« PreviousContinue »
SYSTEM AND METHOD FOR ACCESSING
ENTERPRISE-WIDE RESOURCES BY
PRESENTING TO THE RESOURCE A
TECHNICAL FIELD OF THE INVENTION
This invention is related in general to the field of computer software systems. More particularly, the invention is related to system and method for enterprise-wide resource access control.
BACKGROUND OF THE INVENTION
FIG. 1 illustrates a typical problem encountered in a resource security system employed by corporate entities and 15 organizations today. Access to resources 10 are provided to users via a number of interactive devices 12, including computer terminals, workstations, computers which are coupled to a network 14 or in communication therewith via a modem. Resources 10 may include mainframe computers 20 16, operating systems 18, other networks 20, computer platforms 22, other resources 24 and databases 26. Each of these interactive devices and resources may employ its own security package 30 to ensure that only the users with the proper credentials may access it. Therefore, to provide a user 25 access to five resources, for example, the resource administrators of the five resources must separately authorize clearance to the user by providing him/her with an identification number or character string and a password. Further, each resource security package must maintain an access 30 database of all of its authorized user identifications and passwords.
As a result, a user's typical log on session would require the user to enter his/her user identifier(s) and password(s) several times to gain access to a number of different 35 resources. Each resource is required to independently authenticate the user's identifier and password before entry is granted. If the user logs off a resource but later desires access to the same resource again during the same session, he/she must reenter the user identifier and password to 40 regain entry.
When the user changes responsibility, function or status with the company, the respective resource administrators must be individually notified to update the access database of each resource. However, because the access databases may not be updated (by the individual resource administrators) to reflect the change in personnel, the integrity of the entire system may be compromised.
SUMMARY OF THE INVENTION 50
Accordingly, there is a need for a system and method which provide role-based access control for resources of an entire corporate entity which eliminate or substantially reduce the disadvantages associated with prior security 55 systems and packages.
In one aspect of the invention, a resource access control system for a corporate enterprise includes many security administrators in communication with a plurality of users, each of the users having one or more assigned roles and a 60 unique user identifier. A database is coupled to the security administrator for storing the users' assigned roles and user identifiers. A temporary credential token is generated correlative to the assigned role(s) of a user by the security administrator as the user logs on by entering the assigned 65 unique user identifier and indicating a desire to access a resource. The temporary credential token is communicated
to the resource to allow access by the user, and deleted as the user logs off the resource.
In another aspect of the invention, a resource access control method provides for the steps of first assigning one or more roles to a user, and defining at least one resource accessible by the user having the role. A temporary credential token is then generated when the user begins a session and requests access to the at least one resource, presenting the temporary credential token to the at least one resource to allow entry by the user, and terminating the temporary credential token when the user terminates the session.
In yet another aspect of the invention, a resource access control method provides for the steps of beginning a session and logging on to a first resource by entering a user identifier and password, for example. The user identifier and password are then authenticated, and a role corresponding to the user identifier is determined and a temporary credential token is generated in response to the authentication and role recognition. The temporary credential token is presented to the first resource to gain entry thereto and further presented to subsequent resources for authentication and access thereto. The temporary credential token is deleted when the session is terminated.
BRIEF DESCRIPTION OF THE DRAWINGS
For a better understanding of the present invention, reference may be made to the accompanying drawings, in which:
FIG. 1 is an exemplary block diagram of a conventional implementation of resource security within an organization;
FIG. 2 is a simplified block diagram of an exemplary resource access control process according to the teachings of the present invention;
FIG. 3 is a simplified block diagram of an exemplary embodiment of a resource access control system constructed according to the teachings of the present invention; and
FIGS. 4A and 4B show a more detailed block diagram of exemplary log on and log off processes and associated access control measures according to the teachings of the present invention.
DETAILED DESCRIPTION OF THE
The preferred embodiment(s) of the present invention is (are) illustrated in FIGS. 2-4, like reference numerals being used to refer to like and corresponding parts of the various drawings.
Referring to FIG. 2, a simplified block diagram of an exemplary process for securing access to any resource according to the teachings of the present invention is shown. A user logs on and enters his/her unique user identifier (ID), password, and/or associated information at an interactive device such as a computer terminal, workstation, and computer (not shown). The user identifier and password are passed to a trusted security authentication system 40, which may check its database (not explicitly shown), validate the user's identity, and pass authenticated user information, including the user identifier, to a resource access control system 50 constructed according to the teachings of the present invention. Although the use of a password is currently the primary authentication method, this invention can interact with any authentication method. The authenticated user information passed from trusted security authentication system 40 and resource access control system 50 may be protected by encryption. System 50 receives the user infor3
mation and generates a temporary user credential token 52, which contains information such as the user's identifier authentication information, the user's role(s), and the user's access list. This token 52 represents authorization for the user to access all the resources 56 listed in the access list. 5 Thus, token 52 is presented to each resource 56 as the user attempts to log on or otherwise gain access.
Accordingly, the resource access control system and method of the present invention are role-based, i.e., the user is authorized to access one or more resources based on the 10 role(s) assigned to the user, not on the individual user. A role is defined as a job function within the organization that describes the authority and responsibility conferred on a user assigned to the role or an otherwise desired title for the user. A default role may be used to provide an employee the basic 15 clearance to limited resources without an explicit assignment. Roles may include, for example, System Analyst I, Financial Advisor, Supervisor, Test Engineer, System Administrator, etc. Associated with each defined role are the resources needed to perform the job and the degree of 20 authorized access for each resource. A resource is anything that is used or consumed while performing a function, and can be time, information, objects, or computing resources.
More specifically, token 52 preferably includes subject information, object information, and security rules permis- 25 sions with the user's role(s). Subject information are information on active entities or subjects, such as users, applications, network nodes, that cause data to flow among objects, alters an object, or changes the system state. It follows then that objects are passive entities, such as data 30 files, records, programs, that contain information and are acted upon by processes initiated by subjects. Each subject is preferably identified by a unique identifier, which is used as a key for accessing subject information. Subject information may include validation information, authorization 35 information, and general information. Validation information is used to verify the identity of a subject and may take different forms, such as a password, fingerprint, voice spectrum, signature, and other unique properties of the user. Validation information is preferably stored in an encrypted 40 format. Authorization information is used to determine whether the subject is authorized to access the selected object. Authorization information may define organizational groups, functional groups, or roles. Lastly, general information may include additional data on the user, such as name, 45 phone number, work location, e-mail address. General information is typically not used for the implementation of security or resource access control but is mainly used for problem resolution and application inquiries.
Token 52 may include object information as well. Object 50 information identifies the object owner, classification level, and object attributes. The owner of an object determines who is authorized to access the object and the type of access permitted, i.e., read, update, or delete. The classification level is the degree of protection an object is given, as defined 55 by the organization. The classification level may control the security action performed when the object is accessed, stored, or moved. Object attributes may be used to identify optional security control measures, such as encryption prior to network transmission. 60
Token 52 may also include security rules or temporary access permission, which may include configuration parameters and security controls. Configuration parameters may include global parameters that apply to an entire organization and local parameters that apply to a single domain, a 65 user group, or a single user. A domain is a grouping defined by function, physical or logical location, resources, and
other factors that cause resources to be organized in a particular way. Security controls may govern access to an object and identify actions that may be performed based on the type of audit records. Further, security controls may also describe the type of security language translation needed to communicate with security packages employed by the object. Constructed in this manner, there is no need to write and store security controls for each individual user that would be stored and remain in the language of the security package in its database. Instead, resource access control system and method of the present invention communicate with the security package of a resource only when the user desires access thereto and dynamically generate the security rule, or temporary access permission for the user's access for each session. The security permission is removed at the end of the user's session, so that there is no update required when that user no longer needs access to that particular resource or change responsibility, function, or status with the company. The security permission is also removed when the session did not end in a normal manner to prevent unauthorized access.
Referring to FIG. 3, a more detailed block diagram of resource access control system 50 is shown. System 50 includes a central security administrator 60 and one or more local security administrator 62 coupled thereto. Resource owners, defined as those users who have ownership responsibility for a specific resource, maintain and provide central security administrator 60 a list of roles that are permitted to access the resource and the degree of access authorized for each role. Central security administrator 60 preferably stores and maintains a number of databases: resource owner directory 70, role owner directory 72, audit database 74, and any other related data. Resource owner directory 70 maintains a listing of resource owners and the resources they own. Role owner directory 72 maintains a listing of roles and their owners. A resource owner is a person who is identified to be responsible for one or more resources. Role owner directory 72 is used by central security administrator 60 to ensure the names of roles between groups do not overlap, and that each role is unique. Special permission may be granted to a group requesting the use of a role definition owned by another group as coordinated by central security administrator 60. Central security administrator 60 also directs and forwards requests for accessing resource to the owner of the requested resource to seek approval. Further, resource owners are able to access audit database 74 and/or to specify and generate reports from database 74 that enable them to determine who has attempted to gain entry to their resources and other information related to user access transactions.
Local security administrator 62 is accessible by resource agents, who are defined as those persons who act on behalf of users by submitting requests for resource access. Typically, resource agents are members of a user group or project team, who make resource access requests for other members of the group. Local security administrator 62 preferably stores and maintains a database 80 of user identifiers, roles, and corresponding resource permissions, and a database 82 for recording resource access histories. Local security administrator 62 is also in communication with trusted security authentication system (TSAS) 40 to receive the user identifier and authentication information. Central security administrator 60 and local security administrator 62 may be co-located on the same computing platform.
Referring to FIGS. 4Aand 4B, a more detailed exemplary process flow diagram of the invention is shown. Across the top of the diagram, the exemplary locations of the process
steps taking place or the actor performing the process steps are identified, including a user 90, a platform 92, trusted security authentication system 40, local security administrator 62, an application program 94, and an application or platform security package 96. The exemplary process steps 5 are sequentially illustrated and described below, where the alignment of each process step with the place or actor in the top row is indicative of a possible location of the step carried out or a possible actor carrying out the step. It is important to emphasize that although the process steps and the location 10 at which they take place are shown explicitly, the invention is not so limited. FIGS. 4A and 4B provide one embodiment of the process in which a role-based temporary access token and permission are generated and used.
Beginning with block 100, user 90 first enters a unique ^ user identifier, a password, and/or any other authentication information at a computer terminal or some other form of data entry equipment. Authentication information may include fingerprints, retinal data, smart card data, and any unique information associated with the user. Platform 92 2o receives the user identifier and password in block 102, which are indicative of a request to log onto the platform, and passes them on to TSAS 40. TSAS 40 validates the identity of the user, as shown in block 104, and provides an acknowledgment of the authentication to platform 92, as shown in 25 block 106. Platform 92 then provides this information to local security administrator 62, which generates a temporary user credential token, as shown in block 108. The token is presented to platform 92, which gives user 90 the permission to gain access to a network, for example, as shown in block 30 110. Preferably, an informative screen indicative of the security clearance is displayed at the computer terminal in addition to a list of resources user 90 may now access. User 90 may then select a resource from the list, such as an application program, as shown in block 112. 35
Platform 92, upon determining the user's selection, presents the temporary user credential token to selected application program 94, as shown in block 114. Application program 94 in turn presents authentication information contained in the token to security package 96 of application 40 program 94, as shown in block 116. Security package 96 performs mutual authentication by verifying the authentication information contained in the token, as shown in block 118. It is important to distinguish this step from other conventional systems in which user identifier and password 45 are again authenticated. Here, the token is only examined to ensure it contains valid information. In block 120, application program 94 then presents the token, which includes the privilege credentials of user 90, to security package 96. In block 122, security package 96 stores the token for the life 50 of the session, and subsequently issues clearance to user 90. A screen displaying a list of application resources now available to user 90 may then be displayed to allow user 90 to make a further selection, as shown in block 124. The resources may include particular files and databases, for 55 example. Upon receiving the user's selection, security package 96 generates a temporary access permission guarding the user's access of the selected resource, as shown in block 126, and application program 94 allows the user's access to the selected resource. The user is able to read, update, or 60 delete data contained in the selected resource, depending on what actions are allowed by the temporary access permission, as shown in blocks 128-130.
When user 90 logs off from application program 94 at the end of the session, application program 94 terminates the 65 session, and security package 96 deletes the temporary user credential token and also terminates the temporary access
permission, as shown in blocks 132-136. User 90 then logs off the network in block 138, and platform 92 then deletes the temporary user credential token and terminates the session in block 140. It may be seen from the foregoing that user 90 may switch to another application and come back to the first application during the same session without its security package 96 having to re-authenticate the user's credentials. Re-authentication is not necessary as long as the security package of the first application program cached the user's credentials when the user first gained access thereto.
Constructed and operating in this manner, resource access control system 50 provides a temporary access token according to the role the user is assigned. The same token is used to gain access to all the resources at the organization, including networks, mainframe computers, computing platforms, application programs, databases, files, etc. The token, in effect, travels with the user to the various security packages of the resources he/she wishes to gain access. Therefore, the user is only required to enter one set of user identifier and password even when he/she may wish to access, for example, ten resources during a single session. Because resource access control system 50 grants entry to resources based on a user's role and the various resources need not permanently store information associated with all the users, user information may be updated quickly and efficiently at local security administrator 62.
Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
What is claimed is:
1. A resource access control method, comprising the steps
assigning at least one role to a user;
generating a temporary credential token when said user begins a session and requests access to at least one resource based on said at least one role assigned to said user, the temporary credential token allowing said user to access any resource within the enterprise based on the assigned role of the user, wherein said temporary credential token includes role information specifying at least one of said assigned user roles and resource information comprising a list of accessible resources corresponding to said assigned user role;
presenting said temporary credential token to said at least one resource to allow entry by said user;
generating a temporary access permission by said at least one resource in response to said at least one resource receiving said temporary credential token, the temporary access permission permitting said user access to said at least one resource;
terminating said temporary credential token and said temporary access permission to terminate said user's access to said at least one resource when said user terminates the session.
2. The method, as set forth in claim 1, further comprising the steps of:
assigning a user identifier to said user; and receiving said user identifier from said user and authenticating said user identifier prior to generating said temporary credential token.