In many distributed networks a server application running on a server computer provides services or functions to a remote client. Security features control access of clients to particular services or functions on the server. The access privileges may be limited to individual users or to groups of users. It is often desirable to provide some capability for a user to change the membership of a user group or to change some of the functions the group may be able to access. Generally, a distributed network will have some centralized control unit which will supervise the access privileges and also maintain access codes such as ID's and passwords. To make such changes a remote terminal of a user will access the centralized control unit and request changes. Conventionally, the server which operates the control unit function will perform authorization checks every time the client makes a request to determine if the user making the request is authorized to alter the access privileges. This repetitive authorization takes up time and blocks transmission bandwidth on the network.
As one example of a distributed network, there are many telecommunications systems which have an air interface which is operated in a trunked manner, that is the communication channels of the air interface are a shared resource among several users. No channel is permanently dedicated to a user, but each channel is assigned temporarily to a user for the duration of a transmission. Such systems usually comprise a network of elements, e.g. switches, base station radio transceivers, base station controllers and databases, connected together by landlines. Representative networks are a GSM cellular telephone network as described in “The GSM System for Mobile Communications”, Cell & Sighs, 1992, or a CDMA cellular system as described in “CDMA Systems Engineering Handbook”, Artech House, 1998, a cellular data network such as the GPRS system described in “Wideband CDMA for Third generation Mobile Communications”, Artech House 1998, a PMR network as supplied by Matra Nortel under the system name MC9600, a cordless public access system (e.g. Bi-Bop) as described in “Cordless Telecommunications Worldwide”, Springer, 1997, the terrestrial part of a satellite transmission system as described in “Satellite Communications Systems”, Wiley, 1998.
The network may be divided logically (and usually physically) into a traffic part which carries user messages and the control signals required therefor and an operations and maintenance part (an Operations and Maintenance network) which controls the operation of the network, e.g. recovering billing information, reporting traffic densities, reporting outages or failures. Due to the expense, complexity and level of disturbance caused by multiple installations particularly in urban areas, it is advantageous to provide a landline network which may be shared by several organizations rather than each organization installing their own network hardware. Such a system has been proposed by Bell Atlantic which allows different operators to provide personal communications services using the same network. Five different access possibilities are provided depending on the installed state of the relevant operator's network. In the system a “D” interface (external Data interface) is provided for the PCS provider to access a centralized database in the Bell Atlantic system. This access may be used for customer location updates, customer authentication, customer service profile access, etc. To manage these services an access manager function is provided. This access manager may be described in other systems by other names and may be either centralized or distributed provided the customer profiles remain consistent. It may be composed of several units with specific functions such as an authentication center, a home location register, a customer profile database, for example.
It is desirable to provide individual user organizations with some degree of control over their own use of the main shared network. For instance an organization may wish to define user groups and to modify these from time to time, e.g. add a new member to a group, delete a member or a whole group, change the geographical range of access of a user group. A user group may be defined as a “role”. To prevent one user organization monopolizing the scarce resources of a network such changes must be coordinated with or controlled by a network access manager function, e.g. by a centralized or distributed function which will be called a mediation device. Requests from user organizations can be sent to the mediation device via the operations and management network (OMN), e.g. an external terminal at the user organization's premises obtains access to the OMN (e.g. via the Internet or other more secure means) and sends a request to the mediation device. This request is processed and if approved the changes are made and the network updated accordingly.
Where several organizations share a network, e.g. a fleet of hospital ambulances, the police force, a cellular telephone operator, it is important that security is maintained and that cross-access between the organizations is not possible. Also, one organization should not be able to manipulate, influence or change the customer profiles of another organization. Conventionally, access to a mediation device requires authentication and authorization checks. By authentication is meant that a check is made as to the identity of the user accessing the network. This may be achieved by several different means, entering passwords or personal identity numbers (PIN), insertion of a device into a suitable reader, e.g. a smart card, fingerprint analysis, retina analysis being just a few examples. Authorization means the ability to restrict access to certain data or services to certain users only. For instance, access control lists (ACL) may be used to associate an authorized user set with a resource. The setting up and maintenance of authorization schemes is very time consuming.
EP 913 966 describes an access control scheme for a distributed client-server network. Access control objects, group objects, rule objects and management objects are provided. The rule objects specify a set of group objects, a set of management objects and access rights by users which belong to a group. Access control servers process access requests. Each access control server controls access to a distinct subset of the management objects in accordance with access rights specified in an access control database. Each access request is sent for processing to one or more of the access control servers for granting denying or partially granting the access requested in accordance with the access rights specified in the access control database. As explained in this document use of a single access server can result in overloading. The revised system makes use of several servers and results in access requests being transmitted through the network before the access rights for the request are confirmed or denied. This results in a traffic load on the network of access requests some of which are subsequently denied.
WO 98/50583 and WO 99/57863 relate to a network desktop management security system which allows or denies access to specific resources, such as a computer program or a file.
WO 99/57863 also relates to a network system in which a user request for a network resource such as an application can be accepted or denied.
It is an object of the present invention to reduce the time necessary to set up and maintain an authorization system in a telecommunications network, especially a trunked radio telecommunications network which may be shared by two or more independent organizations.
It is a further object of the present invention to reduce the amount of unnecessary signaling in a telecommunications network, especially a trunked radio telecommunications network which may be shared by two or more independent organizations.