Secure user access subsystem for use in a computer information database system

US 8,161,288 B2
Filed: 05/28/2004
Issued: 04/17/2012
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A system for managing a database and controlling access to computer profile data contained in the database, the system including:

A. a group manager server that is configured toi. group a plurality of computers into a tree structure of groups and sub-groups based upon grouping criteria with each group being a node on the tree and a top node being a root;

ii. receive computer profile data uploaded from said computers, either immediately upon human command or in accordance with a profile data upload schedule, the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded;

iii. store records of the computer profile data in the database; and

iv. dynamically group the computer profile data records based on computer grouping criteria that use selected computer configuration data; and

B. a user access manager server that is configured toi. associate respective users with login groups maintained in memory wherein the login group identifies the group of computers to which the user has access to the computer profile data of such computers, and which further provides access to sub-groups from that group;

ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying system administrative features to which the associated users have access, andiii restrict, based on the login group and user type to which a given user is assigned, the access of the given user to make changes to computer profile data, and further restricts the access of the given user to the administrative features associated with the given user'"'"'s user type and to the computer profile data records stored in the database for the computers that are included in the group or groups of computer profile data records that are in the user'"'"'s login group and the computers in any sub-group of the user'"'"'s login group, wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the re-assigned computer profile data of said computer, unless the second group is a subgroup of their login group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user access security subsystem of a computer information database system utilizes computer grouping criteria and user type criteria to control user access to both computer profile data and system administrative features. Computer grouping criteria determine profile data access for the respective users. User type criteria determine which administrative features are accessible to the respective users, thus what administrative authority is delegated to the users. Combining computer grouping and user type criteria restricts a given user to exercising the delegated administrative authority only with respect to the particular grouping of computers to which the user has been granted access through the associated login group. To maintain access security, a given user may grant to another only those access rights that are equal to or more restrictive than the given user'"'"'s rights. The subsystem enforces access restrictions by tailoring the user interface based on the associated login group and user type.

26 Citations

View as Search Results

51 Claims

1. A system for managing a database and controlling access to computer profile data contained in the database, the system including:
- A. a group manager server that is configured toi. group a plurality of computers into a tree structure of groups and sub-groups based upon grouping criteria with each group being a node on the tree and a top node being a root;
  
  ii. receive computer profile data uploaded from said computers, either immediately upon human command or in accordance with a profile data upload schedule, the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded;
  
  iii. store records of the computer profile data in the database; and
  
  iv. dynamically group the computer profile data records based on computer grouping criteria that use selected computer configuration data; and
  
  B. a user access manager server that is configured toi. associate respective users with login groups maintained in memory wherein the login group identifies the group of computers to which the user has access to the computer profile data of such computers, and which further provides access to sub-groups from that group;
  
  ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying system administrative features to which the associated users have access, andiii restrict, based on the login group and user type to which a given user is assigned, the access of the given user to make changes to computer profile data, and further restricts the access of the given user to the administrative features associated with the given user'"'"'s user type and to the computer profile data records stored in the database for the computers that are included in the group or groups of computer profile data records that are in the user'"'"'s login group and the computers in any sub-group of the user'"'"'s login group, wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the re-assigned computer profile data of said computer, unless the second group is a subgroup of their login group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1 wherein the administrative features include at least one of accessing and reporting the computer profile data records stored in the database, modifying groups, modifying grouping criteria, adding users, modifying user types, creating new user types, removing profiles, viewing reports and downloading clients to one or more additional computers, determining profile data upload schedules and altering upload schedules.
  - 3. The system of claim 1 wherein the user access manager server is further configured to restrict a given user from assigning another user to a login group that is not associated with the login group or groups associated with the given user and to restrict a given user from assigning to another user access rights that the given user does not have through the given user'"'"'s association in memory with the login groups and the user types.
  - 4. The system of claim 1 wherein the user access manager server is further configured to restrict a given user from assigning to another user a user type that is associated with access rights that the given user does not have through his association with a user type.
  - 5. The system of claim 1 wherein the user access manager server is further configured to construct a user interface for viewing by the user and determine what to block from the view of the user based on the login group and the user type associated with the user.
  - 6. The system of claim 1 wherein the user access manager server is further configured to block functions that relate to features that are not specified by the user type associated with the user.
  - 7. The system of claim 1 wherein the user access manager server is further configured to inactivate user interface buttons to block access to functions that are associated with features that are not specified by the user type associated with the user.
  - 8. The system of claim 1 wherein the user access manager server is further configured to hide from the view of the user any user interface features and functionality that are not specified by the user type associated with the user.
  - 9. The system of claim 1 wherein the user access manager server is further configured to hide from view in a user interface for a given user any access to data associated with the group or groups of computer profile data records that are not associated with the login group of the user.
  - 10. The system of claim 1 wherein the user access manager server is further configured to associate a given user with more than one login group.
  - 11. The system of claim 10 wherein the respective groups of computer profile data records are in a tree-structure in memory and a given login group provides users access to the groups of computer profile data records that are on one or more sub-trees with the groups that are associated with the login group as the respective roots of the one or more sub-trees.
  - 12. The system of claim 1 wherein the group manager server is further configured to re-group the computer profile data records when values of one or more of the profile data for one or more computers changes.
  - 13. The system of claim 1 wherein the group manager server is further configured to re-group the computer profile data records when the selection of computer configuration data used for grouping changes.
  - 14. The system of claim 1 wherein the group manager server is further configured to group computer profile data records based on manual groupings that use computer profile data.
  - 15. The system of claim 1 wherein the computer configuration data includes data that identifies the computer hardware and software.
  - 16. The system of claim 15 wherein the computer configuration data includes data selected from a group consisting of:
    - IP address, Windows Domain, Windows Login, and PC Name.
  - 17. The system of claim 1 wherein the computer profile data includes data selected from a group consisting of:
    - software license information, performance data, and user specified data.
  - 18. The system of claim 1 wherein the computer profile data is received from client profiling software executing on respective computers that collects profile data of the respective computers.
  - 19. The system of claim 1 wherein the administrative features related to reporting the profiles comprise at least one of:
    - viewing profile data records;
      
      removing profile data records from the database;
      
      generating lists and reports of the profile data records;
      
      managing the grouping of the profile data records;
      
      selecting computer configuration data used for grouping the profile data records; and
      
      managing sub-grouping of the profile data records.
  - 20. The system of claim 1 wherein the administrative features related to accessing the profiles comprise at least one of:
    - managing user rights to access the profile data records;
      
      adding or removing users;
      
      managing login groups;
      
      managing user types;
      
      managing receipt of computer profile data from the computers; and
      
      manually profiling, as a stored record in the database, computer profile data of a computer.
  - 21. The system of claim 1 wherein access to the administrative features related to accessing and reporting the profiles are restricted for a particular user by at least one of:
    - presentation of a tailored user interface related to the database;
      
      active or inactive function buttons of a user interface related to the database; and
      
      viewable web pages related to the database.

22. A method for managing a database and controlling access to computer profile data contained in the database, the method including:
- A. grouping a plurality of computers into a tree structure of groups and sub-groups based on grouping criteria, with each computer being a node on the tree and a top node begin a root;
  
  B. receiving computer profile data uploaded from computers, either immediately upon human command or in accordance with a profile data upload schedule the computer profile data including one or more computer configuration data, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data is uploaded;
  
  C. storing records of the computer profile data in the database;
  
  D. dynamically grouping the computer profile data records based on computer profile grouping criteria that use selected computer configuration data;
  
  E. associating respective users with login groups wherein the login group identifies the group of computers for which the user has access to computer profile data of such computers, which further provides access to all sub-groups from the group to which the user has access;
  
  F. associating the respective users with user types that correspond to sets of system administrative features that the user can exercise across the groups associated with the respective login group through which the user logs into the system, the user types specifying what type of access the respective users have to the computer profile data by specifying the system administrative features to which the associated users have access; and
  
  G. restricting the access of a given user from making changes to computer profile data, and further restricts the access of the given user to only the administrative features associated with the given user'"'"'s user type and the computer profile data of only computers that are included in the group of computers that are in the user'"'"'s login group and the computers that are in sub-group of the user'"'"'s login group,wherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically moved to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the moved computer with their user rights as conferred by their respective user type, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the computer profile data of said moved computer, unless the second group is a subgroup of their login group.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 23. The method of claim 22 wherein the administrative features includes at least one of accessing and reporting the computer profile data records stored in the database, modifying groups, modifying grouping criteria, adding users, modifying user types, creating new user types, removing profiles, viewing reports, downloading clients, determining profile data upload schedules and altering upload schedules.
  - 24. The method of claim 22 wherein a given user may use sets of administrative features allowing a the user to assign another user to a login group that is associated with the login group of the given user and the user may assign another user a user type that provides the same or more restrictive access rights than those accorded to the given user by his association with the user type.
  - 25. The method of claim 22 wherein a user can exercise sets of administrative features that include the step of determining based on the associated login group and user type what to block from the view of the user in a user interface.
  - 26. The method of claim 22 wherein a user can exercise sets of administrative features that include the step of blocking functions that relate to features that are not specified by the user type associated with the user.
  - 27. The method of claim 22 wherein a user can exercise sets of administrative features that include the step of inactivating user interface buttons to block access to the functions that are associated with features that are not specified by the user type associated with the user.
  - 28. The method of claim 22 wherein a user can exercise sets of administrative features that include the step of hiding from the view of the user any interface features and functionality that are not specified by the user type associated with the user.
  - 29. The method of claim 22 wherein a user can exercise sets of administrative features that include the step of hiding from the user interface view access to data associated with the group or groups of computer profile data records that are not associated with the login group of the user.
  - 30. The method of claim 22 further including the step of delegating particular administrative authority to a given user by assigning the user a user type that is associated with the system features that correspond to the particular administrative authority.
  - 31. The method of claim 30 further including delegating additional authority to the given user by replacing the assigned user type with a user type that is associated with the system features that correspond to the additional administrative authority.
  - 32. The method of claim 22 further including re-grouping the computer profile data records when values of one or more of the profile data for one or more computers changes.
  - 33. The method of claim 22 further including re-grouping the computer profile data records when the selection of computer configuration data used for grouping changes.
  - 34. The method of claim 22 further including grouping computer profile data records based on manual groupings that use computer profile data.
  - 35. The method of claim 22 wherein the administrative features related to reporting the profiles comprise at least one of:
    - viewing profile data records;
      
      removing profile data records from the database;
      
      generating lists and reports of the profile data records;
      
      managing the grouping of the profile data records;
      
      selecting computer configuration data used for grouping the profile data records; and
      
      managing sub-grouping of the profile data records.
  - 36. The method of claim 22 wherein the administrative features related to accessing the profiles comprise at least one of:
    - managing user rights to access the profile data records;
      
      adding or removing users;
      
      managing login groups;
      
      managing user types;
      
      managing receipt of computer profile data from the computers; and
      
      manually profiling, as a stored record in the database, computer profile data of a computer.
  - 37. The method of claim 22 wherein utilization of the administrative features related to accessing and reporting the profiles are allowed for a particular user by at least one of:
    - presentation of a tailored user interface related to the database;
      
      active or inactive function buttons of a user interface related to the database; and
      
      viewable web pages related to the database.
  - 38. The method as defined in claim 22 further comprising:
    - setting said user types and login groups such that a respective user needs not refer back to the user access manager prior to each time the user accesses computer profile data in the assigned login group.

39. A user access manager server that controls access to computer profile data records contained in a database, the data being provided by computers and, the profile data records being grouped in accordance with computer grouping criteria using selected computer configuration data that are part of the computer profile data received from the computers, the server being configured to:
- i. associate respective users with login groups maintained in memory, a given login group identifying the group of computers for which the user has access to the computer profile data, the login group including sub-groups thereof, said computer profile data providing information defining the computer'"'"'s state as actually operating at an instant in time at which the data are uploaded;
  
  ii. associate the respective users with user types maintained in memory, the user types corresponding to sets of system administrative features and specifying the system administrative features to which the associated users have access,iii. restrict access of a given user based on the login group and the user type to which the user is associated to prevent the given user from making changes to computer profile data, and further restricting the access of the given user to only the administrative features associated with the given user'"'"'s user type and the computer profile data of only computers that are included in the group of computers that are identified as being in the user'"'"'s login group and the computers that are in a sub-group thereof, andwherein, if one of the computers changes from meeting the grouping criteria of a first group to meeting the grouping criteria of a second group, the computer is automatically re-assigned to the second group and users whose login group provides access to computer profile data from computers in the second group will automatically gain access to the computer profile data of the re-assigned computer with their user rights as conferred by their respective user types, and users whose login group provides access to the computer profile data of the first group will automatically lose access to the computer profile data of said re-assigned computer, unless the second group is a subgroup of their login group.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 40. The user access manager server of claim 39 further configured to provide to a given user an interface through which the user instructs the server to assign to another user only a user type that is associated with access rights that are the same as or more restrictive than the access rights associated with the user type that is associated with the given user, the user type being associated with administrative features relating to at least one of accessing and reporting the computer profile data records stored in the database, modifying groups, modifying grouping criteria, adding users, modifying user types, creating new user types, removing profiles, viewing reports, downloading clients, determining profile data upload schedules and altering upload schedules.
  - 41. The user access manager server of claim 39 further configured to provide to the given user an interface through which the user instructs the server to assign another user only to a login group that is associated with the login group of the given user.
  - 42. The user access manager server of claim 39 further configured to construct user interfaces and determine based on the login group and user type associated with the user what to allow the user to view.
  - 43. The user access manager server of claim 39 further configured to block functions that relate to features that are not specified by the user type associated with the user.
  - 44. The user access manager server of claim 39 further configured to inactivate buttons to block access to functions that are associated with features that are not specified by the user type associated with the user.
  - 45. The user access manager server of claim 39 further configured to hide from the view of the user any user interface features and functionality that are not specified by the user type associated with the user.
  - 46. The user access manager server of claim 39 further configured to hide from view in a user interface the access to data associated with the group or groups of computer profile data records that are not associated with the login group of the user.
  - 47. The user access manager server of claim 39 further configured to associate a given user with more than one login group.
  - 48. The user access manager server of claim 47 wherein the respective groups of computer profile data records are in a tree-structure in memory and a given login group provides users access to the groups of computer profile data records that are on one or more sub-trees with the groups that are associated with the login group as the respective roots of the one or more sub-trees.
  - 49. The user access manager server of claim 39 wherein the administrative features related to reporting the profiles comprise at least one of:
    - viewing profile data records;
      
      removing profile data records from the database;
      
      generating lists and reports of the profile data records;
      
      managing the grouping of the profile data records;
      
      selecting computer configuration data used for grouping the profile data records; and
      
      managing sub-grouping of the profile data records.
  - 50. The user access manager server of claim 39 wherein the administrative features related to accessing the profiles comprise at least one of:
    - managing user rights to access the profile data records;
      
      adding or removing users;
      
      managing login groups;
      
      managing user types;
      
      managing receipt of computer profile data from the computers; and
      
      manually profiling, as a stored record in the database, computer profile data of a computer.
  - 51. The user access manager server of claim 39 wherein the server is further configured to provide a means for allowing utilization of the administrative features related to accessing and reporting the profiles comprising at least one of:
    - presentation of a tailored user interface related to the database;
      
      management of active or inactive function buttons of a user interface related to the database; and
      
      management of viewable web pages related to the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belarc, Inc.
Original Assignee
Belarc, Inc.
Inventors
Newman, Gary H., Franklin, James W.
Primary Examiner(s)
Lanier, Benjamin
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/856,143
Publication Number

US 20040260952A1
Time in Patent Office

2,881 Days
Field of Search

713/182
US Class Current

713/182
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/41   where a single sign-on prov...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

Secure user access subsystem for use in a computer information database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Secure user access subsystem for use in a computer information database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links