The present invention generally relates to access control of functions contained in computer software applications. More specifically, the present invention relates to an apparatus and method for enterprise-level, platform-independent, cross-platform-fault-tolerant, extensible security of computer software applications.
The foundational application of the computer is the “operating system”, which is comprised of numerous programs. The programs that comprise the operating system contain the subprograms that perform the fundamental operations of the computer. These subprograms correspond to common system operations such as writing information to a disk, displaying information on a computer screen or printing a report. Operating system subprograms are secured by the built-in security of the operating system, “built-in system security”.
Generally, built-in system security does not perform “application security”, which restricts access to specific functions, to sensitive screens of information, to specific fields on a screen or to specific reports within a software application. For example, built-in system security is designed to secure access to the entire payroll file, but it is not equipped to control access to a specific subset of information within that file. In other words, the built-in system security would not typically be able to restrict access to the records for a single department. Similarly, built-in system security is not designed to secure internal application functions such as the ability to edit specific records within a file, write a check, issue a purchase order, or modify a price list.
Generally, the granularity of control required by application security exceeds the scope of the security for which built-in system security is designed. For the purpose of this discussion, “system security” will be used to refer not only to the built-in security provided by the operating system, but also to the security provided by the various enterprise “directory services”, which are special function databases used to store enterprise information such as a user IDs, passwords, system hardware information, and other frequently-accessed, seldom-changed information. Several examples of common directory services include the following: X.500, LDAP (lightweight directory access protocol), and Microsoft Active Directory Services. System security also refers to any system level security service provider.
For purposes of this discussion, “functions” will be used to refer to application software capabilities and other elements that typically require access control, not just to the business functions of an application. Other examples of elements that typically require access control include specific screens, web pages, data fields within screens, data fields within web pages, records within a file, rows within a database table and so on. Typically, each application handles access control to secure functions within the application. Secured “functions” are also sometimes referred to as “secured resources”.
The exponential increase in computer usage, the increasing pace of software development, the interrelation of existing database technologies, and the heightened concern for data integrity and privacy have increased the need for an efficient and stable means for managing application security and control. In addition, the growth of computer technologies has dramatically increased the amount of administrative overhead required to maintain systems, creating a need for efficient management tools across applications and systems.
The most advanced application security solutions currently available do not operate on multiple operating systems concurrently. Furthermore, existing application security solutions cannot easily be extended to incorporate new systems, new platforms and new applications. In addition, existing solutions do not operate across operating systems and cannot function when the security provider fails. There is a need for scalable, enterprise-level, platform-independent, cross-platform-fault-tolerant, computer application security.