BACKGROUND OF THE INVENTION 1. Technical Field
The present invention relates to an improved data processing system. In particular, the present invention relates to providing access control to resources of a data processing system. Still more particularly, the present invention relates to providing device dependent access control for device independent Web content in a data processing system.
2. Description of Related Art
In the current market, a variety of handheld or pervasive devices are available for consumers. Examples of pervasive devices include Web browsers, personal digital assistants (PDAs), smart phones, and traditional voice telephones. These devices support different security protocols, resources, and input capability. For example, a PDA may support input by a pen, while a traditional voice telephone only supports input by voice.
These devices may also have different screen sizes and bandwidth requirements. These variations present challenges in security and resource control for applications that support these devices. For example, a resource, such as a spreadsheet or a chart image, that a user can reach through a Web browser may not be available to the same user accessing through a smart phone, either because the resource is so sensitive that it should only be delivered to a secured smart phone, or because the smart phone does not support the data format of the resource. A resource may be any data that is available on a given device, for example, an application, a Web page, a spreadsheet, or a data set.
Modern Web applications often adopt a device-independent approach to support various devices. In the device-independent approach, the page content containing business logic is independent from the display on a client device and is tailored to any device for display during run-time based on the device capability. The device-independent approach gives all the devices the same access privilege to a resource.
Traditionally, role-based access control may be used in applications for controlling resource access. Role-based access control is a standard security policy that is applied in many applications, including J2EE based applications. Role-based access control uses a two-dimensional matrix mechanism to control resource access. The two-dimensional matrix includes a user role axis that lists user roles and a resource axis that lists resources. The list of user roles may include administrator, manager, editor, or user. The list of resources may include Web page, data set, application, or any combination of the above. Each cell of the two-dimensional matrix holds the access rights or permissions assigned to a given user role for a given resource, for example, view, edit, or update.
While role-based access control solves the problem of who can access what resource, it does not distinguish between the devices a user uses. Thus, a user who uses a smart phone is given the same access to a resource as the same user using a voice telephone. As more and more devices are introduced in the market, device capabilities and security become an issue. Different devices may implement different security protocols and different encryption schemes, and may have different security patches applied. There is currently no existing mechanism that solves the problem of who, on which device, can access what resource. Thus, sensitive data that is only supposed to be delivered to a secured device may end up on an unsecured device.
In addition to role-based access control, programming-based access control can also be used in applications for controlling resource access. Programming-based access control allows security control to be hard-coded in a program. However, in order to add or change a device's access permissions, the program code has to be changed manually. There is no existing mechanism that dynamically configures access control for new devices introduced in the market, or removes existing devices from access control, without modifying the program.
Therefore, it would be advantageous to have an improved method to control Web resources based not only on user role, but also on device security to achieve fine-grained access control, such that sensitive data may only be delivered to secured devices. In addition, it would be advantageous to have an improved method for adding or removing devices without the need to change the program code.
SUMMARY OF THE INVENTION The present invention provides a method, an apparatus, and computer instructions in a data processing system for device dependent access control for device independent Web content. The present invention provides a module that detects the device type and security level from a request for access to a resource of the data processing system by a user device, and loads a three-dimensional matrix from a data source, a configuration file, or any other types of resource.
The module then performs a lookup of the matrix based on the user role of the user device, the type and security level of the user device, and the resource requested, and determines from the matrix cell for that combination whether permission is granted. If permission is granted to the user device, the module allows the user device to access the resource according to the permission. However, if permission is not granted, the module denies the user device access to the resource and sends a warning to the user device.
BRIEF DESCRIPTION OF THE DRAWINGS The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
FIG. 1 depicts a pictorial representation of a network of data processing systems in the present invention;
FIG. 2 is a block diagram of a data processing system that is depicted in accordance with an illustrative embodiment of the present invention;
FIG. 3 is a diagram illustrating a known user role-based access control two dimensional matrix;
FIG. 4 is a diagram illustrating a known programming based access control two dimensional matrix;
FIG. 5 is a diagram illustrating device dependent access control three-dimensional matrix in accordance with an illustrative embodiment of the present invention;
FIG. 6 is a diagram illustrating an exemplary grouping of devices in accordance with an illustrative embodiment of the present invention; and
FIG. 7 is a flowchart of an exemplary process for device dependent access control for device independent Web content in accordance with an illustrative embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.
In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, client 108, personal digital assistant 110, and smart phone 112 are connected to network 102. Client 108 may be, for example, a personal computer or a network computer. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to client 108. Examples of applications in client 108 include Web browsers 109, which process Web based content from server 104 and display it to the user. Since the Web content is device independent, other types of applications similar to Web browsers 109 may reside in personal digital assistant 110 and smart phone 112 for processing the device independent Web content received from server 104.
Client 108, personal digital assistant 110, and smart phone 112 are clients to server 104. Network data processing system 100 may include additional servers, clients, and other devices not shown, for example, traditional voice telephones or other mobile devices. In the depicted example, network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages. Of course, network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the present invention.
Referring to FIG. 2, a block diagram of a data processing system that may be implemented as a server, such as server 104 in FIG. 1, is depicted in accordance with a preferred embodiment of the present invention. Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors 202 and 204 connected to system bus 206. Alternatively, a single processor system may be employed. Also connected to system bus 206 is memory controller/cache 208, which provides an interface to local memory 209. I/O bus bridge 210 is connected to system bus 206 and provides an interface to I/O bus 212. Memory controller/cache 208 and I/O bus bridge 210 may be integrated as depicted.
Peripheral component interconnect (PCI) bus bridge 214 connected to I/O bus 212 provides an interface to PCI local bus 216. A number of modems may be connected to PCI local bus 216. Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to clients 108-112 in FIG. 1 may be provided through modem 218 and network adapter 220 connected to PCI local bus 216 through add-in connectors.
Additional PCI bus bridges 222 and 224 provide interfaces for additional PCI local buses 226 and 228, from which additional modems or network adapters may be supported. In this manner, data processing system 200 allows connections to multiple network computers. A memory-mapped graphics adapter 230 and hard disk 232 may also be connected to I/O bus 212 as depicted, either directly or indirectly.
Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 2 may vary. For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention.
The data processing system depicted in FIG. 2 may be, for example, an IBM eServer pSeries system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system or the LINUX operating system.
The present invention provides a method, apparatus, and computer instructions for device dependent access control for device independent Web content. In an illustrative embodiment, the present invention may be implemented as a module of a computer program executed by data processing system 200 in FIG. 2. The present invention extends the two-dimensional matrix of traditional role-based access control to a three-dimensional matrix. In addition to the user role axis and the resource axis, the three-dimensional matrix includes a third axis, the device axis, which lists the devices a given user may use to access a given resource. Thus, access permission to a resource is controlled by the user role as well as by the device the user uses.
With the third axis, an administrator may group devices based on their security level. A device may belong to one or more groups, with each group representing a different security level. For example, the Web browser Internet Explorer™ 5.0 may belong to a different group than the Web browser Internet Explorer™ 5.0.5, since Internet Explorer™ 5.0.5 has several security patches applied. As the number of devices introduced in the market increases, grouping devices based on their security level helps ease management and configuration of the devices.
An administrator may define the security levels of devices in terms of the following: the security protocols implemented by different devices, the encryption scheme used by different devices, the security patches applied to the same device, etc. With the role and device based three-dimensional matrix access control module, a user may transfer sensitive data only to a secured device rather than to an unsecured device. In addition, an administrator may temporarily remove or disable a device's access to a resource in case of a suspected virus attack, while the user can still use other devices to access the same resource. For example, if a Pocket PC virus targeting the Pocket PC browser is spreading among Pocket PC devices, an administrator may use the module to disable the Pocket PC devices to which a required security patch has not been applied, while at the same time leaving other Pocket PC devices with the security patch applied their access to the resources, since the module has the capability of disabling devices based on the security patches applied. Furthermore, an administrator may easily grant or deny access rights to a new device when it is introduced in the market and into the operating environment.
In an illustrative embodiment, an administrator may configure the three-dimensional matrix via a user interface. For each resource on the server, the user interface may display a list of all supported devices and potential permissions, including view, edit, update, add, or deploy, in a matrix format. With the user interface, an administrator may grant or deny permission to each device based on the security level of the device. The matrix is preferably stored in a data source or a configuration file, such as an extensible markup language (XML) file, and the module reads it into a resource-to-device assignment table at run time. However, an administrator may store the matrix in other forms and in other types of storage without departing from the spirit and scope of the present invention.
Turning now to FIG. 3, a prior art diagram illustrating a known user role-based access control two-dimensional matrix is depicted. As shown in FIG. 3, matrix 300 is a two-dimensional matrix that includes user role axis 302 and resource axis 304. The content 306 of the matrix includes access permissions to a resource, such as deploy, create, delete, update, configure, assign, or view.
If a user has access permission to a resource, he or she may access the resource using any device supported by the server, since the Web server provides device-independent Web content to the client. Prior to the present invention, there was no method that allowed a user to access confidential data using Pocket PC 2003 but not Pocket PC 2002, for instance. Windows Mobile Pocket PC is an operating system for Pocket PC personal digital assistants, available from Microsoft Corporation. Thus, user role-based access fails to fine tune resource access based on device security.
Turning now to FIG. 4, a prior art diagram illustrating a known programming based access control scheme is depicted. As shown in FIG. 4, program 400 determines access control to a resource in multiple levels. First, program 400 checks to see if a detected device is a Pocket PC 402.
If the detected device is a Pocket PC, program 400 then checks to see if the detected device is Pocket PC 2002 404, an example of a device model. If the detected device is Pocket PC 2002 404, program 400 further checks to see if Pocket PC 2002 Security Patch 4 has been applied on the device 406. If the security patch has been applied, program 400 allows the user to access the resource using the Pocket PC 2002 device 408. Otherwise, program 400 outputs the message “update your device with the security pack 4” to the user to warn of a required device update 408.
While program 400 provides multi-level validation, if an administrator wants to add or remove a device's access permissions, the administrator has to manually change program 400. Prior to the present invention, there was no existing method that allowed an administrator to add additional device models or browser versions without modifying program 400.
Turning now to FIG. 5, a diagram illustrating a device dependent access control three-dimensional matrix is depicted in accordance with an illustrative embodiment of the present invention. As shown in FIG. 5, matrix 500 is a three-dimensional matrix that includes user role axis 502, resource axis 504, and device axis 506. Similar to two-dimensional matrix 300 in FIG. 3, the content 512 of the matrix includes access permissions to a resource, such as deploy, create, delete, update, configure, assign, or view.
In addition to listing individual devices, device axis 506 may represent the security levels of different devices. For example, different devices may implement or adopt different security protocols and encryption schemes. Devices of the same type may have had different security patches applied. Examples of security protocols include a proprietary protocol specific to a device, Secure Sockets Layer (SSL), and Wireless Transport Layer Security (WTLS), etc. Examples of encryption schemes include 32-bit, 64-bit, or 128-bit key encryption, etc. Examples of security patches applied include those published by vendors for their specific devices, as normally indicated by the device browser version, such as Internet Explorer™ 5.0 and 5.0.5. A higher browser version is generally more secure than a lower browser version.
In this illustrative example, if device axis 506 represents individual devices, device 1 508 may represent a PDA while device 2 510 may represent a smart phone. Alternatively, if device axis 506 represents security protocols, device 1 508 may represent a Wireless Application Protocol (WAP) device without WTLS, while device 2 510 represents a WAP device with WTLS. If device axis 506 represents devices with different security patches applied, device 1 508 may represent Internet Explorer™ 5.0, while device 2 510 may represent Internet Explorer™ 5.0.5. If device axis 506 represents encryption schemes, device 1 508 may represent a device with 32-bit key encryption, while device 2 510 may represent a device with 64-bit key encryption. In addition, device axis 506 may represent devices or device groups with different security levels, where a security level is a combination of security protocol, encryption scheme, and security patches applied. For instance, device 1 508 may represent a Web browser running Internet Explorer (IE) 5.0, a PDA with 32-bit key encryption, and a WAP phone without WTLS. Device 2 510 may represent a Web browser running IE 5.0.5, a PDA with 64-bit key encryption, and a WAP phone with WTLS. Device 3 511 may represent a Web browser running IE 6.0 over SSL, a PDA with 128-bit key encryption and WTLS, etc.
With device axis 506, an administrator may control access to resources based on the security levels of the individual devices used by the user, in addition to user roles. Thus, a user may transfer sensitive data only to secured devices, rather than to non-secured ones. An administrator may disable a device suspected of being infected with a virus from accessing resources. In addition, an administrator may grant or deny access rights to a new device without the need to modify the program code.
Turning now to FIG. 6, a diagram illustrating an exemplary grouping of devices is depicted in accordance with an illustrative embodiment of the present invention. As shown in FIG. 6, an administrator may first group devices 600 according to their types. In this example, the types of devices include Web browsers 602, smart phones 604, PDAs 606, and voice telephones 608.
Next, the administrator may group devices based on their security levels. In this example, the administrator may group Web browsers 602 further based on the type and version of the browser 610, for example, Internet Explorer™ 6.3, Netscape™ 7.0, and Mozilla 3.3. Web browsers 602 may also be grouped by other parameters, for instance, the encryption scheme (128-bit, 64-bit, or 32-bit key encryption, etc.) 612.
Similarly, the administrator may group PDAs 606 based on their security level, such as encryption scheme. In this example, the administrator may group PDAs 606 further based on whether the encryption scheme the PDA uses is public key encryption 614 or Hash 32-bit with CE 3.3 encryption 616. In addition, the administrator may group PDAs 606 based on other parameters, for example, browser level (Pocket Internet Explorer 2.0, Pocket Internet Explorer 3.0, etc.).
Turning now to FIG. 7, a flowchart of an exemplary process for device dependent access control for device independent Web content is depicted in accordance with an illustrative embodiment of the present invention. As shown in FIG. 7, the process begins when the device dependent access control module loads the three-dimensional matrix during the start-up of the program from either a data source or a configuration file (step 702). The module then reads the data into a resource-to-user assignment table (step 704) and a resource-to-device assignment table (step 706). After a user logs into the server successfully (step 708), the device dependent access control module on the server detects the client device type and security level (step 710). Based on the user role, device type, and security level in the matrix assignment tables, the module looks up the matrix tables for the given user and the given device type or security level for the specific resource (step 712) and determines whether the combination has access to the resource based on the permissions in the content of the matrix (step 714).
If the combination has access to the resource based on the permissions, the module allows access to the resource according to those permissions (step 716). For example, if a user and device have “view” access to the resource, the module grants “view” access only. Otherwise, if the combination does not have access to the resource based on the permissions, the module denies access to the resource and sends a warning to the user (step 718). Others may be alerted that the subject device does not have the permissions to access the resource (step 720).
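The following is an added example, written for this page and not code from the patent or its assignee, that carries the process of FIG. 7 through in working form: the three-dimensional matrix is loaded from an XML configuration file (steps 702-706), a detected device is mapped to a security-level group in the manner of FIG. 6 (step 710), the (user role, resource, device group) cell is looked up (steps 712-714), and access is either granted with the cell's permissions or denied with a warning (steps 716-718). It also shows an administrator disabling a whole device group, as described above for a virus outbreak, without touching program code. The XML schema, the device descriptor fields (type, version, key_bits, wtls), the group names, the sample grants and the sample devices are all assumptions chosen for this illustration.

```python
"""Role x resource x device access control matrix loaded from an XML file.

Added example, not code from the patent or its assignee. The XML schema,
the device descriptor fields (type, version, key_bits, wtls), the group
names and the sample grants are all assumptions chosen for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample configuration (hypothetical schema). Groups are tried in
# document order and the first matching group wins, so the stricter group is
# listed first. A device that matches no group gets no permissions at all.
CONFIG_XML = """
<access-control>
  <device-groups>
    <group name="secured">
      <rule type="browser" min-version="5.0.5"/>
      <rule type="pda" min-key-bits="128" wtls="true"/>
      <rule type="phone" wtls="true"/>
    </group>
    <group name="unsecured">
      <rule type="browser"/>
      <rule type="pda"/>
      <rule type="phone"/>
    </group>
  </device-groups>
  <permissions>
    <grant role="manager" resource="quarterly-spreadsheet" device="secured" actions="view edit"/>
    <grant role="manager" resource="public-page" device="secured" actions="view"/>
    <grant role="manager" resource="public-page" device="unsecured" actions="view"/>
    <grant role="user" resource="public-page" device="secured" actions="view"/>
    <grant role="user" resource="public-page" device="unsecured" actions="view"/>
  </permissions>
</access-control>
"""

# Constructed device descriptors, as step 710 might produce them.
IE_505 = {"type": "browser", "version": "5.0.5"}
IE_50 = {"type": "browser", "version": "5.0"}
PDA_STRONG = {"type": "pda", "key_bits": 128, "wtls": True}
PDA_WEAK = {"type": "pda", "key_bits": 64, "wtls": False}
VOICE = {"type": "voice"}  # no rule covers it, so it is denied everything


def _version(text):
    """'5.0.5' -> (5, 0, 5): compare versions numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def rule_matches(rule, device):
    """True when every attribute on a <rule> element is satisfied by the device."""
    if rule.get("type") != device.get("type"):
        return False
    if "min-version" in rule.attrib and _version(device.get("version", "0")) < _version(rule.get("min-version")):
        return False
    if "min-key-bits" in rule.attrib and int(device.get("key_bits", 0)) < int(rule.get("min-key-bits")):
        return False
    if rule.get("wtls") == "true" and not device.get("wtls", False):
        return False
    return True


@dataclass
class AccessMatrix:
    groups: list                 # [(group name, [<rule> elements])] in priority order
    grants: dict                 # (role, resource, group) -> frozenset of actions
    disabled: set = field(default_factory=set)  # groups the administrator has disabled

    def classify(self, device):
        """Step 710: map a detected device to its security-level group, or None."""
        for name, rules in self.groups:
            if any(rule_matches(r, device) for r in rules):
                return name
        return None

    def permissions(self, role, resource, device):
        """Steps 712-714: read the (role, resource, device group) cell of the matrix."""
        group = self.classify(device)
        if group is None or group in self.disabled:
            return frozenset()  # unknown or quarantined device: fail closed
        return self.grants.get((role, resource, group), frozenset())

    def check(self, role, resource, device, action):
        return action in self.permissions(role, resource, device)

    def quarantine(self, group):
        """Disable a whole device group (e.g. during a virus outbreak) with no code change."""
        self.disabled.add(group)


def load_matrix(xml_text):
    """Steps 702-706: parse the configuration into the in-memory assignment tables."""
    root = ET.fromstring(xml_text)
    groups = [(g.get("name"), list(g.findall("rule"))) for g in root.find("device-groups")]
    grants = {}
    for g in root.find("permissions"):
        key = (g.get("role"), g.get("resource"), g.get("device"))
        grants[key] = grants.get(key, frozenset()) | frozenset(g.get("actions").split())
    return AccessMatrix(groups, grants)


def authorize(matrix, role, resource, device, action):
    """Steps 716-718: allow with the granted permission set, or deny with a warning."""
    allowed = matrix.permissions(role, resource, device)
    if action in allowed:
        return True, "granted: " + " ".join(sorted(allowed))
    return False, "denied: device group %s may not %s %s" % (matrix.classify(device), action, resource)


if __name__ == "__main__":
    m = load_matrix(CONFIG_XML)
    print(authorize(m, "manager", "quarterly-spreadsheet", IE_505, "edit"))
    print(authorize(m, "manager", "quarterly-spreadsheet", IE_50, "view"))
    m.quarantine("unsecured")
    print(authorize(m, "manager", "public-page", PDA_WEAK, "view"))
```

Two design points are worth noting. First, the lookup fails closed: a device that matches no configured group, such as the voice telephone above, receives an empty permission set rather than the permissions of some default group, which is what keeps sensitive data off devices the administrator has not yet classified. Second, the security value of the whole scheme rests on step 710; a device descriptor taken only from a client-asserted value such as a browser identification string can be forged, so a deployment should bind the device classification to properties the server can observe for itself, for example the negotiated transport security parameters or a client certificate, in addition to the reported version.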
In summary, the present invention provides a method, apparatus and computer instructions for device dependent access control for device independent Web content. With the present invention, an administrator may grant access to resources based on a security level of a user device. The present invention allows the administrator to use a variety of security levels as criteria for access control. In addition, administrators may grant or deny access to resources for new devices that are recently introduced in the market. Furthermore, the present invention protects sensitive data intended only for secured devices.
It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs, and transmission-type media, such as digital and analog communications links, wired or wireless communications links using transmission forms, such as, for example, radio frequency and light wave transmissions. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.