This invention relates to a method and apparatus for controlling access by users to applications programs in a distributed computer system.
A framework for security in a distributed computer system has been proposed by the European Computer Manufacturers' Association (ECMA) and is described in the following references.
1) ECMA TR/46 "Security in Open Systems--a Security Framework" July 1988 PA1 2) ECMA standard ECMA/138 December 1989 PA1 3) "Network Access Control Development", COMPACS 90 Conference, London, March 1990
The ECMA security framework permits a user to be authenticated to the system, and to obtain as a result a data package referred to as a privilege attribute certificate (PAC) which represents a certified collection of access rights. When the user wishes to access a target application, the user presents the PAC to that application as evidence of the user's access rights.
An advantage of this approach is that the user does not need to be authenticated separately to individual applications--the authentication procedure is performed once only, to obtain the PAC. The PAC can then be used several times to access different applications.
The object of the present invention is to build on this idea of using PACs, to provide an improved method of access control.