Publication number: US20030115292 A1
Publication type: Application
Application number: US 10/279,543
Publication date: Jun 19, 2003
Filing date: Oct 24, 2002
Priority date: Oct 24, 2001
Also published as: CN1647071A, CN100504853C, EP1442397A1, EP1442397A4, US7240280, US7367014, US7451163, US7451477, US7472342, US7516167, US20030105974, US20030110172, US20030110448, US20030117437, US20030126558, US20030145275, US20030149722, US20050187978, US20050187986, US20050187993, US20070214421, WO2003036481A1, WO2003036489A1, WO2003036490A1, WO2003036500A1, WO2003036505A1, WO2003036521A1, WO2003036548A1, WO2003036609A1
Inventors: Philip Griffin, Manish Devgan, Christopher Bales, Chris Fregly, Dmitry Dimov
Original Assignee: Griffin Philip B., Manish Devgan, Bales Christopher E., Chris Fregly, Dmitry Dimov
System and method for delegated administration
US 20030115292 A1
Abstract
A system and method for delegating administration tasks comprising determining at least one capability for a first user based on evaluation of at least one role rule and delegating the at least one capability to a second user.
Claims (124)
What is claimed is:
1. A method for delegating portal administrative authority, comprising:
determining at least one capability for a first user based on evaluation of at least one role rule; and
delegating the at least one capability to a second user; and
wherein the delegation establishes whether or not the second user can delegate the capability.
2. The method of claim 1 wherein:
the delegated at least one capability is a subset of the at least one capability for the first user.
3. The method of claim 1 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
4. The method of claim 1 wherein:
the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
5. The method of claim 1 wherein:
the second user is promoted by the first user.
6. The method of claim 1 wherein:
the at least one role rule defaults to everyone.
7. The method of claim 1 wherein:
the at least one role rule is associated with an entitlement.
8. The method of claim 7 wherein:
the entitlement includes a resource name and a permission.
9. The method of claim 8 wherein:
the resource name is part of a taxonomy.
10. The method of claim 8 wherein:
the resource name identifies the first user.
11. The method of claim 1 wherein:
the at least one role rule includes at least one predicate.
12. The method of claim 1 wherein:
the at least one role rule is specified in plain language.
13. The method of claim 1 wherein:
the at least one role rule associates the first user with a role.
14. The method of claim 13 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
15. The method of claim 1 wherein:
the second user belongs to a group whose members can be promoted.
16. A method for delegating portal administrative authority, comprising:
determining at least one capability for a first user based on evaluation of at least one role rule; and
delegating the at least one capability to a second user; and
wherein the delegated at least one capability is a subset of the at least one capability of the first user.
17. The method of claim 16 wherein:
the first user controls whether the second user can delegate the at least one capability to a third user.
18. The method of claim 16 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
19. The method of claim 16 wherein:
the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
20. The method of claim 16 wherein:
the second user is promoted by the first user.
21. The method of claim 16 wherein:
the at least one role rule defaults to everyone.
22. The method of claim 16 wherein:
the at least one role rule is associated with an entitlement.
23. The method of claim 22 wherein:
the entitlement includes a resource name and a permission.
24. The method of claim 23 wherein:
the resource name is part of a taxonomy.
25. The method of claim 23 wherein:
the resource name identifies the first user.
26. The method of claim 16 wherein:
the at least one role rule includes at least one predicate.
27. The method of claim 16 wherein:
the at least one role rule is specified in plain language.
28. The method of claim 16 wherein:
the at least one role rule associates the first user with a role.
29. The method of claim 28 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
30. The method of claim 16 wherein:
the second user belongs to a group whose members can be promoted.
31. A method for delegating portal administrative authority, comprising:
determining for a first user at least one task having at least one capability; and
delegating the at least one capability from the first user to at least one other user; and
wherein the delegated at least one capability is a subset of the at least one capability of the first user.
32. The method of claim 31 wherein:
determining for a first user at least one task having at least one capability includes evaluating at least one role rule.
33. The method of claim 31 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
34. The method of claim 31 wherein:
the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
35. The method of claim 31 wherein:
the at least one other user is promoted by the first user.
36. The method of claim 32 wherein:
the at least one role rule defaults to everyone.
37. The method of claim 32 wherein:
the at least one role rule is associated with an entitlement.
38. The method of claim 37 wherein:
the entitlement includes a resource name and a permission.
39. The method of claim 38 wherein:
the resource name is part of a taxonomy.
40. The method of claim 38 wherein:
the resource name identifies the first user.
41. The method of claim 32 wherein:
the at least one role rule includes at least one predicate.
42. The method of claim 32 wherein:
the at least one role rule is specified in plain language.
43. The method of claim 32 wherein:
the at least one role rule associates the first user with a role.
44. The method of claim 43 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
45. The method of claim 31 wherein:
the at least one other user belongs to a group whose members can be promoted.
46. A method for delegating authority, comprising:
determining for a first user at least one task having at least one capability based on at least one entitlement; and
delegating the at least one capability from the first user to at least one other user; and
wherein the delegated at least one capability is a subset of the first user's capabilities.
47. The method of claim 46 wherein:
determining for a first user at least one task having at least one capability includes evaluating at least one role rule.
48. The method of claim 46 wherein:
the delegated at least one capability is a subset of the at least one capability for the first user.
49. The method of claim 46 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
50. The method of claim 46 wherein:
the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
51. The method of claim 46 wherein:
the at least one other user is promoted by the first user.
52. The method of claim 47 wherein:
the at least one role rule defaults to everyone.
53. The method of claim 46 wherein:
the entitlement includes a resource name and a permission.
54. The method of claim 53 wherein:
the resource name is part of a taxonomy.
55. The method of claim 53 wherein:
the resource name identifies the first user.
56. The method of claim 47 wherein:
the at least one role rule includes at least one predicate.
57. The method of claim 47 wherein:
the at least one role rule is specified in plain language.
58. The method of claim 47 wherein:
the at least one role rule associates the first user with a role.
59. The method of claim 58 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
60. The method of claim 46 wherein:
the at least one other user belongs to a group whose members can be promoted.
61. A system for delegating authority, comprising:
an authorization module to determine at least one capability associated with a first user based on evaluation of at least one role rule; and
an administration tool coupled to the authorization module, the administration tool to delegate the at least one capability from the first user to a second user.
62. The system of claim 61 wherein:
the first user controls whether the second user can delegate the at least one capability to a third user.
63. The system of claim 61 wherein:
the delegated at least one capability is a subset of the at least one capability for the first user.
64. The system of claim 61 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
65. The system of claim 61 wherein:
the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
66. The system of claim 61 wherein:
the second user is promoted by the first user.
67. The system of claim 61 wherein:
the at least one role rule defaults to everyone.
68. The system of claim 61 wherein:
the at least one role rule is associated with an entitlement.
69. The system of claim 68 wherein:
the entitlement includes a resource name and a permission.
70. The system of claim 69 wherein:
the resource name is part of a taxonomy.
71. The system of claim 68 wherein:
the resource name identifies the first user.
72. The system of claim 61 wherein:
the at least one role rule includes at least one predicate.
73. The system of claim 61 wherein:
the at least one role rule is specified in plain language.
74. The system of claim 61 wherein:
the at least one role rule associates the first user with a role.
75. The system of claim 74 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
76. The system of claim 61 wherein:
the second user belongs to a group whose members can be promoted.
77. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
determine at least one capability for a first user based on evaluation of at least one role rule; and
delegate the at least one capability to a second user.
78. The machine readable medium of claim 77 wherein:
the first user controls whether the second user can delegate the at least one capability to a third user.
79. The machine readable medium of claim 77 wherein:
the delegated at least one capability is a subset of the at least one capability for the first user.
80. The machine readable medium of claim 77 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
81. The machine readable medium of claim 77 wherein:
the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
82. The machine readable medium of claim 77 wherein:
the second user is promoted by the first user.
83. The machine readable medium of claim 77 wherein:
the at least one role rule defaults to everyone.
84. The machine readable medium of claim 77 wherein:
the at least one role rule is associated with an entitlement.
85. The machine readable medium of claim 84 wherein:
the entitlement includes a resource name and a permission.
86. The machine readable medium of claim 85 wherein:
the resource name is part of a taxonomy.
87. The machine readable medium of claim 85 wherein:
the resource name identifies the first user.
88. The machine readable medium of claim 77 wherein:
the at least one role rule includes at least one predicate.
89. The machine readable medium of claim 77 wherein:
the at least one role rule is specified in plain language.
90. The machine readable medium of claim 77 wherein:
the at least one role rule associates the first user with a role.
91. The machine readable medium of claim 90 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
92. The machine readable medium of claim 77 wherein:
the second user belongs to a group whose members can be promoted.
93. The method of claim 77 wherein:
the step of delegating can limit the scope of the capability delegated.
94. The method of claim 77 wherein:
the delegating step can limit the capability delegated to one or more of a manage capability, a delegate capability and a set entitlements capability.
95. A system for delegating authority, comprising:
an authorization module to determine at least one capability associated with a first user based on evaluation of at least one role rule; and
an administration tool coupled to the authorization module, the administration tool to delegate the at least one capability from the first user to a second user; and
wherein the first user controls whether the second user can delegate the at least one capability to a third user; and
wherein the at least one role rule is associated with an entitlement.
96. The system of claim 95 wherein:
the delegated at least one capability is a subset of the at least one capability for the first user.
97. The system of claim 95 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
98. The system of claim 95 wherein:
the first user and the second user have a hierarchical relationship and the second user is hierarchically equal or subordinate to the first user.
99. The system of claim 95 wherein:
the second user is promoted by the first user.
100. The system of claim 95 wherein:
the at least one role rule defaults to everyone.
101. The system of claim 95 wherein:
the entitlement includes a resource name and a permission.
102. The system of claim 101 wherein:
the resource name is part of a taxonomy.
103. The system of claim 101 wherein:
the resource name identifies the first user.
104. The system of claim 95 wherein:
the at least one role rule includes at least one predicate.
105. The system of claim 95 wherein:
the at least one role rule is specified in plain language.
106. The system of claim 95 wherein:
the at least one role rule associates the first user with a role.
107. The system of claim 106 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
108. The system of claim 95 wherein:
the second user belongs to a group whose members can be promoted.
109. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
determine for a first user at least one task having at least one capability based on at least one entitlement; and
delegate the at least one capability from the first user to at least one other user; and
wherein the delegated at least one capability is a subset of the first user's capabilities.
110. The machine readable medium of claim 109 wherein:
the first user controls whether the at least one other user can delegate the at least one capability to a third user.
111. The machine readable medium of claim 109 wherein:
the at least one capability is one of: user management, page management, portlet management, portal entitlement management, portlet entitlement management, and visual appearance management.
112. The machine readable medium of claim 109 wherein:
the first user and the at least one other user have a hierarchical relationship and the at least one other user is hierarchically equal or subordinate to the first user.
113. The machine readable medium of claim 109 wherein:
the at least one other user is promoted by the first user.
114. The machine readable medium of claim 109 wherein:
the at least one entitlement includes a resource name and a permission.
115. The machine readable medium of claim 114 wherein:
the resource name is part of a taxonomy.
116. The machine readable medium of claim 114 wherein:
the resource name identifies the first user.
117. The machine readable medium of claim 109 wherein:
the at least one entitlement includes at least one role rule.
118. The machine readable medium of claim 117 wherein:
the at least one role rule includes at least one predicate.
119. The machine readable medium of claim 117 wherein:
the at least one role rule is specified in plain language.
120. The machine readable medium of claim 117 wherein:
the at least one role rule associates the first user with a role.
121. The machine readable medium of claim 120 wherein:
the role is one of System Administrator, Portal Administrator, and Group Administrator.
122. The machine readable medium of claim 109 wherein:
the at least one other user belongs to a group whose members can be promoted.
123. The method of claim 109 wherein:
the step of delegating can limit the scope of the capability delegated.
124. The method of claim 109 wherein:
the delegating step can limit the capability delegated to one or more of a manage capability, a delegate capability and a set entitlements capability.
Description
  • CLAIM OF PRIORITY
  • [0001]
    This application claims priority from ENHANCED PORTALS [FLAGSTAFF RELEASE], U.S. Provisional Application No. 60/386,487, Inventors: Phil Griffin, et al., filed on Oct. 24, 2001, and which is incorporated herein by reference.
  • CROSS REFERENCES
  • [0002]
    This application is related to the following co-pending application which is hereby incorporated by reference in its entirety: SYSTEM AND METHOD FOR RULE-BASED ENTITLEMENTS, U.S. Application Serial No. ______, Inventors: Phil Griffin, et al., filed on ______.
  • COPYRIGHT NOTICE
  • [0003]
    A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
  • FIELD OF THE DISCLOSURE
  • [0004]
    The present invention disclosure relates to the field of authorization in computer networks and, in particular, delegation of administrative privileges in an enterprise application.
  • BACKGROUND
  • [0005]
    Administration of an enterprise application is typically carried out by a system administrator who can perform tasks that are otherwise off-limits to non-privileged users. Such tasks can include administering user accounts, altering the layout and content of pages on a website, installing applications, running diagnostics, adding or removing components to a network, or reconfiguring a network. However, as enterprise applications grow large and complex, so do the number of administrative tasks. One way to reduce the number of tasks that a system administrator is responsible for is to distribute the tasks among a number of administrators. This approach can be problematic, however, since administrators may unwittingly perform conflicting operations. Another problem with this approach is that it increases the likelihood that the security of the enterprise application will be breached since system level privileges are entrusted to more than one individual. What is needed is a means to conveniently delegate system administration privileges while at the same time limiting the scope of such privileges.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0006]
    FIG. 1 illustrates delegation of capabilities in accordance to one embodiment of the invention.
  • [0007]
    FIG. 2 illustrates an administrative hierarchy in accordance to one embodiment of the invention.
  • [0008]
    FIG. 3 illustrates delegation of administrative tasks in accordance to one embodiment of the invention.
  • [0009]
    FIG. 4 illustrates a system in accordance to one embodiment of the invention.
  • DETAILED DESCRIPTION
  • [0010]
    The invention is illustrated by way of example and not by way of limitation in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.
  • [0011]
    In one embodiment, delegated system administration involves the conveying of a capability (e.g., the ability to perform a system administration task) from one user to another, from a process to a user, from a user to a process, or from a process to a process. A process can include, for example, a thread, a distributed object, a lightweight process, or a program of any kind that is able to execute on one or more computers. In another embodiment, a process and a user are synonymous. By way of a non-limiting illustration, the conveyed capability can include any task, operation or privilege that is able to be performed on any resource available on a computer network. For example, if a resource is a computer database, capabilities can comprise creating, reading, updating or deleting data contained therein. If the resource is an administrative task, for example, capabilities can include creating a new user account, associating an existing user account with a user group, or delegating the ability to perform a system administration task to a user.
  • [0012]
    FIG. 1 illustrates delegation of capabilities in accordance to one embodiment of the invention. User 1 has capabilities A, B and C. User 1 has delegated these capabilities to user 2. In doing so, user 1 also conveyed to user 2 the ability to further delegate these capabilities to others. User 1 conveyed capabilities B and C to user 3, but with the condition that user 3 cannot further delegate C. This is indicated in FIG. 1 by an underscore beneath the letter “C”. User 2 has delegated A, B and C to user 4, and capabilities A and B to user 5 with the condition that user 5 cannot further delegate capability B. User 3 has delegated capability B to user 6. User 3 cannot delegate capability C. Thus, different levels of users can be created with varying degrees of system access. In one embodiment, each level of delegation can have the same capabilities. In another embodiment, each subsequent level of delegation can have the same or fewer capabilities.
  • [0013]
    A portal is a feature-rich web site. It provides a point of access to enterprise data and applications, presenting a unified and potentially personalized view of that information to employees, customers and business partners. Portals allow multiple web applications within a single web interface. In addition to regular web content that appears in a portal (e.g., text or graphics), portals provide the ability to display portlets—self-contained applications or content—all in a single web interface (e.g., a web browser). Portals also support multiple pages through navigation mechanisms (e.g., tab-based navigation) with each page containing its own content and portlets. One such system is the WebLogic® Portal, available from BEA Systems, Inc. of San Jose, Calif.
  • [0014]
    In one embodiment, a portal user can be an administrator. As such, the user can create new portals, modify the privileges of visitors and other administrators, and modify many of the attributes displayed in the portal. In another embodiment, a portal user can belong to one or more groups. Groups provide a means for organizing users with common characteristics into a single category. For example, it might be desirable to differentiate the web services offered to bank customers with large assets versus small assets in order to serve these groups better. An association between a portal and a user group is a Group portal. Group portals allow for the definition of different views of a portal for different user groups, making it seem as if users in each group are looking at completely different web sites. Multiple group portals can be created within a single portal. In one embodiment, group portals can be managed by delegated administration.
  • [0015]
    In addition to groups, in one embodiment of the invention, users can also be organized into a hierarchy. In one embodiment, a hierarchy can include one or more users designated as system administrators (SA's), zero or more users designated as portal administrators (PA's), and zero or more users designated as group administrators (GA's). Those skilled in the art will recognize that many such hierarchies are possible. In one embodiment, an SA is able to perform all system administration tasks, whereas a PA can perform administration tasks only for a single portal, and a GA can perform administrative tasks only for a single group portal. In another embodiment, users are not organized into a hierarchy.
  • [0016]
    In one embodiment, initially there is a single user designated as an SA. The remaining users optionally belong to an “admin eligible” group. Membership in a group can be dynamically determined by evaluating rules. Users belonging to the admin eligible group can be promoted to SA, PA or GA. In another embodiment, group membership is not a prerequisite to promotion. In one embodiment, an SA can promote users in the admin eligible group to SA, PA or GA. Once promoted to SA, a user can likewise promote others to SA, PA or GA. In another embodiment, a PA can promote other users to PA or GA, and a GA can promote other users to GA. It will be apparent to those skilled in the art that user promotion can be accomplished in a number of ways, including automatically via evaluation of rules or manually via administrative tools.
  • [0017]
    FIG. 2 illustrates an administrative hierarchy in accordance to one embodiment of the invention. SA 10 has promoted users 11 and 12 to PA and user 13 to GA. User 12 has in turn promoted user 14 to GA and user 15 to PA. User 14 in turn has promoted users 16 and 17 to GA. In one embodiment, a user cannot promote another to a role higher than itself. For example, user 14 could not promote user 16 to PA or SA. In another embodiment, users 11-17 belonged to the admin eligible group before promotion.
  • [0018]
    In one embodiment, there are four administrative tasks that an administrator (e.g., SA, PA or GA) can potentially control: user management, portal page management, portlet management and visual appearance. In one embodiment, if an administrator has the capability of managing users, the administrator can create users and optionally store information about them. In addition, an administrator can also create groups and add users to them.
  • [0019]
    In one embodiment, if an administrator has the capability of managing portal pages, the administrator can control behavioral aspects that a visitor experiences when accessing a portal, such as whether a portlet is viewed as a maximized presentation or a minimized presentation within the page of origin. If an administrator has the capability to alter the visual appearance, the administrator can modify a portal's look and feel, define and arrange the pages and portlets displayed in a portal, define the different views of the portal that different visitors see, and control access to pages and portlets within a group portal. By way of a non-limiting illustration, general portal visual characteristics can include header and footer graphics, content, icon graphics, color schemes, cascading style sheets and hypertext markup language (HTML) layouts. In another embodiment, an administrator can determine the appearance of a portal by selecting from the available skins. A skin is a collection of HTML code and graphics that affect the appearance of a portal, for example, the colors and fonts used.
  • [0020]
    In one embodiment, if an administrator has the capability of managing portlets, the administrator can define and modify the resources that are available for a portlet. The administrator can also set portlet defaults, such as whether the portlet will be available to users, whether the portlet can be minimized, whether the portlet can be maximized, etc.
  • [0021]
    Table 1 summarizes administrative tasks and their associated capabilities in one embodiment (parenthetical capability codes are provided for use in FIG. 3):
    TABLE 1
    Administrative Task Capabilities

    Task                          Capabilities
    User Management               Manage (A1), Delegate (A2)
    Page Management               Manage (B1), Delegate (B2), Set Entitlements (B3)
    Portlet Management            Manage (C1), Delegate (C2), Set Entitlements (C3)
    Visual Appearance Management  Manage (D1), Delegate (D2)
  • [0022]
    In one embodiment, if an administrator possesses the “manage” capability, the administrator is permitted to manage the given task. If an administrator possesses the “delegate” capability, the administrator can delegate the capability to another. Finally, if an administrator has the capability “set entitlements”, the administrator can define roles for dynamically associating users with resources. In one embodiment, roles allow for the definition of different views of a portal for different users. By creating groupings of characteristics, such as gender, browser type, or date, any web site visitors who match those characteristics dynamically become members of the role. Such dynamic roles are used to target visitors with campaigns and personalized content, and to control the pages and portlets web site visitors can view.
  • [0023]
    FIG. 3 illustrates delegation of administrative tasks (see Table 1) in accordance to one embodiment of the invention. SA 10 possesses all administrative capabilities and can delegate all of them. SA 10 has delegated a subset of these capabilities to PA 11 and GA 13. PA 11 was granted all user, page and portlet management capabilities, but was not granted any capabilities related to visual appearance management. GA 13 was granted page and portlet management capabilities, but does not have the capability to delegate these (i.e., B2 and C2). GA 13 was not granted any capabilities related to user or visual appearance management. PA 12 was granted the full set of capabilities from SA 10 and in turn granted a subset of these to GA 14 and PA 15. GA 14 was only granted delegation capability for managing visual appearance, and thus was able to delegate this capability to GA 16 and GA 17. GA 16 and GA 17 cannot delegate D1 since they lack D2. PA 15 was delegated all capabilities except the ability to delegate user management (A2). Therefore, PA 15 can delegate B1-3, C1-3 and D1-3, but not A1.
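The following Python model is an added example, not code from the patent or from WebLogic Portal. It enforces the rules behind FIG. 1, Table 1 and FIG. 3 in one place: a task's capabilities may be conveyed only by a holder of that task's "delegate" capability (the A2/B2/C2/D2 codes), the delegated set must be a subset of what the grantor holds, and delegation never goes upward in the SA/PA/GA hierarchy. The class names, the `RANK` table and the `figure_3()` replay are the example's own constructions.

```python
"""Delegated administration per Table 1 and FIG. 3 (added example, not the patent's code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Capability codes exactly as listed in Table 1 of the patent.
TASKS = {
    "A": ("A1", "A2"),        # User Management: Manage, Delegate
    "B": ("B1", "B2", "B3"),  # Page Management: Manage, Delegate, Set Entitlements
    "C": ("C1", "C2", "C3"),  # Portlet Management: Manage, Delegate, Set Entitlements
    "D": ("D1", "D2"),        # Visual Appearance Management: Manage, Delegate
}
ALL_CAPABILITIES = frozenset(c for caps in TASKS.values() for c in caps)
# The second code of each task is its "delegate" capability.
DELEGATE_CAPS = {task: caps[1] for task, caps in TASKS.items()}

# Administrative hierarchy from [0015]-[0017]; numeric ranks are this example's choice.
RANK = {"SA": 3, "PA": 2, "GA": 1}


class DelegationError(Exception):
    """Raised when a delegation violates the subset, delegate-capability or hierarchy rules."""


@dataclass
class Admin:
    name: str
    role: str
    capabilities: set[str] = field(default_factory=set)

    def can_delegate(self, cap: str) -> bool:
        """A capability of task X may be conveyed only by a holder of X's delegate
        capability, e.g. B1 or B3 can be delegated only by someone holding B2."""
        return cap in self.capabilities and DELEGATE_CAPS[cap[0]] in self.capabilities


def delegate(grantor: Admin, grantee: Admin, caps: set[str]) -> None:
    """Convey `caps` from grantor to grantee, refusing anything outside the rules."""
    if RANK[grantee.role] > RANK[grantor.role]:
        raise DelegationError(f"{grantor.name} cannot delegate upward to a {grantee.role}")
    unknown = caps - ALL_CAPABILITIES
    if unknown:
        raise DelegationError(f"unknown capabilities {sorted(unknown)}")
    not_held = caps - grantor.capabilities  # delegated set must be a subset (claim 2)
    if not_held:
        raise DelegationError(f"{grantor.name} does not hold {sorted(not_held)}")
    blocked = {c for c in caps if not grantor.can_delegate(c)}
    if blocked:
        raise DelegationError(f"{grantor.name} lacks the delegate capability for {sorted(blocked)}")
    grantee.capabilities |= caps


def delegable(admin: Admin) -> set[str]:
    """Capabilities this administrator is currently able to convey onward."""
    return {c for c in admin.capabilities if admin.can_delegate(c)}


def figure_3() -> dict[str, Admin]:
    """Replay the delegations described for FIG. 3 in paragraph [0023]."""
    sa10 = Admin("SA 10", "SA", set(ALL_CAPABILITIES))
    pa11, ga13 = Admin("PA 11", "PA"), Admin("GA 13", "GA")
    pa12, pa15 = Admin("PA 12", "PA"), Admin("PA 15", "PA")
    # PA 11: all user, page and portlet management; nothing for visual appearance.
    delegate(sa10, pa11, {"A1", "A2", "B1", "B2", "B3", "C1", "C2", "C3"})
    # GA 13: page and portlet management without the delegate capabilities B2 and C2.
    delegate(sa10, ga13, {"B1", "B3", "C1", "C3"})
    # PA 12: the full set; PA 15: everything except delegation of user management (A2).
    delegate(sa10, pa12, set(ALL_CAPABILITIES))
    delegate(pa12, pa15, set(ALL_CAPABILITIES - {"A2"}))
    return {a.name: a for a in (sa10, pa11, ga13, pa12, pa15)}


if __name__ == "__main__":
    for name, admin in figure_3().items():
        print(f"{name}: holds {sorted(admin.capabilities)}, can delegate {sorted(delegable(admin))}")
    ga13 = figure_3()["GA 13"]
    try:
        delegate(ga13, Admin("GA 18", "GA"), {"B1"})
    except DelegationError as err:
        print("refused:", err)
```

Running the script shows PA 15 able to pass on every page, portlet and visual-appearance capability but not A1, and GA 13 refused when it tries to convey B1, which is the FIG. 1 "cannot further delegate" condition expressed as a missing delegate capability.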
  • [0024]
    In one embodiment, delegated administration can be implemented using entitlements. An entitlement is a mechanism for dynamically associating capabilities with a user. In one embodiment, an entitlement includes a resource, a capability, a permission, and a role rule. For example, if evaluation of a role rule places a user in the role of SA, PA or GA, that user then possesses the capability associated with the resource, assuming that the permission allows it. A permission in one embodiment can be grant, deny or abstain. A resource can include any resource available on a computer network and, in another embodiment, a resource can include logical resources.
  • [0025]
    In one embodiment, resource names can be arranged in a taxonomy. A taxonomy provides a means of categorizing and uniquely identifying a resource and is hierarchical in nature. For example, a resource name could be “myPortal.bankerGroup.pageMgmt.smith”. In this example, “myPortal” is the top level taxonomy name and serves to indicate that the resource is a portal named “myPortal”. The next part of the resource name, “bankerGroup”, identifies a user group associated with the portal “myPortal” consisting of bankers. The third part of the resource name indicates an administrative task (i.e., page management) for the group portal “bankerGroup”. Finally, the last part of the resource name identifies a particular user, “smith”. Thus, the resource name in this example identifies a user “smith” that has been delegated at least one capability associated with page administration, wherein the page administration is for the group portal “bankerGroup” within portal “myPortal”.
  • [0026]
    In one embodiment, a role rule is defined in terms of one or more logical expressions. A role rule of “everyone” is provided as a default and evaluates to “true” for any user. In another embodiment, a role rule can be based on evaluation of predicates. A predicate is a rule that evaluates to true or false. By way of a non-limiting example, predicates may include other predicates, logical operators (e.g., AND, NOT and OR), mathematical operations, method calls, calls to external systems, function calls, etc. In another embodiment, rules can be specified in plain English. For example:
  • [0027]
    When all of these conditions apply, the user is a groupAdmin:
  • [0028]
    Administrative Skill Level at least 5
  • [0029]
    Trustworthiness is ‘High’
  • [0030]
    Time of day is between 12:00 am and 6:00 am.
  • [0031]
    In the example above, the role that is being determined is “groupAdmin”. The predicate “Administrative Skill Level is at least 5” evaluates to true when a user's predefined administration level is set to five or higher. The “Trustworthiness is High” predicate evaluates to true if, for example, a predefined trustworthiness level is set to high. The “Time of day” predicate evaluates to “true” if the time of day is between 12:00 am and 6:00 am. It will be apparent to those skilled in the art that any type of predicate can be included in a role rule. To summarize, this role rule allows a user to become a group administrator if their skill level is at least five, they are trustworthy and it is the middle of the night.
    TABLE 2
    Administrative Task Entitlements
    Resource Name                     Capability         Role        Perm
    myPortal.bankerGroup.userMgmt     manage (A1)        groupAdmin  deny
    myPortal.bankerGroup.userMgmt     delegate (A2)      groupAdmin  deny
    myPortal.bankerGroup.pageMgmt     manage (B1)        groupAdmin  grant
    myPortal.bankerGroup.pageMgmt     delegate (B2)      groupAdmin  deny
    myPortal.bankerGroup.pageMgmt     entitlements (B3)  groupAdmin  grant
    myPortal.bankerGroup.portletMgmt  manage (C1)        groupAdmin  grant
    myPortal.bankerGroup.portletMgmt  delegate (C2)      groupAdmin  deny
    myPortal.bankerGroup.portletMgmt  entitlements (C3)  groupAdmin  grant
    myPortal.bankerGroup.visualMgmt   manage (D1)        groupAdmin  deny
    myPortal.bankerGroup.visualMgmt   delegate (D2)      groupAdmin  deny
  • [0032]
    In one embodiment, by way of example, exemplary entitlements for GA 13 in FIG. 3 are listed in Table 2. The resource name indicates the portal, group portal, and administrative task for that group portal. The capability is a particular capability associated with the administrative task, as in Table 1. The role rule being evaluated is groupAdmin, as above. Finally, the last column in the table is the permission associated with the capability. Notice that GA 13 was not granted any capabilities related to user or visual appearance management, or delegation of page and portlet management. These entitlements have a permission of “deny”. Thus, a user who dynamically satisfies the role rule groupAdmin will be entitled to the granted capabilities associated with this role.
  • [0033]
    In another embodiment, by way of illustration, a user is associated with an administrative role by incorporating the user's name in the resource name. Exemplary entitlements for GA 13 in FIG. 3 in this embodiment are listed in Table 3.
    TABLE 3
    Administrative Task Entitlements
    Resource Name                           Capability         Role      Perm
    MyPortal.bankerGroup.userMgmt.smith     manage (A1)        everyone  deny
    MyPortal.bankerGroup.userMgmt.smith     delegate (A2)      everyone  deny
    MyPortal.bankerGroup.pageMgmt.smith     manage (B1)        everyone  grant
    MyPortal.bankerGroup.pageMgmt.smith     delegate (B2)      everyone  deny
    MyPortal.bankerGroup.pageMgmt.smith     entitlements (B3)  everyone  grant
    MyPortal.bankerGroup.portletMgmt.smith  manage (C1)        everyone  grant
    MyPortal.bankerGroup.portletMgmt.smith  delegate (C2)      everyone  deny
    MyPortal.bankerGroup.portletMgmt.smith  entitlements (C3)  everyone  grant
    MyPortal.bankerGroup.visualMgmt.smith   manage (D1)        everyone  deny
    MyPortal.bankerGroup.visualMgmt.smith   delegate (D2)      everyone  deny
  • [0034]
    Since the role rule is “everyone”, every user will satisfy the role. Therefore, discrimination among users is based on the resource which includes a user name. When evaluating entitlements in Table 3, the resource name is incorporated with the name of the user under consideration. In this example, if the user is “smith”, the user will be entitled to the same capabilities as the groupAdmin in Table 2.
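An added evaluator (example code, not from the patent) covering [0024]-[0034] together: entitlements built from Tables 2 and 3, the groupAdmin role rule of [0027]-[0031] written as predicates, and the [0034] matching step that appends the user's name to the resource. It assumes one combination rule the patent does not state, namely that any "deny" outranks "grant" and "abstain" contributes nothing; resource names are compared case-insensitively because Table 3 spells the portal "MyPortal".

```python
"""Entitlement evaluation for the delegated-administration model.

An entitlement = resource + capability + permission + role rule ([0024]).
A user holds a capability on a resource when an applicable entitlement
whose role rule they satisfy grants it, and no applicable one denies it
(the deny-overrides precedence is an assumption of this example).
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Iterable


@dataclass(frozen=True)
class User:
    name: str
    admin_skill_level: int
    trustworthiness: str
    time_of_day: time           # clock value seen by the "Time of day" predicate


@dataclass(frozen=True)
class Entitlement:
    resource: str               # taxonomic name, e.g. myPortal.bankerGroup.pageMgmt
    capability: str             # e.g. "manage (B1)"
    role: str                   # name of the role rule to evaluate
    permission: str             # "grant", "deny" or "abstain"


def make_user(name: str, level: int, trust: str, hour: int, minute: int = 0) -> User:
    return User(name, level, trust, time(hour, minute))


# Role rules as predicates over the user ([0026]-[0031]).  "between 12:00 am
# and 6:00 am" is taken as inclusive at both ends.
ROLE_RULES: dict[str, Callable[[User], bool]] = {
    "everyone": lambda u: True,
    "groupAdmin": lambda u: (
        u.admin_skill_level >= 5
        and u.trustworthiness == "High"
        and time(0, 0) <= u.time_of_day <= time(6, 0)
    ),
}

# Capability and permission columns shared by Table 2 and Table 3.
_ROWS = [
    ("userMgmt", "manage (A1)", "deny"),
    ("userMgmt", "delegate (A2)", "deny"),
    ("pageMgmt", "manage (B1)", "grant"),
    ("pageMgmt", "delegate (B2)", "deny"),
    ("pageMgmt", "entitlements (B3)", "grant"),
    ("portletMgmt", "manage (C1)", "grant"),
    ("portletMgmt", "delegate (C2)", "deny"),
    ("portletMgmt", "entitlements (C3)", "grant"),
    ("visualMgmt", "manage (D1)", "deny"),
    ("visualMgmt", "delegate (D2)", "deny"),
]


def _table(role: str, suffix: str, portal: str) -> list[Entitlement]:
    return [Entitlement(f"{portal}.bankerGroup.{task}{suffix}", cap, role, perm)
            for task, cap, perm in _ROWS]


TABLE_2 = _table("groupAdmin", "", "myPortal")        # role-based embodiment
TABLE_3 = _table("everyone", ".smith", "MyPortal")    # user name in the resource
TASK_RESOURCES = [f"myPortal.bankerGroup.{t}"
                  for t in ("userMgmt", "pageMgmt", "portletMgmt", "visualMgmt")]


def decide(entitlements: Iterable[Entitlement], user: User,
           resource: str, capability: str) -> str:
    """Combine the permissions of every entitlement applicable to this request.

    An entitlement applies when its resource equals the requested resource
    either as given or with the user's name appended ([0034]), and the user
    satisfies its role rule.
    """
    candidates = {resource.lower(), f"{resource}.{user.name}".lower()}
    perms = {e.permission for e in entitlements
             if e.resource.lower() in candidates
             and e.capability == capability
             and ROLE_RULES[e.role](user)}
    if "deny" in perms:
        return "deny"
    if "grant" in perms:
        return "grant"
    return "abstain"            # nothing applicable, or only abstentions


def code(capability: str) -> str:
    """'manage (B1)' -> 'B1'."""
    return capability[capability.index("(") + 1:-1]


def capabilities_for(entitlements: Iterable[Entitlement], user: User,
                     resources: Iterable[str] = TASK_RESOURCES) -> set[str]:
    """Capability codes the user is actually granted on the given task resources."""
    entitlements = list(entitlements)
    caps = {e.capability for e in entitlements}
    return {code(c) for r in resources for c in caps
            if decide(entitlements, user, r, c) == "grant"}
```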
  • [0035]
    In another embodiment, a user is associated with an administrative role (e.g., SA, PA or GA) through a mapping between users and administrators. Those skilled in the art will recognize that such a mapping can be implemented in a number of ways, including a database table, a cache, a function, or any combination thereof. In yet another embodiment, a user can be identified as an administrator based on group membership. For example, an SA belongs to the SA group, etc.
  • [0036]
    FIG. 4 illustrates a system in accordance with one embodiment of the invention. In one embodiment, by way of example, a portal user (not shown) accesses portal 40 through a web browser, such as Microsoft® Internet Explorer available from Microsoft Corp. of Redmond, Wash. The user logs into the portal by typing a login name and password. This information is sent to authorization and authentication module 44, which responds with a set of groups (not shown) for the user. Portal 40 can use the group information to customize the look and feel of the portal page(s) presented to the user. If a user is an administrator, the user can alternately log into admin tool 42 (e.g., via a web browser). Admin tool 42 allows an administrator to perform delegation and promotion and to define groups, role rules and entitlements. Of course, a given administrator is limited in what they can do based on their capabilities. When an administrator logs into admin tool 42, this information is sent to the authorization module, which returns a set of capabilities based on the evaluation of one or more role rules. Authorization module 44 can utilize database 46 to persist information related to users, groups, entitlements, capabilities, resources, and role rules. In one embodiment, database 46 can be a relational database, an object-oriented database, a flat file, a cache or any other data structure that allows storage and access of information. In determining capabilities, authorization module 44 can evaluate one or more role rules to determine which entitlements are appropriate for a user. In another embodiment, all components in FIG. 4 may be part of the same software module. In another embodiment, the components may be arbitrarily grouped into different software modules. All components shown in FIG. 4 may reside on the same system or, in another embodiment, may be distributed in a computer network.
  • [0037]
    The foregoing description of the preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. Embodiments were chosen and described in order to best describe the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention in its various embodiments and with the various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents.
Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US5173939 *Oct 28, 1991Dec 22, 1992Digital Equipment CorporationAccess control subsystem and method for distributed computer system using compound principals
US5237614 *Jun 7, 1991Aug 17, 1993Security Dynamics Technologies, Inc.Integrated network security system
US5335345 *Apr 11, 1990Aug 2, 1994Bell Communications Research, Inc.Dynamic query optimization using partial information
US5347653 *Jun 28, 1991Sep 13, 1994Digital Equipment CorporationSystem for reconstructing prior versions of indexes using records indicating changes between successive versions of the indexes
US5355474 *Sep 27, 1991Oct 11, 1994Thuraisngham Bhavani MSystem for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification
US5369702 *Oct 18, 1993Nov 29, 1994Tecsec IncorporatedDistributed cryptographic object method
US5426747 *Mar 22, 1991Jun 20, 1995Object Design, Inc.Method and apparatus for virtual memory mapping and transaction management in an object-oriented database system
US5480700 *Jun 14, 1994Jan 2, 1996Nitto Denko CorporationLabel, and label sheet and ink therefor
US5544322 *May 9, 1994Aug 6, 1996International Business Machines CorporationSystem and method for policy-based inter-realm authentication within a distributed processing system
US5627886 *Sep 15, 1995May 6, 1997Electronic Data Systems CorporationSystem and method for detecting fraudulent network usage patterns using real-time network monitoring
US5757669 *May 31, 1995May 26, 1998Netscape Communications CorporationMethod and apparatus for workgroup information replication
US5797128 *May 14, 1997Aug 18, 1998Sun Microsystems, Inc.System and method for implementing a hierarchical policy for computer system administration
US5826000 *Feb 29, 1996Oct 20, 1998Sun Microsystems, Inc.System and method for automatic configuration of home network computers
US5826268 *Dec 23, 1996Oct 20, 1998Ontos, Inc.Secure multilevel object oriented database management system
US5867667 *Mar 24, 1997Feb 2, 1999Pfn, Inc.Publication network control system using domain and client side communications resource locator lists for managing information communications between the domain server and publication servers
US5872928 *May 25, 1995Feb 16, 1999Cabletron Systems, Inc.Method and apparatus for defining and enforcing policies for configuration management in communications networks
US5918210 *Jun 7, 1996Jun 29, 1999Electronic Data Systems CorporationBusiness query tool, using policy objects to provide query responses
US5941947 *Aug 18, 1995Aug 24, 1999Microsoft CorporationSystem and method for controlling access to data entities in a computer network
US5950195 *Sep 18, 1996Sep 7, 1999Secure Computing CorporationGeneralized security policy management system and method
US5954798 *Oct 6, 1997Sep 21, 1999Ncr CorporationMechanism for dependably managing web synchronization and tracking operations among multiple browsers
US5956400 *Jul 19, 1996Sep 21, 1999Digicash IncorporatedPartitioned information storage systems with controlled retrieval
US5966707 *Dec 2, 1997Oct 12, 1999International Business Machines CorporationMethod for managing a plurality of data processes residing in heterogeneous data repositories
US5987469 *May 13, 1997Nov 16, 1999Micro Logic Corp.Method and apparatus for graphically representing information stored in electronic media
US5987611 *May 6, 1997Nov 16, 1999Zone Labs, Inc.System and methodology for managing internet access on a per application basis for client computers connected to the internet
US5991877 *Apr 3, 1997Nov 23, 1999Lockheed Martin CorporationObject-oriented trusted application framework
US6005571 *Sep 30, 1997Dec 21, 1999Softline, Inc.Graphical user interface for managing security in a database system
US6006194 *Oct 1, 1997Dec 21, 1999Merel; Peter A.Computer-implemented system for controlling resources and policies
US6029144 *Aug 29, 1997Feb 22, 2000International Business Machines CorporationCompliance-to-policy detection method and system
US6029196 *Jun 18, 1997Feb 22, 2000Netscape Communications CorporationAutomatic client configuration system
US6054910 *Mar 2, 1999Apr 25, 2000Murata Manufacturing Co., Ltd.Dielectric filter having an inner conductor with two open-circuited inner ends
US6055515 *Jul 30, 1996Apr 25, 2000International Business Machines CorporationEnhanced tree control system for navigating lattices data structures and displaying configurable lattice-node labels
US6058392 *May 12, 1998May 2, 2000Wesley C. Sampson Revocable TrustMethod for the organizational indexing, storage, and retrieval of data according to data pattern signatures
US6073242 *Mar 19, 1998Jun 6, 2000Agorics, Inc.Electronic authority server
US6083276 *Jun 11, 1998Jul 4, 2000Corel, Inc.Creating and configuring component-based applications using a text-based descriptive attribute grammar
US6088679 *Dec 1, 1997Jul 11, 2000The United States Of America As Represented By The Secretary Of CommerceWorkflow management employing role-based access control
US6098173 *Nov 3, 1998Aug 1, 2000Security-7 (Software) Ltd.Method and system for enforcing a communication security policy
US6105027 *Mar 4, 1998Aug 15, 2000Internet Dynamics, Inc.Techniques for eliminating redundant access checking by access filters
US6108687 *Mar 2, 1998Aug 22, 2000Hewlett Packard CompanySystem and method for providing a synchronized display to a plurality of computers over a global computer network
US6122647 *May 19, 1998Sep 19, 2000Perspecta, Inc.Dynamic generation of contextual links in hypertext documents
US6141686 *Jun 23, 1998Oct 31, 2000Deterministic Networks, Inc.Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control
US6148333 *May 13, 1998Nov 14, 2000Mgi Software CorporationMethod and system for server access control and tracking
US6154844 *Dec 22, 1997Nov 28, 2000Finjan Software, Ltd.System and method for attaching a downloadable security profile to a downloadable
US6158010 *Feb 12, 1999Dec 5, 2000Crosslogix, Inc.System and method for maintaining security in a distributed computer network
US6161139 *Feb 12, 1999Dec 12, 2000Encommerce, Inc.Administrative roles that govern access to administrative functions
US6167407 *Jun 3, 1998Dec 26, 2000Symantec CorporationBacktracked incremental updating
US6170009 *Jul 17, 1998Jan 2, 2001Kallol MandalControlling devices on a network through policies
US6182226 *Mar 18, 1998Jan 30, 2001Secure Computing CorporationSystem and method for controlling interactions between networks
US6182277 *Apr 15, 1998Jan 30, 2001Oracle CorporationMethods and apparatus for declarative programming techniques in an object oriented environment
US6185587 *Jun 19, 1998Feb 6, 2001International Business Machines CorporationSystem and method for building a web site with automated help
US6202157 *Dec 8, 1997Mar 13, 2001Entrust Technologies LimitedComputer network security system and method having unilateral enforceable security policy provision
US6209101 *Jul 17, 1998Mar 27, 2001Secure Computing CorporationAdaptive security system having a hierarchy of security servers
US6216231 *Apr 25, 1997Apr 10, 2001At & T Corp.Specifying security protocols and policy constraints in distributed systems
US6226745 *Mar 16, 1998May 1, 2001Gio WiederholdInformation sharing system and method with requester dependent sharing and security rules
US6243747 *Feb 12, 1999Jun 5, 2001Cabletron Systems, Inc.Method and apparatus for defining and enforcing policies for configuration management in communications networks
US6253321 *Jun 19, 1998Jun 26, 2001Ssh Communications Security Ltd.Method and arrangement for implementing IPSEC policy management using filter code
US6269456 *Jan 11, 2000Jul 31, 2001Network Associates, Inc.Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6275941 *Mar 27, 1998Aug 14, 2001Hiatchi, Ltd.Security management method for network system
US6292900 *Nov 30, 1998Sep 18, 2001Sun Microsystems, Inc.Multilevel security attribute passing methods, apparatuses, and computer program products in a stream
US6308163 *Mar 16, 1999Oct 23, 2001Hewlett-Packard CompanySystem and method for enterprise workflow resource management
US6317868 *Oct 7, 1998Nov 13, 2001University Of WashingtonProcess for transparently enforcing protection domains and access control as well as auditing operations in software components
US6327594 *Jan 29, 1999Dec 4, 2001International Business Machines CorporationMethods for shared data management in a pervasive computing environment
US6339423 *Mar 23, 2000Jan 15, 2002Entrust, Inc.Multi-domain access control
US6339826 *May 5, 1998Jan 15, 2002International Business Machines Corp.Client-server system for maintaining a user desktop consistent with server application user access permissions
US6341352 *Oct 15, 1998Jan 22, 2002International Business Machines CorporationMethod for changing a security policy during processing of a transaction request
US6353886 *Nov 24, 1998Mar 5, 2002Alcatel Canada Inc.Method and system for secure network policy implementation
US6360363 *Dec 30, 1998Mar 19, 2002Eternal Systems, Inc.Live upgrade process for object-oriented programs
US6377973 *Sep 30, 1998Apr 23, 2002Emrys Technologies, Ltd.Event management in a system with application and graphical user interface processing adapted to display predefined graphical elements resides separately on server and client machine
US6381579 *Jun 17, 1999Apr 30, 2002International Business Machines CorporationSystem and method to provide secure navigation to resources on the internet
US6385627 *Nov 24, 1997May 7, 2002International Business Machines CorporationMethod, apparatus and computer program product for providing document user role indication
US6393474 *Dec 31, 1998May 21, 20023Com CorporationDynamic policy management apparatus and method using active network devices
US6397231 *Aug 31, 1998May 28, 2002Xerox CorporationVirtual documents generated via combined documents or portions of documents retrieved from data repositories
US6412070 *Sep 21, 1998Jun 25, 2002Microsoft CorporationExtensible security system and method for controlling access to objects in a computing environment
US6412077 *Jan 14, 1999Jun 25, 2002Cisco Technology, Inc.Disconnect policy for distributed computing systems
US6418448 *Dec 6, 1999Jul 9, 2002Shyam Sundar SarkarMethod and apparatus for processing markup language specifications for data and metadata used inside multiple related internet documents to navigate, query and manipulate information from a plurality of object relational databases over the web
US6430556 *Nov 1, 1999Aug 6, 2002Sun Microsystems, Inc.System and method for providing a query object development environment
US6460141 *Oct 28, 1998Oct 1, 2002Rsa Security Inc.Security and access management system for web-enabled and non-web-enabled applications and content on a computer network
US6571247 *Nov 2, 1999May 27, 2003Hitachi, Ltd.Object oriented technology analysis and design supporting method
US6668354 *Jan 5, 1999Dec 23, 2003International Business Machines CorporationAutomatic display script and style sheet generation
US6735586 *Feb 8, 2001May 11, 2004Sybase, Inc.System and method for dynamic content retrieval
US6738789 *Jan 2, 2001May 18, 2004Fusionone, Inc.Data package including synchronization data
US6772157 *Jan 16, 2001Aug 3, 2004General Electric CompanyDelegated administration of information in a database directory
US6779002 *Jun 13, 2000Aug 17, 2004Sprint Communications Company L.P.Computer software framework and method for synchronizing data across multiple databases
US6922695 *Sep 5, 2002Jul 26, 2005Initiate Systems, Inc.System and method for dynamically securing dynamic-multi-sourced persisted EJBS
US6934934 *Jan 12, 2000Aug 23, 2005Empirix Inc.Method and system for software object testing
US7093285 *Jan 31, 2001Aug 15, 2006International Business Machines CorporationSupplier portal for global procurement e-business applications
US7415498 *Dec 10, 2003Aug 19, 2008International Business Machines CorporationTime limited collaborative community role delegation policy
US20010009016 *Jan 12, 2001Jul 19, 2001Sun Microsystems, Inc.Computer-based presentation manager and method for individual user-device data representation
US20010034771 *Jan 12, 2001Oct 25, 2001Sun Microsystems, Inc.Network portal system and methods
US20010047485 *Mar 5, 2001Nov 29, 2001Daniel BrownComputer security system
US20020005867 *May 22, 2001Jan 17, 2002Yaniv GvilySnippet selection
US20020019827 *Jun 5, 2001Feb 14, 2002Shiman Leon G.Method and apparatus for managing documents in a centralized document repository system
US20020059394 *Jun 29, 2001May 16, 2002Seachange International, Inc., A Delaware CorporationContent propagation in interactive television
US20020062451 *May 16, 2001May 23, 2002Scheidt Edward M.System and method of providing communication security
US20020067370 *Sep 17, 2001Jun 6, 2002Forney Paul W.Extensible manufacturing/process control information portal server
US20020087571 *Oct 19, 2001Jul 4, 2002Kevin StapelSystem and method for dynamic generation of structured documents
US20020103818 *Apr 30, 2001Aug 1, 2002Kirkfire, Inc.Information repository system and method for an internet portal system
US20020107913 *Mar 16, 2001Aug 8, 2002Rivera Gustavo R.System and method for rendering documents in a user-familiar format
US20030131113 *Jan 4, 2002Jul 10, 2003Reeves Drue A.Method and apparatus for increasing the functionality and ease of use of lights out management in a directory enabled environment
US20030229623 *May 30, 2002Dec 11, 2003International Business Machines CorporationFine grained role-based access to system resources
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7062511Dec 31, 2001Jun 13, 2006Oracle International CorporationMethod and system for portal web site generation
US7277924May 7, 2002Oct 2, 2007Oracle International CorporationMethod and mechanism for a portal website architecture
US7490072Feb 15, 2006Feb 10, 2009Novell, Inc.Providing access controls
US7548957May 7, 2002Jun 16, 2009Oracle International CorporationMethod and mechanism for a portal website architecture
US7565621Jul 21, 2009International Business Machines CorporationMethods and apparatus for providing graphical indicators and inline controls for relating and managing portlets in a graphical user interface
US7702912May 19, 2005Apr 20, 2010Novell, Inc.Secure systems management
US7730480Aug 22, 2006Jun 1, 2010Novell, Inc.System and method for creating a pattern installation by cloning software installed another computer
US7747736 *Jun 5, 2006Jun 29, 2010International Business Machines CorporationRule and policy promotion within a policy hierarchy
US7823124Aug 29, 2006Oct 26, 2010Sap AgTransformation layer
US7827528Aug 29, 2006Nov 2, 2010Sap AgDelta layering
US7831568Nov 9, 2010Sap AgData migration
US7831637Aug 29, 2006Nov 9, 2010Sap AgSystem on the fly
US7908589Aug 29, 2006Mar 15, 2011Sap AgDeployment
US7992191Aug 2, 2011International Business Machines CorporationSystem and method for controlling a websphere portal without the requirement of having the administrator credential ID and password
US8019845Jun 5, 2006Sep 13, 2011International Business Machines CorporationService delivery using profile based management
US8046696Mar 10, 2006Oct 25, 2011Oracle International CorporationSystem and method for providing active menus in a communities framework
US8060931Sep 8, 2006Nov 15, 2011Microsoft CorporationSecurity authorization queries
US8065661Aug 29, 2006Nov 22, 2011Sap AgTest engine
US8074214May 19, 2005Dec 6, 2011Oracle International CorporationSystem for creating a customized software installation on demand
US8078597Dec 13, 2011Oracle International CorporationSystem and method for providing extensible controls in a communities framework
US8095969Sep 8, 2006Jan 10, 2012Microsoft CorporationSecurity assertion revocation
US8131644Aug 29, 2006Mar 6, 2012Sap AgFormular update
US8135659Oct 1, 2008Mar 13, 2012Sap AgSystem configuration comparison to identify process variation
US8185643May 22, 2012Oracle International CorporationSystem and method for providing security in a communities framework
US8201215Jun 12, 2012Microsoft CorporationControlling the delegation of rights
US8209259 *Jun 26, 2012Adp Dealer Services, Inc.Software business platform with networked, association-based business entity access management
US8214398Feb 15, 2006Jul 3, 2012Emc CorporationRole based access controls
US8219807Apr 26, 2005Jul 10, 2012Novell, Inc.Fine grained access control for linux services
US8225378 *Jul 17, 2012Microsoft CorporationAuditing authorization decisions
US8255429Dec 17, 2008Aug 28, 2012Sap AgConfiguration change without disruption of incomplete processes
US8255818Aug 28, 2012Oracle International CorporationSystem and method for providing drag and drop functionality in a communities framework
US8271785Sep 18, 2012Novell, Inc.Synthesized root privileges
US8281144 *Jan 4, 2007Oct 2, 2012Samsung Electronics Co., Ltd.Ownership sharing method and apparatus using secret key in home network remote controller
US8352935May 19, 2005Jan 8, 2013Novell, Inc.System for creating a customized software distribution based on user requirements
US8396893Dec 11, 2008Mar 12, 2013Sap AgUnified configuration of multiple applications
US8396942 *Dec 1, 2005Mar 12, 2013Canon Kabushiki KaishaWeb browser operation method and operation apparatus
US8468518Jun 18, 2013Oracle International CorporationSystem and method for creating a customized installation on demand
US8555055 *Jun 2, 2009Oct 8, 2013Microsoft CorporationDelegation model for role-based access control administration
US8584087Dec 11, 2009Nov 12, 2013Sap AgApplication configuration deployment monitor
US8584230Sep 27, 2011Nov 12, 2013Microsoft CorporationSecurity authorization queries
US8656503Sep 11, 2006Feb 18, 2014Microsoft CorporationSecurity language translations with logic resolution
US8676973Mar 7, 2006Mar 18, 2014Novell Intellectual Property Holdings, Inc.Light-weight multi-user browser
US8850561 *Aug 25, 2008Sep 30, 2014International Business Machines CorporationAssociating operating system native authorizations with console roles
US8938783Sep 11, 2006Jan 20, 2015Microsoft CorporationSecurity language expressions for logic resolution
US9282121Feb 13, 2014Mar 8, 2016Microsoft Technology Licensing, LlcSecurity language translations with logic resolution
US9317187Feb 6, 2013Apr 19, 2016Canon Kabushiki KaishaWeb browser operation method and operation apparatus
US20040139203 *Jan 24, 2003Jul 15, 2004Graham Edward A.Software business platform with networked, association-based business entity access management
US20040167989 *Nov 4, 2003Aug 26, 2004Jeff KlineMethod and system for creating and managing a website
US20050102401 *Oct 8, 2004May 12, 2005Bea Systems, Inc.Distributed enterprise security system for a resource hierarchy
US20050102536 *Oct 8, 2004May 12, 2005Bea Systems, Inc.Dynamically configurable distributed security system
US20050125415 *Dec 3, 2004Jun 9, 2005Matsushita Electric Industrial Co., Ltd.Distribution computer system managing method
US20050251851 *Oct 8, 2004Nov 10, 2005Bea Systems, Inc.Configuration of a distributed security system
US20050251852 *Oct 8, 2004Nov 10, 2005Bea Systems, Inc.Distributed enterprise security system
US20050257245 *Oct 8, 2004Nov 17, 2005Bea Systems, Inc.Distributed security system with dynamic roles
US20060047777 *Sep 1, 2004Mar 2, 2006International Business Machines CorporationEnhancing portlet run-time display with dynamically applied portlet skins
US20060136576 *Dec 1, 2005Jun 22, 2006Canon Kabushiki KaishaWeb browser operation method and operation apparatus
US20060137000 *Dec 20, 2004Jun 22, 2006Isaacson Scott AMethod binding network administrators as the root user on linux
US20060143287 *Feb 13, 2004Jun 29, 2006Katsuyoshi TanakaMethod for managing distributed system and distributed computer managing system
US20060184882 *Feb 17, 2005Aug 17, 2006International Business Machines CorporationMethods and apparatus for providing graphical indicators and inline controls for relating and managing portlets in a graphical user interface
US20060265597 *May 19, 2005Nov 23, 2006Carey Jon MSecure systems management
US20060277542 *Jul 18, 2006Dec 7, 2006Novell, Inc.System and method for creating a customized installation on demand
US20070016857 *Jun 30, 2005Jan 18, 2007International Business Machines CorporationMethod and system for non-intrusive portlet rendering for printing
US20070112799 *Mar 8, 2006May 17, 2007Bales Christopher ESystem and method for providing resource interlinking for a communities framework
US20070112835 *Mar 2, 2006May 17, 2007Mcmullen CindySystem and method for providing extensible controls in a communities framework
US20070112913 *Mar 9, 2006May 17, 2007Bales Christopher ESystem and method for displaying HTML content from portlet as a page element in a communites framework
US20070113187 * | Feb 28, 2006 | May 17, 2007 | Bea Systems, Inc. | System and method for providing security in a communities framework
US20070113201 * | Mar 10, 2006 | May 17, 2007 | Bales Christopher E | System and method for providing active menus in a communities framework
US20070162762 * | Jan 4, 2007 | Jul 12, 2007 | Samsung Electronics Co., Ltd. | Ownership sharing method and apparatus using secret key in home network remote controller
US20070208751 * | Nov 22, 2006 | Sep 6, 2007 | David Cowan | Personalized content control
US20070214272 * | Mar 7, 2006 | Sep 13, 2007 | Novell, Inc. | Light-weight multi-user browser
US20070282985 * | Jun 5, 2006 | Dec 6, 2007 | Childress Rhonda L | Service Delivery Using Profile Based Management
US20070282986 * | Jun 5, 2006 | Dec 6, 2007 | Childress Rhonda L | Rule and Policy Promotion Within A Policy Hierarchy
US20070300150 * | Jun 22, 2006 | Dec 27, 2007 | Lantronix, Inc. | Building rich web site applications with an embedded device
US20080046825 * | May 16, 2007 | Feb 21, 2008 | International Business Machines Corporation | Method, Apparatus or Software for Providing a Portal Comprising One or More Portlets for Displaying Data
US20080052706 * | Aug 22, 2006 | Feb 28, 2008 | Novell, Inc. | System and method for creating a pattern installation by cloning software installed another computer
US20080059630 * | Aug 29, 2006 | Mar 6, 2008 | Juergen Sattler | Assistant
US20080065899 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Variable Expressions in Security Assertions
US20080066147 * | Sep 11, 2006 | Mar 13, 2008 | Microsoft Corporation | Composable Security Policies
US20080066158 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Authorization Decisions with Principal Attributes
US20080066159 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Controlling the Delegation of Rights
US20080066160 * | Sep 11, 2006 | Mar 13, 2008 | Microsoft Corporation | Security Language Expressions for Logic Resolution
US20080066169 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Fact Qualifiers in Security Scenarios
US20080066170 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Security Assertion Revocation
US20080066171 * | Sep 11, 2006 | Mar 13, 2008 | Microsoft Corporation | Security Language Translations with Logic Resolution
US20080066175 * | Sep 8, 2006 | Mar 13, 2008 | Microsoft Corporation | Security Authorization Queries
US20080071555 * | Aug 29, 2006 | Mar 20, 2008 | Juergen Sattler | Application solution proposal engine
US20080071828 * | Aug 29, 2006 | Mar 20, 2008 | Juergen Sattler | Formular update
US20080071839 * | Aug 29, 2006 | Mar 20, 2008 | Juergen Sattler | Content authoring
US20080126375 * | Aug 29, 2006 | May 29, 2008 | Juergen Sattler | Data migration
US20080126448 * | Aug 29, 2006 | May 29, 2008 | Juergen Sattler | Test engine
US20080127082 * | Aug 29, 2006 | May 29, 2008 | Miho Emil Birimisa | System and method for requirements-based application configuration
US20080127084 * | Aug 29, 2006 | May 29, 2008 | Sap Ag | Deployment
US20080127085 * | Aug 29, 2006 | May 29, 2008 | Juergen Sattler | System on the fly
US20080127086 * | Aug 29, 2006 | May 29, 2008 | Juergen Sattler | Delta layering
US20080127123 * | Aug 29, 2006 | May 29, 2008 | Juergen Sattler | Transformation layer
US20080201476 * | Apr 24, 2008 | Aug 21, 2008 | Shankar Ramaswamy | Persistence Of Inter-Application Communication Patterns And Behavior Under User Control
US20080306955 * | Mar 26, 2008 | Dec 11, 2008 | Lehman Brothers Inc. | Content management system and method
US20090187440 * | | Jul 23, 2009 | Binny Gopinath Sreevas | Method and system for facilitating security management in an electronic network
US20090249450 * | Mar 25, 2008 | Oct 1, 2009 | Dejana Ryan G | System and method for controlling a websphere portal without the requirement of having the administrator credential id and password
US20100023690 * | Jul 22, 2008 | Jan 28, 2010 | International Business Machines Corporation | Caching dynamic contents and using a replacement operation to reduce the creation/deletion time associated with html elements
US20100050254 * | | Feb 25, 2010 | International Business Machines Corporation | Associating operating system native authorizations with console roles
US20100082518 * | Oct 1, 2008 | Apr 1, 2010 | Joachim Gaffga | System configuration comparison to identify process variation
US20100153443 * | Dec 11, 2008 | Jun 17, 2010 | Sap Ag | Unified configuration of multiple applications
US20100153468 * | Dec 17, 2008 | Jun 17, 2010 | Sap Ag | Configuration change without disruption of incomplete processes
US20100306817 * | | Dec 2, 2010 | Microsoft Corporation | Delegation model for role-based access control administration
US20110030038 * | Oct 12, 2010 | Feb 3, 2011 | Microsoft Corporation | Auditing Authorization Decisions
US20120222128 * | | Aug 30, 2012 | Google Inc, a Delaware corporation | Distribution of content document with security, customization and scalability
EP1544709A1 * | Dec 3, 2004 | Jun 22, 2005 | Matsushita Electric Industrial Co., Ltd. | Distribution computer system managing method
EP1650926A2 * | Oct 20, 2005 | Apr 26, 2006 | Novell, Inc. | Automatically granting root access to administrators, without requiring the root password
Classifications
U.S. Classification709/219, 707/E17.032
International ClassificationH04L12/24, G09G5/00, G06Q10/00, G06F12/00, H04L29/06, G06F21/00, G06F17/30, H04L29/08
Cooperative ClassificationY10S707/99933, Y10S707/99954, Y10S707/99931, Y10S707/99953, H04L67/2819, H04L67/06, H04L67/02, H04L69/329, H04L67/2838, H04L67/2871, H04L67/34, H04L67/2842, H04L67/025, H04L69/22, H04L67/16, H04L67/36, H04L67/14, H04L67/142, H04L67/306, H04L63/0815, H04L63/102, G06F17/30896, G06F2221/2101, H04L41/18, G06F2221/2141, G06F2221/2117, G06F2221/0771, H04L29/06, G06F21/6227, G06F21/629, G06F17/30581, G06F2221/0735, H04L63/0884, G06F2221/0706, G06F21/604, G06F17/3089, G06F2221/0717, G06F2221/0766, G06F17/30908, G06F2221/2145, H04L41/22, G06F17/30873, G06F21/6218, G06F2221/2149, G06Q10/10
European ClassificationG06Q10/10, H04L29/08N13B, H04L29/08N1A, H04L29/08N27I, H04L63/08B, G06F21/62B1, H04L63/08J, G06F21/62C, G06F17/30W3, G06F17/30S7L, G06F17/30W7, H04L29/08A7, H04L41/22, G06F21/60B, H04L29/08N5, G06F17/30W7S, H04L29/08N15, H04L41/18, H04L63/10B, H04L29/06, G06F21/62B, H04L29/06N, H04L29/08N33, H04L29/08N1, H04L29/08N29U, H04L29/08N35, H04L29/08N13, G06F17/30X
Legal Events
Date | Code | Event | Description
Feb 12, 2003 | AS | Assignment | Owner name: BEA SYSTEMS, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRIFFIN, PHILIP B.;DEVGAN, MANISH;BALES, CHRISTOPHER E.;AND OTHERS;REEL/FRAME:013757/0039;SIGNING DATES FROM 20030106 TO 20030203