Authentication and authorization across autonomous network systems
    1.
    Granted invention patent
    Authentication and authorization across autonomous network systems (in force)

    Publication number: US07185359B2

    Publication date: 2007-02-27

    Application number: US10029426

    Filing date: 2001-12-21

    IPC classification: G06F7/04 G06F17/30 H04L9/32

    CPC classification: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.

    Authentication and authorization across autonomous network systems
    2.
    Granted invention patent
    Authentication and authorization across autonomous network systems (in force)

    Publication number: US07617522B2

    Publication date: 2009-11-10

    Application number: US11379998

    Filing date: 2006-04-24

    IPC classification: G06F17/00 H04K1/00

    CPC classification: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.

    System and method for protecting domain data against unauthorized modification
    3.
    Granted invention patent
    System and method for protecting domain data against unauthorized modification (in force)

    Publication number: US07200869B1

    Publication date: 2007-04-03

    Application number: US09663811

    Filing date: 2000-09-15

    Abstract: Described is an invention for safeguarding against the modification of certain data associated with one domain of a distributed network by an entity (such as an administrator) within another domain of the distributed network while still allowing the entity to modify other data associated with the one domain. More particularly, security safeguards are applied by a directory replication service that operates to replicate the shared data to each domain in a domain "forest." Those security safeguards allow a user to indicate that certain modifications of specified shared data may only be made within the domain in which the shared data was created. In that way, a shared data namespace may still be implemented in which trust relationships exist so that, for example, an administrator in one domain may alter a configuration of another domain within the forest. However, certain data may be restricted by these safeguards such that certain modifications of that data (e.g., taking ownership of the data) may only be done from the domain which currently owns the data.

    Extensible security system and method for controlling access to objects in a computing environment
    4.
    Granted invention patent
    Extensible security system and method for controlling access to objects in a computing environment (in force)

    Publication number: US06412070B1

    Publication date: 2002-06-25

    Application number: US09157882

    Filing date: 1998-09-21

    IPC classification: G06F1214

    Abstract: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

    Per property access control mechanism
    5.
    Granted invention patent
    Per property access control mechanism (in force)

    Publication number: US06289458B1

    Publication date: 2001-09-11

    Application number: US09157771

    Filing date: 1998-09-21

    IPC classification: G96F1214

    CPC classification: G06F21/6281 G06F2221/2141

    Abstract: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.

    Object type specific access control
    6.
    Granted invention patent
    Object type specific access control (in force)

    Publication number: US06625603B1

    Publication date: 2003-09-23

    Application number: US09157768

    Filing date: 1998-09-21

    IPC classification: G06F1700

    Abstract: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.

    Enhanced computer intrusion detection methods and systems
    9.
    Granted invention patent
    Enhanced computer intrusion detection methods and systems (in force)

    Publication number: US07900257B2

    Publication date: 2011-03-01

    Application number: US12475883

    Filing date: 2009-06-01

    IPC classification: G06F11/00 G06F7/04 G06F12/14

    CPC classification: G06F21/31 G06F2221/2101

    Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.

    Selective cross-realm authentication
    10.
    Granted invention patent
    Selective cross-realm authentication (in force)

    Publication number: US07568218B2

    Publication date: 2009-07-28

    Application number: US10285175

    Filing date: 2002-10-31

    IPC classification: H04L9/32

    Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.
