Method of document-oriented adaptive security management

FIELD: physics; computer engineering.

SUBSTANCE: the invention relates to methods of managing document circulation in a security system. A request to change the access rights of a subordinate employee is generated by a superior employee, who enters the data about the change of access rights into the IT system; a system web portal carries out the actions contained in the request during the request's life cycle. The request is then processed in order to determine the information needed for the further processing of the request and for the generation of instructions. After the decision-making process concerning the granting of access rights to IT system resources to the subordinate employee, the request is authorized. The method also includes the implementation of the request by appointing an executor for all instructions of the request and modifying the text of the instructions, and the execution of the instructions by the appointed executor by changing the state of the IT system. The method may also include control over the execution of the instructions by monitoring the correctness of the changes to access rights and confirming that these changes conform to the general instructions.

EFFECT: integration and automatic coordination of the procedures for managing user identification and access rights.

9 cl, 17 dwg

The technical field

This invention relates to the field of information security management. The management of a company that owns information is responsible for maintaining its security; this responsibility may arise from legal requirements or from internal company standards. Operational information security management is usually performed by the IT department (information technology department) and the information security department. The IT department is responsible for keeping the IT systems used in the company's work operational, while the information security department ensures the security of the data those systems process.

Prior art

The growing use and capabilities of IT systems often bring the functions of the IT department and the information security department into conflict.

1. The IT department strives to create an environment in which no change to the IT systems causes a failure of the software in use. Because the IT department's goal is a system that operates continuously, it regards the measures proposed by the information security department as introducing instability and slowing down the system's workflows.

2. The information security department regards every user of the IT system as a potential threat to the security and health of the system and tries to restrict each user's access rights to system resources.

Company management therefore wants assurance that all legal requirements applicable to information security and risk management, and all internal company standards, are complied with continuously. In addition, management wants information security funds to be allocated and spent efficiently, and the acquired information security systems to operate in a mode that lets business units perform their functions while keeping users' access to information restricted.

For many users the relationships between applications and information resources can become complex and varied. Typically several kinds of information security tools are present: the standard security tools of operating systems and applications, and special-purpose protection tools (for example, firewalls). For various reasons, information security management is usually split between two or more departments: the IT department is usually responsible for the standard tools, while the information security department controls the special-purpose security subsystems. This can leave the employees of these departments with an unclear and blurred understanding of who is responsible for information security.

An unclear and vague understanding of responsibilities may have the following negative consequences.

1. Some employees may receive excessive access rights to IT system resources.

2. Granting or restricting users' access rights to system resources may become less effective.

3. When responsibilities are divided between the two departments, conflicts between them are possible.

One element of IT system security is the development of corporate security standards. These standards are a set of policies and rules that, among other things, set out the procedure for making changes to the IT system. These policies and rules should require that every change be documented and agreed with the responsible persons in accordance with the document.

The classical scheme of document circulation, however, is practically unusable with information systems, for the following reasons.

1. Agreeing changes may take too long. In many cases the IT department simply cannot delay making a change to the IT system while waiting for the authorizing document.

2. There is often a mismatch between the text of the document and the actual changes made in the system. Changes in the IT system may not correspond to the documented standards, and in many cases tracking the changes is a complex task.

3. The document describing the original standard often does not contain a detailed description of all the changes that will then need to be made in the IT system. Making one change in the IT system may entail the need for other changes, without which the ultimate goal of applying the standard is not achieved.

4. It often happens that the concepts and procedures described in the standards are not interpreted correctly by IT department staff. Likewise, the IT department's report of the actions it has performed may not be described clearly enough for subsequent verification and confirmation. The situation is further complicated by the different professional vocabularies that management and IT personnel use when discussing IT systems.

The method of document-oriented adaptive security management (DOASM) is designed to implement the following functions:

- automatic transformation of security policy rules written in business terms (hiring, dismissal, new responsibilities) into technical instructions for configuring internal and external security systems;

- discovery, assignment of responsibility and inventory of the company's information resources;

- integration and automatic coordination of the procedures for managing user authentication and access rights;

- automatic monitoring, based on reliable data, of the conformity of the actual security settings to the company's current security policy, with notification of management about detected non-conformities;

- automatic planning and implementation of the document workflow associated with information security management (creation, modification and validation of formal requests for a change in an employee's status, extension of access rights, and so on).

It is useful to consider some aspects of the system of the invention in comparison with conventional lower-level systems. As will be shown, lower-level systems can be used to solve some similar problems, but none of them has all the features and advantages of the proposed system.

Managed objects. In some lower-level systems, management is implemented centrally through a set of managed objects (in the operating system or in an application), mainly for web applications. DOASM has the following advantages over systems of this type.

- DOASM manages access rights not only for web applications but also for other applications.

- DOASM takes the network topology into account when managing network devices (for example, the user's relative location in the network; in particular, firewall settings can be configured to provide access to an object).

- DOASM automatically (without manual intervention) determines the route for agreeing and formulating requests to change access rights, based on the structure of the organization and its resources.

- DOASM implements an exact division of responsibilities between the IT department and the information security department with respect to managing and controlling the system.

- DOASM may make the requested changes in the working system itself, or may leave them to be made by other means. Thus DOASM does not replace the standard management tools.

- DOASM creates precise technical instructions that administrators carry out with familiar tools.

Advantages of DOASM over another class of lower-level systems.

- DOASM controls access to specific resources (files, directories, tables, permitted operations), rather than only at the level of user IDs and groups of user IDs.

- DOASM automatically (without manual intervention) determines the route for approving and formulating a request to change access rights, based on the structure of the organization and its resources.

- DOASM implements an exact division of responsibilities between the IT department and the information security department with respect to managing and controlling the system.

- DOASM is also used to inventory the enterprise's information resources and to determine the responsibility of the owner of the information.

In this class of lower-level systems there is no high-level correlation between the parameter values set in the information security subsystems (for example, values derived from the standards) and the policy and the control of operations.

In many lower-level systems there is no automatic check of the technical parameters of IT systems (for example, enforcement of password length and password expiry) against the standards. Lower-level systems also have no link to the security policy as a printed document in business terms (statement of tasks, adjustment, monitoring of execution), nor to the document workflow (preparation, validation and formulation of a request to grant access).

In some lower-level systems attempts have been made to link business roles with the technical parameters of access, with commissioning and with monitoring of compliance with the rules. However, systems of this type have no automatic planning of the document flows and of the implementation of the document covering the preparation, validation, implementation and monitoring of compliance with the rules for granting rights and privileges in IT systems.

In some lower-level systems the functions of preparing, validating and formally controlling the execution of the instructions contained in a document are implemented. However, unlike DOASM, these systems do not convert working documents into technical instructions and do not exercise targeted control over their execution.

Thus, to date there is no technology similar to DOASM in all of the distinguishing functions described.

One aspect of the present invention is a method of security document workflow. The security system includes a server, a database, a system configuration subsystem, a web portal and agent modules that manage access to restricted information in the IT system; changes in the status of employees, projects and responsibilities; and the objects of the IT system, each of which belongs to one of the resource types. The method includes the following elements:

generation of a request to change the access rights of a subordinate employee by a superior employee, who enters the data about the change of access rights into the IT system, provided that the superior employee has access to the system and that creating requests is among his responsibilities;

use of the system's web portal to perform the actions contained in the request within the request's life cycle.

The method also includes processing the request to change the access rights of the subordinate employee, sent by the superior employee, to determine the information needed for the further steps of request processing and for the generation of instructions.

The method also includes authorizing the request after the decision-making process concerning the granting of access rights to IT system resources to the subordinate employee. The method also includes implementing the request by appointing an executor for all instructions in the request and making changes to the text of the instructions. The method includes executing the instructions, whereby the appointed executor changes the state of the IT system. The method may also include control over the execution of the instructions by monitoring the correctness of the changes in access rights and verifying that these changes conform to the general instructions.

The functions of DOASM also include the following.

1. Implementation of a document management system based on a business process model (the DOASM server model) and on procedures for the sequential processing of documents related to changes in that model.

2. Modeling of the controls in the IT system with adaptive feedback, allowing changes at the level of information and technical resources to be converted to the level of the organization (company) and vice versa.

3. Centralized registration of changes in the model and in the enterprise's IT systems, with an interface for their analysis.

Further features and advantages of the method are described in the detailed description below. They will be obvious to a person skilled in the art, or will be identified during practical use of the method in accordance with this document, which includes the text, the patent claims and the drawings.

Brief description of drawings

Figure 1 shows an example of document-level objects.

Figure 2 shows the structure of a request between the document-level objects depicted in Figure 1.

Figure 3 shows an example of company-level objects.

Figure 4 shows the structure of a role between the company-level objects shown in Figure 3.

Figure 5 shows an example of platform objects.

Figure 6 shows an example of the subjects and objects of IT system access.

Figure 7 shows an example of the projections of roles and managers onto the level of IT resources, from the objects depicted in Figures 2, 3, 4, 5 and 6.

Figure 8 shows a block diagram of the deployment of the system using W2K AD and PKI agents.

Figure 9 shows a block diagram of the input of IT system data into the DOASM model.

Figure 10 shows a block diagram of the deployment of the agent emulator.

Figure 11 shows a block diagram of the input of the enterprise's organizational structure into the DOASM model.

Figure 12 shows a block diagram of the synchronization of IT-level objects with the enterprise objects shown in Figure 3.

Figure 13 shows a block diagram of the legalization of the resources depicted in Fig.

Figure 14 shows a block diagram of changes in the state of the model and of the IT systems.

Figure 15 shows a block diagram of the implementation of a working document.

Figure 16 shows a block diagram of the processing of the request shown in Figure 2.

Figure 17 shows a block diagram of request processing by the server.

Disclosure of the invention

The starting point for the operation of the system is the managed information and hardware equipment of the company on which DOASM is deployed.

The DOASM technology is a comprehensive data storage model (hereinafter the "DOASM model" or "integrated DOASM model") that combines the organizational and informational objects and the technical resources of the enterprise and links the enterprise objects with their technological and informational representations.

The integrated DOASM model consists of several levels of objects:

1. The document level.

2. The enterprise level.

3. The IT resource level.

The DOASM model paradigm includes rules for mapping objects onto the same or a different level, and rules for the relations between objects. The document level considers only two objects: the request and the instruction.

Figure 1 shows examples of document-level objects 100, consisting of the Request 110 and the Instruction 120. In the model, a request object is a document containing requirements for a change in the IT system, expressed in business terms. An instruction object is an indivisible action directed at changing the parameters of the IT system, expressed in the terms of a specific platform. A request object is related to a number (zero or more) of instructions; an instruction object may belong to many (one or more) requests.

Figure 2 shows the structure 200 of a request between the document-level objects 100 depicted in Figure 1. A request 110 consists of a number of phases 210, each of which represents a stage in the processing life cycle of the document in the system. For example, a typical request processing involves the following phases:

1. Initial processing.

2. Validation.

3. Control.

4. Update.

5. Application.

Each request phase 210 in turn consists of a number of phase elements 220, which represent the participants in that stage of the document's processing and additional process parameters. For example, the validation phase of a request contains N phase elements 220, where N is the number of responsible persons 230 taking part in the validation.
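As an added illustration (it is not code from the patent or from DOASM), the following Python models the request life cycle described above: a request passes through the listed phases, the responsible persons of the validation phase must all record a decision before the next phase opens, and the instructions derived from the request can only be executed once it has been authorized and has reached the application phase. The role catalogue, the employee names and the rule that the author of a request may not validate it are assumptions made for the example.

```python
"""Request life cycle with phases and responsible persons (added example).

Illustration written for this page, not code from the patent or from DOASM.
A Request (a document in business terms) passes through the phases listed
above; the responsible persons of the validation phase (its phase elements)
must all decide before the next phase opens; Instructions (indivisible
platform-level actions) are derived from the request once it is authorized
and may only be executed in the application phase. The rule that the author
may not validate the request is this example's own segregation-of-duties
assumption. Names, the role catalogue and the sample request are constructed.
"""
from enum import Enum


class Phase(Enum):
    INITIAL = "initial processing"
    VALIDATION = "validation"
    CONTROL = "control"
    UPDATE = "update"
    APPLICATION = "application"


PHASE_ORDER = list(Phase)

# Constructed catalogue: business-level role -> (platform, group) it maps to.
ROLE_TO_GROUP = {"analyst": ("fs01", "grp-analytics"), "hr_reader": ("fs01", "grp-hr-ro")}


class WorkflowError(Exception):
    """Raised when an action is attempted outside the phase that allows it."""


def derive_instructions(subject, role):
    """Convert the business-term request into indivisible platform-level actions."""
    platform, group = ROLE_TO_GROUP[role]
    return [{"platform": platform, "action": "add_member", "group": group, "user": subject}]


class Request:
    def __init__(self, rid, author, subject, role, approvers):
        if author in approvers:
            raise WorkflowError(f"{rid}: author cannot be a responsible person")
        self.rid, self.author, self.subject, self.role = rid, author, subject, role
        self.phase = Phase.INITIAL
        self.pending = set(approvers)   # phase elements of the validation phase
        self.decisions = {}             # responsible person -> True (approve) / False
        self.instructions = []
        self.executed = []

    def sign(self, person, approve):
        """A responsible person records a decision; only valid during validation."""
        if self.phase is not Phase.VALIDATION:
            raise WorkflowError(f"{self.rid}: not in validation phase")
        if person == self.author:
            raise WorkflowError(f"{self.rid}: author may not validate own request")
        if person not in self.pending:
            raise WorkflowError(f"{self.rid}: {person} is not a responsible person")
        self.pending.remove(person)
        self.decisions[person] = approve
        return self.decisions

    def advance(self):
        """Open the next phase; refused while the current phase is incomplete."""
        if self.phase is Phase.VALIDATION:
            if self.pending:
                raise WorkflowError(f"{self.rid}: awaiting {sorted(self.pending)}")
            if not all(self.decisions.values()):
                raise WorkflowError(f"{self.rid}: rejected during validation")
        idx = PHASE_ORDER.index(self.phase) + 1
        if idx == len(PHASE_ORDER):
            raise WorkflowError(f"{self.rid}: already in the final phase")
        self.phase = PHASE_ORDER[idx]
        if self.phase is Phase.CONTROL:      # authorized: instructions now exist
            self.instructions = derive_instructions(self.subject, self.role)
        return self.phase

    def execute(self, executor):
        """Only an authorized request in the application phase may change IT state."""
        if self.phase is not Phase.APPLICATION:
            raise WorkflowError(f"{self.rid}: cannot execute in phase '{self.phase.value}'")
        self.executed = [dict(ins, executor=executor) for ins in self.instructions]
        return self.executed


def refused(action, *args):
    """True if the workflow refuses the action (used to exercise the guards)."""
    try:
        action(*args)
    except WorkflowError:
        return True
    return False


def run_sample():
    """Walk a constructed request through the whole life cycle."""
    req = Request("REQ-0001", "sidorov", "ivanov", "analyst", {"head_of_it", "infosec"})
    log = {"execute_before_authorization": refused(req.execute, "admin")}
    req.advance()                                   # -> validation
    log["author_self_sign"] = refused(req.sign, "sidorov", True)
    log["advance_with_pending"] = refused(req.advance)
    req.sign("head_of_it", True)
    req.sign("infosec", True)
    req.advance()                                   # -> control (authorized)
    log["instructions"] = list(req.instructions)
    log["execute_before_application"] = refused(req.execute, "admin")
    req.advance()                                   # -> update
    req.advance()                                   # -> application
    log["executed"] = req.execute("admin")
    log["final_phase"] = req.phase
    return log
```

The guards are the security-relevant part: nothing touches the IT system until every responsible person has decided, a single rejection stops the request, and the author cannot be one of the deciders.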

At the company level the objects are those that model the organizational units of the enterprise (business units, positions, projects, employees and managers) and the entities needed to model business processes (for example, the distribution of rights and duties).

Figure 3 shows an example of company-level objects 300. An employee object 310 is a real employee registered in DOASM. A manager object 230 is the logical subject of access control in the model; it is an employee assigned to a position 340. One employee 310 may be assigned to any number of positions 340, i.e. may have zero or more managers 230. An organizational unit object 320 is any structural unit of the company or holding company: a legal entity, department, division, section, etc. The organizational units form a hierarchical tree in which the higher-level units are the larger organizational units and the units linked to them are the smaller organizational units subordinate to them. A position object 340 reflects the concept of a permanent post in a specific organizational unit of the company, such as engineer of the analytical department, programmer of the technical department or secretary of the personnel department. A unit may contain any number of positions, but a position is always associated with exactly one unit. A role object 330 reflects the concept of role-based access. At the company level, access rights are assigned through roles. Roles 330 are assigned to the subjects of access control (managers) directly or through their positions. A manager 230 may be associated with any number of roles 330, and a position 340 may also be associated with any number of roles 330.

Figure 4 shows an example of the structure of the roles 330 shown in Figure 3. A direct or indirect link 410 between a manager 230 and a role 330 (through a position 340) is treated in DOASM as access to the necessary resources. Structurally, a role 330 consists of a set of pairs of resource 430 and access right 420. A role 330 is a cross-platform concept, i.e. it may contain any number of different resources 430 of various platforms and the access rights 420 to them.

The IT level contains the objects needed to model the informational and technological resources of the enterprise (platforms and their instances, resources and their types, objects and subjects of logical and physical access, computers, domains, hosts, subnets, routing tables, etc.).

Figure 5 shows an example of platform objects 500. In the model, a platform object 510 is any class of software, service or equipment characterized by a given set of resource types 520, the access rights 420 to them and other values of security parameters. An agent object 530 is an instance of a platform together with the DOASM software agent associated with it.

A resource type object 520 is a resource type supported by a platform 510. For example, for a platform based on the Windows operating system such types as directory and file can be configured, and for a platform of another type, the organizational unit. A resource object 430 is an information resource, the object of logical access. An access right object 420 is the access type for a given resource type.

Figure 6 shows an example of the subjects and objects 600 of IT system access. To describe access subjects at the IT level there are three objects: the generalized access subject 620, the user ID 610 and the group of user IDs 630. In the model, a generalized access subject 620 is either a user ID 610 (or its analogue) or a group of user IDs 630 (or its analogue). A user ID object 610 is a user ID or its equivalent on the target platform 510; a group of user IDs object 630 is a group of user IDs or its equivalent on the target platform 510. A generalized access subject is also characterized by the set of access elements 640 associated with it, each combining a resource 430 and the access rights 420 to it for the instance of the target platform (agent).

Figure 7 shows an example of the projections 700 of roles and managers onto the level of IT resources, from the objects shown in Figures 2, 3, 4, 5 and 6. The projection model of these objects is used at the IT level to control the access rights of the IT-level objects 600 on behalf of the company-level objects. A manager object 230 is projected onto user ID objects 610 on the managed platform instances 510, and a role object 330 is projected onto groups of user IDs 630. Thus the creation, deletion and editing of direct and indirect links, and changes in the status of roles 330 and managers, are treated as the need to create, delete or edit the relationships or status of the corresponding projections of these objects.
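The following Python is an added illustration, not code from the patent or from DOASM, of the company-level objects and their projection described above: each position belongs to one unit, roles are sets of (resource, access right) pairs that may span platforms, managers obtain roles directly or through their position, and the projection turns a manager into a user ID on each managed platform and a role into a group of user IDs. It also shows that revoking a role link at the company level drops the corresponding group membership on re-projection. The platform names, paths and organization are constructed for the example.

```python
"""Company-level objects and their projection onto IT-level subjects (added example).

Illustration written for this page, not code from the patent or from DOASM.
Employees, positions (each in exactly one organizational unit), roles as sets
of (resource, access right) pairs that may span platforms, and managers (access
subjects) holding roles directly or through their position. `project()` maps a
manager onto a user ID per platform and a role onto a group of user IDs, so
group membership carries the role's access elements. All sample data is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    platform: str   # platform instance, e.g. a Windows file server (constructed name)
    rtype: str      # resource type supported by that platform
    path: str


@dataclass(frozen=True)
class AccessElement:
    resource: Resource
    right: str      # access type defined for that resource type


@dataclass(frozen=True)
class Role:
    name: str
    elements: frozenset  # of AccessElement; may mix platforms


@dataclass
class Position:
    name: str
    unit: str                               # exactly one organizational unit
    roles: list = field(default_factory=list)


@dataclass
class Manager:
    """Logical access subject: an employee assigned to a position."""
    employee: str
    position: Position
    direct_roles: list = field(default_factory=list)


def effective_roles(m):
    """Direct links and indirect links through the position both count as access."""
    return set(m.direct_roles) | set(m.position.roles)


def effective_access(m):
    return {e for role in effective_roles(m) for e in role.elements}


def project(managers):
    """Manager -> user ID on each platform the role touches; role -> group of user IDs."""
    projection = {}
    for m in managers:
        for role in effective_roles(m):
            for platform in {e.resource.platform for e in role.elements}:
                p = projection.setdefault(platform, {"users": {}, "groups": {}})
                uid = f"{m.employee}@{platform}"
                p["users"].setdefault(uid, set()).add(role.name)
                p["groups"].setdefault(role.name, set()).add(uid)
    return projection


def revoke_position_role(position, role):
    """Remove a company-level link; re-projecting then drops the group membership."""
    position.roles = [r for r in position.roles if r is not role]
    return position


def build_sample():
    analytics = Resource("fs01", "directory", r"D:\Analytics")
    hr = Resource("fs01", "directory", r"D:\HR")
    crm = Resource("crm01", "table", "customers")
    analyst = Role("analyst", frozenset({AccessElement(analytics, "read"),
                                        AccessElement(analytics, "modify"),
                                        AccessElement(crm, "select")}))
    hr_reader = Role("hr_reader", frozenset({AccessElement(hr, "read")}))
    engineer = Position("engineer", "analytical department", [analyst])
    secretary = Position("secretary", "personnel department", [hr_reader])
    # ivanov holds hr_reader directly and analyst through his position
    return [Manager("ivanov", engineer, [hr_reader]), Manager("petrova", secretary)]
```

Because a role may span platforms, one company-level link can produce memberships on several platform instances; the projection is therefore the single place to check what a person can reach across all of them.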

Deployment on the IT resources includes installation of the central components of the system (the server and the management subsystem) and installation of the agents on the managed sets of hardware and software.

Figure 8 shows a block diagram of the deployment 800 of the system using W2K-AD (Windows 2000 Active Directory) and PKI (public key infrastructure) agents. It includes installation of the central components of the system (server 880 and management subsystem 850) and installation of the agents 810, 820 on the managed hardware and software sets 830, 840. The hardware configuration for installing the DOASM components must meet the following minimum requirements.

Name                                  Requirements
Security server 880                   Intel Pentium IV Xeon processor, 3 GHz clock frequency;
                                      2048 MB RAM; SCSI hard disk controller
DOASM administrator's computer 890    Intel Pentium IV processor, 1.5 GHz clock frequency; 512 MB RAM

No special requirements apply to the domain controller 870 and the file servers 860.

Creating a model of the IT objects requires entering into the system database the information required by the schema of the underlying DOASM model, in accordance with the actual data about the specific IT system.

Figure 9 shows a block diagram of the input 900 of IT system data into the DOASM model. The input of IT system data into the DOASM model comprises the following processes.

Agent installation 910 is the installation and configuration of the agent software modules on the server that runs the IT objects. Input data for the process:

- A1. Parameters for connecting to the DOASM server: the technical data required for the data transmission channel between the DOASM agent and the DOASM server and for the correct operation of the agent (the server URL; the configuration of the agent's operating modes depends on the specific implementation of the agent). Resources for the process:

- A2. IT department employee: a staff member of the company's IT department who installs and configures the DOASM software (server, database, management subsystem and agent modules) and also operates DOASM (validation and updating of requests, execution of instructions). Basis for the process:

- A3. Agent installation instructions: the document from the DOASM documentation set that describes the installation and configuration of the DOASM agent software module. Results of the process:

- A4. Connection of the agent to the DOASM server: a channel providing communication and the necessary interaction through the methods of the interaction interface.

- A5. Agent instance: the DOASM software module used to implement the control mechanisms and access rights management for an IT system instance. It monitors changes in the IT system and maps them onto the corresponding instructions, or records deviations (creation of user IDs, groups of user IDs, and so on).

Obtaining data on the state of the model 920 is the process by which the DOASM agent receives data on the state of the model maintained in the system. This process requires neither input data nor a basis for its implementation. Resources for the process:

- A4. Connection of the agent to the DOASM server: a channel providing communication and the necessary interaction through the methods of the interaction interface. Results of the process:

- A7. Model state: the system description of the instance's objects, their status and their relationships. The structure and description of the objects depend on the type of the IT system instance. Groups of users, users, resources and access rights, and the relationships between them, can be represented as shared objects.

Obtaining data on the state of the IT system instance 930 is the process by which the DOASM agent collects data on the state of the IT system instance and translates it into the system's internal format. The structure and completeness of the collected information correspond to the resource types supported by the IT system. This process requires neither input data nor a basis for its implementation. Resources for the process:

- A5. Agent instance: the DOASM software module used to implement the control mechanisms and access rights management for an IT system instance. It monitors changes in the IT system and maps them onto the corresponding instructions, or records deviations (creation of user IDs, groups of user IDs, and so on). Results of the process:

- A8. Instance data: interrelated data on the subjects and objects that describe the state of the IT system instance (groups, users, resources and access rights, and the relationships between them).

Model analysis 940 is the process of comparing the data describing the state of the model with the data describing the state of the IT system instances, in order to identify differences between them. Input data for the process:

- A7. Model state: the system description of the instance's objects, their status and their relationships. The structure and description of the objects depend on the type of the IT system instance. Groups of users, users, resources and access rights, and the relationships between them, can be represented as shared objects.

- A8. Instance data: interrelated data on the subjects and objects that describe the state of the IT system instance (groups, users, resources and access rights, and the relationships between them). This process requires no basis for its implementation. Resources for the process:

- A5. Agent instance: the DOASM software module used to implement the control mechanisms and access rights management for an IT system instance. It monitors changes in the IT system and maps them onto the corresponding instructions, or records deviations (creation of user IDs, groups of user IDs, and so on). Results of the process:

- A9. Changes: information about objects and their relationships that is present in the IT system instance data but missing from the description of the model state.

Analysis and input of instance data into the database 950 is the process of converting the state information of IT system instances and saving it in the centralized DOASM data store. Input data for the process:

- A9. Changes: information about objects and their relationships that is present in the IT system instance data but missing from the description of the model state. This process requires no basis for its implementation. Resources for the process:

- A10. Database: the DOASM subsystem for storing and processing data. It is a homogeneous relational database for entering operational information, ensuring the preservation and integrity of the system's reference data. Results of the process:

- A11. Synchronized state of the model and the instance: the state of the system model that takes into account the information received from the new IT system instance and contains the information that must be taken into account for all managed IT system instances.
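The following Python is an added illustration of the model analysis process 940 and of the monitoring function named earlier, not the patent's or DOASM's own code. It parses an instance state from a small line-based text format constructed for the example (the description gives no format for the agent's data), compares it with a model state built inline, and separates model entries absent from the instance (which become instructions for the executor) from instance entries absent from the model (deviations made outside the workflow, which are the ones to report to management). All names and data are constructed.

```python
"""Model analysis: comparing the model state with an instance's reported state (added example).

Illustration written for this page, not code from the patent or from DOASM.
The instance state is parsed from a line-based text format constructed here
(not a DOASM format), the model state is built inline, and the comparison
yields two kinds of differences: model entries missing from the instance,
which become indivisible instructions, and instance entries unknown to the
model, which are reported as deviations. All names and data are constructed.
"""
from dataclasses import dataclass, field

CATEGORIES = ("users", "groups", "members", "acl")


@dataclass
class State:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    members: set = field(default_factory=set)   # (group, user)
    acl: set = field(default_factory=set)       # (resource, subject, right)


def parse_instance(text):
    """Parse the constructed agent format: one record per line, '#' starts a comment."""
    st = State()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *args = line.split()
        if kind == "user" and len(args) == 1:
            st.users.add(args[0])
        elif kind == "group" and len(args) == 1:
            st.groups.add(args[0])
        elif kind == "member" and len(args) == 2:
            st.members.add(tuple(args))
        elif kind == "acl" and len(args) == 3:
            st.acl.add(tuple(args))
        else:
            raise ValueError(f"line {n}: malformed record {raw!r}")
    return st


def analyse(model, instance):
    """Per category: what the model expects but the instance lacks, and vice versa."""
    report = {}
    for cat in CATEGORIES:
        m, i = getattr(model, cat), getattr(instance, cat)
        report[cat] = {"missing": sorted(m - i, key=str), "unexpected": sorted(i - m, key=str)}
    return report


def instructions(report):
    """Model entries missing from the instance become indivisible actions for the executor."""
    verbs = {"users": "create_user", "groups": "create_group",
             "members": "add_member", "acl": "grant"}
    return [{"action": verbs[cat], "target": entry}
            for cat in CATEGORIES for entry in report[cat]["missing"]]


def deviations(report):
    """Instance entries the model does not know: changes made outside the workflow."""
    return [{"category": cat, "entry": entry}
            for cat in CATEGORIES for entry in report[cat]["unexpected"]]


# Constructed sample: what the model expects versus what the agent reported.
MODEL = State(
    users={"ivanov", "petrova"},
    groups={"grp-analytics", "grp-hr-ro"},
    members={("grp-analytics", "ivanov"), ("grp-hr-ro", "ivanov"), ("grp-hr-ro", "petrova")},
    acl={("D:\\Analytics", "grp-analytics", "modify"), ("D:\\HR", "grp-hr-ro", "read")},
)

AGENT_REPORT = """\
# constructed agent snapshot of platform instance fs01
user ivanov
user petrova
user tmpadmin                    # not in the model
group grp-analytics
group grp-hr-ro
group Administrators
member grp-analytics ivanov
member grp-hr-ro ivanov
member Administrators tmpadmin   # membership granted outside the workflow
acl D:\\Analytics grp-analytics modify
acl D:\\HR grp-hr-ro read
acl D:\\HR tmpadmin full
"""


def run_sample():
    report = analyse(MODEL, parse_instance(AGENT_REPORT))
    return instructions(report), deviations(report)
```

The two output lists are deliberately kept apart: a missing membership is a routine instruction, but an unexpected account, group membership or ACL entry is exactly the kind of change the description's monitoring function exists to surface, and it should be reported rather than silently absorbed into the model.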

Figure 10 shows a block diagram of the deployment 1000 of the agent emulator. Deployment of the agent emulator (a "black box" agent) includes the following processes. Creation of the platform description 1010 is the process of creating an XML file containing the description of the platform required for managing access rights to the platform's resources. Input data for the process: none. Resources for the process:

- A12. Platform description wizard: a software module included in the DOASM administration kit. It is a graphical user interface for creating platform descriptions.

- A2. IT department employee: a staff member of the company's IT department who installs and configures the DOASM software (server, database, management subsystem and agent modules) and also operates DOASM (validation and updating of requests, execution of instructions). This process requires no basis for its implementation. Results of the process:

- A13. Platform description: the XML file describing the platform, created by the IT department employee using the platform description wizard.

Creation of the business application instance data 1020 is the process of creating a text file containing information about the instance of a specific business application. The file contains the set of user IDs and groups of user IDs present in the managed instance, and the set of resources with the access rights granted to those IDs and groups. Input data for the process: none. Resources for the process:

- A2. IT department employee: a staff member of the company's IT department who installs and configures the DOASM software (server, database, management subsystem and agent modules) and also operates DOASM (validation and updating of requests, execution of instructions).

- A15. Business application instance data: information about the user IDs, groups of user IDs and resources contained in the business application instance. Basis for the process:

- A14. Business application data file format: the document from the DOASM documentation that describes the structure and format of the business application instance data file. Results of the process:

- A16. Business application instance data file: a text file with a specific structure and format containing information about the business application instance.

Creation of the platform instance 1030 is the process of installing and configuring the agent emulator for the given business application instance, including the loading of the information associated with the platform description and the business application instance data. The process is performed using special wizards included in the DOASM system configuration. Input data for the process:

- A13. Platform description: the XML file describing the platform, created by the IT department employee using the platform description wizard.

- A16. Business application instance data file: a text file with a specific structure and format containing information about the business application instance. Resources for the process:

- A10. Database: the DOASM subsystem for storing and processing data. It is a homogeneous relational database for entering operational information, ensuring the preservation and integrity of the system's reference data.

- A17. DOASM system configuration: a software package designed to perform the operations of configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT department and the information security department. This process requires no basis for its implementation. Results of the process:

- A18. Synchronized state of the model and the business application instance: the state of the system model that takes into account the information received from the new business application instance and contains the information that must be taken into account for all managed IT system instances.

Figure 11 shows the block diagram of entering the organizational structure of the enterprise into the DOASM model. Entering the organizational structure of the enterprise into the model includes the following processes.

R Selection of an adapter for the organizational structure data source 1110 is the process of selecting, from the range supported by DOASM, a specialized adapter for obtaining data about the organizational structure of the enterprise, setting the connection parameters specific to that data source, and obtaining the information about the organizational structure. The process is performed using a specialized wizard (organizational structure data import wizard) included in the configuration system. This process requires no input data. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department. This process requires no basis. Results of the process:

- A19. Information on the adapter and the organizational structure data source is the technical information needed to maintain the connection to the organizational structure data source and obtain information from it. It consists of the adapter for the communication channels and the connection parameters of the organizational structure data source.

R Obtaining and importing organizational structure data 1120 is the process of obtaining the data, analyzing and converting it into the internal format, and storing the organizational structure data of the enterprise in the DOASM database. Input data for the process:

- A19. Information on the adapter and the organizational structure data source is the technical information needed to maintain the connection to the organizational structure data source and obtain information from it. It consists of the adapter for the communication channels and the connection parameters of the organizational structure data source. Resources for the process:

- A10. The database is the DOASM subsystem for storing and processing data. It is a relational database for operational information that ensures the preservation and integrity of the system's reference data. This process requires no basis. Results of the process:

- A20. Synchronized state of the model and the organizational structure data source is the state of the system model that takes into account the information about the organizational structure of the company (the structure of departments, employees and the positions they hold).

Fig. 12 shows the block diagram of the synchronization of IT-level objects with enterprise-level objects 1200. Synchronization of IT-level objects with company-level objects 300 in DOASM includes the following processes.

R Matching managers with user IDs 1210 is the process of establishing the correspondence between managers and user IDs. The process is performed by an employee of the IT Department using a specialized wizard (synchronization wizard) that is part of the DOASM configuration system. Input data for the process:

- A21. Information about managers is the list of managers and the information about them.

- A22. Information about user IDs is the list of identifiers obtained from the IT objects. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department.

- A10. The database is the DOASM subsystem for storing and processing data. It is a relational database for operational information that ensures the preservation and integrity of the system's reference data. Basis for the process:

- A23. Correspondence of user IDs to employees is information on the relationship between managers and user IDs. Results of the process:

- A24. Relationship between managers and user IDs is the set of correspondences between user IDs and managers.

R Creation of "core" roles based on existing groups of user IDs 1220 is the process of creating and maintaining the core roles in the database. Core roles are company-level objects that stand in a defined relationship to groups of user IDs (one role is assigned to each group of user IDs) and bear the same names as those groups. Input data for the process:

- A28. Information about groups of user IDs is the list of groups of user IDs created in the IT objects. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department.

- A10. The database is the DOASM subsystem for storing and processing data. It is a relational database for operational information that ensures the preservation and integrity of the system's reference data. This process requires no basis. Results of the process:

- A25. "Core" roles is the list of core roles created on the basis of the information about the company's groups of user IDs.

R Assignment of roles to managers 1230 is the process of analyzing the roles created in the system and distributing them among managers. Roles are assigned to managers on the basis of the information about the distribution of user IDs among groups and about the positions that employees hold. Input data for the process:

- A24. Relationship between managers and user IDs is the set of correspondences between user IDs and managers.

- A25. "Core" roles is the list of core roles created on the basis of the information about the company's groups of user IDs. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department.

- A10. The database is the DOASM subsystem for storing and processing data. It is a relational database for operational information that ensures the preservation and integrity of the system's reference data. This process requires no basis. Results of the process:

- A26. Information on the distribution of roles is the set of roles distributed among the managers of the enterprise.

R Optimization of the relationship between managers and roles 1240 is the process in which employees of the IT Department adjust and optimize the correspondence between managers and roles that resulted from the distribution. Input data for the process:

- A26. Information on the distribution of roles is the set of roles distributed among the managers of the enterprise. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department.

- A10. The database is the DOASM subsystem for storing and processing data. It is a relational database for operational information that ensures the preservation and integrity of the system's reference data. This process requires no basis.

Results of the process:

- A27. Synchronized state of the platform copy and the company level is the system model that takes into account the relationships between company-level objects (managers and roles) and IT-system-level objects (user IDs and groups of user IDs).

Fig. 13 shows the block diagram of the legalization of resources. Legalization of resources includes the following processes.

R Selection of the platform for legalization 1310 is the process in which an employee of the IT Department selects the platform for which legalization of resources and access rights must be performed. Input data for the process: none. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department. This process requires no basis. Results of the process:

- A70. Information about the contents of groups is the information about the resources and access rights represented by a group.

- A71. Information about the contents of roles is the information about the resources and access rights represented by a role.

R Information analysis 1320 is the process of analyzing the contents of roles and groups in order to find resources, and access rights to them, that are represented in groups but not taken into account in the roles associated with those groups. Input data for the process:

- A70. Information about the contents of groups is the information about the resources and access rights represented by a group.

- A71. Information about the contents of roles is the information about the resources and access rights represented by a role. Resources for the process:

- A2. Employee of the IT Department is a member of the company's IT Department who installs and configures the DOASM software (server, database management subsystem and agent modules) and operates DOASM (updating and validating requests, executing instructions).

- A17. DOASM configuration system is a software package for configuring and managing DOASM. It allows administration of the objects of the system's internal infrastructure and is intended for use by qualified specialists of the IT Department and the information security Department. This process requires no basis. Results of the process:

- A72. Information about changes to the contents of roles is the information about those resources, and access rights to them, that are not taken into account in the contents of roles.

R Saving changes 1330 is the process of storing the identified changes in the system database. Input data for the process:

- A72. Information about changes to the contents of roles, see the results of process "R Information analysis 1320". Resources for the process:

- A32. DOASM server, see the resources of process "R Receipt and start of processing 1520". This process requires no basis and has no results.

Fig. 14 shows the block diagram of the changes of state of the model and the IT system 1400.

Modeling of enterprise processes on the basis of the workflow rests on the paradigm of two components: the request 110 and the instructions 120. In the modeling of enterprise processes, changes to the DOASM model 1410 are driven by the electronic document, the request 110. The request 110 defines the list of operations that change the model. Changes in the model are converted by the system into instructions 1440, which are the atomic actions of the process of changing IT objects. The list of request operations is processed by the DOASM server and represents typical business procedures: hiring and dismissal, appointment to and removal from a position, granting of rights and duties, and so on. The instructions 1440, generated by the DOASM server 1430, define the steps required to change the IT objects in order to fulfil the request, expressed in terms that correspond to the software or hardware components for which they are intended. The model 1410, 1450 and the IT system 1420, 1460 are in a state of mutual synchronization, that is, the state of the model matches the state of the IT system. A change of state in the model caused by a request leads to the creation of instructions, after which the model and the IT system move to a new synchronized state.

Implementation of the workflow is the automation of the business process aimed at authorizing the document and distributing the instructions obtained from the authorized document among the executors. Fig. 15 shows the block diagram of the implementation of the workflow 1500. Implementation of the workflow includes the following processes.

R Creation of the request 1510 is the process of creating a request 110 to change the access rights 420 of a subordinate employee. The process is performed using special wizards for creating a request, which are part of the DOASM web portal. Input data for the process:

- A29. Information about the change of access rights 420 is the information needed to change the access rights of an employee in the IT systems 1420 in connection with a change of manager 230, project or other duties. Resources for the process:

- A30. The user is an employee of the company who has access to DOASM and the rights required to create requests.

- A44. The DOASM web portal is a software package designed to perform the actions on a request throughout the request's life cycle and to receive information messages. It is intended for use by employees of the company. This process requires no basis. Results of the process:

- A31. Request to change access rights is an internal document that includes information about the employees and the changes to their access rights that they need, as well as other service information (creation date, author information) required for the operation of the system.

R Receipt and start of processing 1520 is the process of validating and processing the request in order to identify the information needed for the further processing of the request (authorization, updating and execution) and to generate the technical instructions. This process is performed by the DOASM server 1430. Input data for the process:

- A31. Request to change access rights is an internal document that includes information about the employees and the changes to their access rights that they need, as well as other service information (creation date, author information) required for the operation of the system. Resources for the process:

- A32. The DOASM server is a software package that implements the core logic of DOASM, ensures the interaction and validates the operation of the other system components, and protects the information in the database. Basis for the process:

- A33. The state of the DOASM model 1410 is the system information about requests, instructions, user groups, users, roles and access rights, and other service information that influences the creation and processing of a request to change access rights. Results of the process:

- A34. The list of authorizing managers is the list of managers who must authorize the request to grant access rights before it can be processed further. The list is created by the DOASM server on the basis of the information about the resources to which access is requested.

- A35. Information about the change of access rights is the information about the changes in the IT systems needed to provide the employee with the access rights. It is produced from the processed request and stored in the internal format.

- A36. Information about the person who updates the request is the manager whose responsibilities include updating the request (appointing the executors who carry out the request). This person is determined by the server from the information contained in the request.

- A37. The list of executors of the request is the list of managers assigned to execute the instructions contained in the request. The information about executors is created by the server on the basis of the required changes in IT systems and of the information about the employees responsible for entering data into the IT system.

R Authorization of the request 1530 is the process of deciding whether to grant the employee access rights to the resources of IT systems. This process is carried out by the managers involved in authorization, using the DOASM web portal. Input data for the process:

- A34. The list of authorizing managers is the list of managers who must authorize the request to grant access rights before it can be processed further. The list is created by the DOASM server on the basis of the information about the resources to which access is requested.

- A35. Information about the change of access rights is the information about the changes in the IT systems needed to provide the employee with the access rights. It is produced from the processed request and stored in the internal system format. Resources for the process:

- A44. The DOASM web portal is a software package designed to perform the actions on a request throughout the request's life cycle and to receive information messages. It is intended for use by employees of the company.

- A39. Managers are employees of the company with sufficient authority to perform the actions of request processing in DOASM. This process requires no basis. Results of the process:

- A38. Instructions to be executed is the list of technical instructions (in the internal format) required to change the access rights of an employee in the IT systems. The list of instructions is created by the DOASM server on the basis of the information contained in the request and of the state of the DOASM model.

R Updating of the request 1540 is the process of appointing executors for all instructions in the request and making changes to the text of the instructions. This process is carried out by the managers involved in updating the request, using the DOASM web portal. Input data for the process:

- A36. Information about the person who updates the request is the manager whose responsibilities include updating the request (appointing the executors who carry out the request). This person is determined by the server from the information contained in the request.

- A37. The list of executors of the request is the list of managers assigned to execute the instructions contained in the request. The information about executors is created by the server on the basis of the required changes in IT systems and of the information about the employees responsible for entering data into the IT system.

- A38. Instructions to be executed is the list of technical instructions (in the internal format) required to change the access rights of an employee in the IT systems. The list of instructions is created by the DOASM server on the basis of the information contained in the request and of the state of the DOASM model. Resources for the process:

- A44. The DOASM web portal is a software package designed to perform the actions on a request throughout the request's life cycle and to receive information messages. It is intended for use by employees of the company.

- A39. Managers are employees of the company with sufficient authority to perform the actions of request processing in DOASM. This process requires no basis. Results of the process:

- A40. Updated list of executors is the list of executors of the technical instructions, amended on the basis of the current staffing situation (workload of employees, presence of employees at the workplace, and so on). These executors must make the changes in the IT objects according to the instructions.

R Execution of instructions 1550 is the process of making changes to the state of IT systems, performed by the appointed executors on the basis of the technical instructions created by DOASM. Input data for the process:

- A38. Instructions to be executed is the list of technical instructions (in the internal format) required to change the access rights of an employee in the IT systems. The list of instructions is created by the DOASM server on the basis of the information contained in the request and of the state of the DOASM model.

- A40. Updated list of executors is the list of executors of the technical instructions, amended on the basis of the current staffing situation (workload of employees, presence of employees at the workplace, and so on). These executors must make the changes in the IT objects according to the instructions. Resources for the process:

- A39. Managers are employees of the company with sufficient authority to perform the actions of request processing in DOASM.

- A43. IT systems are the IT objects, that is, all IT objects whose access rights to resources are controlled by DOASM. This process requires no basis. Results of the process:

- A41. Change of access rights in IT systems is the changes made in the IT objects to alter access rights in accordance with the received instructions.

R Control of execution 1560 is the process of controlling the correctness of the changes in access rights and checking that the changes correspond to the instructions that were issued. Input data for the process:

- A38. Instructions to be executed is the list of technical instructions (in the internal format) required to change the access rights of an employee in the IT systems. The list of instructions is created by the DOASM server on the basis of the information contained in the request and of the state of the DOASM model.

Resources for the process:

- A43. IT systems are the IT objects, that is, all IT objects whose access rights to resources are controlled by DOASM.

- A32. The DOASM server is a software package that implements the core logic of DOASM, ensures the interaction and validates the operation of the other system components, and protects the information in the database. This process requires no basis. Results of the process:

- A. Information about discrepancies is the information registered in DOASM about events related to changes in access rights, and about the IT system objects associated with them, where the change occurred without a technical instruction for it having been issued.
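As an added example, not part of the patent, the following code performs the comparison that process 1560 describes: the instructions that were issued for a request are matched, as a multiset, against the changes the agent modules report from the IT systems. Changes with no instruction behind them become the "information about discrepancies"; instructions with no observed change are reported as not executed. The event line format, the sample instructions and events, and the set of privileged groups are constructed for this example.

```python
"""Added example: execution control (process 1560) producing the
"information about discrepancies". Not from the patent; the event line
format, the sample data and PRIVILEGED_GROUPS are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One atomic change of an IT object, either issued as an
    instruction (A38) or observed by an agent module in an IT system (A43)."""
    system: str
    op: str
    args: tuple


def parse_event(line):
    """Parse '<timestamp> <system> <op> <arg> ...' into (timestamp, Change).
    Constructed agent-report format, not the patent's."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed event: {line!r}")
    ts, system, op, *args = fields
    return ts, Change(system, op, tuple(args))


def reconcile(instructions, events):
    """Compare issued instructions with observed changes.

    Returns (unexplained, unexecuted):
      unexplained: observed changes with no instruction behind them,
                   the discrepancies that 1560 must register;
      unexecuted:  instructions for which no change was observed.
    Matching is on multisets: a change issued twice must be observed twice."""
    expected = Counter(instructions)
    observed = Counter(change for _, change in events)
    unexplained = list((observed - expected).elements())
    unexecuted = list((expected - observed).elements())
    return unexplained, unexecuted


# (system, group) pairs whose unexplained changes deserve immediate
# attention. Assumed for the example.
PRIVILEGED_GROUPS = {("AD", "domain-admins"), ("ERP", "FI_POST")}


def discrepancy_report(instructions, event_lines):
    """Build the record 1560 stores: every unexplained change with the
    timestamps it was seen at and a severity, plus unexecuted instructions."""
    events = [parse_event(line) for line in event_lines]
    unexplained, unexecuted = reconcile(instructions, events)
    seen_at = {}
    for ts, change in events:
        seen_at.setdefault(change, []).append(ts)
    report = []
    for change in unexplained:
        group = change.args[-1] if change.op.endswith("_group") else None
        privileged = (change.system, group) in PRIVILEGED_GROUPS
        report.append({"change": change,
                       "seen_at": seen_at[change],
                       "severity": "high" if privileged else "medium"})
    return {"unexplained": report, "unexecuted": unexecuted}


# Constructed sample: instructions issued for one request ...
ISSUED = [
    Change("AD", "add_to_group", ("ivanov", "acct-users")),
    Change("ERP", "add_to_group", ("ivanov", "FI_READ")),
    Change("ERP", "add_to_group", ("ivanov", "FI_POST")),
]
# ... and what the agent modules reported back from the IT systems.
EVENTS = [
    "2024-03-01T10:00:12Z AD add_to_group ivanov acct-users",
    "2024-03-01T10:02:40Z ERP add_to_group ivanov FI_READ",
    "2024-03-01T11:30:05Z AD add_to_group petrov domain-admins",  # no instruction
    "2024-03-01T11:31:00Z ERP add_to_group sidorov FI_READ",      # no instruction
]

if __name__ == "__main__":
    result = discrepancy_report(ISSUED, EVENTS)
    for item in result["unexplained"]:
        print(item["severity"], item["change"], item["seen_at"])
    print("not executed:", result["unexecuted"])
```

In the sample, the membership change for petrov in domain-admins and for sidorov in FI_READ are reported as discrepancies (the first as high severity), and the FI_POST instruction for ivanov is reported as not executed. Because matching is by multiset, a change that was issued once but observed twice is also flagged.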

Fig. 16 shows the block diagram of the creation of a request 1600. Creation of a request 110 in DOASM includes the following processes.

R Connection to the server 1610 is the process of creating a communication channel between the web portal and the DOASM server, used for exchanging information and interacting through interface methods. Input data for the process:

- A29. Information about the change of access rights 420 is the information needed to change the access rights of an employee in the IT systems 1420 in connection with a change of manager 230, project or other duties. Resources for the process:

- A44. The DOASM web portal is a software package designed to perform the actions on a request throughout the request's life cycle and to receive information messages. It is intended for use by employees of the company. This process requires no basis. Results of the process:

- A35. Information about the change of access rights is the information about the changes in the IT systems needed to provide the employee with the access rights. It is produced from the processed request and stored in the internal format.

- A45. Technical information is the information needed for correct processing of the request (creation time, author of the request, and so on).

R Creation of the request context 1620 is the creation on the server of the technical objects required for further processing of the request. Input data for the process:

- A35. Information about the change of access rights, see the results of process "R Connection to the server 1610".

- A45. Technical information, see the results of process "R Connection to the server 1610". Resources for the process:

- A32. The DOASM server is a software package that implements the core logic of DOASM, ensures the interaction and validates the operation of the other system components, and protects the information in the database. This process requires no basis. Results of the process:

- A35. Information about the change of access rights is the information about the changes in the IT systems needed to provide the employee with the access rights. It is produced from the processed request and stored in the internal format.

- A46. The request context is the set of technical objects required for further processing of the request.

R Conversion of the access-rights change data into model changes 1630 is the conversion of company-level objects (manager, position, role) and the relationships between them into technical objects (user IDs, groups of user IDs, access rights) and the relationships between them. Input data for the process:

- A35. Information about the change of access rights is the information about the changes in the IT systems needed to provide the employee with the access rights. It is produced from the processed request and stored in the internal format.

- A46. The request context is the set of technical objects required for further processing of the request. Resources for the process:

- A32. The DOASM server is a software package that implements the core logic of DOASM, ensures the interaction and validates the operation of the other system components, and protects the information in the database. Basis for the process:

- A. Conversion algorithm is the code of the technical regulations needed to convert company-level objects (manager, position, role) and the relationships between them into technical objects (user IDs, groups of user IDs, access rights) and the relationships between them. Results of the process:

- A48. Request passed for execution is a group of interconnected internal system objects containing the information required for processing the request and generating the instructions for making changes in IT systems.

Fig. 17 shows the diagram of request processing by the server 1700. Processing of the request by the server includes the following processes.

R Verification of the digital signature and request parameters 1710 is the process in which the server validates the digital signature of the employee who created the request and checks that the request matches the current state of the DOASM model. Input data for the process:

- A48. Request passed for execution, see the results of process "R Conversion of the access-rights change data into model changes 1630". Resources for the process:

- A32. DOASM server, see the resources of process "R Receipt and start of processing 1520". This process requires no basis. Results of the process:

- A. Valid request is a request that has passed the server's checks.

R Determination of the managers involved in authorization 1720 is the process of obtaining information and determining the list of managers who must authorize the granting of access rights. Input data for the process:

- A. Valid request, see the results of process "R Verification of the digital signature and request parameters 1710". Resources for the process:

- A32. DOASM server, see the resources of process "R Receipt and start of processing 1520". Basis for the process:

- A60. Algorithm for determining the responsible managers is a set of rules based on the mechanism of allocating responsibility for controlling access rights to the resources that are to be changed. Results of the process:

- A51. The list of authorizing managers is the list of managers who must authorize the change of access rights to the resources of the IT system.

R Sending notifications and authorization of the request 1730 is the process of sending notifications and obtaining authorization from all managers involved in authorization. Input data for the process:

- A51. The list of authorizing managers, see the results of process "R Determination of the managers involved in authorization 1720". Resources for the process:

- A32. DOASM server, see the resources of process "R Receipt and start of processing 1520". This process requires no basis. Results of the process:

- A52. Notification of the need for authorization is the e-mail messages sent to the managers, containing information about the request that requires authorization.

- A53. Authorized request is a request approved by all managers whose approval was required for its further processing.

R information Preservation and creation instructions 1740 is the creation of the technical instructions for making changes in IT systems and store information about them in the database. The input data for the process:

- A53. Authorized request - see the results for process R Sending notifications and authorization request". Resources for the process:

- A32. Server DOASM - see Resources for a process: "R Receive and start processing". Framework for the implementation process:

- A54. The conversion algorithm of the query text in the manual rule generation technical instructions for making changes in IT systems. The algorithm contains the transformation rules of operations of the company level in the technical instructions for making changes in IT systems. The results of the process:

- A55. Instructions for performing technical instructions containing indivisible operations for setting up an IT system (for example, creating a group, the name of the user, enabling the user name in the group, and so on).

R Determination of leaders to address audacia actualization and fulfillment 1750 - this process of obtaining information and create a list of leaders who will carry out the updating of query instructions and their execution. The input data for the process:

- A55. Instruction to be executed - see the results of the process: "R information Preservation and creation instructions. Resources for the process:

- A32. Server DOASM - see Resources for a process: "R Receive and start processing". This process does not require foundations for its implementation. The results of the process:

- A56. The list of managers involved in updating and implementation - list of managers, whose duties include updating of query instructions (if necessary, the appointment of executors, text editing instructions), as well as the execution of these instructions (the necessary changes in IT systems).

R Sending notifications and updating the query statement 1760 is the process of sending notifications to update request and its current status. In addition, this process of actualization, appointment or authorization of performers instructions and amendments to the text of the instructions (if necessary). The input data for the process:

- A55. Instructions to be performed - see the results of the process: "R Determination managers involved in updating and running.

- A56. The list Roux is voditelj, involved in updating and running - see the results of the process: "R Determination managers involved in updating and running". Resources for the process:

- A32. Server DOASM - see Resources for a process: "R Receive and start processing". This process does not require foundations for its implementation. The results of the process:

- A57. Reminder actualization send notifications containing information about the necessity of updating the instructions of the query.

- A58 motorway. List updated instructions with the performers - a list of instructions for making changes in IT systems and performers assigned to each statement.

R notification and statement of 1770 is the process of sending notifications to execute instructions and control of changes in the IT system in compliance with the instructions. The input data for the process:

- A58 motorway. Updated list of instructions with performers - see the results of the process: "R Sending notifications and updating instructions"query. Resources for the process:

- A32. Server DOASM - see Resources for a process: "R Receive and start processing". This process does not require foundations for its implementation. The results of the process:

- A59. Notice of the necessity of the execution of instructions to send email notifications required in the execution of instructions and make changes to IT systems.

- A60. The processed query is a query, all the statements which were made, after which IT objects, appropriate changes were made.

Be aware that the information contained in the above description and the accompanying drawings should be considered illustrative and not as limiting. The following patent claims describe all General and special functions mentioned in this document, as well as statements about the spectrum of application of this method and system, which, due to language features can be understood in two ways.

1. A method of document management in a security system that includes a server, a database, a system configuration subsystem, a web portal and an agent module managing access to restricted information in the system, and an IT system associated with changes in managers, projects, responsibilities and IT-system objects, each of which has access to one of the types of resources, the method comprising the following steps:

creating a request to change the access rights of a subordinate employee by a superior employee, by the superior employee entering data about the change of access rights into the IT system, provided that the superior employee has access to the system and his responsibilities include the creation of requests, while the web portal of the system performs actions on the request within the request's life cycle;

processing the request to change the access rights of the subordinate employee, sent by the superior employee, to determine the information necessary to perform the further steps of request processing and to produce instructions;

authorizing the request after the decision-making process regarding the granting of access rights to IT-system resources to the subordinate employee;

updating the request by appointing an executor for all instructions in the request and making changes to the text of the instructions;

executing the instructions by changing the state of the IT system by the appointed executor;

controlling the execution of the instructions by monitoring the correctness of the access-rights changes and verifying that these changes comply with the general instructions.

2. The method according to claim 1, characterized in that the request to change access rights is an internal document that includes information about the employees and the change of access rights, as well as the service information required for IT.

3. The method according to claim 1, characterized in that the request to change access rights is created using a specialized wizard that is part of the security web portal.

4. The method according to claim 1, characterized in that the processing of the request to change access rights is performed by the server using the digital signature of the manager whose authorization of the request is necessary for granting the access rights.

5. The method according to claim 1, characterized in that the further processing of the request to change access rights includes the following steps:

entering the results of the request to change access rights into an internal system document;

using a server program that implements the basic logic of the security system, interacts with and increases the performance of the working components of the system, and stores security information in the database, which contains the inventory of the managed IT-system resources and the identifier of the manager responsible for these resources;

entering into the system information about requests, instructions, user groups, users and user rights;

creating a list of managers who must authorize the request for granting access rights; this list is created automatically on the basis of the resources to which access is requested and the responsibility for these resources;

obtaining information about the changes in the IT system necessary to grant access to the subordinate employee;

obtaining information about the manager whose responsibilities include the request updating process (the person involved in updating), determined by the server based on the information contained in the request;

obtaining the list of managers assigned to the request instructions, together with information about the executors, created by the server on the basis of the changes in the IT system.

6. The method according to claim 5, wherein authorizing the request to grant access to IT-system resources to a subordinate employee through the decision-making process further comprises the following steps:

entering the list of managers who must authorize the request for granting access rights; this list is created automatically on the basis of the resources to which access is requested and the responsibility for these resources;

entering information about the changes in the IT system necessary to grant access to the subordinate employee;

using a server program that implements the basic logic of the security system, interacts with and increases the performance of the working components of the system, and stores security information in the database;

downloading the list of employees with sufficient rights to perform the actions of the request;

creating, by the server of the system, the list of technical instructions necessary to change the access rights of the subordinate employee in the IT system.

7. The method according to claim 6, wherein updating the request by appointing an executor for all instructions in the request further comprises the following steps:

entering information about the manager whose responsibilities include updating the request (the person involved in updating), determined by the server based on the information contained in the request;

entering the list of managers assigned to the request instructions, together with information about the executors, created by the server on the basis of the changes in the IT system;

entering the list of technical instructions whose execution is necessary to change the access rights of the subordinate employee in the IT system;

using the system software designed to perform actions on the request within the request life cycle;

downloading the list of employees with sufficient rights to perform the actions of the request;

obtaining the list of executors of the technical instructions, amended on the basis of the current staffing situation (employee workload, presence of employees at the workplace and so on), and the changes to the IT system for these executors.

8. The method according to claim 7, wherein executing the instructions further includes the following steps:

entering the list of technical instructions whose execution is necessary to change the access rights of the subordinate employee in the IT system;

entering the list of executors of the technical instructions, amended on the basis of the current staffing situation, and the changes in the IT system for these executors;

downloading the list of employees with sufficient rights to perform the actions of the request;

identifying the access rights of the IT object to the resources controlled by the IT system;

making changes in the IT object to change access rights in the IT system in accordance with the received instructions.

9. The method according to claim 8, characterized in that controlling the execution of the instructions further includes the following steps:

entering the list of technical instructions whose execution is necessary to change the access rights of the subordinate employee in the IT system;

identifying the access rights of the IT object to the resources controlled by the IT system;

using a server program that implements the basic logic of the security system, interacts with and increases the performance of the working components of the system, and stores information in the database;

obtaining information about the events registered in the IT system that are associated with a change in access rights, and about the IT-system objects associated with them, the implementation of which occurred without the production of technical instructions for the changes.
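An added example, not part of the patent, modelling in Python the request life cycle set out in processes 1720-1770 above and restated in claims 1-9; the resources, managers, groups and executors are constructed sample data. It shows the authorizer list derived from resource responsibility (A60/A51), the conversion of a company-level request into indivisible technical instructions (A54/A55), executor assignment (A58), execution against an IT state, and the claim 9 control step that flags access-rights events made without any issued instruction.

```python
"""Model of the DOASM request life cycle (processes 1720-1770, claims 1-9).
All names, resources and responsibility data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed responsibility model, the input to algorithm A60: which manager
# must authorize changes to each resource, and which group implements access.
RESPONSIBILITY: Dict[str, str] = {"finance_share": "cfo", "crm_db": "sales_head", "vpn": "it_head"}
RESOURCE_GROUP: Dict[str, str] = {"finance_share": "grp_finance_rw", "crm_db": "grp_crm_users",
                                  "vpn": "grp_vpn"}
# Constructed staff with sufficient rights to carry out instructions on each resource.
EXECUTORS: Dict[str, str] = {"finance_share": "admin1", "crm_db": "admin2", "vpn": "admin1"}


@dataclass(frozen=True)
class Instruction:
    """A55: one indivisible IT-system operation (ensure_user, ensure_group, add_member)."""
    op: str
    subject: str
    target: str
    resource: str


@dataclass
class Request:
    """A48: the request object with its approvals, instructions and executors."""
    requester: str
    subordinate: str
    grants: List[str]
    approvals: Set[str] = field(default_factory=set)
    instructions: List[Instruction] = field(default_factory=list)
    executors: Dict[Instruction, str] = field(default_factory=dict)
    state: str = "new"


def required_authorizers(req: Request) -> List[str]:
    """Process 1720: managers responsible for every requested resource (A51)."""
    return sorted({RESPONSIBILITY[res] for res in req.grants})


def authorize(req: Request, manager: str) -> bool:
    """Process 1730: record one manager's approval; True once all have approved (A53)."""
    if manager not in required_authorizers(req):
        raise PermissionError(f"{manager} is not responsible for any requested resource")
    req.approvals.add(manager)
    if set(required_authorizers(req)) <= req.approvals:
        req.state = "authorized"
    return req.state == "authorized"


def generate_instructions(req: Request) -> List[Instruction]:
    """Process 1740 / algorithm A54: company-level grants -> indivisible steps."""
    if req.state != "authorized":
        raise RuntimeError("instructions can only be generated for an authorized request")
    steps: List[Instruction] = []
    seen = set()
    for res in req.grants:
        grp = RESOURCE_GROUP[res]
        for ins in (Instruction("ensure_user", req.subordinate, "", res),
                    Instruction("ensure_group", grp, "", res),
                    Instruction("add_member", req.subordinate, grp, res)):
            if (ins.op, ins.subject, ins.target) not in seen:  # ensure_user only once
                seen.add((ins.op, ins.subject, ins.target))
                steps.append(ins)
    req.instructions = steps
    return steps


def assign_executors(req: Request) -> Dict[Instruction, str]:
    """Process 1760: appoint an executor for every instruction (A58)."""
    req.executors = {ins: EXECUTORS[ins.resource] for ins in req.instructions}
    req.state = "updated"
    return req.executors


def execute(req: Request, it_state: dict) -> List[dict]:
    """Process 1770: apply the instructions to the IT state, returning the change events."""
    if req.state != "updated":
        raise RuntimeError("executors must be assigned before execution")
    events = []
    for ins in req.instructions:
        if ins.op == "ensure_user":
            it_state["users"].add(ins.subject)
        elif ins.op == "ensure_group":
            it_state["groups"].setdefault(ins.subject, set())
        elif ins.op == "add_member":
            it_state["groups"].setdefault(ins.target, set()).add(ins.subject)
        events.append({"op": ins.op, "subject": ins.subject, "target": ins.target,
                       "actor": req.executors[ins]})
    req.state = "executed"
    return events


def control(events: List[dict], req: Request) -> List[dict]:
    """Claim 9: return access-rights events not backed by any issued instruction."""
    issued = {(ins.op, ins.subject, ins.target) for ins in req.instructions}
    return [e for e in events if (e["op"], e["subject"], e["target"]) not in issued]
```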
