of the entity to the resource;
  
  g. receiving from a user a selection of a security object;
  
  h. retrieving from the auxiliary security store entries relating to the selected security object; and
  
  i. displaying the entities, resources, and access rights of the retrieved entriesj. wherein the provided main security store is used when verifying access rights of an entity to a resource andk. wherein the auxiliary security store and the main security store have different data organizations that are adapted for accessing the security information, the auxiliary security store adapted for accessing security information for an entity and the main security store adapted for accessing security information for a resource.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7 including receiving an indication to change access rights of an entity to a resource and updating entries of both the main security store and the auxiliary security store.
  - 9. The method of claim 7 including initially generating the auxiliary security store from the entries of the main security store.
  - 10. The method of claim 7 wherein the access right is whether an entity is allowed to authenticate to a resource.
  - 11. The method of claim 7 wherein the main security store is implemented using a directory service of the domain.
  - 12. The method of claim 11 wherein the auxiliary security store is implemented using the directory service of the domain.
  - 13. The method of claim 7 including, when the selected security object is an entity, identifying groups of which the entity is a member and retrieving from the auxiliary security store entries relating to the identified groups.
  - 14. The method of claim 7 wherein the entities are represented as sources and the resources are represented as destinations.
  - 15. The method of claim 7 wherein the resources are in one domain and the entities are in another domain and the one domain has an incoming trust relationship with the other domain.

16. A computer system for displaying security information, comprising:
- l. a component that receives a selection of a security object that is a source;
  
  m. a component that retrieves security information for the selected security object, the security information identifying the source, a destination, and an access right wherein when the source attempts to access to the destination, the access right is used to control access to the destination; and
  
  n. a component that displays an indication of the source, destination, and access right of the retrieved security information;
  
  o. wherein the security information is retrieved from an auxiliary security store that is used when providing a user interface for viewing the security information and that is separate from a main security store used by a security mechanism when a source attempts to authenticate to a destination, the auxiliary security store and the master security store having different data organizations that are adapted for accessing the security information, the auxiliary security store being adapted for accessing security information for a source and the main security store being adapted for accessing security information for a destination.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer system of claim 16 wherein the security information is allowed-to-authenticate information.
  - 18. The computer system of claim 16 including a component that modifies the access right associated with a source and a destination.
  - 19. The computer system of claim 16 including a component that creates new security information that specifies an access right of a source to a destination.
  - 20. The computer system of claim 16 including, when the selected security object is a user, identifying all groups of which the user is a member and retrieving security information for the identified groups.
  - 21. The computer system of claim 16 wherein the sources are entities and the destinations are resources.
  - 22. The computer system of claim 16 wherein the destinations are in one domain and the sources are in another domain and the one domain has an incoming trust relationship with the other domain.

23. A computer system for maintaining security information, comprising:
- p. a main security store for a domain, the main security store containing entries for resources of the domain, each entry for a resource identifying entities and an access right of each entity to the resource;
  
  q. an auxiliary security store for the domain, the auxiliary security store containing entries for entities of the domain, each entry for an entity having security specifications that each identify an access right of the entity to a resource;
  
  r. a component that displays entities, resources, and access rights retrieved from the auxiliary security store; and
  
  s. a component that uses the main security store to verify access rights when an entity attempts to access a resourcet. wherein the auxiliary security store and the main security store have different data organizations that are adapted for accessing the security information, the auxiliary security store adapted for accessing security information for an entity and the main security store adapted for accessing security information for a resource.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The computer system of claim 23 including a component that receives an indication to change access rights of an entity to a resource and a component that updates both the main security store and the auxiliary security store.
  - 25. The computer system of claim 23 including a component that generates the auxiliary security store from the main security store.
  - 26. The computer system of claim 23 wherein an access right is whether an entity is allowed to authenticate to a resource.
  - 27. The computer system of claim 23 wherein the main security store is implemented using a directory service of the domain.
  - 28. The computer system of claim 27 wherein the auxiliary security store is implemented using the directory service of the domain.
  - 29. The computer system of claim 23 including a component that identifies a group of which the entity is a member and retrieves from the auxiliary security store entries relating to the identified groups.
  - 30. The computer system of claim 23 wherein the entities are represented as sources and the resources are represented as destinations.
  - 31. The computer system of claim 23 wherein the resources are in one domain and the entities are in another domain and the one domain has an incoming trust relationship with the other domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hitchcock, Daniel Wade
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/830,741
Publication Number

US 20050240996A1
Time in Patent Office

1,502 Days
Field of Search

726/17
US Class Current

726/17
CPC Class Codes

G06F 21/31   User authentication

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

Method and system for displaying and managing security information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for displaying and managing security information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links