Method and system for management of access information
Title: | Method and system for management of access information |
---|---|
Patent Number: | 7,440,962 |
Publication Date: | October 21, 2008 |
Appl. No: | 09/974085 |
Application Filed: | October 09, 2001 |
Abstract: | An improved method and system for centrally managing and accessing attribute information in a distributed computing system is disclosed. Applications set up application specific user attributes in a directory. When an application user connects to a server, the server automatically accesses the directory to identify the relevant user attributes for that application. These user attributes are retrieved and stored in the session context. Standard LDAP attributes can also be retrieved from the directory and stored in the session context. |
Inventors: | Wong, Daniel ManHung (South San Francisco, CA, US); Lewis, Nina (San Mateo, CA, US); Lei, Chon Hei (San Leandro, CA, US) |
Assignees: | Oracle International Corporation (Redwood Shores, CA, US) |
Claim: | 1. A method for managing attribute information, the method comprising: a) configuring an application-specific attribute in a directory, wherein the application-specific attribute is configured in the directory to be associated with an identity of an application, the application-specific attribute being an attribute corresponding specifically to the application; b) receiving an indication of authentication of an application user and upon receipt of the indication of the authentication of the application user, establishing a session for the application user; c) upon establishing the session, automatically retrieving the application-specific attribute from the directory based upon the identity of the application; and d) storing the application-specific attribute in a centrally initialized context of the session, wherein the application accesses the application-specific attribute in the session. |
Claim: | 2. The method of claim 1 in which the act of configuring the application-specific attribute in the directory comprises: configuring a subtree in the directory, the subtree comprising attribute information for the application-specific attribute. |
Claim: | 3. The method of claim 2 in which the subtree comprises a child subtree for a grouped set of application-specific attributes. |
Claim: | 4. The method of claim 3 in which the child subtree comprises a child node for the application-specific attribute. |
Claim: | 5. The method of claim 4 in which the child node corresponds to an attribute value node that corresponds to the application user. |
Claim: | 6. The method of claim 3 in which the child subtree is accessible only by a related database package. |
Claim: | 7. The method of claim 3 in which the child subtree corresponds to a namespace in the context. |
Claim: | 8. The method of claim 7 in which the namespace in the context comprises a variable corresponding to the application-specific attribute. |
Claim: | 9. The method of claim 2 in which the subtree is shared among a plurality of applications. |
Claim: | 10. The method of claim 1 in which the act of automatically retrieving the application-specific attribute from the directory based upon identity of the application is performed by a database server. |
Claim: | 11. The method of claim 1 in which the directory is an LDAP-compatible directory. |
Claim: | 12. The method of claim 1 further comprising: retrieving a standard directory user-attribute from the directory for the application user; and storing the standard directory user attribute in the context. |
Claim: | 13. A computer program product that includes a medium usable by a processor, the medium having stored thereon a sequence of instructions which, when executed by said processor, causes said processor to execute a process for managing user attribute information, the process comprising: a) configuring an application-specific attribute in a directory, wherein the application-specific attribute is configured in the directory to be associated with an identity of an application, the application-specific attribute being an attribute corresponding specifically to the application; b) receiving an indication of authentication of an application user and upon receipt of the indication of the authentication of the application user, establishing a session for the application user; c) upon establishing the session, automatically retrieving the application-specific attribute from the directory based upon the identity of the application; and d) storing the application-specific attribute in a centrally initialized context of the session, wherein the application accesses the application-specific attribute in the session. |
Claim: | 14. The computer program product of claim 13 in which the act of configuring the application-specific attribute in the directory comprises: configuring a subtree in the directory, the subtree comprising attribute information for the application-specific attribute. |
Claim: | 15. The computer program product of claim 14 in which the subtree comprises a child subtree for a grouped set of application-specific attributes. |
Claim: | 16. The computer program product of claim 15 in which the child subtree comprises a child node for the application-specific attribute. |
Claim: | 17. The computer program product of claim 16 in which the child node corresponds to an attribute value node that corresponds to the application user. |
Claim: | 18. The computer program product of claim 15 in which the child subtree is accessible only by a related database package. |
Claim: | 19. The computer program product of claim 15 in which the child subtree corresponds to a namespace in the context. |
Claim: | 20. The computer program product of claim 19 in which the namespace in the context comprises a variable corresponding to the application-specific attribute. |
Claim: | 21. The computer program product of claim 14 in which the subtree is shared among a plurality of applications. |
Claim: | 22. The computer program product of claim 13 in which the act of automatically retrieving the application-specific attribute from the directory based upon identity of the application is performed by a database server. |
Claim: | 23. The computer program product of claim 13 in which the directory is an LDAP-compatible directory. |
Claim: | 24. The computer program product of claim 13 further comprising: retrieving a standard directory user attribute from the directory for the application user; and storing the standard directory user attribute in the context. |
Claim: | 25. A system for managing user attribute information, comprising: a) means for configuring an application-specific attribute in a directory, wherein the application-specific attribute is configured in the directory to be associated with an identity of an application, the application-specific attribute being an attribute corresponding specifically to the application; b) means for receiving an indication of authentication of an application user and upon receipt of the indication of the authentication of the application user, means for establishing a session for the application user; c) upon establishing the session, means for automatically retrieving the application-specific attribute from the directory based upon the identity of the application; and d) means for storing the application-specific attribute in a centrally initialized context of the session, wherein the application accesses the application-specific attribute in the session. |
Claim: | 26. The system of claim 25 in which the means for configuring the application-specific attribute in the directory comprises: means for configuring a subtree in the directory, the subtree comprising attribute information for the application-specific attribute. |
Claim: | 27. The system of claim 26 in which the subtree comprises a child subtree for a grouped set of application-specific attributes. |
Claim: | 28. The system of claim 27 in which the subtree comprises a child node for the application-specific attribute. |
Claim: | 29. The system of claim 28 in which the child node corresponds to an attribute value node that corresponds to the application user. |
Claim: | 30. The system of claim 27 in which the child subtree is accessible only by a related database package. |
Claim: | 31. The system of claim 27 in which the child subtree corresponds to a namespace in the context. |
Claim: | 32. The system of claim 31 in which the namespace in the context comprises a variable corresponding to the application-specific attribute. |
Claim: | 33. The system of claim 26 in which the subtree is shared among a plurality of applications. |
Claim: | 34. The system of claim 25 in which the means for automatically retrieving the application-specific user attribute from the directory based upon identity of the application is performed by database server means. |
Claim: | 35. The system of claim 25 in which the directory is an LDAP-compatible directory. |
Claim: | 36. The system of claim 25 further comprising: means for retrieving a standard directory user attribute from the directory for the application user; and means for storing the standard directory user attribute in the context. |
Claim: | 37. The method of claim 1, wherein the stored application-specific attribute is available to the application while the session is open. |
Claim: | 38. The method of claim 1, wherein neither the application nor the application user access the application-specific attribute in the directory. |
Claim: | 39. The method of claim 1, wherein the application accesses the application-specific attribute from the session context. |
Claim: | 40. The method of claim 39, wherein the application accesses the application-specific attribute without using LDAP. |
Claim: | 41. The computer program product of claim 13, wherein the stored application-specific attribute is available to the application while the session is open. |
Claim: | 42. The computer program product of claim 13, wherein neither the application nor the application user access the application-specific attribute in the directory. |
Claim: | 43. The computer program product of claim 13, wherein the application accesses the application-specific attribute from the session context. |
Claim: | 44. The method of claim 43, wherein the application accesses the application-specific attribute without using LDAP. |
Claim: | 45. The system of claim 25, wherein the stored application-specific attribute is available to the application while the session is open. |
Claim: | 46. The system of claim 25, wherein neither the application nor the application user access the application-specific attribute in the directory. |
Claim: | 47. The system of claim 25, wherein the application accesses the application-specific attribute from the session context. |
Claim: | 48. The method of claim 47, wherein the application accesses the application-specific attribute without using LDAP. |
Claim: | 49. The method of claim 4 in which the child node corresponds to an attribute value node that corresponds to the application. |
Claim: | 50. The computer program product of claim 16 in which the child node corresponds to an attribute value node that corresponds to the application. |
Claim: | 51. The system of claim 28 in which the child node corresponds to an attribute value node that corresponds to the application. |
Current U.S. Class: | 707/102 |
Patent References Cited: | 5450581 September 1995 Bergen et al.; 5684951 November 1997 Goldman et al.; 5708812 January 1998 Van Dyke et al.; 5768519 June 1998 Swift et al.; 5884316 March 1999 Bernstein et al.; 5899987 May 1999 Yarom; 6119230 September 2000 Carter; 6145086 November 2000 Bellemore et al.; 6158010 December 2000 Moriconi et al.; 6178511 January 2001 Cohen et al.; 6192130 February 2001 Otway; 6240512 May 2001 Fang et al.; 6243816 June 2001 Fang et al.; 6253216 June 2001 Sutcliffe et al.; 6275944 August 2001 Kao et al.; 6289462 September 2001 McNabb et al.; 6321259 November 2001 Ouellette et al.; 6339423 January 2002 Sampson et al.; 6377950 April 2002 Peters et al.; 6385724 May 2002 Beckman et al.; 6490591 December 2002 Denbar et al.; 6507817 January 2003 Wolfe et al.; 6535879 March 2003 Behera; 6556995 April 2003 Child et al.; 6651168 November 2003 Kao et al.; 6678682 January 2004 Jenkins et al.; 6768988 July 2004 Boreham et al.; 2002/0007346 January 2002 Qiu et al.; 2002/0026592 February 2002 Gavrila et al.; 2002/0069223 June 2002 Goodisman et al.; 2002/0078004 June 2002 Ambrosini et al.; 2002/0082818 June 2002 Ferguson et al.; 2002/0083073 June 2002 Vaidya et al.; 2003/0195888 October 2003 Croft et al. |
Other References: | How to use ADSI to set LDAP Directory Attributes, Microsoft 2000 Standard Edition (cited by examiner); Configuring LDAP, the Apache Software Foundation, 2003-2006 (cited by examiner); Oracle8 Server Concepts, "Privileges and Roles", Release 8.0, vol. 2, Jun. 1997, pp. 25-1 through 25-15 (cited by other); Bertino, Elisa, et al., "Controlled Access and Dissemination of XML Documents," Proceedings of the second international workshop on Web information and data management (Nov. 1999), pp. 22-27 (cited by other); Bertino, Elisa, et al., "On Specifying Security Policies for Web Documents with an XML-based Language," Proceedings of the sixth ACM symposium on Access control models and technologies (May 2001), pp. 57-65 (cited by other); Bonczek, Robert H., et al., "A Transformational Grammar-Based Query Processor for Access Control in a Planning System," ACM Transactions on Database Systems (Dec. 1977), pp. 326-338, vol. 2, No. 4 (cited by other); Castano, Silvana, et al., "A New Approach to Security System Development," Proceedings of the 1994 workshop on New security paradigms (Aug. 1994), pp. 82-88 (cited by other); Gladney, H.M., "Access Control for Large Collections," ACM Transactions on Information Systems (Apr. 1997), pp. 154-194, vol. 15, No. 2 (cited by other); Hsiao, David K., "A Software Engineering Experience In The Management, Design and Implementation of a Data Secure System," Proceedings of the 2nd international conference on Software engineering (Oct. 1976), pp. 532-538 (cited by other); Myers, Andrew C., et al., "Protecting Privacy Using the Decentralized Label Model," ACM Transactions on Software Engineering and Methodology (Oct. 2000), pp. 410-442, vol. 9, No. 4 (cited by other); Sandhu, Ravinderpal Singh, "The Schematic Protection Model: Its Definition and Analysis for Acyclic Attenuating Schemes," Journal of the Association for Computing Machinery (Apr. 1988), pp. 404-432, vol. 35, No. 2 (cited by other); Sion, Radu, et al., "Rights Protection for Relational Data," Proceedings of the 2003 ACM SIGMOD international conference on Management of data (Jun. 2003), pp. 98-109 (cited by other); Wedde, Horst F., et al., "Role-Based Access Control in Ambient and Remote Space," Proceedings of the ninth ACM symposium on Access control models and technologies (Jun. 2004), pp. 21-30 (cited by other) |
Primary Examiner: | Al-Hashemi, Sana |
Attorney, Agent or Firm: | Vista IP Law Group LLP |
Accession Number: | edspgr.07440962 |
Database: | USPTO Patent Grants |
Language: | English |