CN103944883A - System and method for cloud application access control under cloud computing environment - Google Patents
- Publication number: CN103944883A (application number CN201410101018.0A)
- Authority: CN (China)
- Prior art keywords: application, cloud, user, service module, information
- Legal status: Granted
Abstract
The invention provides a system and method for cloud application access control in a cloud computing environment. A gateway proxy interacts with the client: it receives a user's link request for a cloud application and returns the authorized cloud application to the user. The validity of the user's rights is verified by a user application permission service module that interacts with the gateway proxy. A valid application routing address is found in a routing table by an application route service module that interacts with the gateway proxy. The running environment of the cloud application matching the permission information is provided by a cloud application service module that interacts with the gateway proxy. With this system and method, routing and authentication between internal services are completed through the gateway proxy, application permissions are managed in a unified way, control is flexible, and the possibility of information leakage is shielded against.
Description
Technical field
The invention belongs to the field of cloud computing and relates specifically to techniques for controlling the use of, and authorizing access to, cloud applications.
Background technology
Cloud computing is a dynamic, easily scalable, virtualization-based mode of computing on resources, normally provided over the Internet, in which the user does not need to understand the details inside the cloud. Cloud computing services comprise three layers: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). IaaS manages basic resources such as networks, hosts and storage; it is the cornerstone of a cloud computing system and the first step in realizing cloud computing. PaaS manages middleware and databases. SaaS manages the user's applications.
In a cloud computing environment, cloud applications mainly take two forms. The first is hosted application services: the application has a locally runnable interface on the client, but the data it involves and the computing part of the application are all gathered in the back-end cloud data center. The second is remote application: services are accessed remotely through a remote desktop, so that they appear to run on the end user's local computer. These programs are called cloud application programs, and in the ordinary case multiple application instances can run on the same application server. In the second form, however, because the application actually runs on a remote computer, when multiple applications are used by multiple users there is a risk of information leakage between different applications, or between instances of the same application belonging to different users.
The information leakage risk is mainly reflected in the following: 1. application access records remain behind and expose the access footprint; 2. memory buffers are easily obtained by the next user who logs in; 3. an application, while running, can monitor other processes at the same level; 4. effective isolation cannot be achieved.
Summary of the invention
The invention provides a system and method for cloud application access control in a cloud computing environment that controls cloud application permissions, supports flexible application isolation, and applies physical isolation to applications with a high security level, in order to solve the problem of information leakage.
To achieve the above object, one technical solution of the invention provides a system for cloud application access control in a cloud computing environment, comprising:
a gateway proxy, serving as the interface to the client, which receives a user's link request for a cloud application and sends the authorized cloud application, or information refusing the link request, to the user;
a user application permission service module, which manages and maintains user permission information, receives user authentication information through interaction with the gateway proxy, verifies the validity of the user's rights and then feeds the authorization verification result back to the gateway proxy;
an application route service module, which maintains and updates a routing table that records cloud application service assignment information, and which, through interaction with the gateway proxy, finds a valid application routing address in the routing table and feeds it back to the gateway proxy;
a cloud application service module, which, through interaction with the gateway proxy, provides the running environment of the cloud application matching the permission information.
Optionally, the application route service module further comprises:
a state update module, which updates the information of the application servers and the usage state of the applications in the routing table;
a check verification module, which checks whether the routing table contains an available application routing address matching the link request.
Another technical solution of the invention provides a method for cloud application access control in a cloud computing environment, comprising the following steps:
A. a user initiates a link request for a cloud application through a client, and the link request is sent to the gateway proxy together with the user's authentication information;
B. the gateway proxy parses the relevant information and verifies the user's rights through the user application permission service module;
C. after receiving the information that the user's rights have been verified as valid, the gateway proxy searches the routing table for a qualifying application routing address through the application route service module;
D. according to the application routing address found, the gateway proxy links through the cloud application service module to the cloud application server matching that application routing address;
the running environment of the cloud application matching the user's rights is provided by the cloud application service module and fed back to the user's client through the gateway proxy.
Optionally, before step A, the routing table is also initialized by the application route service module, which updates the information of all application servers and the usage state of all applications.
Optionally, in step D, the application route service module also updates, in the routing table, the information of the application server allocated for this link request.
Optionally, after step D, when use of the cloud application ends or the link becomes invalid, the routing table state is updated by the application route service module so that the next application link can use it.
Optionally, in step C, when searching for an application routing address, the application servers available for deployment are determined according to whether the users' rights are mutually exclusive.
Optionally, in step D, when the gateway proxy links to the cloud application server through the cloud application service module, it also sends the use control information of the application matching the user's rights.
Compared with the prior art, the system and method for cloud application access control in a cloud computing environment provided by the invention have the following advantage: routing and authentication between internal services are completed through the gateway proxy; the routing table is maintained and updated for querying during cloud application selection; the application permission service module and the route service module jointly determine the cloud application address that provides the service, so that a cloud application matching the user's rights is provided and access control of the application is completed.
The invention supports the remote application form of cloud application and is also applicable to cloud applications created in local client mode. According to the routing policy, the invention can run different applications on the same machine, in the same session, on different hosts, in different subnets, and so on. The invention manages application permissions in a unified way, controls them flexibly, and shields against the possibility of information leakage.
Brief description of the drawings
Fig. 1 is a schematic diagram of routing table generation in the invention.
Fig. 2 is a schematic diagram of the cloud application access control system of the invention.
Fig. 3 is a schematic diagram of the process by which a client of the invention uses a cloud application.
Fig. 4 is a sequence diagram of cloud application link access control in the invention.
Embodiment
The application scenario of the invention comprises users and a cloud application provider. The user is mainly the initiator of an application link; a third-party desktop program may also assist on the client side by obtaining the user's basic logon information, which is a necessary parameter for creating the cloud application link. The cloud application provider can provide the function of administering and maintaining user permission information, which is stored in the user application permission service module. Cloud applications can run on cloud application servers; in actual deployment a cloud application server is generally a server with multi-session login capability, and may be either a virtual machine or a physical machine.
Based on the invention, the cloud application provider realizes access control of cloud applications with the service roles shown in Fig. 2, comprising: the gateway proxy, the route service module, the user application permission service module and the cloud application service module.
Gateway proxy: serves as the interface to the user; it receives the user's link request and sends the authorized cloud application, or information refusing the request, to the user. At the different service stages the gateway proxy obtains relevant information by interacting with each of the other service modules: for example, the authorization verification information for the user's rights, the valid routing address, the authorized cloud application or the information refusing the request, and so on.
User application permission service module: manages and maintains user permission information, recording which applications a user has and which peripheral usage rights and other associated rights those applications have. On instruction from the gateway proxy it verifies the validity of the user's rights and then feeds the corresponding authorization verification information back to the gateway proxy.
Application route service module: maintains and updates the routing table, which records assignment information related to cloud application services. On instruction from the gateway proxy it finds an available routing address and feeds it back to the gateway proxy.
Cloud application service module: provides the running environment of the cloud application as instructed by the gateway proxy, and limits the use of the cloud application according to the permission configuration information.
Routing table generation is shown schematically in Fig. 1. The application route service module is further provided with a state update module and a check verification module:
The state update module updates the information of all application servers and the usage state of all applications in the routing table. For example, after a user initiates a link request, after an available application server is allocated to the user according to the permission and security principles, or after an application disconnects or its link becomes invalid, the state update module updates the routing table information accordingly.
The check verification module is used, when a user applies to create routing information for a new application, to check whether the routing table contains a legal, valid routing address that is available.
With reference to Fig. 3 and Fig. 4, after the above service roles of the invention have been fully deployed, when a user creates a cloud application link through the client, the method for cloud application access control comprises the following process:
1. Routing table initialization. The application route service module updates the information of all application servers and the usage state of all applications in the routing table.
2. The user initiates a link request for a cloud application through the client; the request contains information about the application to be linked. The link request and the user's authentication information are sent together to the gateway proxy.
3. The gateway proxy parses the relevant information and translates the link request into the concrete application and the peripheral information authorized for that application. The gateway proxy also interacts with the user application permission service module, which further confirms through an authentication query server whether the user's rights are valid; if they are verified as invalid, a failure is returned.
4. On receiving the information that the user's rights have been verified as valid, the gateway proxy interacts with the application route service module, which searches the routing table for a qualifying application routing address. The routing policy used when searching for an application routing address must be decided according to whether the users' rights are mutually exclusive; mutual exclusion means that the users cannot be deployed on the same application server.
5. After the application route service module finds an available, valid routing address, it feeds the address back to the gateway proxy, and the gateway proxy connects to the real cloud application server according to this routing address. At this point the application route service module also updates, in the routing table, the information of the application server allocated for this link request.
The gateway proxy, by interacting with the cloud application service module, obtains the authorized cloud application and sends it to the user's client. Because the use control information of the application is saved in the authorization service, when the gateway proxy creates the cloud application link it can carry, in the information sent to the cloud application service module, the use control information of the application matching the user's rights; the cloud application service module can then limit the use of the cloud application according to that use control information when it provides the application's running environment.
After use of the cloud application ends or the link becomes invalid, the application route service module further updates the routing table state so that the next application link can use it.
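As an added example (not code from the patent or its applicant), the following Python model implements the process of steps 1 to 5 above together with the optional routing-table initialization, allocation and post-exit updates: a gateway proxy verifies the user's rights through a permission service, asks the route service for an address that honours the mutual-exclusion rule, records the allocation in the routing table, passes the use control information (permitted peripherals) to the cloud application service, and releases the server slot on disconnect. All users, tokens, addresses, right classes and the specific mutual-exclusion rule are constructed assumptions; the patent says only that exclusion is decided from the users' rights, not how the rule is expressed.

```python
# Added example (not from the patent or its applicant): a toy model of the
# gateway-proxy flow. Users, tokens, addresses, right classes and the
# mutual-exclusion rule below are all constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: each user's rights carry a class, and two classes are mutually
# exclusive when their sessions may not share one application server.
MUTEX_CLASSES = {frozenset({"standard", "confidential"})}

@dataclass
class Session:
    user: str
    app: str
    right_class: str

@dataclass
class AppServer:
    address: str      # application routing address handed back to the gateway
    apps: Set[str]    # cloud applications deployed on this server
    capacity: int     # concurrent sessions allowed
    sessions: List[Session] = field(default_factory=list)

class UserPermissionService:
    """Records which apps and peripheral rights each user has; verifies auth info."""
    def __init__(self, records: Dict[str, dict]):
        self._records = records

    def verify(self, user: str, token: str, app: str) -> Optional[dict]:
        rec = self._records.get(user)
        if rec is None or rec["token"] != token or app not in rec["apps"]:
            return None                       # invalid: the gateway refuses the link
        return {"right_class": rec["right_class"], "peripherals": rec["apps"][app]}

class RouteService:
    """Routing table plus the state-update and check-verification modules."""
    def __init__(self, servers: List[AppServer]):
        self.table: Dict[str, AppServer] = {}
        self.initialize(servers)

    # state update module: initialization, allocation and release
    def initialize(self, servers: List[AppServer]) -> None:
        self.table = {s.address: s for s in servers}

    def record_assignment(self, address: str, session: Session) -> None:
        self.table[address].sessions.append(session)

    def release(self, user: str, app: str) -> None:
        for server in self.table.values():
            server.sessions = [s for s in server.sessions
                               if not (s.user == user and s.app == app)]

    # check verification module: is there an available address for this request?
    def find_route(self, app: str, right_class: str) -> Optional[str]:
        for server in self.table.values():
            if app not in server.apps or len(server.sessions) >= server.capacity:
                continue
            if any(frozenset({right_class, s.right_class}) in MUTEX_CLASSES
                   for s in server.sessions):
                continue                      # would co-locate mutually exclusive users
            return server.address
        return None

class CloudAppService:
    def launch(self, app: str, address: str, use_control: Set[str]) -> dict:
        # The running environment is restricted to the peripherals the user may use.
        return {"app": app, "address": address, "peripherals": sorted(use_control)}

class GatewayProxy:
    def __init__(self, perm, route, cloud):
        self.perm, self.route, self.cloud = perm, route, cloud

    def link(self, user: str, token: str, app: str) -> dict:
        auth = self.perm.verify(user, token, app)                    # step B
        if auth is None:
            return {"refused": "permission check failed"}
        address = self.route.find_route(app, auth["right_class"])    # step C
        if address is None:
            return {"refused": "no application server available"}
        self.route.record_assignment(address, Session(user, app, auth["right_class"]))
        return self.cloud.launch(app, address, auth["peripherals"])  # step D

    def disconnect(self, user: str, app: str) -> None:
        self.route.release(user, app)                                # post-exit update

def build_demo() -> GatewayProxy:
    """Constructed deployment: two CAD servers, four users, one of them confidential."""
    perm = UserPermissionService({
        "alice": {"token": "tok-a", "right_class": "standard", "apps": {"cad": {"usb"}}},
        "bob": {"token": "tok-b", "right_class": "confidential", "apps": {"cad": {"printer"}}},
        "carol": {"token": "tok-c", "right_class": "standard", "apps": {"cad": set()}},
        "erin": {"token": "tok-e", "right_class": "standard", "apps": {"cad": set()}},
    })
    route = RouteService([AppServer("10.0.0.1", {"cad"}, capacity=2),
                          AppServer("10.0.0.2", {"cad"}, capacity=1)])
    return GatewayProxy(perm, route, CloudAppService())

if __name__ == "__main__":
    gw = build_demo()
    print(gw.link("alice", "tok-a", "cad"))   # routed to 10.0.0.1 with usb
    print(gw.link("bob", "tok-b", "cad"))     # confidential: isolated on 10.0.0.2
    print(gw.link("alice", "wrong", "cad"))   # refused: permission check failed
```

Running the demo, a standard user lands on the first server; a confidential user is kept off that server by the exclusion rule even though it has capacity; a request with a wrong token or for an application the user does not hold is refused before any routing happens; and once every suitable server is full the gateway refuses with "no application server available" until a session is released.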
In summary, in the method for cloud application access control in a cloud computing environment provided by the invention, routing and authentication between internal services are completed through the gateway proxy: the routing table is maintained and updated for querying during cloud application selection, and the application permission service module and the route service module jointly determine the cloud application address that provides the service, so that a cloud application matching the user's rights is provided and access control of the application is completed.
The invention supports the remote application form of cloud application and is also applicable to cloud applications created in local client mode. According to the routing policy, the invention can run different applications on the same machine, in the same session, on different hosts, in different subnets, and so on. The invention manages application permissions in a unified way, controls them flexibly, and shields against the possibility of information leakage.
Although the content of the invention has been described in detail through the preferred embodiment above, it should be understood that the above description is not to be considered a limitation of the invention. After reading the foregoing, various modifications and substitutions of the invention will be apparent to those skilled in the art. Therefore, the scope of protection of the invention should be defined by the appended claims.
Claims (8)
1. A system for cloud application access control in a cloud computing environment, characterized in that it comprises:
a gateway proxy, serving as the interface to the client, which receives a user's link request for a cloud application and sends the authorized cloud application, or information refusing the link request, to the user;
a user application permission service module, which manages and maintains user permission information, receives user authentication information through interaction with the gateway proxy, verifies the validity of the user's rights and then feeds the authorization verification result back to the gateway proxy;
an application route service module, which maintains and updates a routing table that records cloud application service assignment information, and which, through interaction with the gateway proxy, finds a valid application routing address in the routing table and feeds it back to the gateway proxy;
a cloud application service module, which, through interaction with the gateway proxy, provides the running environment of the cloud application matching the permission information.
2. The system of claim 1, characterized in that
the application route service module further comprises:
a state update module, which updates the information of the application servers and the usage state of the applications in the routing table;
a check verification module, which checks whether the routing table contains an available application routing address matching the link request.
3. A method for cloud application access control in a cloud computing environment, characterized in that it comprises the following steps:
A. a user initiates a link request for a cloud application through a client, and the link request is sent to the gateway proxy together with the user's authentication information;
B. the gateway proxy parses the relevant information and verifies the user's rights through the user application permission service module;
C. after receiving the information that the user's rights have been verified as valid, the gateway proxy searches the routing table for a qualifying application routing address through the application route service module;
D. according to the application routing address found, the gateway proxy links through the cloud application service module to the cloud application server matching that application routing address;
the running environment of the cloud application matching the user's rights is provided by the cloud application service module and fed back to the user's client through the gateway proxy.
4. The method of claim 3, characterized in that
before step A, the routing table is also initialized by the application route service module, which updates the information of all application servers and the usage state of all applications.
5. The method of claim 3, characterized in that
in step D, the application route service module also updates, in the routing table, the information of the application server allocated for this link request.
6. The method of claim 3, characterized in that
after step D, when use of the cloud application ends or the link becomes invalid, the routing table state is updated by the application route service module so that the next application link can use it.
7. The method of claim 3, characterized in that
in step C, when searching for an application routing address, the application servers available for deployment are determined according to whether the users' rights are mutually exclusive.
8. The method of claim 3, characterized in that
in step D, when the gateway proxy links to the cloud application server through the cloud application service module, it also sends the use control information of the application matching the user's rights.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410101018.0A CN103944883B (en) | 2014-03-19 | 2014-03-19 | The system and method for cloud application access control under a kind of cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410101018.0A CN103944883B (en) | 2014-03-19 | 2014-03-19 | The system and method for cloud application access control under a kind of cloud computing environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103944883A (en) | 2014-07-23 |
CN103944883B (en) | 2017-08-11 |
Family ID: 51192367
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410101018.0A Active CN103944883B (en) | 2014-03-19 | 2014-03-19 | The system and method for cloud application access control under a kind of cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103944883B (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104158879A (en) * | 2014-08-18 | 2014-11-19 | 浪潮(北京)电子信息产业有限公司 | Cloud management platform architecture system and method for distributed data center |
CN105657033A (en) * | 2016-02-02 | 2016-06-08 | 明博教育科技股份有限公司 | User isolated resource access method and system |
CN106850838A (en) * | 2017-03-06 | 2017-06-13 | 深圳铂睿智恒科技有限公司 | The control method and system of mobile terminal cloud application |
CN107249209A (en) * | 2017-06-09 | 2017-10-13 | 苏州汉明科技有限公司 | wireless local area network gateway management method and system |
CN107707641A (en) * | 2017-09-25 | 2018-02-16 | 睿哲科技股份有限公司 | A kind of method and apparatus by IPv4 terminal maintenance IPv6 cloud main frames |
CN107707522A (en) * | 2017-08-14 | 2018-02-16 | 北京奇安信科技有限公司 | A kind of authority control method and device based on cloud agency |
CN108139722A (en) * | 2015-08-05 | 2018-06-08 | Abb瑞士股份有限公司 | The safety moving of automated system is accessed |
CN108206803A (en) * | 2016-12-16 | 2018-06-26 | 腾讯科技(深圳)有限公司 | Business acts on behalf processing method and processing device |
CN109391683A (en) * | 2018-09-26 | 2019-02-26 | 上海超算科技有限公司 | A kind of data and service convergence agency plant and its implementation of network-oriented application authorization |
CN110661747A (en) * | 2018-06-28 | 2020-01-07 | 南京南瑞继保工程技术有限公司 | Terminal safety control method for rail transit cloud |
CN111193720A (en) * | 2019-12-16 | 2020-05-22 | 中国电子科技集团公司第三十研究所 | Trust service adaptation method based on security agent |
CN111314130A (en) * | 2020-02-13 | 2020-06-19 | 浪潮软件股份有限公司 | Service management and control device and method |
CN111488595A (en) * | 2020-03-27 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Method for realizing authority control and related equipment |
CN112329034A (en) * | 2020-11-02 | 2021-02-05 | 杭州当虹科技股份有限公司 | Application proxy method capable of controlling access policy based on application platform |
CN113378254A (en) * | 2021-07-13 | 2021-09-10 | 重庆云图软件科技有限公司 | Three-dimensional CAD cloud engine system |
CN113572738A (en) * | 2021-06-29 | 2021-10-29 | 中孚安全技术有限公司 | Zero trust network architecture and construction method |
WO2024001642A1 (en) * | 2022-06-28 | 2024-01-04 | 中兴通讯股份有限公司 | Management and control method for usb device, cloud device, terminal device, and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101132344A (en) * | 2007-08-24 | 2008-02-27 | 上海可鲁系统软件有限公司 | Safe intercommunication method and apparatus between two isolated networks |
CN101741817A (en) * | 2008-11-21 | 2010-06-16 | 中国移动通信集团安徽有限公司 | System, device and method for multi-network integration |
WO2011050703A1 (en) * | 2009-11-02 | 2011-05-05 | 华为终端有限公司 | Cloud processing system, cloud processing method and cloud computing agent device |
CN103237019A (en) * | 2013-04-03 | 2013-08-07 | 中国科学院合肥物质科学研究院 | Cloud service accessing gateway system and cloud service accessing method |
Events
- 2014-03-19: CN application CN201410101018.0A, patent CN103944883B, status Active
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104158879B (en) * | 2014-08-18 | 2018-02-23 | 浪潮(北京)电子信息产业有限公司 | A kind of distributive data center cloud management platform architecture system and method |
CN104158879A (en) * | 2014-08-18 | 2014-11-19 | 浪潮(北京)电子信息产业有限公司 | Cloud management platform architecture system and method for distributed data center |
CN108139722B (en) * | 2015-08-05 | 2020-06-05 | Abb瑞士股份有限公司 | Industrial automation system and safe mobile access method thereof |
US10862886B2 (en) | 2015-08-05 | 2020-12-08 | Abb Schweiz Ag | Secure mobile access for automation systems |
CN108139722A (en) * | 2015-08-05 | 2018-06-08 | Abb瑞士股份有限公司 | The safety moving of automated system is accessed |
CN105657033A (en) * | 2016-02-02 | 2016-06-08 | 明博教育科技股份有限公司 | User isolated resource access method and system |
CN108206803B (en) * | 2016-12-16 | 2021-02-05 | 腾讯科技(深圳)有限公司 | Service agency processing method and device |
CN108206803A (en) * | 2016-12-16 | 2018-06-26 | 腾讯科技(深圳)有限公司 | Business acts on behalf processing method and processing device |
CN106850838A (en) * | 2017-03-06 | 2017-06-13 | 深圳铂睿智恒科技有限公司 | The control method and system of mobile terminal cloud application |
CN107249209A (en) * | 2017-06-09 | 2017-10-13 | 苏州汉明科技有限公司 | wireless local area network gateway management method and system |
CN107707522A (en) * | 2017-08-14 | 2018-02-16 | 北京奇安信科技有限公司 | A kind of authority control method and device based on cloud agency |
CN107707641B (en) * | 2017-09-25 | 2020-12-25 | 睿哲科技股份有限公司 | Method and equipment for maintaining IPv6 cloud host through IPv4 terminal |
CN107707641A (en) * | 2017-09-25 | 2018-02-16 | 睿哲科技股份有限公司 | A kind of method and apparatus by IPv4 terminal maintenance IPv6 cloud main frames |
CN110661747B (en) * | 2018-06-28 | 2022-06-28 | 南京南瑞继保工程技术有限公司 | Terminal safety control method for rail transit cloud |
CN110661747A (en) * | 2018-06-28 | 2020-01-07 | 南京南瑞继保工程技术有限公司 | Terminal safety control method for rail transit cloud |
CN109391683A (en) * | 2018-09-26 | 2019-02-26 | 上海超算科技有限公司 | A kind of data and service convergence agency plant and its implementation of network-oriented application authorization |
CN109391683B (en) * | 2018-09-26 | 2021-04-02 | 上海超算科技有限公司 | Data and service fusion agent system facing network application authorization and implementation method thereof |
CN111193720A (en) * | 2019-12-16 | 2020-05-22 | 中国电子科技集团公司第三十研究所 | Trust service adaptation method based on security agent |
CN111314130A (en) * | 2020-02-13 | 2020-06-19 | 浪潮软件股份有限公司 | Service management and control device and method |
CN111314130B (en) * | 2020-02-13 | 2022-09-13 | 浪潮软件股份有限公司 | Service management and control device and method |
CN111488595A (en) * | 2020-03-27 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Method for realizing authority control and related equipment |
CN111488595B (en) * | 2020-03-27 | 2023-03-28 | 腾讯科技(深圳)有限公司 | Method for realizing authority control and related equipment |
CN112329034A (en) * | 2020-11-02 | 2021-02-05 | 杭州当虹科技股份有限公司 | Application proxy method capable of controlling access policy based on application platform |
CN112329034B (en) * | 2020-11-02 | 2024-02-23 | 杭州当虹科技股份有限公司 | Application proxy method capable of controlling access policy based on application platform |
CN113572738A (en) * | 2021-06-29 | 2021-10-29 | 中孚安全技术有限公司 | Zero trust network architecture and construction method |
CN113378254A (en) * | 2021-07-13 | 2021-09-10 | 重庆云图软件科技有限公司 | Three-dimensional CAD cloud engine system |
WO2024001642A1 (en) * | 2022-06-28 | 2024-01-04 | 中兴通讯股份有限公司 | Management and control method for usb device, cloud device, terminal device, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103944883B (en) | 2017-08-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103944883A (en) | System and method for cloud application access control under cloud computing environment | |
US9614875B2 (en) | Scaling a trusted computing model in a globally distributed cloud environment | |
KR101507919B1 (en) | Method and apparatus for virtual desktop service | |
US9935934B1 (en) | Token management | |
US9491183B1 (en) | Geographic location-based policy | |
CN112035215B (en) | Node autonomous method, system and device of node cluster and electronic equipment | |
US9021005B2 (en) | System and method to provide remote device management for mobile virtualized platforms | |
EP2715971B1 (en) | Automating cloud service reconnections | |
CN108289098B (en) | Authority management method and device of distributed file system, server and medium | |
US9197644B1 (en) | System and method for multitenant management of domains | |
WO2017139140A1 (en) | Container credentialing by host | |
CN107480509A (en) | O&M safety auditing system logs in vessel process, system, equipment and storage medium | |
CN103916395A (en) | Method, device and system for service calling | |
US11368462B2 (en) | Systems and method for hypertext transfer protocol requestor validation | |
CN104954330A (en) | Method of accessing data resources, device and system | |
CN105100034A (en) | Method and apparatus for an access function in network applications | |
CN103780396A (en) | Token obtaining method and device | |
CN112788031A (en) | Envoy architecture-based micro-service interface authentication system, method and device | |
US11334661B1 (en) | Security credential revocations in a cloud provider network | |
US11805182B2 (en) | User profile distribution and deployment systems and methods | |
US11477183B1 (en) | Application-based management of security credential revocations | |
CN107276966B (en) | Control method and login system of distributed system | |
CN104935576A (en) | Data safe divided storage and assigned user sharing system | |
JP7134362B2 (en) | Tracking tainted connection agents | |
JP2023538870A (en) | Techniques for persisting data across cloud shell instances |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |