1. Technical Field
The present invention relates to security administration for electronic data processing systems. More particularly, the present invention relates to a methodology that employs an object-oriented paradigm to govern a step-by-step security administration process for an electronic data processing system.
2. Description of the Prior Art
The banking industry often requires that the approval of more than one authorized person be provided when certain tasks are performed. This is referred to as a two-party system. For example, if a bank customer wants to cash a check for $10,000, the teller to whom the check is presented may need to have a second bank employee, e.g. a supervisor, approve the check. Just as the banking industry requires a two-party system for certain levels of security administration, such security administration is also required by various other industries, e.g. telephone companies, for example when establishing new telephone numbers.
This two-party approach is also necessary for transactions that involve electronic information, especially as such electronic transactions become increasingly commonplace. For example, it is desirable to be able to perform an electronic task to a certain point and then freeze that task until the task related transaction can be verified and/or authorized by an appropriate person. That is, someone in authority must approve the transaction at its present stage before it may be moved on to the next step.
Related to such two-party systems is the concept of work flow. For example, certain software products provide a work flow in which a first person performs a particular task for a period of time and then another person continues the task for a period of time. Thereafter, the task may be performed by yet other persons until, at some point, it returns to the first person. Such work flow has a security administration element when a person performing a task must break at a defined point, at which time a next level manager, i.e. someone with appropriate authority and accountability, completes the task at that level, e.g. by approving a transaction, before the task can be moved to the next step.
The architecture of such security administration is just as important as that of security measures themselves. For example, if locks are put on all the doors, but the keys are given out indiscriminately it doesn't matter how good the locks are. In an electronic data processing system, it may be possible to provide the appearance of proper two-party authorization through employee collusion or fraud. Consequently, it is necessary to have a comprehensive tool for governing the administration of security policies in the context of electronic work flow.