|Publication number||US20030115292 A1|
|Application number||US 10/279,543|
|Publication date||Jun 19, 2003|
|Filing date||Oct 24, 2002|
|Priority date||Oct 24, 2001|
|Also published as||CN1647071A, CN100504853C, EP1442397A1, EP1442397A4, US7240280, US7367014, US7451163, US7451477, US7472342, US7516167, US20030105974, US20030110172, US20030110448, US20030117437, US20030126558, US20030145275, US20030149722, US20050187978, US20050187986, US20050187993, US20070214421, WO2003036481A1, WO2003036489A1, WO2003036490A1, WO2003036500A1, WO2003036505A1, WO2003036521A1, WO2003036548A1, WO2003036609A1|
|Inventors||Philip Griffin, Manish Devgan, Christopher Bales, Chris Fregly, Dmitry Dimov|
|Original Assignee||Griffin Philip B., Manish Devgan, Bales Christopher E., Chris Fregly, Dmitry Dimov|
 This application claims priority from ENHANCED PORTALS [FLAGSTAFF RELEASE], U.S. Provisional Application No. 60/386,487, Inventors: Phil Griffin, et al., filed on Oct. 24, 2001, and which is incorporated herein by reference.
 This application is related to the following co-pending application which is hereby incorporated by reference in its entirety: SYSTEM AND METHOD FOR RULE-BASED ENTITLEMENTS, U.S. Application Serial No. ______, Inventors: Phil Griffin, et al., filed on ______.
 A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
 The present invention disclosure relates to the field of authorization in computer networks and, in particular, delegation of administrative privileges in an enterprise application.
 Administration of an enterprise application is typically carried out by a system administrator who can perform tasks that are otherwise off-limits to non-privileged users. Such tasks can include administering user accounts, altering the layout and content of pages on a website, installing applications, running diagnostics, adding or removing components to a network, or reconfiguring a network. However, as enterprise applications grow large and complex, so does the number of administrative tasks. One way to reduce the number of tasks that a system administrator is responsible for is to distribute the tasks among a number of administrators. This approach can be problematic, however, since administrators may unwittingly perform conflicting operations. Another problem with this approach is that it increases the likelihood that the security of the enterprise application will be breached since system level privileges are entrusted to more than one individual. What is needed is a means to conveniently delegate system administration privileges while at the same time limiting the scope of such privileges.
FIG. 1 illustrates delegation of capabilities in accordance with one embodiment of the invention.
FIG. 2 illustrates an administrative hierarchy in accordance with one embodiment of the invention.
FIG. 3 illustrates delegation of administrative tasks in accordance with one embodiment of the invention.
FIG. 4 illustrates a system in accordance with one embodiment of the invention.
 The invention is illustrated by way of example and not by way of limitation in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.
 In one embodiment, delegated system administration involves the conveying of a capability (e.g., the ability to perform a system administration task) from one user to another, from a process to a user, from a user to a process, or from a process to a process. A process can include, for example, a thread, a distributed object, a lightweight process, or a program of any kind that is able to execute on one or more computers. In another embodiment, a process and a user are synonymous. By way of a non-limiting illustration, the conveyed capability can include any task, operation or privilege that is able to be performed on any resource available on a computer network. For example, if a resource is a computer database, capabilities can comprise creating, reading, updating or deleting data contained therein. If the resource is an administrative task, for example, capabilities can include creating a new user account, associating an existing user account with a user group, or delegating the ability to perform a system administration task to a user.
FIG. 1 illustrates delegation of capabilities in accordance with one embodiment of the invention. User 1 has capabilities A, B and C. User 1 has delegated these capabilities to user 2. In doing so, user 1 also conveyed to user 2 the ability to further delegate these capabilities to others. User 1 conveyed capabilities B and C to user 3, but with the condition that user 3 cannot further delegate C. This is indicated in FIG. 1 by an underscore beneath the letter “C”. User 2 has delegated A, B and C to user 4, and capabilities A and B to user 5 with the condition that user 5 cannot further delegate capability B. User 3 has delegated capability B to user 6. User 3 cannot delegate capability C. Thus, different levels of users can be created with varying degrees of system access. In one embodiment, each level of delegation can have the same capabilities. In another embodiment, each subsequent level of delegation can have the same or fewer capabilities.
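The FIG. 1 scenario can be enforced and audited in a few lines. The following is an added example, not code from the patent or from any BEA product: the class and function names are hypothetical, and it assumes that a capability received from two grantors is re-delegable if either grant allowed it, a case the text does not address.

```python
"""Delegation with a per-capability 'may re-delegate' flag (FIG. 1 scenario)."""


class DelegationError(Exception):
    """Raised when a grantor tries to convey something it may not convey."""


class DelegationGraph:
    def __init__(self, root, capabilities):
        # holder -> {capability: may_redelegate}; the root may delegate everything.
        self._held = {root: {cap: True for cap in capabilities}}
        # Append-only record of every accepted grant, used by audit().
        self.log = []

    def holds(self, user, cap):
        return cap in self._held.get(user, {})

    def can_delegate(self, user, cap):
        return self._held.get(user, {}).get(cap, False)

    def capabilities(self, user):
        return set(self._held.get(user, {}))

    def delegate(self, grantor, grantee, caps, non_delegable=()):
        caps, frozen = set(caps), set(non_delegable)
        if not frozen <= caps:
            raise DelegationError("non_delegable must be a subset of caps")
        # Validate the whole request before changing state, so a request
        # that is partly invalid conveys nothing at all.
        for cap in sorted(caps):
            if not self.holds(grantor, cap):
                raise DelegationError(f"{grantor} does not hold {cap}")
            if not self.can_delegate(grantor, cap):
                raise DelegationError(f"{grantor} may not re-delegate {cap}")
        target = self._held.setdefault(grantee, {})
        for cap in sorted(caps):
            may = cap not in frozen
            # Assumption: an earlier delegable grant is not downgraded.
            target[cap] = target.get(cap, False) or may
            self.log.append((grantor, grantee, cap, may))


def audit(root, capabilities, log):
    """Replay a grant log from scratch and return the records that the
    delegation rules would have rejected (for example, rows written
    directly to the store, bypassing delegate())."""
    replay = DelegationGraph(root, capabilities)
    violations = []
    for grantor, grantee, cap, may in log:
        try:
            replay.delegate(grantor, grantee, [cap], [] if may else [cap])
        except DelegationError as exc:
            violations.append((grantor, grantee, cap, str(exc)))
    return violations


def build_fig1():
    """Reproduce the grants described for FIG. 1."""
    g = DelegationGraph("user1", ["A", "B", "C"])
    g.delegate("user1", "user2", ["A", "B", "C"])
    g.delegate("user1", "user3", ["B", "C"], non_delegable=["C"])
    g.delegate("user2", "user4", ["A", "B", "C"])
    g.delegate("user2", "user5", ["A", "B"], non_delegable=["B"])
    g.delegate("user3", "user6", ["B"])
    return g


if __name__ == "__main__":
    g = build_fig1()
    for user in ("user2", "user3", "user4", "user5", "user6"):
        print(user, sorted(g.capabilities(user)))
```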
 A portal is a feature-rich web site. It provides a point of access to enterprise data and applications, presenting a unified and potentially personalized view of that information to employees, customers and business partners. Portals allow multiple web applications within a single web interface. In addition to regular web content that appears in a portal (e.g., text or graphics), portals provide the ability to display portlets—self-contained applications or content—all in a single web interface (e.g., a web browser). Portals also support multiple pages through navigation mechanisms (e.g., tab-based navigation) with each page containing its own content and portlets. One such system is the WebLogic® Portal, available from BEA Systems, Inc. of San Jose, Calif.
 In one embodiment, a portal user can be an administrator. As such, the user can create new portals, modify the privileges of visitors and other administrators, and modify many of the attributes displayed in the portal. In another embodiment, a portal user can belong to one or more groups. Groups provide a means for organizing users with common characteristics into a single category. For example, it might be desirable to differentiate the web services offered to bank customers with large assets versus small assets in order to serve these groups better. An association between a portal and a user group is a Group portal. Group portals allow for the definition of different views of a portal for different user groups, making it seem as if users in each group are looking at completely different web sites. Multiple group portals can be created within a single portal. In one embodiment, group portals can be managed by delegated administration.
 In addition to groups, in one embodiment of the invention, users can also be organized into a hierarchy. In one embodiment, a hierarchy can include one or more users designated as system administrators (SA's), zero or more users designated as portal administrators (PA's), and zero or more users designated as group administrators (GA's). Those skilled in the art will recognize that many such hierarchies are possible. In one embodiment, an SA is able to perform all system administration tasks, whereas a PA can perform administration tasks only for a single portal, and a GA can perform administrative tasks only for a single group portal. In another embodiment, users are not organized into a hierarchy.
 In one embodiment, initially there is a single user designated as an SA. The remaining users optionally belong to an “admin eligible” group. Membership in a group can be dynamically determined by evaluating rules. Users belonging to the admin eligible group can be promoted to SA, PA or GA. In another embodiment, group membership is not a prerequisite to promotion. In one embodiment, an SA can promote users in the admin eligible group to SA, PA or GA. Once promoted to SA, a user can likewise promote others to SA, PA or GA. In another embodiment, a PA can promote other users to PA or GA, and a GA can promote other users to GA. It will be apparent to those skilled in the art that user promotion can be accomplished in a number of ways, including automatically via evaluation of rules or manually via administrative tools.
FIG. 2 illustrates an administrative hierarchy in accordance with one embodiment of the invention. SA 10 has promoted users 11 and 12 to PA and user 13 to GA. User 12 has in turn promoted user 14 to GA and user 15 to PA. User 14 in turn has promoted users 16 and 17 to GA. In one embodiment, a user cannot promote another to a role higher than itself. For example, user 14 could not promote user 16 to PA or SA. In another embodiment, users 11-17 belonged to the admin eligible group before promotion.
 In one embodiment, there are four administrative tasks that an administrator (e.g., SA, PA or GA) can potentially control: user management, portal page management, portlet management and visual appearance. In one embodiment, if an administrator has the capability of managing users, the administrator can create users and optionally store information about them. In addition, an administrator can also create groups and add users to them.
 In one embodiment, if an administrator has the capability of managing portal pages, the administrator can control behavioral aspects that a visitor experiences when accessing a portal, such as whether a portlet is viewed as a maximized presentation or a minimized presentation within the page of origin. If an administrator has the capability to alter the visual appearance, the administrator can modify a portal's look and feel, define and arrange the pages and portlets displayed in a portal, define the different views of the portal that different visitors see, and control access to pages and portlets within a group portal. By way of a non-limiting illustration, general portal visual characteristics can include header and footer graphics, content, icon graphics, color schemes, cascading style sheets and hypertext markup language (HTML) layouts. In another embodiment, an administrator can determine the appearance of a portal by selecting from the available skins. A skin is a collection of HTML code and graphics that affect the appearance of a portal, for example, the colors and fonts used.
 In one embodiment, if an administrator has the capability of managing portlets, the administrator can define and modify the resources that are available for a portlet. The administrator can also set portlet defaults, such as whether the portlet will be available to users, whether the portlet can be minimized, whether the portlet can be maximized, etc.
 Table 1 summarizes administrative tasks and their associated capabilities in one embodiment (parenthetical capability codes are provided for use in FIG. 3):
TABLE 1: Administrative Task Capabilities
|Task||Capabilities|
|User Management||Manage (A1), Delegate (A2)|
|Page Management||Manage (B1), Delegate (B2), Set Entitlements (B3)|
|Portlet Management||Manage (C1), Delegate (C2), Set Entitlements (C3)|
|Visual Appearance Management||Manage (D1), Delegate (D2)|
 In one embodiment, if an administrator possesses the “manage” capability, the administrator is permitted to manage the given task. If an administrator possesses the “delegate” capability, the administrator can delegate the capability to another. Finally, if an administrator has the capability “set entitlements”, the administrator can define roles for dynamically associating users with resources. In one embodiment, roles allow for the definition of different views of a portal for different users. By creating groupings of characteristics, such as gender, browser type, or date, any web site visitors who match those characteristics dynamically become members of the role. Such dynamic roles are used to target visitors with campaigns and personalized content, and to control the pages and portlets web site visitors can view.
FIG. 3 illustrates delegation of administrative tasks (see Table 1) in accordance with one embodiment of the invention. SA 10 possesses all administrative capabilities and can delegate all of them. SA 10 has delegated a subset of these capabilities to PA 11 and GA 13. PA 11 was granted all user, page and portlet management capabilities, but was not granted any capabilities related to visual appearance management. GA 13 was granted page and portlet management capabilities, but does not have the capability to delegate these (i.e., B2 and C2). GA 13 was not granted any capabilities related to user or visual appearance management. PA 12 was granted the full set of capabilities from SA 10 and in turn granted a subset of these to GA 14 and PA 15. GA 14 was only granted delegation capability for managing visual appearance, and thus was able to delegate this capability to GA 16 and GA 17. GA 16 and GA 17 cannot delegate D1 since they lack D2. PA 15 was delegated all capabilities except the ability to delegate user management (A2). Therefore, PA 15 can delegate B1-3, C1-3 and D1-3, but not A1.
 In one embodiment, delegated administration can be implemented using entitlements. An entitlement is a mechanism for dynamically associating capabilities with a user. In one embodiment, an entitlement includes a resource, a capability, a permission, and a role rule. For example, if evaluation of a role rule places a user in the role of SA, PA or GA, that user then possesses the capability associated with the resource, assuming that the permission allows it. A permission in one embodiment can be grant, deny or abstain. A resource can include any resource available on a computer network and, in another embodiment, a resource can include logical resources.
 In one embodiment, resource names can be arranged in a taxonomy. A taxonomy provides a means of categorizing and uniquely identifying a resource and is hierarchical in nature. For example, a resource name could be “myPortal.bankerGroup.pageMgmt.smith”. In this example, “myPortal” is the top level taxonomy name and serves to indicate that the resource is a portal named “myPortal”. The next part of the resource name, “bankerGroup”, identifies a user group associated with the portal “myPortal” consisting of bankers. The third part of the resource name indicates an administrative task (i.e., page management) for the group portal “bankerGroup”. Finally, the last part of the resource name identifies a particular user, “smith”. Thus, the resource name in this example identifies a user “smith” that has been delegated at least one capability associated with page administration, wherein the page administration is for the group portal “bankerGroup” within portal “myPortal”.
 In one embodiment, a role rule is defined in terms of one or more logical expressions. A role rule of “everyone” is provided as a default and evaluates to “true” for any user. In another embodiment, a role rule can be based on evaluation of predicates. A predicate is a rule that evaluates to true or false. By way of a non-limiting example, predicates may include other predicates, logical operators (e.g., AND, NOT and OR), mathematical operations, method calls, calls to external systems, function calls, etc. In another embodiment, rules can be specified in plain English. For example:
 When all of these conditions apply, the user is a groupAdmin:
 Administrative Skill Level at least 5
 Trustworthiness is ‘High’
 Time of day is between 12:00 am and 6:00 am.
 In the example above, the role that is being determined is “groupAdmin”. The predicate “Administrative Skill Level is at least 5” evaluates to true when a user's predefined administration level is set to five or higher. The “Trustworthiness is High” predicate evaluates to true if, for example, a predefined trustworthiness level is set to high. The “Time of day” predicate evaluates to “true” if the time of day is between 12:00 am and 6:00 am. It will be apparent to those skilled in the art that any type of predicate can be included in a role rule. To summarize, this role rule allows a user to become a group administrator if their skill level is at least five, they are trustworthy and it is the middle of the night.
TABLE 2: Administrative Task Entitlements
|Resource Name||Capability||Role||Perm|
|myPortal.bankerGroup.userMgmt||manage (A1)||groupAdmin||deny|
|myPortal.bankerGroup.userMgmt||delegate (A2)||groupAdmin||deny|
|myPortal.bankerGroup.pageMgmt||manage (B1)||groupAdmin||grant|
|myPortal.bankerGroup.pageMgmt||delegate (B2)||groupAdmin||deny|
|myPortal.bankerGroup.pageMgmt||entitlements (B3)||groupAdmin||grant|
|myPortal.bankerGroup.portletMgmt||manage (C1)||groupAdmin||grant|
|myPortal.bankerGroup.portletMgmt||delegate (C2)||groupAdmin||deny|
|myPortal.bankerGroup.portletMgmt||entitlements (C3)||groupAdmin||grant|
|myPortal.bankerGroup.visualMgmt||manage (D1)||groupAdmin||deny|
|myPortal.bankerGroup.visualMgmt||delegate (D2)||groupAdmin||deny|
 In one embodiment, by way of example, exemplary entitlements for GA 13 in FIG. 3 are listed in Table 2. The resource name indicates the portal, group portal, and administrative task for that group portal. The capability is a particular capability associated with the administrative task, as in Table 1. The role rule being evaluated is groupAdmin, as above. Finally, the last column in the table is the permission associated with the capability. Notice that GA 13 was not granted any capabilities related to user or visual appearance management, or delegation of portal and portlet management. These entitlements have a permission of “deny”. Thus, a user who dynamically satisfies the role rule groupAdmin will be entitled to the granted capabilities associated with this role.
 In another embodiment, by way of illustration, a user is associated with an administrative role by incorporating the user's name in the resource name. Exemplary entitlements for GA 13 in FIG. 3 in this embodiment are listed in Table 3.
TABLE 3: Administrative Task Entitlements
|Resource Name||Capability||Role||Perm|
|MyPortal.bankerGroup.userMgmt.smith||manage (A1)||everyone||deny|
|MyPortal.bankerGroup.userMgmt.smith||delegate (A2)||everyone||deny|
|MyPortal.bankerGroup.pageMgmt.smith||manage (B1)||everyone||grant|
|MyPortal.bankerGroup.pageMgmt.smith||delegate (B2)||everyone||deny|
|MyPortal.bankerGroup.pageMgmt.smith||entitlements (B3)||everyone||grant|
|MyPortal.bankerGroup.portletMgmt.smith||manage (C1)||everyone||grant|
|MyPortal.bankerGroup.portletMgmt.smith||delegate (C2)||everyone||deny|
|MyPortal.bankerGroup.portletMgmt.smith||entitlements (C3)||everyone||grant|
|MyPortal.bankerGroup.visualMgmt.smith||manage (D1)||everyone||deny|
|MyPortal.bankerGroup.visualMgmt.smith||delegate (D2)||everyone||deny|
 Since the role rule is “everyone”, every user will satisfy the role. Therefore, discrimination among users is based on the resource which includes a user name. When evaluating entitlements in Table 3, the resource name is incorporated with the name of the user under consideration. In this example, if the user is “smith”, the user will be entitled to the same capabilities as the groupAdmin in Table 2.
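The two embodiments (Table 2 with the groupAdmin role rule, Table 3 with the user name in the resource) can be evaluated side by side. This is an added example, not code from the patent: the function names and context keys are hypothetical, and it assumes that a matching "deny" overrides a "grant" and that no match, or only "abstain", means the capability is refused, since the text does not say how permissions combine.

```python
from dataclasses import dataclass
from datetime import time

GRANT, DENY, ABSTAIN = "grant", "deny", "abstain"


def everyone(ctx):
    """Default role rule: true for any user."""
    return True


def group_admin(ctx):
    """The plain-English groupAdmin rule: all three predicates must hold.
    A missing attribute makes the rule false rather than raising."""
    now = ctx.get("now")
    return (ctx.get("admin_skill", 0) >= 5
            and ctx.get("trustworthiness") == "High"
            and now is not None
            and time(0, 0) <= now <= time(6, 0))


ROLE_RULES = {"everyone": everyone, "groupAdmin": group_admin}


@dataclass(frozen=True)
class Entitlement:
    resource: str      # taxonomy name, e.g. myPortal.bankerGroup.pageMgmt
    capability: str    # capability code from Table 1
    role: str          # key into ROLE_RULES
    permission: str    # grant, deny or abstain


# (task, capability code, permission) rows common to Tables 2 and 3.
ROWS = [
    ("userMgmt", "A1", DENY), ("userMgmt", "A2", DENY),
    ("pageMgmt", "B1", GRANT), ("pageMgmt", "B2", DENY),
    ("pageMgmt", "B3", GRANT),
    ("portletMgmt", "C1", GRANT), ("portletMgmt", "C2", DENY),
    ("portletMgmt", "C3", GRANT),
    ("visualMgmt", "D1", DENY), ("visualMgmt", "D2", DENY),
]

# Table 2: role decided dynamically by the groupAdmin rule.
TABLE_2 = [Entitlement(f"myPortal.bankerGroup.{t}", c, "groupAdmin", p)
           for t, c, p in ROWS]
# Table 3: role is "everyone"; the user name is part of the resource name
# (portal name capitalised as printed in Table 3).
TABLE_3 = [Entitlement(f"MyPortal.bankerGroup.{t}.smith", c, "everyone", p)
           for t, c, p in ROWS]


def decide(entitlements, resource, capability, ctx):
    """Return True only if some applicable entitlement grants and none denies.
    Assumption: deny overrides grant; abstain or no match refuses."""
    perms = {e.permission for e in entitlements
             if e.resource == resource
             and e.capability == capability
             and ROLE_RULES[e.role](ctx)}
    if DENY in perms:
        return False
    return GRANT in perms


def granted(entitlements, portal_group, ctx, per_user=False):
    """Capability codes the user in ctx holds for one group portal.
    With per_user=True the user name is appended to the resource name,
    as in the Table 3 embodiment."""
    result = set()
    for task, cap, _ in ROWS:
        resource = f"{portal_group}.{task}"
        if per_user:
            resource += "." + ctx["user"]
        if decide(entitlements, resource, cap, ctx):
            result.add(cap)
    return result


if __name__ == "__main__":
    # Constructed sample context: smith at 2:00 am.
    smith = {"user": "smith", "admin_skill": 6,
             "trustworthiness": "High", "now": time(2, 0)}
    print(sorted(granted(TABLE_2, "myPortal.bankerGroup", smith)))
```

The groupAdmin rule depends on the time of day, so a capability set computed at login is only valid while the rule still holds; evaluating per request avoids acting on a stale result.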
 In another embodiment, a user is associated with an administrative role (e.g., SA, PA or GA) through a mapping between users and administrators. Those skilled in the art will recognize that such a mapping can be implemented in a number of ways, including a database table, a cache, a function, or any combination thereof. In yet another embodiment, a user can be identified as an administrator based on group membership. For example, an SA belongs to the SA group, etc.
FIG. 4 illustrates a system in accordance with one embodiment of the invention. In one embodiment, by way of example, a portal user (not shown) accesses portal 40 through a web browser, such as Microsoft® Internet Explorer available from Microsoft Corp. of Redmond, Wash. The user logs into the portal by typing a login name and password. This information is sent to authorization and authentication module 44 which responds with a set of groups (not shown) for the user. Portal 40 can use the group information to customize the look and feel of the portal page(s) presented to the user. If a user is an administrator, the user can alternately log into admin tool 42 (e.g., via a web browser). Admin tool 42 allows an administrator to perform delegation, promotion, define groups, role rules and entitlements. Of course, a given administrator is limited in what they can do based on their capabilities. When an administrator logs into admin tool 42, this information is sent to the authorization module which returns a set of capabilities based on the evaluation of one or more role rules. Authorization module 44 can utilize database 46 to persist information related to users, groups, entitlements, capabilities, resources, and role rules. In one embodiment, database 46 can be a relational database, an object-oriented database, a flat file, a cache or any other data structure that allows storage of and access to information. In determining capabilities, authorization module 44 can evaluate one or more role rules to determine which entitlements are appropriate for a user. In another embodiment, all components in FIG. 4 may be part of the same software module. In another embodiment, the components may be arbitrarily grouped into different software modules. All components shown in FIG. 4 may reside on the same system or, in another embodiment, may be distributed in a computer network.
 The foregoing description of the preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. Embodiments were chosen and described in order to best describe the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention, the various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents.
|U.S. Classification||709/219, 707/E17.032|
|International Classification||H04L12/24, G09G5/00, G06Q10/00, G06F12/00, H04L29/06, G06F21/00, G06F17/30, H04L29/08|
|Cooperative Classification||Y10S707/99933, Y10S707/99954, Y10S707/99931, Y10S707/99953, H04L67/2819, H04L67/06, H04L67/02, H04L69/329, H04L67/2838, H04L67/2871, H04L67/34, H04L67/2842, H04L67/025, H04L69/22, H04L67/16, H04L67/36, H04L67/14, H04L67/142, H04L67/306, H04L63/0815, H04L63/102, G06F17/30896, G06F2221/2101, H04L41/18, G06F2221/2141, G06F2221/2117, G06F2221/0771, H04L29/06, G06F21/6227, G06F21/629, G06F17/30581, G06F2221/0735, H04L63/0884, G06F2221/0706, G06F21/604, G06F17/3089, G06F2221/0717, G06F2221/0766, G06F17/30908, G06F2221/2145, H04L41/22, G06F17/30873, G06F21/6218, G06F2221/2149, G06Q10/10|
|European Classification||G06Q10/10, H04L29/08N13B, H04L29/08N1A, H04L29/08N27I, H04L63/08B, G06F21/62B1, H04L63/08J, G06F21/62C, G06F17/30W3, G06F17/30S7L, G06F17/30W7, H04L29/08A7, H04L41/22, G06F21/60B, H04L29/08N5, G06F17/30W7S, H04L29/08N15, H04L41/18, H04L63/10B, H04L29/06, G06F21/62B, H04L29/06N, H04L29/08N33, H04L29/08N1, H04L29/08N29U, H04L29/08N35, H04L29/08N13, G06F17/30X|
|Feb 12, 2003||AS||Assignment|
Owner name: BEA SYSTEMS, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRIFFIN, PHILIP B.;DEVGAN, MANISH;BALES, CHRISTOPHER E.;AND OTHERS;REEL/FRAME:013757/0039;SIGNING DATES FROM 20030106 TO 20030203