TW493122B - Computer security system - Google Patents


Info

Publication number
TW493122B
Authority
TW
Taiwan
Prior art keywords
access
asset
user
role
security
Prior art date
Application number
TW90105125A
Other languages
Chinese (zh)
Inventor
Daniel Brown
Fernando Zapata
Roger Frech
David Shelor
Original Assignee
I2 Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by I2 Technologies Inc
Application granted
Publication of TW493122B


Landscapes

  • Storage Device Security (AREA)

Abstract

A security system for a computer system provides one or more security domains. Access to assets registered to the security system is controlled by rights and privileges. Rights are derived from roles, and each user is assigned one or more roles. Privileges are attached to assets, and an appropriate combination of rights and privileges is required before a user is granted the specified type of access to the asset.

Description

Cross-Reference to Related Applications

This application claims the benefit of U.S. Provisional Application No. 60/187375, filed March 6, 2000.

Background of the Invention

1. Field of the Invention:

The present invention relates generally to computer systems, and more particularly to security systems and methods for controlling and authorizing access to computer systems.

2. Description of the Prior Art:

Security is an important consideration for computer systems that allow access by multiple users. This is particularly true when access is available from outside a physically restricted area, as with systems generally available over the Internet. As systems become more complex and access is required to more widely distributed data, security systems tend to become more complex.

The problem arises in the context of different enterprises sharing data and processes through distributed computer systems. Managing security from more than one location, by more than one administrator, becomes more important. Further, because different companies conduct business in different ways, a security system intended for use by different enterprises must be flexible and able to accommodate different security implementations.

Existing security systems are often inconvenient and do not have the required flexibility. It would be desirable to provide a computer security system that is flexible, extensible, and allows multiple administrators to operate simultaneously to provide the required security. It would also be desirable for such a system to allow administrators to define additional types of security, and to supply security for additional types of objects, beyond those originally provided.

Summary of the Invention

According to the present invention, a security system for a computer system provides one or more security domains. Access to assets registered with the security system is controlled by rights and privileges. Rights are derived from roles. An appropriate combination of rights and privileges is required for access.

Brief Description of the Drawings

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 is a block diagram of a system providing security to a computer system;
Figure 2 is a diagram showing the structure of a computer security system according to the present invention;
Figures # 4a-b are diagrams showing domain relationships according to the preferred embodiment;
Figure 5 is a diagram showing the preferred steps for granting access and authorization to a user;
Figure 6 is a diagram showing the use of roles within the preferred security system;
Figure 7 is a diagram showing the relationship between rights and privileges in the preferred embodiment;
Figures 8 and 9 show the preferred use of access control lists (ACLs) according to the preferred embodiment;
Figure 10 is a diagram showing the use of two-way transfer of privileges; and
Figures 11 and 12 are block diagrams showing the preferred user authorization methods.


Description of the Preferred Embodiment

Those skilled in the art will appreciate that the following description can readily be implemented on many different underlying systems. The described system illustrates a particular set of techniques and methods for granting users access to the various files, executable programs, and other system assets available on a protected system. The described security system and method need not provide complete system security, but can be supplemented by other widely available products to provide complete security. As those of ordinary skill in the art will recognize, the following description indicates where and how it can be implemented on any desired system.

Figure 1 is a block diagram of a security system implemented according to the preferred embodiment of the invention. Figure 1 shows the architecture of the preferred system, with particular focus on the security services. A first host machine 10 includes a web server application 12 and a servlet engine 14. Application logic 16 located in the servlet engine 14 makes in-process calls to the available security application program interface (API). This security service communicates with a database 18, which can be an Oracle database reached through a JDBC link 20.

A second host 22 contains the functionality of the application 24 to which access is desired. The application 24 in turn relies on a security service 26 for access control information. In one embodiment, the B0 server 24 is a C++ engine and uses a CORBA server called the DNA bridge 28 to communicate with security 26. The DNA bridge 28 is responsible for passing raw permissibility data to the B0 server 24, which then handles the actual enforcement.

At the center of the security model is the concept of a domain 29, as shown in Figure 2. A domain is an administrative and access control boundary around a set of security entities. These entities include:

1. Members 30, 31, which are users who have been authenticated to the domain;
2. Groups 32, which are collections of members used for ease of administration;
3. Roles 34, which represent responsibilities that members can assume;
4. Registered assets 36, which are the resources the system is responsible for protecting;
5. ACLs (access control lists) 38, which define the privileges a role can have when accessing an asset.

Domains are used to provide a sandbox for members. The sandbox controls which members can control which assets of the system during a given period. The system has many domains, some or all of which may be in use at any given time. Domains can be mapped to secured external entities, but many applications have found only the need to map domains to enterprises/companies.

During a given period, most entities reside within a single domain, but some special entities have visibility across several domains. One of these, the universal security administrator 40 (also called the "super user"), is a special member that is allowed to administer the entire security model, including all entities in any domain. The other special entities are roles. Security uses roles to implement declarative and programmatic security. There are two kinds of roles in the system:

1. Domain roles 34, which are visible only within a single domain; and


2. Universal roles 42, which are visible across all domains.

A universal role 42 represents a user responsibility that is commonly accepted and understood by several collaborating domains. Universal roles exist so that the workflow of a shared application is consistent, and understood, for all of its users. A domain role 34 has meaning only within the domain in which it is defined.

The domain to which a user authenticates at the beginning of a session determines the roles the user can use. The following example illustrates:

1. Let the domains be "Acme Computers" and "Beta Bank".
2. Let the member be "jsmith".
3. Let the universal roles be "Administrator" and "Purchaser".
4. Let the domain role for Beta Bank be "Teller".
5. Let the domain role for Acme Computers be "Assembler".
6. Let jsmith be assigned to both domains.
7. Let jsmith be granted the roles Administrator, Purchaser, and Teller.

If jsmith logs in to the Acme Computers domain, his active role set includes: Administrator, Purchaser.

If jsmith logs in to the Beta Bank domain, his active role set includes: Administrator, Purchaser, Teller.

When logged in to Acme Computers, the member jsmith does not have the Assembler role, because he has not been granted that role.

Two domains can be joined by a trust relationship. A trust relationship determines how privileges are delegated from one domain to another. Trust can be one-way or two-way, as shown in Figure 3. For example, domain ABC 50 has a one-way trust relationship with domain DEF 54 (ABC trusts DEF), which means that privileges on ABC's assets can be delegated from ABC to DEF. ABC 50 has a two-way trust relationship with XYZ 52, which means that privileges on ABC's assets can flow to XYZ, and vice versa.

A domain can also own another domain, that is, be responsible for its creation and destruction. As shown in Figure 4, a parent-child topology is used to represent domain ownership, and a peer-to-peer topology is used when there is no ownership relationship between two domains.

The concepts of trust and ownership can be combined. For example, a group of domains can be linked together in a parent-child topology in which each link is also a one-way trust. This means that privileges can be delegated from the topmost domain to lower-level domains. It also means that each domain creates the domains beneath it.

The model described in the preceding paragraph can be illustrated with an example. Suppose a customer uses this model for its catalogs and categories. The customer creates subordinate domains and then gives each subordinate access to a subset of its catalogs and categories. The subordinates in turn create distributor domains and give the distributors access to a further subset of the catalogs and categories. Support for additional domain relationships and topologies will be added as the need arises.

The security principals associated with a user, comprising domain and roles, determine what the user can access. As shown in the corresponding figure, security principals are required after the user has been authenticated. Authentication establishes the user's identity, which can be used to obtain information about the user's participation in the business domain (such as the company that employs the user and the portal through which the user logged in). These "business principals" are then used to derive the security principals that should be in effect for the member. The system uses these security principals to make authorization decisions.

As indicated in Figure 6, a role 62 can be granted directly to a member 63, or a role 64 can be granted to a group 66. Any member assigned to the group in turn receives the privileges enjoyed by the group role 64. The relationship between members and roles is determined dynamically at login. A member 63 can be granted multiple roles, but only a subset of them may be usable within a particular domain. For example, member 63 in Figure 6 has been granted role 1 62 and role 2 64, but domain A 68 allows him to use only role 1 62, whereas domain B 70 allows him to use roles 1 and 2. Whether a role is usable within a domain depends on the type of the role (that is, universal role or domain role).

As shown in Figure 7, the roles 72 a member has been granted ultimately determine which assets 74 the member can access. Access control decisions are made by combining rights and privileges.

1. Rights 76 are attached to roles 72 and override the privileges on assets. For example, the universal security administrator (super user) 40 has a special right that allows it to administer any asset in the system, regardless of the privileges specified on that asset. The universal security administrator is an example of a right defined by the security system, but rights can also be defined by applications. An application that controls workflow based on particular roles implicitly attaches rights to those roles.
2. Privileges 78 are attached to assets 74 and are used to grant fine-grained access to assets.

A single privilege identifies which operation can be performed by which role on which asset. The mechanism for attaching privileges to an asset 74 is the access control list (ACL) 80. An ACL 80 contains a list of access control entries (ACEs) 82, each of which contains a domain identifier 84, a role identifier 86, and one or more privileges 88, as shown in Figure 8. The domain identifier 84 and the role identifier 86 are security principals that can be associated with one or more members. An ACE 82 contains both because the privileges of a role must be scoped by domain (for example, Admin may be able to perform certain operations in one domain, but may be prevented from performing the same operations in a different domain).

A privilege allows a domain/role combination to perform an operation on the asset. As shown in Figure 9, the basic operations include read and write. Other operations are available, but they depend on the type of asset being managed.

In addition to privileges, a domain/role can be granted ownership of particular operations on an ACL. An owner of the ACL is allowed to modify it within certain limits:

1. If a domain/role owns an operation on the ACL, a member associated with the owning domain/role principals can grant that operation to the same role in a different domain.

For example, in Figure 9, a member in domain ABC having role Foo owns the write operation on the ACL. This member effectively becomes an administrator of the ACL and is therefore allowed to grant the write operation to role Foo in domain DEF. He is also allowed to grant domain DEF/role Foo ownership of the write operation.


I A7 ------ —__R7 — _ 一 五、發明說明(9 ) ACL擁有權和管理爲於領域間權限被移轉的機制。於權 限的單向移轉中,角色的能力傾向減少進一步從”基地” (home)領域(即資產被產生的地方)移走。這是因爲管理者 可能未冒傳遞比其擁有更多的權限。至多,跨越所有領域 時,角色能力將保留一致,但是實際上這,是不可能的。 在權限雙向的移轉中,如圖丨〇所示,角色的能力將根據 詢問中資產來變動, 已註册資產爲安全系統負責保護的資源。已註册資產根 據他們貝產型態來分類,其決定資產應該如何被識別並且 何種作業可對其進行。基本資產型態的一種可能名列包括 價格群組(price group)、價格模式(Price template)、目錄、 類別、產品群組、和URL。此名列於開展訂單系統或類似 企業有用。新資產型態可以於開展時被定義,如下文所 述0 經濟部智慧財產局員工消費合作社印製 貧產型態定義形而上層次(meta-level)和實例層次 (instance-level)作業。形而上層次作業爲那些不需實例運 作的作業,例如生成作業可以對價格模式被觸發,但是不 能應用到實例,因爲實例尚未存在。實例作業,像是讀 取、寫入、和刪除,爲在外顯實例上進行的作業,像是刪 除價格模式,需要特定實例來刪除。 個別資產透過已知如moniker的名字來識別。Moniker爲 符合如被資產型態所定義預定格式的文數字字串。 Moniker天生可以是階層式,並且可以用固定的描述式來 足義。例如’型態URL的資產可以具有以下以做爲moniker: -12- >紙張尺度適用中國國家標準(CNS)A4規格(210 X 297公爱) 493122 A7 __—___B7 五、發明說明(10 ) /RhythmAuthor/Content/Pricing/CategoryList.jsp 上層資產將如下: /RhythmAuthor/Content/Pr icing 較週系統支援兩種認證模式:決策爲基礎(decisi〇n_based) 和賦名爲.基礎(entitlement-based)。兩個模1式間主要的〆異 爲被安全系統返還的資訊。於決策爲基礎的模式中,如圖 11所示,簡單是/否的回答被返還給用户端。決策爲基礎 認證可由下列順序所定義: ‘ 1 ·起始者90傳送需求到資源管理者92。需求包含資產、 在忒貝產上進行的作業、和起始者的首長(角色和領 域)〇 2 ·需求被位於資源管理者92内之存取強制功能94所攔 截。 3 ·存取強制功能94轉送需求資訊到存取決策功能96。 4 ·存取決策功能96提出對該需求是/否的判斷並且將此 決策返還給存取強制功能94。 5 ·存取強制功能94基於所提供的建議採取適當動作(例 如,允沣需求進行、重導、傳送錯誤訊息等)。僅於 起始者首長允許時,存取被允許到資產98。 經濟部智慧財產局員工消費合作社印製 (請先閱讀背面之注意事項寫本頁) 在賦名爲基礎的模式中,圖示於圖12,一組物件99被返 還、用户端。賦名爲基礎認證可由下列順序所定義: 1·起始者90傳送讀取需求到資源管理者92。此需求包含 查詢條件(query criteria)(如所有電腦週邊相關目綠)和 起始者之首長。 _— _13_ (CNS)A4 規格 χ 挪公爱) 493122 A7 B7 五、發明說明(11 ) 2 ·該需求被位於資源管理者92内之存取強制功能94所掏 截。 3 ·存取強制功能94轉送需求資訊到查詢修改功能1 〇〇。 閱 I 面 S $ 項 4·查詢修改功能1 〇 〇將安全相關標準加入需求並執行企 業查詢(business query)102。 5 .該查詢的結果被返還到存取強制功能94 ° 6 ·存取強制功能94採取適當動作(如將查詢結果返還終 起始者,重導,等)。 1 被返還的物件符合應用特定標準和某些安全特定標準。 查詢結果包含僅有該起始者有讀取存取權的物件,其可能 是那些被要球的子集合。 訂 較適具體實施例允許實作者定義新的資產型態。定義新 資產型態的步驟如下: 線 經濟部智慧財產局員工消費合作社印製 1 ·於SEC—ASSETJTYPE表格中產生一個新列(row)。對攔 NAME,DESCRIPTION,和FORMAT供應數値。後者必 須爲一個定義單一 moniker格式的有效固定描述式(即 被用來識別該資產的字串的命名格式)。此單獨 (uniqueness)的需求存在是因爲當對資產做一需求時, moniker被提供以做爲參數。爲了安全以將資產配合其 正確型態,moniker參數對每個命名格式來被比較。 只要正確配對出現,資產型態會被發現。例如, monikerMBLM:CM.Catalog.Catalog:[2FA4A958AA83 
11D498 5A00508BD626C1]"不能被錯認爲用於URL資產型態的 moniker,因爲其將不符合URL格式'’(/[A-Za-zO- -14- 本紙張尺度適用中國國家標準(CNS)A4規格(210 X 297公釐) A7 _______B7 _ 五、發明說明(12 ) 9/·—]+)([?] {〇,1} ·*),,〇 2 ·決定何種作業應該應用到新的資料型態。如果這些作 業未已存在於SEC_OPERATION表格中,進行並加入他 們。對襴NAME,DESCRIPTION,和 META—FLAG。 如果作業是實例層次,對最後欄位的,數値應該爲,,僞’, (false),如果作業是形而上層次,對最後攔位的數値 應該爲”眞n (true)。 3 .經由加入項到SEC—ASSET_OPERATION表格,將該作 業與新資產型態結合。此表格僅是一個鍵結表以便利 在資產型態和作業間多對多關係(many-to-many relationships) ° 上文描述宣述較適安全系統的機構和步驟。雖然所使用 的字眼相對地能自我解釋(self-explanatory),下列名單將 輔助熟悉本技藝人士了解該描述·· 存取決策功能(Access Decision Function,ADF):提出認證 決策(是/否)。ADF是安全系統的内部。 存取強制功能(Access Enforcement Function,AEF):反應認 ’證決策的過程。aef典型地控制工作流程並且可以是安全 系統的内部或外部。 經濟部智慧財產局員工消費合作社印製 存取賦名功能(Access Entitlement Function):執行查詢並 限制起始者.僅有具有讀取存取權那些物件的結果之過程。 主動首長集(Active Principal Set, APS):對一特別成員的 一群首長。APS在使用者被認證後動態地決定。 匿名使用者(Anonymous User):識別未被系統檢查的使用 -15- 本紙張尺度適用中國國家標準(CNS)A4規格(210 X 297公釐) 493122 Α7 Β7 五、發明說明(13 ) 者。匿名使用者被認爲不値得信賴。 貧產(Asset);可選做爲安全系統保護的資源。其爲眞正實 體檔案、應用軟體、物件、或資料集合。 資產型態(Asset Type):具有相似安全特徵的資源目錄。資 產型態與、一個或更多作業相結合,並且作.業與一個或更多 資產型態相結合)。 認證(Authentication):決定使用者識別的過程。認證確認 使用者是其所宣稱者,但是未說出任何關於在已註册資產 上進行的權力。 已認證使用者(Authenticated User):識別已被系統檢查過 的使用者。 授權(Authorization):確定使用者是否具有在已註册(被保 護)資產上進行作業的權力。授權可以在兩種模式發生·· 1·決策模式,起始者提出需求以進行在資產上的作業並 且是/否的回應已提出。 2·賦名模式,起始者提出讀取需求以進行在資產上的作 業,並且該資產過濾後的子集合被提供。過濾後的子 集合包含僅有那些起始者被允許讀取的資產。 經濟部智慧財產局員工消費合作社印製 !! · I I (請先閱讀背面之注意事項寫本頁) •線- 身分證明(Credential):使用者提供給系統以證明其識別的 項目。身分證明可以包含使用者知道(如密碼)或擁有(如數 位證明,digital certificate)的事物。 群組(Group): —組被命名具有類似特徵的成員。 起始者(Initiator):提出安全系統需求的用户端。起始者可 以是使用者或應用程式。 -16· 本紙張尺度適用中國國家標準(CNS)A4規格(21〇 χ 297公釐) 493122 A7I A7 ------ —__ R7 — _ One V. Description of the invention (9) ACL ownership and management is a mechanism for transferring authority between domains. In a one-way transfer of authority, the character's ability to diminish is further removed from the "home" domain (where the asset is created). This is because managers may not pretend to have more permissions than they have. 
At the most, role abilities will remain consistent across all areas, but in reality this is not possible. In the two-way transfer of authority, as shown in Figure 丨, the role's capabilities will change based on the assets in question, and the registered assets are the resources protected by the security system. Registered assets are classified according to their shell type, which determines how assets should be identified and what operations can be performed on them. One possible list of basic asset types includes a price group, a price template, a catalog, a category, a product group, and a URL. This name is useful for developing order systems or similar businesses. New asset types can be defined at the time of development, as described below. 0 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs. The definition of the poor production type is meta-level and instance-level. Metaphysical jobs are those that do not require instance operations. For example, a generation job can be triggered on a price model, but it cannot be applied to an instance because the instance does not yet exist. Instance jobs, such as read, write, and delete, are jobs performed on explicit instances, such as deleting price patterns, and require specific instances to delete. Individual assets are identified by names such as moniker. Moniker is an alphanumeric string that conforms to a predetermined format as defined by the asset type. Moniker can be hierarchical in nature, and can be defined by fixed descriptions. For example, the asset of the type URL can have the following as a moniker: -12- > Paper size applies Chinese National Standard (CNS) A4 specifications (210 X 297 public love) 493122 A7 ______B7 V. 
Description of the invention (10) /RhythmAuthor/Content/Pricing/CategoryList.jsp The upper-level asset will be as follows: / RhythmAuthor / Content / Pr icing The system supports two authentication modes: decision-based (decisi〇n_based) and entitlement-based. . The main difference between the two modes is the information returned by the security system. In the decision-based model, as shown in Fig. 11, a simple yes / no answer is returned to the client. Decision-based authentication can be defined by the following sequence: ‘1. The initiator 90 transmits a request to the resource manager 92. The requirements include assets, operations performed on the shellfish, and the head (role and field) of the initiator. 2 • The requirements are blocked by the access enforcement function 94 located in the resource manager 92. 3. The access force function 94 forwards the demand information to the access decision function 96. 4-The access decision function 96 makes a judgment as to whether the demand is yes / no and returns this decision to the access forcing function 94. 5 • Access Mandatory Function 94 Take appropriate action based on the suggestions provided (for example, allow demand to proceed, redirect, send error messages, etc.). Access is allowed to asset 98 only if the initiator's head permits. Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs (please read the notes on the back to write this page) In the mode named as basic, the picture is shown in Figure 12, and a set of objects 99 are returned to the client. Named basic authentication can be defined by the following sequence: 1. The initiator 90 transmits the read request to the resource manager 92. This requirement includes query criteria (such as all related greens around the computer) and the head of the initiator. _— _13_ (CNS) A4 Specifications χ Nogongai) 493122 A7 B7 V. 
Description of the Invention (11) 2 · The requirement is cut by the access force function 94 located in the resource manager 92. 3 · Access forcible function 94 forwards demand information to query modification function 1 00. See item I $ S 4 Query modification function 1 〇 Add security related standards to requirements and execute business query 102. 5. The result of this query is returned to the access forcing function 94 ° 6 · The access forcing function 94 takes appropriate action (such as returning the query result to the end initiator, redirect, etc.). 1 The returned item complies with application-specific standards and certain safety-specific standards. The query result contains only objects that have read access to the initiator, which may be a subset of the balls that were requested. Modifying a more specific embodiment allows the author to define a new asset type. The steps to define a new asset type are as follows: Online Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 1 · Generate a new row in the SEC-ASSETJTYPE table. Supply data for NAME, DESCRIPTION, and FORMAT. The latter must be a valid fixed description that defines a single moniker format (ie the naming format of the string used to identify the asset). This uniqueness requirement exists because moniker is provided as a parameter when a requirement is made on an asset. For security to match assets to their correct form, moniker parameters are compared for each named format. As long as the correct pairing appears, the asset type will be discovered. For example, monikerMBLM: CM.Catalog.Catalog: [2FA4A958AA83 11D498 5A00508BD626C1] " cannot be mistaken for moniker for URL asset type because it will not conform to the URL format '' (/ [A-Za-zO-- 14- This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) A7 _______B7 _ V. Description of the invention (12) 9 / · —] +) ([?] 
{〇, 1} · *) , 〇2 · Decide what kind of assignment should be applied to the new data type. If these jobs do not already exist in the SEC_OPERATION table, proceed and join them. Confront NAME, DESCRIPTION, and META-FLAG. If the assignment is at the instance level, for the last field, the number should be, pseudo ', (false). If the assignment is a metaphysical level, the number for the last block should be "眞 n (true). 3. Via Add an item to the SEC-ASSET_OPERATION table to combine the operation with the new asset type. This table is only a bond table to facilitate many-to-many relationships between asset types and operations ° Above Describe the mechanisms and procedures for declaring a more suitable security system. Although the words used are relatively self-explanatory, the following list will assist those skilled in the art to understand the description. Access Decision Function (Access Decision Function, ADF): Propose authentication decision (yes / no). ADF is internal to the security system. Access Enforcement Function (AEF): A process that reflects authentication decisions. Aef typically controls the workflow and can be a security system Internal or external. Printed by the Consumer Property Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs, the Access Entitlement Function: executes queries and restricts starters. There is a process of reading the results of those objects with access. Active Principal Set (APS): A group of heads of a particular member. APS is dynamically determined after the user is authenticated. Anonymous User ): Identifies use that has not been systematically checked. -15- This paper size applies Chinese National Standard (CNS) A4 (210 X 297 mm) 493122 Α7 Β7 5. Invention Description (13). Anonymous users are considered not to Trust. Assets; Assets that can be selected as security system protection. They are real physical files, application software, objects, or data collections. 
Asset Type: A category of resources with similar security characteristics. An asset type is associated with one or more operations, and an operation is associated with one or more asset types.
Authentication: The process of determining a user's identity. Authentication confirms that the user is who he claims to be, but says nothing about the rights to perform operations on registered assets.
Authenticated User: A user whose identity has been verified by the system.
Authorization: Determining whether a user has the right to perform an operation on a registered (protected) asset. Authorization can occur in two modes:
1. Decision mode: the initiator makes a request to perform an operation on an asset and receives a yes/no response.
2. Entitlement mode: the initiator makes a read request on assets and is given a filtered subset of the assets. The filtered subset contains only those assets the initiator is allowed to read.
Credential: An item supplied by the user to the system to prove identity. Credentials can include something the user knows (such as a password) or possesses (such as a digital certificate).
Group: A named collection of members with similar characteristics.
Initiator: A client that makes a request of the security system. The initiator can be a user or an application.

Member: An account associated with an authenticated user. A member is associated with exactly one person (from profile management), and a person is associated with zero or one member.
Operation: An action or procedure that can be performed on an asset. An operation is specific to only one asset type.
Policy: A set of rules describing various users' access to resources located within an application. A policy defines the principals that have the right to perform specific operations on one or more assets.
Principal: The name or identifier used by the system to make authorization decisions. Principals are an essential element of policy. A principal can be associated with zero or more members, and a member can be associated with zero or more principals. The association between principals and members is determined dynamically.
Principal Acquisition: The process by which one or more principals are bound together to form the active principal set. Principal acquisition occurs after authentication.
Principal Type: A category of principals with similar characteristics. Each principal must be unique among principals of the same type. The principal types are: role, company, entry.
Registered Asset: A logical representation of an actual system resource that is protected by the security system.
Authorization Request: A query made by the initiator to the security system, containing the asset, the operation, and the active principal set.
Role: An abstract representation of a user's function or capability.
User: A person or entity that interacts with the application.
User Registration: The process by which a user supplies information about himself and thereby may gain greater access to resources located within the application. The products of the user registration process are a person and a member (account).

The above system allows simple group management of the entire security system. Because authority can be transferred, various levels of administration can be passed down the line. For example, a single user can designate other administrators with various degrees of administrative authority, and the various administrative functions can be distributed among several administrators. Each administrator can delegate all or part of his administrative rights as desired.
In addition, because two-way transfer of privileges is allowed, administrators at the same level in different companies can cooperate to manage the combined system effectively. This allows administrators to grant privileges for those domains, or parts of domains, for which they are responsible or with which they are familiar. In this approach, a single superuser does not have to carry all of the ultimate security responsibility.

Because customers can define additional resource types, and additional types of security to be applied to them, this system is more flexible than most available security systems. When this is combined with the ability to treat separate domains together, and with individual security within a domain, a truly general and flexible security system is provided.

While the invention has been particularly shown and described with reference to a preferred embodiment, those skilled in the art will understand that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.
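The query-modification flow of steps 2 to 6 (entitlement mode), as an added example that is not code from the patent: an access enforcement function passes a business query to a query modification function, which adds a read-access criterion before the query runs. The table names, principal strings and sample rows are assumptions constructed for this illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data; table and column names are assumptions of this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE catalog_item (id INTEGER PRIMARY KEY, name TEXT, category TEXT);
        CREATE TABLE acl (asset_id INTEGER, principal TEXT, operation TEXT);
        INSERT INTO catalog_item VALUES (1,'bolt','hardware'), (2,'nut','hardware'),
                                        (3,'price list','internal'), (4,'washer','hardware');
        INSERT INTO acl VALUES (1,'role:buyer','read'), (2,'role:buyer','read'),
                               (2,'role:buyer','modify'), (3,'role:admin','read'),
                               (4,'company:acme','modify');
    """)
    return db

def modify_query(business_sql, business_params, active_principals):
    """Query modification: wrap the business query so only rows readable by the
    active principal set survive. The business query must expose the asset id as `id`."""
    principals = sorted(active_principals)
    if not principals:                       # anonymous or empty APS: fail closed
        return f"SELECT q.* FROM ({business_sql}) AS q WHERE 0", list(business_params)
    marks = ",".join("?" * len(principals))  # principals are bound, never spliced into SQL
    sql = (f"SELECT q.* FROM ({business_sql}) AS q WHERE EXISTS ("
           "SELECT 1 FROM acl WHERE acl.asset_id = q.id "
           f"AND acl.operation = 'read' AND acl.principal IN ({marks}))")
    return sql, list(business_params) + principals

def enforce(db, business_sql, business_params, active_principals):
    """Access enforcement: intercept the request, have it modified, run it, return rows."""
    sql, params = modify_query(business_sql, business_params, active_principals)
    return db.execute(sql + " ORDER BY q.id", params).fetchall()

# The application's own query; it knows nothing about security.
BUSINESS_QUERY = "SELECT id, name FROM catalog_item WHERE category = ?"
```

A principal holding only the modify privilege on an asset does not see it in the result, because the added criterion tests the read operation specifically.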

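The three asset-type definition steps from the description, sketched as added example code (not the patent's own): SEC_ASSET_TYPE, SEC_OPERATION and SEC_ASSET_OPERATION as SQLite tables, with the asset type found by comparing a moniker against each FORMAT. The column types, the `example` argument, the asset type names and both FORMAT patterns are assumptions constructed here.

```python
import re
import sqlite3

def new_registry():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SEC_ASSET_TYPE (NAME TEXT PRIMARY KEY, DESCRIPTION TEXT, FORMAT TEXT);
        CREATE TABLE SEC_OPERATION (NAME TEXT PRIMARY KEY, DESCRIPTION TEXT, META_FLAG TEXT);
        CREATE TABLE SEC_ASSET_OPERATION (ASSET_TYPE TEXT, OPERATION TEXT,
                                          PRIMARY KEY (ASSET_TYPE, OPERATION));
    """)
    return db

def define_asset_type(db, name, description, fmt, example, operations):
    """Steps 1-3. `example` is a sample moniker of the new type (an assumption of this
    sketch); `operations` maps operation name -> True for meta level, False for instance."""
    if not re.fullmatch(fmt, example):        # re.error is raised if FORMAT is not a valid regex
        raise ValueError("example moniker does not match its own FORMAT")
    for other, other_fmt in db.execute("SELECT NAME, FORMAT FROM SEC_ASSET_TYPE").fetchall():
        if re.fullmatch(other_fmt, example):  # spot check for overlap, not a disjointness proof
            raise ValueError(f"FORMAT overlaps existing asset type {other}")
    with db:                                  # all three steps commit or roll back together
        db.execute("INSERT INTO SEC_ASSET_TYPE VALUES (?,?,?)", (name, description, fmt))
        for op, meta in operations.items():
            db.execute("INSERT OR IGNORE INTO SEC_OPERATION VALUES (?,?,?)",
                       (op, op, "true" if meta else "false"))
            db.execute("INSERT INTO SEC_ASSET_OPERATION VALUES (?,?)", (name, op))

def resolve_asset_type(db, moniker):
    """Compare the moniker with every FORMAT; refuse to guess unless exactly one matches."""
    rows = db.execute("SELECT NAME, FORMAT FROM SEC_ASSET_TYPE").fetchall()
    hits = [name for name, fmt in rows if re.fullmatch(fmt, moniker)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} asset types match {moniker!r}")
    return hits[0]

def demo_registry():
    """Two constructed asset types; both FORMAT patterns are written for this example."""
    db = new_registry()
    define_asset_type(db, "URL", "web resource", r"/[A-Za-z0-9/._-]+([?].*)?",
                      "/catalog/list?page=2", {"read": False})
    define_asset_type(db, "BLM_OBJECT", "business object", r"BLM:[A-Za-z.]+:\[[0-9A-F]{32}\]",
                      "BLM:CM.Catalog.Catalog:[2FA4A958AA8311D4985A00508BD626C1]",
                      {"read": False, "modify": False, "create": True})
    return db
```

Full-string matching and the exactly-one-match rule are what make the uniqueness requirement enforceable: a moniker that fits no format, or more than one, is rejected instead of being assigned to the first type that happens to match.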
Claims (1)

VI. Scope of the patent application

1. A security system for a computer system, comprising:
a plurality of assets located within the computer system;
a plurality of members registered to use the computer system;
a plurality of roles defining user rights, each member having at least one role;
a plurality of access control lists corresponding to the assets, each access control list defining at least one privilege for accessing an asset according to member roles; and
at least one domain, each domain having a subset of the assets and the corresponding access control lists, and a subset of the members;
wherein a member is permitted access to a requested asset located within a domain when the member has a role corresponding to a privilege for the asset.
2. The system of claim 1, wherein the privileges for each asset include actions that can be performed on the asset, and wherein access is permitted when the access requested by a member includes performing an action from the access control list.
3. The system of claim 1, wherein the privileges include a read privilege.
4. The system of claim 1, wherein the privileges include a modify privilege.
5. The system of claim 1, wherein the privileges are limited.
6. The system of claim 1, wherein the system includes the domain.
7. A method of providing secure access to assets within a computer system, comprising the following steps:
when a user attempts to access an asset located within a domain, determining at least one role for the user;
comparing the rights corresponding to the roles assigned to the user with the list of privileges corresponding to the asset;
if the attempted access is permitted for a role assigned to the user, allowing the user to access the asset.
8. The method of claim 7, wherein the requested access is one of the types read, modify, or delete.
9. The method of claim 7, further comprising the following steps:
before the user attempts to access any asset, authenticating the user's identity and assigning at least one role to the user.
TW90105125A 2000-03-06 2001-03-28 Computer security system TW493122B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US18737500P 2000-03-06 2000-03-06

Publications (1)

Publication Number Publication Date
TW493122B true TW493122B (en) 2002-07-01

Family

ID=22688720

Family Applications (1)

Application Number Title Priority Date Filing Date
TW90105125A TW493122B (en) 2000-03-06 2001-03-28 Computer security system

Country Status (1)

Country Link
TW (1) TW493122B (en)

Similar Documents

Publication Publication Date Title
US7013485B2 (en) Computer security system
US7827598B2 (en) Grouped access control list actions
US8990896B2 (en) Extensible mechanism for securing objects using claims
US20040010591A1 (en) Employing wrapper profiles
JP2008524751A (en) Consumer Internet authentication service
JP5422753B1 (en) Policy management system, ID provider system, and policy evaluation apparatus
CN107204978B (en) A kind of access control method and device based on multi-tenant cloud environment
US20070033079A1 (en) Method and system for secured execution of an activity in a workflow process
CN101321064A (en) Information system access control method and apparatus based on digital certificate technique
US9912642B1 (en) Authorization path secured electronic storage system
US10650387B2 (en) User access to a registry of business entity definitions
US7013388B2 (en) Vault controller context manager and methods of operation for securely maintaining state information between successive browser connections in an electronic business system
CN111274569A (en) Research, development, operation and maintenance integrated system for unified login authentication and login authentication method thereof
CA3216881A1 (en) Trusted custody chain for verifiable claims
JP4805615B2 (en) Access control method
US7660770B2 (en) System and method for providing a secure contact management system
US8019992B2 (en) Method for granting user privileges in electronic commerce security domains
JP2010244272A (en) Method, system and program for managing individual attribute information
JP4723930B2 (en) Compound access authorization method and apparatus
TW493122B (en) Computer security system
Rech et al. A decentralized service-platform towards cross-domain entitlement handling
JP7332027B2 (en) USER INFORMATION MANAGEMENT SYSTEM, USER INFORMATION MANAGEMENT METHOD, USER AGENT AND PROGRAM
JP5150128B2 (en) Trace system, trace method, and computer program
Huawei Technologies Co., Ltd. Database Security Fundamentals
Ludwig et al. MIERA: Method for inter-enterprise role-based authorization

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees