EP1430379A2 - Method for role-based control of access to resources of a data processing system, and corresponding data processing system and computer program - Google Patents

Method for role-based control of access to resources of a data processing system, and corresponding data processing system and computer program

Info

Publication number
EP1430379A2
Authority
EP
European Patent Office
Prior art keywords
user
data processing
assigned
processing system
entry
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02776706A
Other languages
German (de)
English (en)
Inventor
Harald Kopper
Rudolf Wöhrl
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Definitions

  • a user role determines the function of a user within an organizational unit and serves to define the scope of his operational responsibility.
  • a user role access control comprises one or more user roles and access authorizations, which together determine which actions may be performed on computer-based objects.
  • A request from a user is granted by user role access control when the user roles assigned to that user carry access permissions that authorize him to perform the requested actions on the computer-based object.
  • the present invention is based on the object of specifying a method, a data processing system and a computer program for automatically assigning access authorizations to users in role-based resource access control systems.
  • An essential aspect of the present invention is that role hierarchies can be mapped, for example organization-wide, in a data processing system by successively determining the access rights assigned to user roles, the hierarchically dependent user roles, and the access rights assigned to those dependent roles. These successively determined access rights serve as the basis for a system-wide automatic creation or adaptation of user access rights management lists in the resource-providing data processing systems of the overall data processing system.
  • Figure 1 is a schematic representation of the operation of a role-based resource access control system
  • Figure 2 shows a data processing system with several data processing systems and role-based resource access control.
  • Figure 3 is a schematic representation of a user role hierarchy
  • FIG. 4 shows a flowchart for a method for role-based resource access control in the case of hierarchically dependent user roles
  • FIG. 1 shows the environment in which a role-based resource access control system is embedded.
  • Roles R1-R4 can be defined or derived for business processes P1-P4. Access rights to resources of an organization-wide data processing system with numerous data processing systems TSYS1-TSYSp are controlled via the defined or derived roles R1-R4.
  • the data processing systems TSYS1-TSYSp form the target systems for role-based resource access control.
  • users U1-U3 are assigned to roles R1-R4, roles R1-R4 to authorizations, and authorizations to resources of the target systems TSYS1-TSYSp. Further details on role-based access control systems are described in David Ferraiolo, Richard Kuhn: "Role Based Access Control", Proceedings of the 15th National Computer Security Conference, 1992, Vol. II, pp. 554-563.
  • the data processing system shown in FIG. 2 has a plurality of databases DB1-DBn with user-specific data such as organization, locations, areas of responsibility, personnel master data and available services.
  • the user-specific data are not necessarily stored in the individual databases DB1-DBn in accordance with a uniform data structure.
  • the individual databases are linked with one another to form a single resulting user database MDIR, hereinafter referred to as a meta-directory.
  • the data stored in the individual databases DB1-DBn are modeled according to an overall data model. Any data redundancies in the individual databases DB1-DBn are eliminated during the data migration to the metadirectory MDIR.
  • the individual databases DB1-DBn and the meta-directory MDIR are synchronized.
  • the synchronization requests REQ are transmitted via a data network NET, which connects the database servers DBS1-DBSn with the metadirectory server MDS.
  • the metadirectory MDIR has memory areas M1-M3 with user master data, role definitions and access rights for resources.
  • the resources include the program applications APP11-APPpn and memory areas MEM1-MEMp provided by the data processing systems TSYS1-TSYSp.
  • the resource-providing data processing systems TSYS1-TSYSp are referred to below as target systems.
  • the access authorizations for the resources provided by the target systems TSYS1-TSYSp are assigned by means of the predefined user roles stored in the meta-directory MDIR. Access rights to the resources of the target systems TSYS1-TSYSp are assigned to the predefined user roles. Furthermore, assignments of users to roles are stored in the meta-directory MDIR, whereby the respective users are granted the access rights assigned to the respective roles. The assignments of users to roles are stored in the meta-directory MDIR, for example, as part of the HR master data.
  • the predefined user roles are advantageously made available for assignment by means of a role catalog stored in the MDIR meta-directory.
  • the metadirectory server MDS is connected to the target systems TSYS1-TSYSp via interface devices TSA1-TSAm.
  • the interface devices TSA1-TSAm are referred to below as target system agents.
  • the target system agents TSA1-TSAm resolve the user roles assigned to users of the data processing system into application-specific or operating-system-specific access authorizations for the program applications APP11-APPpn and memory areas MEM1-MEMp provided by the target systems TSYS1-TSYSp.
  • Such application- or operating-system-specific access authorizations correspond, for example, to user authorizations managed in the target systems TSYS1-TSYSp by means of user access rights management lists ACL (Access Control Lists).
  • the target system agents TSA1-TSAm thus have coordinating functions with regard to program access control and data storage in the target systems TSYS1-TSYSp.
  • the target system agents TSA1-TSAm in FIG. 2 have LDAP converters (Lightweight Directory Access Protocol) and API access interfaces (Application Programming Interface), which are not explicitly shown, and resolve the user roles into command sequences that can be interpreted by the respective target systems TSYS1-TSYSp.
  • access authorizations 311-314 are inherited from hierarchically dependent, subordinate user roles 302-303, 304-307 to hierarchically superior user roles 301, 302-303.
  • user roles 301-307 are assigned to different levels 308-310.
  • the access authorizations 311-314 at the lowest level 310 are specific access authorizations for resources provided by the target systems TSYS1-TSYS7. For the sake of simplicity, it is assumed that these specific authorizations all refer to program applications and memory areas provided by one of the target systems TSYS1-TSYS7.
  • In FIG. 3, an arrow pointing towards a target system TSYS1-TSYS7 symbolizes a write right, while an arrow pointing away from the respective target system TSYS1-TSYS7 symbolizes a read right.
  • a combined read and write right is symbolized by a double arrow.
  • the access authorizations 311-314 which are assigned to user roles 304-307 at the lowest level 310 of the role hierarchy, are subsequently passed on to user roles 302, 303 at a middle level 309. All authorizations 311-314 are passed on to a user role 301 at a top level 308 of the user role hierarchy.
  • the flowchart shown in FIG. 4 for a method for role-based resource access control in the case of hierarchically dependent user roles serves to explain the functionality of a target system agent TSAl-TSAm.
  • the starting point of the method is an assignment 401 of at least one user role to a user of the data processing system.
  • the access authorizations assigned to the at least one user role on resources provided by the target systems TSYS1-TSYS7 are then determined 402. These access authorizations are specific authorizations which are assigned directly to the respective user role.
  • hierarchically dependent user roles are determined 403 from the at least one user role. Access rights that represent specific authorizations and are assigned to the hierarchically dependent user roles are then determined 404.
  • the determination 403 of dependent user roles and the determination 404 of access rights assigned to the dependent user roles are carried out iteratively. For this purpose, it is checked 405 whether there are further dependent user roles. If so, a new determination 403 of dependent user roles and a new determination 404 of the access authorizations assigned to these user roles take place. Otherwise, it is checked 406 whether there are entries for the respective user in the user access rights management lists ACL stored in the target systems TSYS1-TSYS7.
  • It is then checked whether a primary entry is present. If a primary entry is present, the determined access authorizations are assigned 408 to the primary entry in the respective user access rights management list ACL. If there is no primary entry, it is checked 409 whether there is exactly one entry for the respective user in the user access rights management lists ACL. If there is exactly one entry, this entry is declared 410 the primary entry and the determined access authorizations are assigned to it. If, on the other hand, there is more than one entry for the respective user, a new entry is created 411 for this user in the respective user access rights management list and the determined access authorizations are assigned 412 to it.
  • Once the access authorizations have been assigned, a message MSG is transmitted to the respective target system agent TSA1-TSAm (see also FIG. 2).
  • the respective target system agent TSA1-TSAm checks the message MSG for a change in application- or operating-system-specific access authorizations, which may have to be signaled to the respective target system TSYS1-TSYSp.
  • the resource access control method described above is implemented by a computer program which can be loaded into a RAM of the metadirectory server MDS and which has software code sections, the execution of which initiates the steps described above.
  • the metadirectory server MDS has a non-volatile storage medium MEM for the permanent storage of the computer program and a central processing unit CPU for its execution.
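The inheritance rule of FIG. 3 and the method of FIG. 4 (steps 402-412), written out as an added example for this page; it is not code from the patent or from Siemens. The role names R301-R307 and the target system names follow the figure numbering, but the hierarchy edges, resource names and rights are constructed here, the `seen` cycle guard is an addition the flowchart does not have, and the case of a user with no ACL entries at all, which the flowchart text leaves open, is handled as an assumption by creating a new entry.

```python
"""Role hierarchy resolution and target-system ACL reconciliation.

Added example modelled on FIG. 3 / FIG. 4 of the patent text above; all
role edges, resources and rights below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """One specific access authorization: a right on a resource of a target
    system. A read/write double arrow of FIG. 3 becomes two Permission values."""
    target_system: str
    resource: str
    right: str  # "r" or "w"


# Constructed hierarchy (assumption, not the figure's actual edges):
# superior role -> hierarchically dependent (subordinate) roles.
ROLE_HIERARCHY = {
    "R301": ["R302", "R303"],   # top level 308
    "R302": ["R304", "R305"],   # middle level 309
    "R303": ["R306", "R307"],
}

# Specific authorizations 311-314 sit only at the lowest level 310 (constructed).
DIRECT_PERMISSIONS = {
    "R304": {Permission("TSYS1", "APP11", "w")},
    "R305": {Permission("TSYS2", "MEM2", "r")},
    "R306": {Permission("TSYS3", "APP31", "r"), Permission("TSYS3", "APP31", "w")},
    "R307": {Permission("TSYS4", "MEM4", "r")},
}


def resolve_permissions(assigned_roles, hierarchy=ROLE_HIERARCHY,
                        direct=DIRECT_PERMISSIONS):
    """Steps 402-405: take the direct rights of the assigned roles, then keep
    determining dependent roles and their rights until none remain. Rights are
    inherited upwards, so a superior role ends with the union of everything
    below it. The `seen` set is an added guard: the patent's loop terminates
    only for an acyclic hierarchy, and directory data can be malformed."""
    perms = set()
    seen = set()
    todo = deque(assigned_roles)
    while todo:
        role = todo.popleft()
        if role in seen:
            continue
        seen.add(role)
        perms |= direct.get(role, set())
        todo.extend(hierarchy.get(role, []))
    return perms


@dataclass
class AclEntry:
    """One entry of a target system's user access rights management list."""
    user: str
    primary: bool = False
    rights: set = field(default_factory=set)   # {(resource, right), ...}


@dataclass
class TargetSystemAcl:
    target_system: str
    entries: list = field(default_factory=list)


def reconcile_acl(acl, user, perms):
    """Steps 406-412: pick the ACL entry that receives the resolved rights.
    Returns True when the effective rights in this target system changed, the
    condition the target system agent checks in MSG before signalling it."""
    wanted = {(p.resource, p.right) for p in perms
              if p.target_system == acl.target_system}
    own = [e for e in acl.entries if e.user == user]
    if not own and not wanted:
        return False                            # nothing to grant or revoke
    primaries = [e for e in own if e.primary]
    if primaries:                               # 408: primary entry exists
        entry = primaries[0]
    elif len(own) == 1:                         # 410: the single entry becomes primary
        entry = own[0]
        entry.primary = True
    else:                                       # 411: several entries (or, by
        entry = AclEntry(user, primary=True)    # assumption, none): new entry
        acl.entries.append(entry)
    changed = entry.rights != wanted
    entry.rights = set(wanted)                  # 412 (likewise for 408/410)
    return changed


def provision_user(user, roles, acls):
    """Run the FIG. 4 method for one user across all target system ACLs and
    return the MSG content: which target systems must be re-signalled."""
    perms = resolve_permissions(roles)
    return {acl.target_system: reconcile_acl(acl, user, perms) for acl in acls}


if __name__ == "__main__":
    acls = [TargetSystemAcl(ts) for ts in ("TSYS1", "TSYS2", "TSYS3", "TSYS4")]
    print(provision_user("U1", ["R302"], acls))   # TSYS1 and TSYS2 change
    print(provision_user("U1", ["R302"], acls))   # second run: nothing changes
```

Two points a practitioner would check before deploying such a resolver: because rights flow upwards, the top-level role 301 accumulates every authorization 311-314, so the hierarchy must be kept shallow and the top roles sparsely assigned to preserve least privilege; and step 411 creates a fresh entry when several non-primary entries exist, but the text does not say the old entries are removed, so any rights they still carry remain effective in the target system unless the agent cleans them up.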

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

In a data processing system comprising at least one data processing installation, a plurality of databases assigned to the data processing system and holding user-specific data are combined to form a single resulting user database. Access authorizations to resources provided by the at least one data processing installation are assigned by means of predefined user roles. At least one user role is assigned to at least one user of the data processing system.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10147466 2001-09-26
PCT/DE2002/003589 WO2003027834A2 (fr) 2001-09-26 2002-09-23 Method for role-based control of access to resources of a data processing system, and corresponding data processing system and computer program

Publications (1)

Publication Number Publication Date
EP1430379A2 true EP1430379A2 (fr) 2004-06-23

Family

ID=7700353

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02776706A Withdrawn EP1430379A2 (fr) 2001-09-26 2002-09-23 Method for role-based control of access to resources of a data processing system, and corresponding data processing system and computer program

Country Status (3)

Country Link
EP (1) EP1430379A2 (fr)
AU (1) AU2002339318A1 (fr)
WO (1) WO2003027834A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8993943B2 (en) 2010-10-20 2015-03-31 Trumpf Huettinger Gmbh + Co. Kg Systems for operating multiple plasma and/or induction heating systems and related methods
US9503006B2 (en) 2010-10-20 2016-11-22 Trumpf Huettinger Gmbh + Co. Kg Plasma and induction heating power supply systems and related methods

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9697373B2 (en) * 2004-11-05 2017-07-04 International Business Machines Corporation Facilitating ownership of access control lists by users or groups

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001041039A2 (fr) * 1999-12-02 2001-06-07 Secure Computing Corporation Locally adaptable security management scheme for networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03027834A3 *


Also Published As

Publication number Publication date
WO2003027834A2 (fr) 2003-04-03
WO2003027834A3 (fr) 2004-04-08
AU2002339318A1 (en) 2003-04-07

Similar Documents

Publication Publication Date Title
DE69635469T2 (de) Synchronization between different computer vendor environments
DE69530128T2 (de) Security for computer resources
DE69630480T2 (de) Method, apparatus and data structures for object management
DE69930855T2 (de) Method and apparatus for performing a deterministic memory allocation response in a computer system
DE69403192T2 (de) Apparatus and method for backing up data of storage units in a computer network
DE69907919T2 (de) Multilingual user interface for an operating system
DE69427347T2 (de) Method and system for improved role-based access control in distributed and centralized computer systems
EP1258812B1 (fr) Virtual database of heterogeneous data structures
EP0829046B1 (fr) Method and system for updating user programs and user computers in a computer network
DE112013002542T5 (de) Cloud-based application resource files
EP1298515A2 (fr) Method for controlling access to resources of a data processing system
DE69936257T2 (de) Generating and checking reference address pointers
EP0959588A2 (fr) Network element with control device and control method
DE102005021854B4 (de) Property-based assignment of resources to security domains
EP2250588B1 (fr) Method and program for providing data consistency in networks
EP2163961B1 (fr) Method for granting access authorization to a computer-based object in an automation system, computer program and automation system
EP1166228B1 (fr) Use of fractal semantic networks for all types of database applications
EP1430379A2 (fr) Method for role-based control of access to resources of a data processing system, and corresponding data processing system and computer program
DE69838366T2 (de) Thread synchronization by selective object locking
DE102004004101A1 (de) Method and system for protecting electronic data objects against unauthorized access
WO2018130426A1 (fr) Anonymization of a blockchain
DE112007002327T5 (de) Persistent locks on resources for concurrency control
DE102005033231A1 (de) Method for dynamic service configuration of a technical system
WO2010026151A1 (fr) Method for assigning an access authorization to a computer-based object in an automation system, computer program and automation system
DE102005056357A1 (de) Multithreading-capable virtual machine

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040326

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20040715

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20050127