1. Field of the Invention
This invention relates generally to computer systems having a master entitlement processor for storage and maintenance of a dynamic database of user information, which user information is utilized by an application run on a user computer system. More particularly, this invention relates to computer systems which allow two-way communication of user information between master entitlement processors and a user computer system.
2. Description of the Related Art
In conventional computer systems having a master entitlement processor, the master entitlement processor stores user information, such as user ID numbers, user passwords and user permission information for use by the user computer system (for example, servers and associated user workstations) when the user computer system runs applications.
Reference to the user information stored in the master entitlement processor (MEP) causes the applications to be controlled in a predetermined manner appropriate for the specific user based on the user information. For example, if the user password is not among the user passwords in the MEP database of user information, then the user cannot use the applications at all. As another example, if the user permission information permits the user access to some features of the applications, but not to others, then the applications will be controlled to allow the user to access only the permitted features.
The user information can be changed in the MEP through dedicated management information system (MIS) workstations, but not through the user computer system itself. As a practical matter, this can make it difficult to change user information for the user. For example, if the user wants to change her password, she must have this operation performed by somebody with access to an MIS workstation.
This also limits the types of user information which can be stored in the MEP database. For example, the user information will not include the identity of the server(s) which the user is currently logged into because these servers have no way of communicating this information to the MEP, and because the MEP cannot receive user information from the user computer system.
Also, in many conventional master entitlement processor systems (that is, computer systems which include an MEP and a user computer system), each user is limited to logging into a single, predetermined server. This means that a users will not be able to run the application if her predetermined server experiences failure conditions. In this kind of system, the user""s designated server may receive from the MEP and store the user""s user information in memory or on a magnetic disk. However, the user""s user information will not be present on any other servers in the system.
It is an object of the present invention to provide a master entitlement processor system wherein user information can be easily modified in an MEP and readily distributed to all computers in the user computer system. It is also an object of this invention to store user permission data in a compact form which can easily adapt to changes in the permission scheme. It is a further object of the invention to provide robust failover and failback operations through the organization of servers into an enterprise/domain/server hierarchy.
It is a feature of the present invention that there is communication of user information from a user computer system up to an MEP. It is another feature of the invention that user permission information is stored in a table-driven format which is expanded through the use of a dynamic table into a predetermined format suitable for an application. It is a further feature of this invention that servers are organized into sets, referred to as domains.
It is an advantage of the present invention that users can easily change at least some portion of their user information. It is another advantage of the invention that the permission scheme does not have to be hard-coded into the user computer system. It is a further advantage of this invention that users can continue to run applications without substantial interruption upon failure of some, or even all, servers in a domain.
It is an advantage of the present invention that enterprises (such as a market data enterprise) can be extended over a publicly connected network so that each enterprise will be using its own resources. In this case, users belonging to an enterprise will be limited to servers in their own enterprise.
According to one aspect of the present invention, a master entitlement processor system includes an MEP, a user computer system (UCS), and communication means for providing two-way data communication between the MEP and the UCS. The MEP has code for storing a database of user information, and for modifying the database according to data received from the UCS through the communication means. The UCS has code for supporting at least one application, for receiving user information from the MEP, and for sending user information database modification instructions to the MEP. In this way the system can provide for central control and maintenance of user information as well as distributed (local) control and maintenance of such information.
According to a second aspect of the invention, a computer system includes a first computer (for example, an MEP computer), a second computer (for example, a server/workstation) and a communication means. The first computer stores a table-driven access permission list in the form of a variable-length string of bits wherein each bit represents the status of a specific permission for a user. The second computer stores a dynamic table and code for expanding the table into permission information in a predetermined format using the dynamic table. The expanded-format permission information can then be directly utilized by applications to control which features of the applications that specific user will be able to access.
According to a third aspect of the present invention, an enterprise computer system includes a first domain, a second domain and a user computer. The first domain includes a plurality of first-domain server computers. The second domain includes a plurality of second-domain server computers. Program code located in each of the server computers allows a user to log into any one of the server computers in at least one of the first and second domains, and thereafter to receive data from the server computer which the user is logged into. The domain structure can be used to maintain the users server access in a controlled, yet flexible, manner, because a particular user may be preferably directed to a particular domain (that is, set of servers) without being rigidly tied to a single, specific server.