
US20110214165A1 - Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data - Google Patents


Info

Publication number: US20110214165A1
Authority: US (United States)
Application number: US13/034,323
Inventors: David Kerr Jeffreys, Robert Brian Hess
Original assignee: SAS Institute Inc
Current assignee: SAS Institute Inc
Application filed by: SAS Institute Inc (priority to US13/034,323)
Legal status: Abandoned
Prior art keywords: server, application, external, connection, credentials

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2471 Distributed queries

Definitions

  • Upon receiving the request for data, the connection server 204 provides a credential request to the authentication server 206.
  • The credential request includes an identification of the external data source (e.g., data store 208) or external server process to be accessed and an account identifier associated with the application 202 or a user of the application 202.
  • The authentication server 206 may verify the account or user credentials and may search an identity map for a set of credentials associated with both the account identifier and the external data source (e.g., data store 208) or external server process.
  • An identity map may be administered according to certain identity map rules. For example, a shared login owner may have full control over the identity map's contents, including identifying the users or groups who may consume the identity or manage the shared login. The users and groups identified in the manager list may read the identity from the shared login and modify the consumer memberships, but may only modify the consumer memberships. This permits the identity map owner to delegate management of application users as identity map consumers. The users and groups identified in the consumer list are used to confirm the authenticated user's membership, allowing an identity map manager to extract credentials on their behalf.
  • The domain name is a search criterion used to locate an identity map for an authenticated consumer.
  • A group name is an optional search criterion used to locate an identity map for an authenticated consumer.
  • FIGS. 10A, 10B, and 10C depict example systems for use in implementing an authentication manager.
  • FIG. 10A depicts an exemplary system 1000 that includes a stand-alone computer architecture where a processing system 1002 (e.g., one or more computer processors) includes an authentication manager 1004 being executed on it.
  • The processing system 1002 has access to a computer-readable memory 1006 in addition to one or more data stores 1008.
  • The one or more data stores 1008 may include an identity map 1010 as well as user/group mappings 1012.
  • The hardware may also include data input devices, such as a keyboard 1072, or other input device 1074, such as a microphone, remote control, pointer, mouse and/or joystick.
  • A module or processor includes but is not limited to a unit of code that performs a software operation, and can be implemented for example as a subroutine unit of code, or as a software function unit of code, or as an object (as in an object-oriented paradigm), or as an applet, or in a computer script language, or as another type of computer code.
  • The software components and/or functionality may be located on a single computer or distributed across multiple computers depending upon the situation at hand.


Abstract

Systems and methods are provided for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map. A credential request is received at the authentication server from the connection server. The credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application. The identity map is searched for a set of credentials associated with both the account identifier and the external data source or external server process. The set of credentials is transmitted from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, where the connection is established without transmitting the set of credentials to the application.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

  • This application claims priority to U.S. Provisional Patent Application No. 61/308,635, filed Feb. 26, 2010, entitled “Processor Implemented Systems and Methods for Using the Catalog Part of a SQL Identifier to Expose/Access Heterogeneous Data,” the entirety of which is herein incorporated by reference.

FIELD

  • The technology described herein relates generally to database access and more particularly to the use of identity maps in conjunction with an authentication server to provide restricted access to server data.

BACKGROUND

  • Applications can require access to data stored in secured database servers (e.g., DBMS servers). Such access may be used to produce reports or execute other tasks. Authorization enforcement strategies may be employed to properly secure the data in the database server on a per user basis to grant different privileges to different users.

SUMMARY

  • Systems and methods are provided for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map. A credential request may be received at the authentication server from the connection server, where the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application. The identity map may be searched for a set of credentials associated with both the account identifier and the external data source or external server process. The set of credentials may be transmitted from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, where the connection is for providing the application access to the external data source or external server process and where the connection is established without transmitting the set of credentials to the application.
  • As another example, a system for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map may include one or more data processors and a computer readable memory encoded with instructions for commanding the one or more data processors to execute a method. In the method, a credential request may be received at the authentication server from the connection server, where the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application. The identity map may be searched for a set of credentials associated with both the account identifier and the external data source or external server process. The set of credentials may be transmitted from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, where the connection is for providing the application access to the external data source or external server process and where the connection is established without transmitting the set of credentials to the application.
  • As a further example, a computer-readable memory may be encoded with instructions for commanding one or more data processors to execute a method for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map. In the method, a credential request may be received at the authentication server from the connection server, where the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application. The identity map may be searched for a set of credentials associated with both the account identifier and the external data source or external server process. The set of credentials may be transmitted from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, where the connection is for providing the application access to the external data source or external server process and where the connection is established without transmitting the set of credentials to the application.

BRIEF DESCRIPTION OF THE DRAWINGS

  • FIGS. 1A and 1B depict example authorization enforcement strategies.
  • FIG. 2 is a block diagram depicting an example configuration where a connection server and an authentication server manage access to data.
  • FIG. 3 is a block diagram depicting verification of user credentials at a connection server.
  • FIG. 4 is a block diagram depicting example communications among a connection server, a database server, and a data store.
  • FIG. 5 is a block diagram depicting additional example communications among a connection server, a database server, and a data store.
  • FIG. 6 is a block diagram further depicting communications between a connection server and an authentication server.
  • FIG. 7 depicts contents of an example identity map.
  • FIG. 8 depicts contents of another example identity map.
  • FIG. 9 is an object type diagram of an example identity map and its components.
  • FIGS. 10A, 10B, and 10C depict example systems for use in implementing an authentication manager.

DETAILED DESCRIPTION

  • FIG. 1A depicts an example authorization enforcement strategy. In FIG. 1A, an application 102 with which a user or other program interfaces enforces the data security policies. The application 102 verifies a user's credentials locally, such as by verifying a user's username and password. Once the application 102 verifies the credentials, the application 102 accesses a database server 104 which accesses the desired data in one or more data stores 106. This configuration may be suboptimal because the security policies are not centralized. Security policies are enforced at individual applications, which may exist on many different physical computers. Such a configuration may be a security risk and may be difficult to administer.
  • FIG. 1B depicts a second example authorization strategy. In FIG. 1B, an application 152 interfaces with a database server 154, where the database server enforces data security policies using individual user accounts. The application 152 may receive user credentials and forward those credentials to the database server 154. The database server 154 may verify the credentials of the user, and upon verification, the database server 154 may permit access to the one or more data stores 156. This configuration may be suboptimal because the security policies are not centralized. Several database servers (e.g., database server 154) may contain data desired by the application 152 or other applications. Such a configuration may be a security risk or may be difficult to administer.
  • Presented herein are general features of identity maps along with usage scenarios starting at the end-user application. Identity maps provide the bridge between first and second tier authentication for a primary server, such as a DataFlux Federation Server (DFS), to seamlessly connect to and communicate with secondary servers, such as external database servers configured within DFS. The primary authentication tier is from the client to the primary server, and the secondary one is from the primary server process to one or more secondary servers, typically preconfigured in primary server metadata.
  • The credentials used to authenticate to the secondary servers may be hidden from the identity authenticated in primary tier. This security feature incorporated in the identity map design prevents the primary tier user from directly acquiring the secondary tier credentials (e.g., a user id and password tuple) thereby forcing access to the secondary server through the primary one. This is accomplished by a common authentication server which helps to centralize authentication administration and runtime services for applications involving distributed resources across multiple tiered servers.
  • Tiered authentication provides the basis for tiered authorization enforcement whereby the primary tier enforces privileges on primary server operations for the primary server users and the secondary tier enforces privileges on secondary server operations for the secondary server user. In the case of DFS, the secondary servers are the backend database servers, and both DFS and the database servers perform authorization enforcement for their users. Identity maps provide a secure way to map each primary server user identity to multiple secondary server identities where this enforcement can take place in a manageable, predictable way.
  • Identity maps can be employed by any n-level multi-tiered authentication scheme to hop from one server to the next without multiple prompts and without regard to server type, so long as the credentials required to authenticate in tier n+1 are available to the server process, and not to the connecting client, in tier n for each tier.
  • FIG. 2 is a block diagram depicting an example configuration where a connection server and an authentication server manage access to data. A user or other application interfaces with a first application 202. For example, a user may interact with the application 202 to generate a report. A user may provide user credentials that entitle that user to access the data needed for the desired report. The application 202 passes the user credentials and the data request to a connection server 204.
  • Either the application 202 or the connection server 204 may perform an initial verification of the received user credentials. If the connection between the connection server 204 and the authentication server 206 is a trusted connection, then the authentication server 206 may rely on a connection server's verification of the user credentials, and the authentication server 206 may not perform an independent verification. If the connection is not a trusted connection, then the authentication server 206 may receive and verify the user credentials.
  • The connection server 204 and the authentication server 206 interact to provide credentials for the connection server to establish a connection to the external data source (e.g., data store 208) based on the verified identity of the user. For example, an initial connection may be established between the connection server and the authentication server. This initial connection may be established using credentials of an identity map manager of one or more identity maps. This connection may be persisted through multiple client credential requests.
  • Upon receiving the request for data, the connection server 204 provides a credential request to the authentication server 206. The credential request includes an identification of the external data source (e.g., data store 208) or external server process to be accessed and an account identifier associated with the application 202 or a user of the application 202. The authentication server 206 may verify the account or user credentials and may search an identity map for a set of credentials associated with both the account identifier and the external data source (e.g., data store 208) or external server process. The authentication server 206 may transmit a retrieved set of credentials to the connection server 204 for the connection server to establish a connection to the external data source (e.g., data store 208) or external server process, such as via database server 210. The connection server may also access the data store 208 directly. In this manner, the connection between the application and the external data source (e.g., data store 208) or external server process can be established without transmitting the set of credentials to the application.
  • Verification of the credentials provided by a user may occur at a number of stages. FIG. 3 is a block diagram depicting verification of user credentials at a connection server. A user 302 provides his username 304 and password 306 to an application 308. The application 308 may verify the credentials, or the application 308 may forward the username 304 and password 306 to the connection server 310 for verification. Upon verification of the username 304 and password 306 at the connection server 310, the user 302 may subsequently be referenced by a user identifier.
  • FIG. 4 is a block diagram depicting example communications among a connection server, a database server, and a data store. A connection server 402 provides a user identifier and a database identifier 404, identifying the database(s) the user wishes to access, to an authentication server 406. The authentication server 406 accesses credentials 408 for the user to access the database(s) identified in the message 404 from the connection server and provides the credentials 408 to the connection server 402. The connection server 402 provides the credentials 408 to the database server 410 along with a query 412 for the desired data from one or more data stores 414. If the credentials 408 provided to the database server 410 are valid, then the database server 410 accesses the desired data from the one or more data stores 414 and provides that desired data 416 to the connection server for subsequent sending to a user or user application.
  • FIG. 5 is a block diagram depicting additional example communications among a connection server, a database server, and a data store. A single user may be associated with multiple sets of credentials. All of the user's credentials stored in the authentication server 502 may be associated with a credentials handle 504. Using a credentials handle 504 may enable a connection server 506 to quickly request credentials 508 for a user by referencing the credentials handle 504. Upon an initial access request, the connection server 506 may provide a username and password 510 to the authentication server 502 for the owner of the database credentials. The authentication server 502 may verify the username and password and provide the credentials handle 504 upon verification. The connection server 506 may then request individual credentials 508 for data store 514 accesses using credentials requests 512 by referencing the data store 514 to be accessed and the credentials handle 504. Credentials requests 512 may include other data including user domains, user groups, etc.
  • The connection server 506 provides the credentials 508 to the database server along with a query 516 for the desired data from one or more data stores 514. If the credentials 508 provided to the database server 518 are valid, then the database server 518 accesses the desired data from the one or more data stores 514 and provides that desired data 520 to the connection server for subsequent sending to a user or user application.
  • FIG. 6 is a block diagram further depicting communications between a connection server and an authentication server. A connection server 602 provides a user identifier and a database to access identifier 604 to the authentication server 606. The authentication server 606 may utilize an identity map 608 to identify the proper credentials 610 to return to the connection server 602.
  • An identity map 608 may be administered by an authentication server administrator 612. Certain of the configurations described herein may be advantageous because those implementations offer centralized maintenance of credentials. The authentication server administrator 612 can add, delete, or update any data store access credentials at a single location. Such centralized administration offers numerous security advantages, including fast response to business reality changes (e.g., disabling data store access for terminated employees) and avoiding the stale credentials that may occur when credential settings are spread across multiple physical locations and applications. Centralized credential maintenance also offers significant efficiency gains for the authentication server administrator 612. For example, credentials may be assigned to groups of users as opposed to individual users, as discussed herein below. In such a case, an authentication server administrator may greatly limit the number of credentials that are to be tracked. An authentication server may centrally hold identity maps for many connection servers. For example, a collection key may associate the identity map to the connection server.
  • The centralized access provided by an authentication server offers a number of other advantages as well. For example, a user may never have access to the raw credentials required to access one of the data stores. Such a system prohibits unauthorized sharing of those credentials and offers easy changing or disabling of such credentials should their security be breached. The centralized authentication server also offers improved usability for users and applications because users and applications need only track one set of individual credentials (e.g., a username and password) for access to multiple data stores. The specific credentials necessary for any specific data store access are tracked by the authentication server and not the user.
  • An identity map (principal map) may include a number of features. Example features include:
      • Ownership: An identity map may have one owner, a user (identity) previously defined in an authentication server (AS). Owners may delegate consumption to managers.
      • Delegation of management: A complete identity map has at least one manager, designated by either the user owner or an AS administrator and optionally additional user and group managers. Managers may add or remove consumers and may extract the identity map's outbound identity and password on behalf of any of its consumers.
      • Delegation of consumption: A complete identity map has at least one consumer, designated by either the owner or an AS administrator. Consumers may access secondary server resources (available to the outbound identity).
      • Primary server association: An identity map is associated with a primary server or a collaboration of primary servers by a collection key. The collection key groups all identity maps that are used by a particular primary server to authenticate to its secondary servers.
      • Secondary server association: An identity map is associated with exactly one secondary server by a domain name. The domain may correspond to a real domain controller, but always uniquely identifies an instance of a secondary server to a primary server.
      • Application context: In AS, users and groups may be scoped to a particular “application” group through ordinary group membership. Membership in a particular application group may be specified as a selection criterion when extracting outbound credentials for an identity map consumer. An identity may be a consumer of multiple maps, directly or indirectly, through membership in multiple application groups. An application group name may be specified at extract time by the owning application as a means of indirectly selecting the outbound credentials associated with a particular secondary server.
  • FIG. 7 depicts contents of an example identity map. The example identity map 702 includes a table having columns corresponding to a user identifier 704, a data source identifier 706, and data store access credentials 708. Upon receipt of a credentials request, an authentication server may search the identity map for a record that contains the user identifier and the data source identifier contained in the credentials request. The authentication server may then return the data source access credentials that correspond with the located record, if such a record is located.
  • FIG. 8 depicts contents of another example identity map. In the example of FIG. 8, the credentials are organized based on a group association of an accessing user. The identity map includes columns corresponding to a user group identifier 804, a data source identifier 806, and data source access credentials 808. Upon receipt of a credentials request, an authentication server may first identify one or more groups with which the requesting user is associated. The group lookup may also be performed by other entities, where the credentials request received by the authentication server may identify one or more user groups. The authentication server performs a search of the identity map to identify one or more records that include the group identifier and the received data source identifier. The authentication server may then output the data source access credentials associated with those records. For example, a single user may assume multiple identities to the same resource.
  • FIG. 9 is an object type diagram of an example identity map and its components. The diagram depicts various features described herein. Example association ends are labeled with their cardinalities. In FIG. 9, type names are in bold, attribute names are in normal typeface, and object attributes are italicized. The cardinalities shown on the Managers and Consumers associations are those of a “complete” identity map. The actual cardinality is 0…n for those associations. However, an identity map normally would not be without managers or consumers except in a temporary state while under construction or out of service. Not shown is an ID attribute that may be common to both Identity and Group objects. The ID uniquely identifies an instance of an object within AS and may be used to locate it.
  • This written description uses examples to disclose the invention, including the best mode, and also to enable a person skilled in the art to make and use the invention. The patentable scope of the invention may include other examples. For example, in one example configuration topology, a system may include an application with connection information such as host and port to connect to a connection server. A system may further include an application that is responsible for retrieving credentials from its users, and passing them to the connection server. A system may further include a connection server with connection information such as host and port to connect to an authentication server. The connection server is configured with one or more credentials (e.g., user names/passwords) for connection to the authentication server for use in retrieving credentials from an identity map. These credentials are identified as the manager or owner of all identity maps to be considered when searching for credentials to external data sources or external server processes.
  • The connection server is configured with a collection key, which is passed on to the authentication server to scope qualifying identity maps. The connection server is a secured server. Any server metadata stores are locked down to the connection server process user and possibly other users operating in administrative roles. Server configuration may be stored in memory or persisted in a metadata store.
  • Connection servers are configured with connection information to connect to external data sources and/or external server processes. Connection metadata may include a consumer group to uniquely identify an identity map login when multiple identity maps are available to any application user. The connection server may additionally implement authorization mechanisms to grant/deny authenticated users specific actions through the server.
  • A system may also include an authentication server which has the ability to authenticate (verify) user names/passwords. Additionally, the authentication server is configured with users (identities), groups/group membership, authenticating logins (inbound), and logins to external data sources and servers (outbound). These logins to external resources may be owned by a user, or an identity map. If an identity map, each map will have (in addition to the login) a map owner, map consumers (users or groups who are given permission to use the login), map managers (users or groups who may read the login in the identity map and optionally modify the map consumer list), and a collection key map attribute that identifies map availability to connection servers. The authentication server is a secured server. Any server metadata stores are locked down to the authentication server process user and possibly other users operating in administrative roles (AS administrators). Server configuration may be stored in memory or persisted in a metadata store.
  • Following is a description of an example system and process flow for a use of identity maps (e.g., an identity map) to provide restricted access to a backend server. The SAS DataFlux Authentication server implements an identity map to give business application users secure yet granular access to backend databases while limiting the administrative burden associated with managing associated DBMS accounts and SQL authorizations. The identity map object is a flexible user identity mechanism that maps a user identity authenticated in one domain to a user identity authenticated in another domain.
  • An identity map may be implemented as an identity map object. This object may consist of the following:
  • 1. An association to a single named authentication domain object. The domain object has attributes that describe how identities in the specified domain are formed when extracted from an identity map, as either “userid” or “domain\userid” or “userid@domain”.
  • 2. A user identifier (userid) in the authentication domain.
  • 3. A password to be paired with the identity and used to authenticate to another server in the authentication domain.
  • 4. A consumer list. This list identifies the users and groups who may use the identity to authenticate to another server. Consumers cannot read the identity or password.
  • 5. A manager list. This identifies the users and groups who may read the identity and password.
  • 6. An owner. This identifies the user who may modify the contents of the identity map.
  • A system may further include an identity mapping authentication server. This server is responsible for authenticating users and persisting and managing domain objects, group objects, user objects and identity map objects. The DataFlux Authentication Server is an example of such a server.
  • A system may also include a secured process server that is responsible for providing application functionality. Such a server could have many different functions, depending on the application. It may be responsible for implementing identity maps. It may also authenticate users through the authentication server and leverage identity maps to extract credentials for authentication in peer servers. An example of this server is the DataFlux Federation Server, which provides secured data access to application users.
  • The following is an example process flow. An application may require access to a secured server for data or process execution. The application requires that the user enter credentials. The application sends the credentials to the Secured Process Server (SPS). This server uses the authentication server to authenticate the user. If the user is authenticated, the SPS can perform work as directed by the user and perform appropriate authorization enforcement based on the authenticated user identity. If the user requests services that are delegated through secure backend or peer servers, the SPS authenticates to those servers on behalf of the user by obtaining mapped credentials from identity maps.
  • The SPS uses a connection to the authentication server made by a manager of all identity maps needed to map the SPS users into user identities in its backend or peer servers. Backend or peer servers are associated in the SPS with one or more domain names, which are subsequently used to search candidate identity maps for the user. The remaining filtering is done by confirming the user's membership in the consumer list and optionally requiring membership in a particular group in the identity map's consumer list. Credentials are extracted from matching maps and passed through to the backend or peer servers for authentication and access to the delegated services.
  • An identity map may be administered according to certain identity map rules. For example, a shared login owner has full control over the identity map's contents, including identifying the users or groups who may consume the identity or manage the shared login. The users and groups identified in the manager list may read the identity from the shared login and modify the consumer memberships, but may not change anything else. This permits the identity map owner to delegate management of application users as identity map consumers. The users and groups identified in the consumer list are used to confirm the authenticated user's membership, allowing an identity map manager to extract credentials on the user's behalf. The domain name is a search criterion used to locate an identity map for an authenticated consumer, and a group name is an optional search criterion that further narrows that search.
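  • The rules above amount to three tiers of privilege over one secret. The following added example, written for this page and not taken from DataFlux, models them as an object whose methods refuse anything outside the caller's tier; the class and method names, and the users and groups in demo(), are assumptions. Group membership is passed in already resolved, as the authentication server would supply it.

```python
# Added illustration for this page, not DataFlux code: an identity map object
# that enforces the owner / manager / consumer rules just described.  Class
# and method names, and the scenario in demo(), are constructed for the example.
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """The caller lacks the role the operation requires."""


@dataclass(frozen=True)
class Caller:
    """An authenticated user plus the groups the authentication server has
    resolved for it (direct and indirect membership)."""
    user: str
    groups: frozenset = frozenset()

    def listed_in(self, principals) -> bool:
        """True if the caller appears by name or through any listed group."""
        return self.user in principals or bool(self.groups & set(principals))


@dataclass
class IdentityMap:
    domain: str                                    # authentication domain of the login
    userid: str                                    # outbound identity in that domain
    owner: str                                     # the one user with full control
    managers: set = field(default_factory=set)     # may read the login, edit consumers
    consumers: set = field(default_factory=set)    # may use the login, never read it
    collection_key: str = ""                       # advertises the map to a server
    password: str = field(default="", repr=False)  # kept out of repr() and logs

    def _is_manager(self, caller) -> bool:
        return caller.user == self.owner or caller.listed_in(self.managers)

    def read_credentials(self, caller) -> tuple:
        """Owner and managers may read (userid, password); consumers may not."""
        if not self._is_manager(caller):
            raise AccessDenied(f"{caller.user} may not read {self.domain}/{self.userid}")
        return self.userid, self.password

    def may_consume(self, caller) -> bool:
        """Whether the login may be extracted *on behalf of* this caller."""
        return caller.listed_in(self.consumers)

    def set_consumers(self, caller, consumers) -> None:
        """The single edit delegated to managers: the consumer list."""
        if not self._is_manager(caller):
            raise AccessDenied(f"{caller.user} may not edit consumers")
        self.consumers = set(consumers)

    def update(self, caller, **changes) -> None:
        """Login, password, managers and collection key are owner-only."""
        if caller.user != self.owner:
            raise AccessDenied(f"{caller.user} is not the owner")
        for name, value in changes.items():
            if name not in {"domain", "userid", "password", "managers",
                            "consumers", "collection_key"}:
                raise ValueError(f"unknown attribute {name}")
            setattr(self, name, value)


def demo() -> dict:
    """Constructed scenario: dba owns a shared login, delegates consumer
    administration to the app_admins group, and lets the sales group use it."""
    m = IdentityMap("ORA", "svc_sales", owner="dba", managers={"app_admins"},
                    consumers={"sales"}, collection_key="dfs-prod", password="s3cret")
    owner, manager = Caller("dba"), Caller("alice", frozenset({"app_admins"}))
    consumer = Caller("bob", frozenset({"sales"}))
    out = {"manager_reads": m.read_credentials(manager),
           "consumer_may_use": m.may_consume(consumer)}
    attempts = {
        "consumer_reads": lambda: m.read_credentials(consumer),
        "manager_edits_consumers": lambda: m.set_consumers(manager, {"sales", "marketing"}),
        "manager_rotates_password": lambda: m.update(manager, password="new"),
        "owner_rotates_password": lambda: m.update(owner, password="new"),
    }
    for key, action in attempts.items():
        try:
            action()
            out[key] = "ok"
        except AccessDenied:
            out[key] = "denied"
    out["final_consumers"] = sorted(m.consumers)
    out["password_after"] = m.password
    return out
```

Note that the consumer has no code path to the password at all: may_consume() only answers whether credentials may be extracted on the consumer's behalf, which is the check the connection server performs before it, not the user, receives them. Keeping the password out of repr() avoids leaking it when the object is logged.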
  • The following is another example process flow. The DataFlux Federation Server (DFS) uses the DataFlux Authentication Server (DAS) to authenticate the connecting user. The DFS manages connection information to multiple backend DBMS data sources, each of which is associated with a domain name. The user's connection string specifies which data sources the user wants to connect to, but credentials to those data sources are not specified in the string. The credentials are instead extracted by DFS using a DAS connection made through a DFS identity maps manager account. This account belongs to a user that is a manager of all identity maps associated with all the domains configured for the DFS backend DBMS data sources. The connection string may optionally contain a GROUP=groupname specification which further qualifies candidate identity maps for credentials extraction. This process is repeated for each backend database connection, and the resulting DFS connection is then able to access SQL data from multiple data sources without disclosing shared DBMS credentials to the DFS user.
  • SQL authorizations are enforced for the user in the DFS, simplifying security administration. DFS users cannot connect directly to the backend data sources since the credentials are protected in the DAS identity maps created for those users (consumers). Additionally, the identity maps allow DBMS accounts to be shared thereby reducing the administrative burden of managing the backend database servers.
  • Following is another example process of using identity maps in a multi-tiered authentication scheme:
  • 1. A primary server connects to the authentication server (AS) using credentials of an identity who is a common manager of all identity maps with a particular collection key value. The value identifies the primary server instance and thus all identity maps configured for use in that server to establish back-end connections to secondary servers. The identity map manager identity and password, as well as the collection key itself, are preconfigured in the primary server's metadata or supplied as part of the primary server's startup parameters.
    2. From step 1, an identity handle (ihm) is returned to the primary server process and cached for use later when establishing secondary connections on behalf of primary server end-users.
    3. Steps 1 and 2 occur in the primary server during its startup sequence. Remaining steps occur per client connection to the primary server.
    4. An application prompts for end-user credentials (e.g., identity, password tuple) and passes the credentials as inbound credentials to the primary server along with a connection name (dsn) and an application group name (g). The application expects to receive a handle back from the primary server upon successful connection.
    5. The primary server passes end-user credentials unaltered to AS for authentication and receives either a failure (possibly authentication related) or an identity handle (ihu) for the end-user. Upon successful authentication, and for each secondary server connection configured in the named connection (dsn), the primary server makes a getMappedCredentials() call to AS on handle ihm to extract the secondary server's credentials (outbound identity, password tuple). The call includes the primary server's collection key (ck), the application group name (g), the domain name corresponding to the secondary server (dj) and the consumer for which the secondary server's outbound credentials are to be extracted (ihu->id).
    6. The getMappedCredentials() method uses the tuple (ck, g, dj, ihu->id) to locate the identity map from which the credentials are to be extracted: the end-user identity, uniquely identified in AS by ihu->id, must directly or indirectly be a member of the application group, g, which must directly or indirectly be a consumer of any candidate maps considered. Candidate maps are further filtered by the primary server's collection key (ck) and the secondary server's domain (dj), both of which must also match. If the search criteria yield exactly one identity map, then its credentials are extracted and returned to the primary server. These remain hidden from the end-user behind the primary server's process boundary.
    7. Credentials for the secondary server (associated with domain dj) returned in step 6 are used to establish a connection, sj. The secondary server connection is added to the end-user connection being constructed by the primary server, which can be expressed as p=(s0, s1, . . . , sn−1), an n-way tiered connection.
    8. When connections to all secondary servers are established, the tiered connection handle (p) is returned from the primary server to the application. This handle may be used to access data or services from the secondary servers according to interfaces provided by and authorization rules enforced on the primary server for the original end-user identity corresponding to handle ihu.
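  • The following added example, written for this page rather than taken from DataFlux, puts steps 1 through 8 together: an in-memory authentication server resolving the (ck, g, dj, ihu->id) tuple, including nested group membership and the exactly-one rule, and a primary server that caches its manager handle at startup and builds an n-way tiered connection per client. The same group parameter plays the role of the GROUP=groupname qualifier in the DFS connection string described earlier. Class names, the handle scheme, the identity formats, and the users, groups and maps in build_demo() are constructed for the example.

```python
# Added example for this page, not DataFlux code: an in-memory authentication
# server (AS) with the getMappedCredentials() search of step 6 and a primary
# server running steps 1-2 at startup and steps 4-8 per client.  All names
# and the users, groups and maps in build_demo() are constructed.
from collections import namedtuple

MapRecord = namedtuple(
    "MapRecord", "domain userid password owner managers consumers collection_key")


class MapResolutionError(LookupError):
    """Zero or several identity maps matched the (ck, g, dj, id) tuple."""


def format_identity(domain, form, userid):
    """Spell an extracted identity the way its authentication domain expects."""
    return {"userid": userid, "domain\\userid": f"{domain}\\{userid}",
            "userid@domain": f"{userid}@{domain}"}[form]


class AuthServer:
    def __init__(self, users, groups, domains, maps):
        self._users = users      # user -> password (plaintext only in this demo)
        self._groups = groups    # group -> direct members (users or groups)
        self._domains = domains  # domain name -> identity form
        self._maps = maps        # MapRecord list
        self._handles = {}       # identity handle -> authenticated user

    def authenticate(self, user, password):
        if self._users.get(user) != password:
            raise PermissionError("authentication failed")
        handle = f"ih{len(self._handles)}"
        self._handles[handle] = user
        return handle

    def identity(self, handle):
        return self._handles[handle]

    def is_member(self, principal, group, seen=frozenset()):
        """Direct or indirect membership; `principal` may itself be a group."""
        direct = self._groups.get(group, set())
        return principal in direct or any(
            self.is_member(principal, g, seen | {group})
            for g in direct if g in self._groups and g not in seen)

    def _listed(self, principal, principals):
        return principal in principals or any(
            self.is_member(principal, p) for p in principals if p in self._groups)

    def get_mapped_credentials(self, ihm, ck, g, dj, consumer_id):
        """Step 6: (ck, g, dj, consumer_id) must select exactly one map."""
        if not self.is_member(consumer_id, g):
            raise PermissionError(f"{consumer_id} is not in application group {g}")
        candidates = [m for m in self._maps if m.collection_key == ck
                      and m.domain == dj and self._listed(g, m.consumers)]
        if len(candidates) != 1:
            raise MapResolutionError(
                f"{len(candidates)} maps match {(ck, g, dj, consumer_id)}")
        m, manager = candidates[0], self.identity(ihm)
        if manager != m.owner and not self._listed(manager, m.managers):
            raise PermissionError(f"{manager} does not manage the selected map")
        return format_identity(dj, self._domains[dj], m.userid), m.password


class PrimaryServer:
    def __init__(self, auth, ck, manager_user, manager_pw, dsns):
        self._auth, self._ck, self._dsns = auth, ck, dsns  # dsn -> secondary domains
        self._ihm = auth.authenticate(manager_user, manager_pw)  # steps 1-2, cached
        self._tiered = {}  # connection handle p -> (end user, secondary descriptors)

    def connect(self, user, password, dsn, g):
        ihu = self._auth.authenticate(user, password)  # step 5, passed unaltered
        end_user, secondaries = self._auth.identity(ihu), []
        for dj in self._dsns[dsn]:
            ident, pw = self._auth.get_mapped_credentials(
                self._ihm, self._ck, g, dj, end_user)
            # Step 7: a real server connects with (ident, pw) here; pw is never stored.
            secondaries.append(f"{dj}:{ident}")
        p = f"p{len(self._tiered)}"
        self._tiered[p] = (end_user, secondaries)
        return p  # step 8: the application receives only this handle

    def secondaries(self, p):
        return list(self._tiered[p][1])


def build_demo():
    """Constructed: bob is in sales, sales in all_staff; two maps carry the
    'dfs-prod' collection key and a third the 'dfs-test' key."""
    admins = frozenset({"map_admins"})
    auth = AuthServer(
        users={"dfs_mgr": "mgr-pw", "bob": "bob-pw", "carol": "carol-pw"},
        groups={"all_staff": {"sales", "carol"}, "sales": {"bob"},
                "map_admins": {"dfs_mgr"}},
        domains={"ORA": "domain\\userid", "TD": "userid@domain"},
        maps=[MapRecord("ORA", "svc_sales", "ora-secret", "dba", admins, {"all_staff"}, "dfs-prod"),
              MapRecord("TD", "td_app", "td-secret", "dba", admins, {"sales"}, "dfs-prod"),
              MapRecord("ORA", "svc_test", "test-secret", "dba", admins, {"all_staff"}, "dfs-test")])
    primary = PrimaryServer(auth, "dfs-prod", "dfs_mgr", "mgr-pw",
                            dsns={"warehouse": ["ORA", "TD"]})
    return auth, primary
```

Two details are worth checking in any real implementation of this flow: the manager check runs against the map actually selected, so a primary server configured with the wrong collection key gets no candidates and fails closed rather than reading another server's maps, and the returned password never leaves connect(); the application only receives the handle p, and even the domain-formatted outbound identities stay inside the primary server.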
  • FIGS. 10A, 10B, and 10C depict example systems for use in implementing an authentication manager. For example, FIG. 10A depicts an exemplary system 1000 that includes a stand alone computer architecture where a processing system 1002 (e.g., one or more computer processors) includes an authentication manager 1004 being executed on it. The processing system 1002 has access to a computer-readable memory 1006 in addition to one or more data stores 1008. The one or more data stores 1008 may include an identity map 1010 as well as user/group mappings 1012.
  • FIG. 10B depicts a system 1020 that includes a client server architecture. One or more user PCs 1022 accesses one or more servers 1024 running an authentication manager 1026 on a processing system 1027 via one or more networks 1028. The one or more servers 1024 may access a computer readable memory 1030 as well as one or more data stores 1032. The one or more data stores 1032 may contain an identity map 1034 as well as user/group mappings 1036.
  • FIG. 10C shows a block diagram of exemplary hardware for a standalone computer architecture 1050, such as the architecture depicted in FIG. 10A that may be used to contain and/or implement the program instructions of system embodiments of the present invention. A bus 1052 may serve as the information highway interconnecting the other illustrated components of the hardware. A processing system 1054 labeled CPU (central processing unit) (e.g., one or more computer processors), may perform calculations and logic operations required to execute a program. A processor-readable storage medium, such as read only memory (ROM) 1056 and random access memory (RAM) 1058, may be in communication with the processing system 1054 and may contain one or more programming instructions for performing the method of implementing an authentication manager. Optionally, program instructions may be stored on a computer readable storage medium such as a magnetic disk, optical disk, recordable memory device, flash memory, or other physical storage medium. Computer instructions may also be communicated via a communications signal, or a modulated carrier wave.
  • A disk controller 1060 interfaces one or more optional disk drives to the system bus 1052. These disk drives may be external or internal floppy disk drives such as 1062, external or internal CD-ROM, CD-R, CD-RW or DVD drives such as 1064, or external or internal hard drives 1066. As indicated previously, these various disk drives and disk controllers are optional devices.
  • Each of the element managers, real-time data buffer, conveyors, file input processor, database index shared access memory loader, reference data buffer and data managers may include a software application stored in one or more of the disk drives connected to the disk controller 1060, the ROM 1056 and/or the RAM 1058. Preferably, the processor 1054 may access each component as required.
  • A display interface 1068 may permit information from the bus 1052 to be displayed on a display 1070 in audio, graphic, or alphanumeric format. Communication with external devices may optionally occur using various communication ports 1072.
  • In addition to the standard computer-type components, the hardware may also include data input devices, such as a keyboard 1072, or other input device 1074, such as a microphone, remote control, pointer, mouse and/or joystick.
  • As additional examples, the systems and methods may include data signals conveyed via networks (e.g., local area network, wide area network, internet, combinations thereof, etc.), fiber optic medium, carrier waves, wireless networks, etc. for communication with one or more data processing devices. The data signals can carry any or all of the data disclosed herein that is provided to or from a device.
  • Additionally, the methods and systems described herein may be implemented on many different types of processing devices by program code comprising program instructions that are executable by the device processing subsystem. The software program instructions may include source code, object code, machine code, or any other stored data that is operable to cause a processing system to perform the methods and operations described herein. Other implementations may also be used, however, such as firmware or even appropriately designed hardware configured to carry out the methods and systems described herein.
  • The systems' and methods' data (e.g., associations, mappings, data input, data output, intermediate data results, final data results, etc.) may be stored and implemented in one or more different types of computer-implemented data stores, such as different types of storage devices and programming constructs (e.g., RAM, ROM, Flash memory, flat files, databases, programming data structures, programming variables, IF-THEN (or similar type) statement constructs, etc.). It is noted that data structures describe formats for use in organizing and storing data in databases, programs, memory, or other computer-readable media for use by a computer program.
  • The computer components, software modules, functions, data stores and data structures described herein may be connected directly or indirectly to each other in order to allow the flow of data needed for their operations. It is also noted that a module or processor includes but is not limited to a unit of code that performs a software operation, and can be implemented for example as a subroutine unit of code, or as a software function unit of code, or as an object (as in an object-oriented paradigm), or as an applet, or in a computer script language, or as another type of computer code. The software components and/or functionality may be located on a single computer or distributed across multiple computers depending upon the situation at hand.
  • It should be understood that as used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise. Finally, as used in the description herein and throughout the claims that follow, the meanings of “and” and “or” include both the conjunctive and disjunctive and may be used interchangeably unless the context expressly dictates otherwise; the phrase “exclusive or” may be used to indicate situation where only the disjunctive meaning may apply.

Claims (15)

1. A computer-implemented method of providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map, said method comprising:
receiving a credential request at the authentication server from the connection server, wherein the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application;
searching the identity map for a set of credentials associated with both the account identifier and the external data source or external server process; and
transmitting the set of credentials from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, wherein the connection is for providing the application access to the external data source or external server process, wherein the connection is established without transmitting the set of credentials to the application.
2. The method of claim 1, wherein the account identifier further provides a group with which the application or the user of the application is associated;
wherein searching further includes searching the identity map for a set of credentials associated with both the group with which the application or the user of the application is associated and the external data source or external server process.
3. The method of claim 1, wherein the identity map is modified based on authentication information received from an authentication server administrator;
wherein the authentication information associates account identifiers and external data sources or external service processes with credentials.
4. The method of claim 1, wherein not transmitting the set of credentials to the application prohibits the application or a user of the application from accessing the external data source or external process without using the connection server.
5. The method of claim 1, wherein a user enters a username and password combination to the application;
wherein the connection server verifies the username and password combination;
wherein the connection server generates an account identifier from the application based on the verified username and password combination;
wherein the connection server transmits the account identifier to the authentication server.
6. The method of claim 1, wherein the application is provided one of a plurality of levels of access to the external data source or external server process based on the set of credentials provided to the connection server based on the searching the identity map.
7. The method of claim 1, wherein searching the identity map includes determining a group with which the account identifier is associated; and
searching the identity map for a set of credentials associated with both the group with which the account identifier is associated and the external data source or external server process.
8. A computer-implemented system for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map, said system comprising:
one or more data processors;
a computer-readable memory encoded with instructions for commanding the one or more data processors to execute a method comprising:
receiving a credential request at the authentication server from the connection server, wherein the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application;
searching the identity map for a set of credentials associated with both the account identifier and the external data source or external server process; and
transmitting the set of credentials from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, wherein the connection is for providing the application access to the external data source or external server process, wherein the connection is established without transmitting the set of credentials to the application.
9. The system of claim 8, wherein the account identifier further provides a group with which the application or the user of the application is associated;
wherein searching further includes searching the identity map for a set of credentials associated with both the group with which the application or the user of the application is associated and the external data source or external server process.
10. The system of claim 8, wherein the identity map is modified based on authentication information received from an authentication server administrator;
wherein the authentication information associates account identifiers and external data sources or external service processes with credentials.
11. The system of claim 8, wherein not transmitting the set of credentials to the application prohibits the application or a user of the application from accessing the external data source or external process without using the connection server.
12. The system of claim 8, wherein a user enters a username and password combination to the application;
wherein the application verifies the username and password combination;
wherein the connection server receives an account identifier from the application based on the verified username and password combination;
wherein the connection server transmits the account identifier to the authentication server.
13. The system of claim 8 wherein the application is provided one of a plurality of levels of access to the external data source or external server process based on the set of credentials provided to the connection server based on the searching the identity map.
14. The system of claim 8, wherein searching the identity map includes determining a group with which the account identifier is associated; and
searching the identity map for a set of credentials associated with both the group with which the account identifier is associated and the external data source or external server process.
15. A computer-readable medium encoded with instructions for commanding one or more data processors to execute a method for providing an application access to an external data source or an external server process via a connection server using an authentication server that has access to an identity map, said method comprising:
receiving a credential request at the authentication server from the connection server, wherein the credential request includes an identification of the external data source or external server process to be accessed and an account identifier associated with the application or a user of the application;
searching the identity map for a set of credentials associated with both the account identifier and the external data source or external server process; and
transmitting the set of credentials from the authentication server to the connection server, for the connection server to establish a connection to the external data source or external server process, wherein the connection is for providing the application access to the external data source or external server process, wherein the connection is established without transmitting the set of credentials to the application.
US13/034,323 2010-02-26 2011-02-24 Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data Abandoned US20110214165A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/034,323 US20110214165A1 (en) 2010-02-26 2011-02-24 Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US30863510P 2010-02-26 2010-02-26
US13/034,323 US20110214165A1 (en) 2010-02-26 2011-02-24 Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data

Publications (1)

Publication Number Publication Date
US20110214165A1 true US20110214165A1 (en) 2011-09-01

Family

ID=44505851

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/034,323 Abandoned US20110214165A1 (en) 2010-02-26 2011-02-24 Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data
US13/035,630 Active US8645386B2 (en) 2010-02-26 2011-02-25 Processor implemented systems and methods for using the catalog part of an SQL identifier to expose/access heterogeneous data

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/035,630 Active US8645386B2 (en) 2010-02-26 2011-02-25 Processor implemented systems and methods for using the catalog part of an SQL identifier to expose/access heterogeneous data

Country Status (1)

Country Link
US (2) US20110214165A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130111543A1 (en) * 2011-10-31 2013-05-02 Jeremy Ray Brown Techniques for controlling authentication
US20130198857A1 (en) * 2012-02-01 2013-08-01 International Business Machines Corporation Processing of restricted access data
US20140325616A1 (en) * 2013-04-30 2014-10-30 International Business Machines Corporation File system level data protection during potential security breach
US20170090560A1 (en) * 2015-09-25 2017-03-30 Microsoft Technology Licensing, Llc Combining mobile devices with people tracking for large display interactions
US20170126683A1 (en) * 2015-11-04 2017-05-04 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US10235297B2 (en) 2015-11-04 2019-03-19 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US11347734B1 (en) * 2016-08-17 2022-05-31 Actian Corporation Processing database queries based on external tables

Families Citing this family (69)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012103458A1 (en) * 2011-01-28 2012-08-02 The Dun And Bradstreet Corporation Inventory data access layer
US9152671B2 (en) * 2012-12-17 2015-10-06 General Electric Company System for storage, querying, and analysis of time series data
US9152672B2 (en) * 2012-12-17 2015-10-06 General Electric Company Method for storage, querying, and analysis of time series data
US10192187B2 (en) * 2014-01-03 2019-01-29 Visier Solutions, Inc. Comparison of client and benchmark data
US10437843B2 (en) 2014-07-29 2019-10-08 Microsoft Technology Licensing, Llc Optimization of database queries via transformations of computation graph
US10176236B2 (en) 2014-07-29 2019-01-08 Microsoft Technology Licensing, Llc Systems and methods for a distributed query execution engine
US10169433B2 (en) * 2014-07-29 2019-01-01 Microsoft Technology Licensing, Llc Systems and methods for an SQL-driven distributed operating system
GB2537670A (en) * 2015-04-23 2016-10-26 Fujitsu Ltd A query mediator, a method of querying a polyglot data tier and a computer program executable to carry out a method of querying a polyglot data tier
US20170337232A1 (en) * 2016-05-19 2017-11-23 Fifth Dimension Holdings Ltd. Methods of storing and querying data, and systems thereof
US11620336B1 (en) 2016-09-26 2023-04-04 Splunk Inc. Managing and storing buckets to a remote shared storage system based on a collective bucket size
US11562023B1 (en) 2016-09-26 2023-01-24 Splunk Inc. Merging buckets in a data intake and query system
US11003714B1 (en) 2016-09-26 2021-05-11 Splunk Inc. Search node and bucket identification using a search node catalog and a data store catalog
US11599541B2 (en) 2016-09-26 2023-03-07 Splunk Inc. Determining records generated by a processing task of a query
US10956415B2 (en) 2016-09-26 2021-03-23 Splunk Inc. Generating a subquery for an external data system using a configuration file
US11586627B2 (en) 2016-09-26 2023-02-21 Splunk Inc. Partitioning and reducing records at ingest of a worker node
US20180089324A1 (en) 2016-09-26 2018-03-29 Splunk Inc. Dynamic resource allocation for real-time search
US10977260B2 (en) 2016-09-26 2021-04-13 Splunk Inc. Task distribution in an execution node of a distributed execution environment
US11615104B2 (en) * 2016-09-26 2023-03-28 Splunk Inc. Subquery generation based on a data ingest estimate of an external data system
US11232100B2 (en) 2016-09-26 2022-01-25 Splunk Inc. Resource allocation for multiple datasets
US11550847B1 (en) 2016-09-26 2023-01-10 Splunk Inc. Hashing bucket identifiers to identify search nodes for efficient query execution
US11163758B2 (en) 2016-09-26 2021-11-02 Splunk Inc. External dataset capability compensation
US11243963B2 (en) * 2016-09-26 2022-02-08 Splunk Inc. Distributing partial results to worker nodes from an external data system
US11126632B2 (en) 2016-09-26 2021-09-21 Splunk Inc. Subquery generation based on search configuration data from an external data system
US10353965B2 (en) 2016-09-26 2019-07-16 Splunk Inc. Data fabric service system architecture
US11663227B2 (en) * 2016-09-26 2023-05-30 Splunk Inc. Generating a subquery for a distinct data intake and query system
US10776355B1 (en) 2016-09-26 2020-09-15 Splunk Inc. Managing, storing, and caching query results and partial query results for combination with additional query results
US11294941B1 (en) 2016-09-26 2022-04-05 Splunk Inc. Message-based data ingestion to a data intake and query system
US11461334B2 (en) 2016-09-26 2022-10-04 Splunk Inc. Data conditioning for dataset destination
US11023463B2 (en) 2016-09-26 2021-06-01 Splunk Inc. Converting and modifying a subquery for an external data system
US10795884B2 (en) 2016-09-26 2020-10-06 Splunk Inc. Dynamic resource allocation for common storage query
US11222066B1 (en) 2016-09-26 2022-01-11 Splunk Inc. Processing data using containerized state-free indexing nodes in a containerized scalable environment
US10984044B1 (en) 2016-09-26 2021-04-20 Splunk Inc. Identifying buckets for query execution using a catalog of buckets stored in a remote shared storage system
US11593377B2 (en) 2016-09-26 2023-02-28 Splunk Inc. Assigning processing tasks in a data intake and query system
US11567993B1 (en) 2016-09-26 2023-01-31 Splunk Inc. Copying buckets from a remote shared storage system to memory associated with a search node for query execution
US11580107B2 (en) 2016-09-26 2023-02-14 Splunk Inc. Bucket data distribution for exporting data to worker nodes
US11314753B2 (en) 2016-09-26 2022-04-26 Splunk Inc. Execution of a query received from a data intake and query system
US11281706B2 (en) 2016-09-26 2022-03-22 Splunk Inc. Multi-layer partition allocation for query execution
US11106734B1 (en) 2016-09-26 2021-08-31 Splunk Inc. Query execution using containerized state-free search nodes in a containerized scalable environment
US10726009B2 (en) 2016-09-26 2020-07-28 Splunk Inc. Query processing using query-resource usage and node utilization data
US11604795B2 (en) * 2016-09-26 2023-03-14 Splunk Inc. Distributing partial results from an external data system between worker nodes
US11250056B1 (en) 2016-09-26 2022-02-15 Splunk Inc. Updating a location marker of an ingestion buffer based on storing buckets in a shared storage system
US11269939B1 (en) 2016-09-26 2022-03-08 Splunk Inc. Iterative message-based data processing including streaming analytics
US12013895B2 (en) 2016-09-26 2024-06-18 Splunk Inc. Processing data using containerized nodes in a containerized scalable environment
US11416528B2 (en) 2016-09-26 2022-08-16 Splunk Inc. Query acceleration data store
US11442935B2 (en) 2016-09-26 2022-09-13 Splunk Inc. Determining a record generation estimate of a processing task
US11874691B1 (en) 2016-09-26 2024-01-16 Splunk Inc. Managing efficient query execution including mapping of buckets to search nodes
US11321321B2 (en) 2016-09-26 2022-05-03 Splunk Inc. Record expansion and reduction based on a processing task in a data intake and query system
US11860940B1 (en) 2016-09-26 2024-01-02 Splunk Inc. Identifying buckets for query execution using a catalog of buckets
WO2018058671A1 (en) 2016-09-30 2018-04-05 华为技术有限公司 Control method for executing multi-table connection operation and corresponding device
US11989194B2 (en) 2017-07-31 2024-05-21 Splunk Inc. Addressing memory limits for partition tracking among worker nodes
US11921672B2 (en) 2017-07-31 2024-03-05 Splunk Inc. Query execution at a remote heterogeneous data store of a data fabric service
US12118009B2 (en) 2017-07-31 2024-10-15 Splunk Inc. Supporting query languages through distributed execution of query engines
US10796013B2 (en) * 2017-11-13 2020-10-06 Veeva Systems Inc. User programmatic interface for supporting data access control in a database system
CN110020040B (en) * 2017-08-17 2021-07-06 北京京东尚科信息技术有限公司 Method, device and system for querying data
US11151137B2 (en) 2017-09-25 2021-10-19 Splunk Inc. Multi-partition operation in combination operations
US10896182B2 (en) 2017-09-25 2021-01-19 Splunk Inc. Multi-partitioning determination for combination operations
US11334543B1 (en) 2018-04-30 2022-05-17 Splunk Inc. Scalable bucket merging for a data intake and query system
WO2020027867A1 (en) * 2018-07-31 2020-02-06 Splunk Inc. Generating a subquery for a distinct data intake and query system
US11374938B2 (en) * 2019-04-23 2022-06-28 Jpmorgan Chase Bank, N.A. Database-agnostic secure structured database connector
WO2020220216A1 (en) 2019-04-29 2020-11-05 Splunk Inc. Search time estimate in data intake and query system
US11715051B1 (en) 2019-04-30 2023-08-01 Splunk Inc. Service provider instance recommendations using machine-learned classifications and reconciliation
US11494380B2 (en) 2019-10-18 2022-11-08 Splunk Inc. Management of distributed computing framework components in a data fabric service system
US11922222B1 (en) 2020-01-30 2024-03-05 Splunk Inc. Generating a modified component for a data intake and query system using an isolated execution environment image
CN111309785B (en) * 2020-02-14 2023-05-16 广州极晟网络技术有限公司 Database access method and device based on Spring framework, computer equipment and medium
US11704313B1 (en) 2020-10-19 2023-07-18 Splunk Inc. Parallel branch operation using intermediary nodes
CN113407565B (en) * 2021-06-29 2024-01-30 中国民生银行股份有限公司 Cross-database data query method, device and equipment
US12072939B1 (en) 2021-07-30 2024-08-27 Splunk Inc. Federated data enrichment objects
US11755591B2 (en) * 2021-08-06 2023-09-12 Sap Se Metadata object identifier registry
US12093272B1 (en) 2022-04-29 2024-09-17 Splunk Inc. Retrieving data identifiers from queue for search of external data system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070143836A1 (en) * 2005-12-19 2007-06-21 Quest Software, Inc. Apparatus system and method to provide authentication services to legacy applications
US7735122B1 (en) * 2003-08-29 2010-06-08 Novell, Inc. Credential mapping

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
AU2003243635A1 (en) * 2002-06-17 2003-12-31 Beingmeta, Inc. Systems and methods for processing queries
US7493311B1 (en) * 2002-08-01 2009-02-17 Microsoft Corporation Information server and pluggable data sources
US7213014B2 (en) * 2003-03-27 2007-05-01 International Business Machines Corporation Apparatus and method for using a predefined database operation as a data source for a different database operation
US20070005658A1 (en) * 2005-07-02 2007-01-04 International Business Machines Corporation System, service, and method for automatically discovering universal data objects
US20100128638A1 (en) * 2008-11-20 2010-05-27 Sap Ag Hierarchical shortest path first network routing protocol
US8489565B2 (en) * 2009-03-24 2013-07-16 Microsoft Corporation Dynamic integrated database index management

Cited By (16)

Publication number Priority date Publication date Assignee Title
US20130111543A1 (en) * 2011-10-31 2013-05-02 Jeremy Ray Brown Techniques for controlling authentication
US9519777B2 (en) * 2011-10-31 2016-12-13 Novell, Inc. Techniques for controlling authentication
US20130198857A1 (en) * 2012-02-01 2013-08-01 International Business Machines Corporation Processing of restricted access data
CN104094261A (en) * 2012-02-01 2014-10-08 国际商业机器公司 A method for optimizing processing of restricted-access data
US9317697B2 (en) * 2012-02-01 2016-04-19 International Business Machines Corporation Processing of restricted access data
US20140325616A1 (en) * 2013-04-30 2014-10-30 International Business Machines Corporation File system level data protection during potential security breach
US9069955B2 (en) * 2013-04-30 2015-06-30 International Business Machines Corporation File system level data protection during potential security breach
US9306956B2 (en) 2013-04-30 2016-04-05 Globalfoundries Inc. File system level data protection during potential security breach
US20170090560A1 (en) * 2015-09-25 2017-03-30 Microsoft Technology Licensing, Llc Combining mobile devices with people tracking for large display interactions
US10678326B2 (en) * 2015-09-25 2020-06-09 Microsoft Technology Licensing, Llc Combining mobile devices with people tracking for large display interactions
US20170126683A1 (en) * 2015-11-04 2017-05-04 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US10235297B2 (en) 2015-11-04 2019-03-19 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US10255189B2 (en) 2015-11-04 2019-04-09 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US10270773B2 (en) 2015-11-04 2019-04-23 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US10270775B2 (en) * 2015-11-04 2019-04-23 International Business Machines Corporation Mechanism for creating friendly transactions with credentials
US11347734B1 (en) * 2016-08-17 2022-05-31 Actian Corporation Processing database queries based on external tables

Also Published As

Publication number Publication date
US20110213778A1 (en) 2011-09-01
US8645386B2 (en) 2014-02-04

Similar Documents

Publication Publication Date Title
US20110214165A1 (en) Processor Implemented Systems And Methods For Using Identity Maps And Authentication To Provide Restricted Access To Backend Server Processor or Data
US10367821B2 (en) Data driven role based security
EP3734932B1 (en) Implicitly linking access policies using group names
US8955037B2 (en) Access management architecture
CA2649862C (en) Translating role-based access control policy to resource authorization policy
US7380271B2 (en) Grouped access control list actions
CN106534199B (en) Distributed system certification and rights management platform under big data environment based on XACML and SAML
US8990896B2 (en) Extensible mechanism for securing objects using claims
US20100299738A1 (en) Claims-based authorization at an identity provider
US20060173810A1 (en) Controlling access to a database using database internal and external authorization information
US20120297455A1 (en) Target-based access check independent of access request
US20110161370A1 (en) Apparatus, program, and method for file management
KR20230035260A (en) Temporary Cloud Provider Credentials via Secure Discovery Framework
WO2018095326A1 (en) Method and apparatus for determining access permission, and terminal
US8918862B2 (en) Managing access to storage media
US8104076B1 (en) Application access control system
US20130125217A1 (en) Authorization Control
US20100082682A1 (en) Web contents archive system and method
US11914687B2 (en) Controlling access to computer resources
EP3815329B1 (en) Registration of the same domain with different cloud services networks
US20170295183A1 (en) Access control for user accounts using a parallel search approach
CN111695108B (en) Unified account identification system for multi-source accounts in heterogeneous computing environment
US9237156B2 (en) Systems and methods for administrating access in an on-demand computing environment
US20070244896A1 (en) System and method for authenticating remote users
US10965612B2 (en) Access management system with a resource-ownership policy manager

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAS INSTITUTE INC., NORTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JEFFREYS, DAVID KERR;HESS, ROBERT BRIAN;REEL/FRAME:026157/0928

Effective date: 20110411

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION