Delegated administration for a distributed security system

US 7,594,112 B2
Filed: 10/08/2004
Issued: 09/22/2009
Est. Priority Date: 10/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

delegating a capability from a first user to a second user;

propagating from a provisioning service provider configuration information that includes evidence of the delegation to a plurality of security service modules executing on one of a plurality of computers distributed throughout an enterprise, wherein each one of the plurality of security service modules is integrated with a different process, including applications, application servers, and web servers, executing on the computer and wherein each security service module is capable of protecting one or more resources;

providing the evidence to a first security service module belonging to the plurality of security service modules;

enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and

wherein the enforcement is carried out by the first security service module and wherein each security service module can dynamically load security providers based on the configuration information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method comprising the steps of, delegating a capability from a first user to a second user, propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources, providing the evidence to a first security service module belonging to the plurality of security service modules, enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module, and wherein the enforcement is carried out by the first security service module.

354 Citations

33 Claims

1. A method comprising the steps of:
- delegating a capability from a first user to a second user;
  
  propagating from a provisioning service provider configuration information that includes evidence of the delegation to a plurality of security service modules executing on one of a plurality of computers distributed throughout an enterprise, wherein each one of the plurality of security service modules is integrated with a different process, including applications, application servers, and web servers, executing on the computer and wherein each security service module is capable of protecting one or more resources;
  
  providing the evidence to a first security service module belonging to the plurality of security service modules;
  
  enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and
  
  wherein the enforcement is carried out by the first security service module and wherein each security service module can dynamically load security providers based on the configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein:
    - a security service module is dynamically configurable.
  - 3. The method of claim 1 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 4. The method of claim 1 wherein:
    - the second user can delegate the capability to a third user.
  - 5. The method of claim 1 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 6. The method of claim 1 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 7. The method of claim 1 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of security service modules.
  - 8. The method of claim 1 wherein:
    - the propagation is done over one or more secure connections.
  - 9. The method of claim 1 wherein:
    - the information is propagated through an intermediate process.
  - 10. The method of claim 9 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 11. The method of claim 1 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

12. A system comprising:
- a plurality of computers distributed throughout an enterprise;
  
  a provisioning service provider executing on a first computer capable of propagating configuration information to a plurality of security service modules, executing on the first computer, wherein the information includes evidence of a delegation from a first user to a second user;
  
  wherein each security service module is integrated with a different process, including applications, application servers, and web servers, executing on the first computer and wherein each security service module is capable of protecting one or more resources;
  
  a first security service module belonging to a first process of the plurality of processes, wherein the evidence of delegation is provided to the first security service module;
  
  wherein the delegation is enforced when the second user attempts to access a resource of the one or more resources wherein the resource is protected by the first process; and
  
  wherein the enforcement is carried out by the first security service module and wherein each security service module can dynamically load security providers based on the configuration information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein:
    - a security service module is dynamically configurable.
  - 14. The system of claim 12 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 15. The system of claim 12 wherein:
    - the second user can delegate the capability to a third user.
  - 16. The system of claim 12 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 17. The system of claim 12 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 18. The system of claim 12 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of processes.
  - 19. The system of claim 12 wherein:
    - the propagation is done over one or more secure connections.
  - 20. The system of claim 12 wherein:
    - the information is propagated through an intermediate process.
  - 21. The system of claim 20 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 22. The system of claim 12 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

23. A computer readable storage medium having instructions stored thereon to cause a system to:
- delegate a capability from a first user to a second user;
  
  propagate from a provisioning service provider configuration information that includes evidence of the delegation to a plurality of security service modules executing on one of a plurality of computers distributed throughout an enterprise, wherein each one of the plurality of security service modules is integrated with a different process, including applications, application servers, and web servers, executing on the computer and wherein each security service module is capable of protecting one or more resources;
  
  provide the evidence to a first security service module belonging to the plurality of security service modules;
  
  enforce the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module; and
  
  wherein the enforcement is carried out by the first security service module and wherein each security service module can dynamically load security providers based on the configuration information.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer readable storage medium of claim 23 wherein:
    - a security service module is dynamically configurable.
  - 25. The computer readable storage medium of claim 23 wherein:
    - the delegating allows the second user to have the capability when the first user would have it.
  - 26. The computer readable storage medium of claim 23 wherein:
    - the second user can delegate the capability to a third user.
  - 27. The computer readable storage medium of claim 23 wherein:
    - the evidence of the delegation only includes changes to previously propagated information.
  - 28. The computer readable storage medium of claim 23 wherein:
    - the evidence of the delegation is relevant to the resource.
  - 29. The computer readable storage medium of claim 23 wherein:
    - the evidence of the delegation is relevant to the one or more resources guarded by the plurality of processes.
  - 30. The computer readable storage medium of claim 23 wherein:
    - the propagation is done over one or more secure connections.
  - 31. The computer readable storage medium of claim 23 wherein:
    - the information is propagated through an intermediate process.
  - 32. The computer readable storage medium of claim 31 wherein the intermediate process includes:
    - a cache capable of caching the evidence of the delegation.
  - 33. The computer readable storage e medium of claim 23 wherein the plurality of processes include:
    - a cache capable of caching the evidence of the delegation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Xu, Mingde, Byrne, David, Howes, Jason, Patrick, Paul, Riendeau, Richard J., Yagen, Kenneth D., Falco, Mark A.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US10/961,839
Publication Number

US 20050081063A1
Time in Patent Office

1,810 Days
Field of Search

713/166, 713/165, 713/150
US Class Current

713/166
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Delegated administration for a distributed security system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

354 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Delegated administration for a distributed security system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

354 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others