1. Field of the Invention
This invention is directed to a management system for a communication network, and more particularly to an access control system where privileges are assigned to system resources when they are discovered.
2. Background Art
Many of today's intelligent network elements (NEs) can report their configuration to an external management system, either on request or autonomously as changes occur. Intelligent NEs are software driven in every aspect, from maintenance and control to release upgrades.
The management of these NEs requires a robust and highly efficient system which can process a large volume of data over a geographically distributed network. Network management tools typically run on PC or UNIX workstations and enable maintenance, surveillance and administration of the elements that make up a network. They allow providers to offer faster response times for service configuration and can reduce customer service calls.
As customer transmission networks grow, so does the number of users who need access to the system. No longer can the entire customer network be managed centrally from a single point; rather, distributed network management, both local and geographic, becomes a growing requirement.
Definitions of some terms used in this specification are provided next.
A component or an object is an encapsulated part of a software system with a well defined interface. Components serve as the building blocks of a system, or the elements of a software parts list, and can be either generic or application specific. Generic components serve as a system skeleton, enabling code reuse and faster development of new capabilities.
A process is a self-contained package of data and executable procedures which operate on that data, comparable to a task in other known systems. Processes can be used to implement objects, modules or other high-level data abstractions. Objects interact through function and procedure invocations.
A function is an action that users may take, process or activate in the management system.
A resource is a piece of hardware or a service in the network of interest, managed by the network management system.
User and user groups are the human users of these management systems. Users with similar rights are put together in a user group.
In a distributed multi-process network management product, it is critical to control access to functions and resources. In a traditional system, a user is limited to specific rights on specific directories of a central computer system. Currently, security access involves access control to a network, multi-platform/distributed user management, and protection of specific processes and data on a sensitive distributed system against anyone in the world. Obviously, this kind of control is complex and multi-faceted.
A network management product provides access to a wide range of resources and performs many different types of functions. Each function may apply to different resource types. In addition, the rules for how users get rights may be very complex. One user may inherit the rights of another, or there may be a concept of user groups. It would be unfortunate to require each distributed component to understand all of these complexities for the 'overhead' task of providing access control.
Access control systems typically depend on knowing about all access controllable resources before privileges can be assigned to users/groups. Many current access control systems require knowledge of user rights to be embedded in all distributed components requiring access control. Other access control systems require fixed knowledge of resource and/or function types in a central partitioning engine.
For example, access control in Unix has a fixed set of functions and resources, i.e. read, write and execute on files, although it does provide default permissions for new files. Kerberos is an authentication service for open network systems that uses a centralized ticket granting agent, the key distribution center.
However, it is not always possible to know about all resources that require access control initialization. In some systems, it is not possible to query all resources at any given time. Nonetheless, these systems can still require access control on a per resource basis.
Rule based systems can provide access control for resources in scenarios where not all resources are available. These systems apply rules to resource properties to determine privileges; however, they do not allow rules to be overridden on a per resource basis with the changes retained, especially after knowledge of the resource was lost. For example, Unix 'forgets' file permissions if a file is destroyed and recreated.
There is a need for providing a security manager with means for controlling the access to the resources of a network where privileges are assigned to system resources dynamically, when they are discovered.
There is also a need for providing a partitioning engine that takes responsibility for managing user rights while still allowing individual distributed components to provide arbitrary resources, resource types and functions, even decided at run-time if desired.
It is an object of the present invention to provide an access control system for a communication network which alleviates totally or in part the drawbacks of the prior art systems.
It is another object of this invention to provide an access control system where the privileges are assigned to system resources as they are discovered, and the access control information gathered gradually over time is retained, even if knowledge of the resources is lost. This ensures that resources maintain correct privileges.
Still another object of the invention is to provide a generic partitioning engine designed to provide flexible access control features to a distributed application. The generic partitioning engine of this invention provides distributed components with services that allow the component to efficiently control access to its resources and functions. These generic partitioning services are designed such that each component need not understand the partitioning rules, and the partitioning engine need not understand any specifics of the resources or functions.
Yet another object of the invention is to provide a partitioning engine that manages user rights and allows also for individual distributed components to provide arbitrary resources, resource types and functions.
Accordingly, in a network manager system provided with a plurality of components specialized for executing a plurality of functions on a plurality of resources of a network, and with a graphical user interface (GUI), an access control system comprises, at a component of the network manager, a database for storing access control data pertinent to the component, including all resources accessible to the component, all functions executable by the component and all users that have the right to use the component, according to a set of privileges for each user; an access control library for writing and reading the access control data to and from the database, for execution of a network operation according to the set of privileges on request from a user having the set of privileges; and an access control user interface connected to the access control library for viewing and editing the access control data on the GUI.
Further, in a network manager system provided with a plurality of components specialized for executing a plurality of functions on a plurality of resources of a network, and with a graphical user interface (GUI), a method for controlling access of a user comprises the steps of storing, in a database of a component of the network manager, access control data pertinent to the component, including all resources accessible to the component, all functions executable by the component and all users that have the right to use the component; accessing the database with an access control library so that a network operation requested by a user is executed according to the set of privileges accorded to that user; viewing the access control data on the GUI using an access control user interface connected to the access control library; and editing the access control data using the access control user interface.
Use of the present invention will allow network and service providers to design a flexible and low administration access control system for products that may not have knowledge of all access controllable resources at any given time. This is particularly valuable for network management systems whose resource knowledge is highly distributed.
The access control system (ACS) of the present invention has at least the following advantages over the prior systems:
The ACS can discover resources gradually over time. As resources are discovered, rules are applied to determine 'initial' privileges. The ACS allows initial privileges to be overridden at the granularity of a single resource, and retains the override. This control is not dependent on current knowledge of the resources in the system at large.
The ACS retains knowledge of resources in order to maintain configured privileges even when the system at large does not retain this knowledge.
The partitioning engine according to the invention handles storing rules for user rights, i.e. user groups, inheritance of rights, etc. The partitioning engine stores three-dimensional matrices of users, functions and resources, each matrix containing only the functions that could apply to the resources in that matrix. A distributed component advertises its functions and resources into a particular matrix in the partitioning engine. A component requiring access control requests user rights against the functions and resources it supports from the partitioning engine.
The partitioning engine is distributed and maintains a separation of concerns from the rest of the distributed components. In this way, a distributed application may be extended rapidly, without additional work to manage user rights for each new component that provides access to new functions or resources. It also provides centralized administration, resulting in a cheaper and cleaner way to manage access control.
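The partitioning engine described in the two paragraphs above, together with the per-component store of resources, functions and users stated in the system and method summary, can be sketched as follows. This is an added example written for this page, not code from the patent or from any product; the class, its methods, the resource type "port", the users, groups, regions and rules are all assumed for illustration. It shows the behaviour the text singles out: rules applied at discovery time, an override on one resource, and that override surviving loss and rediscovery of the resource.

```python
"""Toy partitioning engine in the spirit of the access control system
described above.  Written for this page as an illustration; it is not the
patented product's code and every class, method and sample name is assumed."""
from collections import defaultdict


class PartitioningEngine:
    def __init__(self):
        self.groups = defaultdict(set)     # user -> groups (rights are inherited)
        self.functions = defaultdict(set)  # resource type -> advertised functions
        self.rules = defaultdict(list)     # resource type -> (predicate, principal, function, allow)
        self.overrides = {}                # (type, id) -> {(principal, function): allow}; retained
        self.known = defaultdict(dict)     # type -> id -> properties (current knowledge only)
        # One user x function x resource matrix per resource type; a cell is
        # matrix[type][id][principal][function] -> allow.  Only functions
        # advertised for that type can ever appear in it.
        self.matrix = defaultdict(dict)

    def add_user_to_group(self, user, group):
        self.groups[user].add(group)

    def advertise(self, rtype, functions):
        """A component declares which functions it supports on a resource type."""
        self.functions[rtype].update(functions)

    def add_rule(self, rtype, predicate, principal, function, allow):
        """Rule over resource properties, used to compute initial privileges."""
        self.rules[rtype].append((predicate, principal, function, allow))

    def discover(self, rtype, rid, properties):
        """Called by a component as it learns of a resource (possibly again)."""
        self.known[rtype][rid] = properties
        self._rebuild(rtype, rid)

    def forget(self, rtype, rid):
        """The component lost the resource; overrides are deliberately kept."""
        self.known[rtype].pop(rid, None)
        self.matrix[rtype].pop(rid, None)

    def override(self, rtype, rid, principal, function, allow):
        """Administrator sets a privilege on a single resource; retained."""
        self.overrides.setdefault((rtype, rid), {})[(principal, function)] = allow
        if rid in self.known[rtype]:
            self._rebuild(rtype, rid)

    def _rebuild(self, rtype, rid):
        props = self.known[rtype][rid]
        cell = defaultdict(dict)
        for predicate, principal, function, allow in self.rules[rtype]:
            if function in self.functions[rtype] and predicate(props):
                cell[principal][function] = allow
        for (principal, function), allow in self.overrides.get((rtype, rid), {}).items():
            cell[principal][function] = allow  # an override beats the rule
        self.matrix[rtype][rid] = cell

    def check(self, user, function, rtype, rid):
        """Deny by default: unadvertised function or unknown resource -> False."""
        if function not in self.functions[rtype]:
            return False
        cell = self.matrix[rtype].get(rid)
        if cell is None:
            return False
        if function in cell.get(user, {}):  # an explicit user entry wins
            return cell[user][function]
        decisions = [cell[g][function] for g in self.groups[user]
                     if function in cell.get(g, {})]
        return bool(decisions) and all(decisions)  # any group deny wins


def demo():
    """Walk through discovery, rule, override, loss and rediscovery (constructed data)."""
    eng = PartitioningEngine()
    eng.add_user_to_group("alice", "operators")
    eng.add_user_to_group("bob", "viewers")
    eng.advertise("port", {"view", "configure"})
    eng.add_rule("port", lambda p: True, "viewers", "view", True)
    eng.add_rule("port", lambda p: True, "operators", "view", True)
    eng.add_rule("port", lambda p: p["region"] == "east", "operators", "configure", True)
    eng.discover("port", "ne1/1", {"region": "east"})
    eng.discover("port", "ne2/1", {"region": "west"})
    r1 = eng.check("alice", "configure", "port", "ne1/1")  # rule grants
    r2 = eng.check("alice", "configure", "port", "ne2/1")  # rule does not match
    eng.override("port", "ne1/1", "operators", "configure", False)
    r3 = eng.check("alice", "configure", "port", "ne1/1")  # override denies
    eng.forget("port", "ne1/1")
    r4 = eng.check("alice", "configure", "port", "ne1/1")  # unknown -> deny
    eng.discover("port", "ne1/1", {"region": "east"})
    r5 = eng.check("alice", "configure", "port", "ne1/1")  # override survived
    r6 = eng.check("bob", "view", "port", "ne1/1")         # granted via viewers
    r7 = eng.check("bob", "configure", "port", "ne1/1")    # nothing grants it
    return (r1, r2, r3, r4, r5, r6, r7)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The engine knows nothing about what a "port" or "configure" means; a component that later advertises a new resource type or function needs no change to the engine, which is the separation of concerns the text describes. And because the override store is keyed by resource identity rather than by the engine's current knowledge, a resource that is lost and rediscovered comes back with the administrator's per-resource decision intact, unlike the Unix example where recreating a file resets its permissions.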