Integrated security roles

US 8,572,694 B2
Filed: 03/14/2008
Issued: 10/29/2013
Est. Priority Date: 03/27/2003
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing a client'"'"'s request at a first downstream application, said method comprising:

at runtime, prior to receiving the client'"'"'s request;

identifying a role mapping requirement included in an upstream application, the role mapping requirement corresponding to an upstream security role; and

in response to identifying the role mapping requirement, adding an upstream security role identifier corresponding to the upstream security role into a downstream authorization table;

receiving, at the first downstream application, a first application request from the upstream application, wherein the first application request is derived from the client'"'"'s request and includes the upstream security role identifier that was determined by the upstream application;

matching the upstream security role identifier included in the first application request with the upstream security role identifier included in the downstream authorization table; and

authorizing the client'"'"'s request at the downstream application in response to the matching.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach to handling integrated security roles is presented. An upstream application includes one or more role-mapping requirements that correspond to an upstream security role and a downstream security role. The upstream security role is expanded by adding an upstream security role identifier in a downstream application'"'"'s role-mapping table or by adding upstream user-to-role mappings to a downstream application'"'"'s role-mapping table. When an upstream security role is expanded, a user assigned to the upstream security role automatically has access to role-mapped downstream applications.

Citations

19 Claims

1. A method of authorizing a client'"'"'s request at a first downstream application, said method comprising:
- at runtime, prior to receiving the client'"'"'s request;
  
  identifying a role mapping requirement included in an upstream application, the role mapping requirement corresponding to an upstream security role; and
  
  in response to identifying the role mapping requirement, adding an upstream security role identifier corresponding to the upstream security role into a downstream authorization table;
  
  receiving, at the first downstream application, a first application request from the upstream application, wherein the first application request is derived from the client'"'"'s request and includes the upstream security role identifier that was determined by the upstream application;
  
  matching the upstream security role identifier included in the first application request with the upstream security role identifier included in the downstream authorization table; and
  
  authorizing the client'"'"'s request at the downstream application in response to the matching.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as described in claim 1 further comprising:
    - identifying one or more required downstream security roles, wherein each authorization table entry included in the downstream authorization table corresponds to at least one of the required downstream security roles.
  - 3. The method as described in claim 2 further comprising:
    - selecting the required downstream security role that corresponds to the matched upstream security role identifier;
      
      including the selected required downstream security role in a second application request; and
      
      sending the second application request to a second downstream application.
  - 4. The method as described in claim 1 further comprising:
    - determining whether the upstream security role and the downstream security role are equivalent; and
      
      configuring the upstream security role and the downstream security role such that they are equivalent.
  - 5. The method as described in claim 1 wherein the first application request is received over a computer network.

6. A method comprising:
- expanding, at runtime, an upstream security role to include a downstream application, the method further comprising;
  
  identifying a role mapping requirement included in an upstream application corresponding to the upstream security role;
  
  in response to identifying the role mapping requirement, selecting an upstream authorization table that corresponds to the upstream application, wherein the upstream authorization table includes one or more upstream authorization table entries that correspond to the upstream security role;
  
  selecting a downstream security role included in a downstream authorization table, the downstream security role corresponding to the role mapping requirement and the downstream application; and
  
  adding one or more downstream authorization table entries to the downstream authorization table, wherein the one or more added downstream authorization table entries match the one or more upstream authorization entries corresponding to the upstream security role.
- View Dependent Claims (7, 8, 9)
- - 7. The method as described in claim 6 wherein at least one of the added downstream authorization table entries is selected from the group consisting of a user identifier, a group identifier, and an upstream security role identifier.
  - 8. The method as described in claim 6 further comprising:
    - determining whether the upstream security role and the downstream security role are equivalent; and
      
      configuring the downstream authorization table entries and one or more of the upstream authorization table entries such that they are equivalent, the upstream authorization table entries corresponding to the upstream security role.
  - 9. The method as described in claim 6 further comprising:
    - receiving an application request from the upstream application, wherein the request includes a user identifier;
      
      matching the user identifier with one or more of the downstream authorization table entries; and
      
      authorizing the application request in response to the matching.

10. An information handling system comprising:
- one or more processors;
  
  a memory accessible by the processors;
  
  one or more nonvolatile storage devices accessible by the processors; and
  
  a client authorization tool to authorize a client'"'"'s request at a first downstream application, the client authorization tool including a set of instructions stored in the memory and executed by at least one of the processors in order to perform actions of;
  
  at runtime, prior to receiving the client'"'"'s request;
  
  identifying a role mapping requirement included in an upstream application, the role mapping requirement corresponding to an upstream security role; and
  
  in response to identifying the role mapping requirement, adding an upstream security role identifier corresponding to the upstream security role into a downstream authorization table;
  
  receiving, at the first downstream application, a first application request from the upstream application, wherein the first application request is derived from the client'"'"'s request and includes the upstream security role identifier that was determined by the upstream application;
  
  matching the upstream security role identifier included in the first application request with the upstream security role identifier included in the downstream authorization table; and
  
  authorizing the client'"'"'s request at the downstream application in response to the matching.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The information handling system as described in claim 10 wherein the set of instructions, when executed by one of the processors, further performs actions of:
    - identifying one or more required downstream security roles located in one of the nonvolatile storage devices wherein each authorization table entry included in the downstream authorization table corresponds to at least one of the required downstream security roles.
  - 12. The information handling system as described in claim 11 wherein the set of instructions, when executed by one of the processors, further performs actions of:
    - selecting the required downstream security role that corresponds to the matched upstream security role identifier;
      
      including the selected required downstream security role in a second application request; and
      
      sending the second application request to a second downstream application.
  - 13. The information handling system as described in claim 10 wherein the set of instructions, when executed by one of the processors, further performs actions of:
    - determining whether the upstream security role and the downstream security role are equivalent; and
      
      configuring the upstream security role and the downstream security role such that they are equivalent.
  - 14. The information handling system as described in claim 10 wherein the first application request is received over a computer network.

15. A computer program product stored on a computer operable storage medium for authorizing a client'"'"'s request at a first downstream application, said computer program product comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions that include:
- at runtime, prior to receiving the client'"'"'s request;
  
  identifying a role mapping requirement included in an upstream application, the role mapping requirement corresponding to an upstream security role; and
  
  in response to identifying the role mapping requirement, adding an upstream security role identifier corresponding to the upstream security role into a downstream authorization table;
  
  receiving, at the first downstream application, a first application request from the upstream application, wherein the first application request is derived from the client'"'"'s request and includes the upstream security role identifier that was determined by the upstream application;
  
  matching the upstream security role identifier included in the first application request with the upstream security role identifier included in the downstream authorization table; and
  
  authorizing the client'"'"'s request at the downstream application in response to the matching.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product as described in claim 15 wherein the functional descriptive material that, when executed by the information handling system, causes the information handling system to further perform actions that include:
    - identifying one or more required downstream security roles wherein each authorization table entry included in the downstream authorization table corresponds to at least one of the required downstream security roles.
  - 17. The computer program product as described in claim 16 wherein the functional descriptive material that, when executed by the information handling system, causes the information handling system to further perform actions that include:
    - selecting the required downstream security role that corresponds to the matched upstream security role identifier;
      
      including the selected required downstream security role in a second application request; and
      
      sending the second application request to a second downstream application.
  - 18. The computer program product as described in claim 15 wherein the functional descriptive material that, when executed by the information handling system, causes the information handling system to further perform actions that include:
    - determining whether the upstream security role and the downstream security role are equivalent; and
      
      configuring the upstream security role and the downstream security role such that they are equivalent.
  - 19. The computer program product as described in claim 15 wherein the first application request is received over a computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chang, David Yu, Chao, Ching-Yun
Primary Examiner(s)
Gregory, Shaun

Application Number

US12/049,139
Publication Number

US 20080295147A1
Time in Patent Office

2,055 Days
Field of Search

726/4, 726/14
US Class Current

726/4
CPC Class Codes

G06F 21/6236 between heterogeneous systems

H04L 63/102 Entity profiles

Integrated security roles

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated security roles

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links