Delegated management of distributed resources

FIELD: information technology.

SUBSTANCE: the present invention relates to management of the distributed (hosted) resources of a network service provider. A system and method for delegating access to resources hosted in a distributed computing environment are described. In one aspect, a server hosts a set of resources. The server receives a request from a user to perform an operation with respect to one of the hosted resources. In response to the received request, the server determines whether the user has already been delegated authority to perform the operation. The delegated authority does not depend on whether the user is a member of an administrators group associated with any resource of the server.

EFFECT: improved security of computers and Web sites.

38 claims, 3 drawings, 17 tables

 

Related applications

This patent application is related to U.S. patent application number 10/281,083, entitled “Role-Based Authorization Management Framework”, filed October 26, 2002, which is assigned to the assignee of the present invention and is incorporated into this description by reference.

The technical field to which the invention relates

The invention relates to the administration of the hosted resources of a network service provider.

Prior art

Administering Web sites can be time-consuming and expensive, especially for entities that manage large Internet Service Provider (ISP) installations. To save time and money, many ISPs support only the Web sites of large companies, to the detriment of personal Web sites. One reason is that computer security is becoming increasingly important not only for corporations and other organizations but also for individuals. To meet such security needs, a computer and Web site security strategy has to be selected and implemented for each administrative scenario. Selecting and implementing these strategies is very time-consuming, labor-intensive and costly, which makes personal Web sites expensive to support.

The invention

Systems and methods for delegating access to resources hosted in a distributed computing environment are described. In one aspect, a server hosts a set of resources. The server receives a request from a user to perform an operation with respect to one of the hosted resources. In response to the received request, the server determines whether the user has already been delegated authority to perform the operation. The delegated authority does not depend on whether the user is a member of an administrators group associated with any resource of the server.

List of drawings

In the figures, the left-most digit of a component reference number identifies the figure in which the component first appears.

Fig. 1 shows an illustrative computing environment in which systems and methods for delegating administration of hosted resources can be implemented.

Fig. 2 shows further illustrative aspects of the system memory of Fig. 1, including application programs and program data for delegating administration of hosted resources.

Fig. 3 shows an illustrative procedure for delegating administration of hosted resources.

DETAILED DESCRIPTION

Brief overview

Reliable, scalable, manageable and secure systems and methods for delegating and implementing remote administration of Web sites are described. In particular, an administrator of an Internet Service Provider (ISP) server computer uses the Internet Information Services (IIS) Delegated Administration (DA) infrastructure described below to delegate specific Web site administrative tasks to authorized users. Such an authorized user may be, for example, a user whose personal Web site is hosted by the ISP.

Authorization of a user is defined in terms of role-based access right(s) to perform application-specific operations associated with the hosted Web site. The IIS DA infrastructure removes the existing computer-security trend under which personal Web sites are not supported because supporting them is inefficient in terms of time and cost, as described above. One reason is that an administrator no longer has to intervene (i.e., to ensure computer security and authorized access) each time a hosted personal Web site is modified or tested. Such modifications may include, for example, changes to the content (information and meaningful content) or functionality of the Web site, such as the navigation of the Web site, and so on.

These and other aspects of the systems and methods for delegated Web site administration are now described in more detail.

Exemplary operating environment

Referring to the drawings, in which like reference numbers refer to like elements, the invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention is described in the general context of computer-executable instructions, such as program modules, executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.

Fig. 1 illustrates an example of a suitable computing environment 120 in which the systems, devices and methods for delegating administration of hosted resources described below can be implemented. Illustrative computing environment 120 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the described systems and methods. Computing environment 120 should not be interpreted as having any dependency or requirement relating to any component, or combination of components, illustrated in computing environment 120.

The methods and systems described herein are operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations that may be suitable include, but are not limited to, small-form-factor computing devices (e.g., handheld, mobile, etc.) such as mobile phones and personal digital assistants (PDAs), multiprocessor systems, microprocessor-based or programmable consumer electronics, network personal computers (PCs), minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote storage devices.

As shown in Fig. 1, computing environment 120 includes a general-purpose computing device in the form of a computer 130. The components of computer 130 may include one or more processors or processing units 132, a system memory 134 and a bus 136 that couples various system components, including system memory 134, to processor 132. Bus 136 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port (AGP) bus, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus, also known as the mezzanine bus.

Computer 130 typically includes a variety of computer-readable media. Such media may be any available media that computer 130 can access, and include both volatile and non-volatile media, and both removable and non-removable media. System memory 134 includes computer-readable media in the form of volatile memory, such as random access memory (RAM) 138, and/or non-volatile memory, such as read-only memory (ROM) 140. A basic input/output system (BIOS) 142, containing the basic routines that help to transfer information between elements within computer 130 (e.g., during start-up), is typically stored in ROM 140. RAM 138 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processor 132.

Computer 130 may also include other removable/non-removable, volatile/non-volatile computer storage media. For example, a hard disk drive 144 may be used to read from and write to a non-removable, non-volatile magnetic medium (not shown), a magnetic disk drive 146 to read from and write to a removable, non-volatile magnetic disk 148 (e.g., a "floppy disk"), and an optical disk drive 150 to read from and write to a removable, non-volatile optical disk 152 such as a CD-ROM/R/RW, DVD-ROM/R/RW/+R/RAM or other optical media. Each of hard disk drive 144, magnetic disk drive 146 and optical disk drive 150 is connected to bus 136 by one or more interfaces 154.

The drives and their associated computer-readable media provide non-volatile storage of computer-readable instructions, data structures, program modules and other data for computer 130. Although the illustrative environment described here uses a hard disk, a removable magnetic disk 148 and a removable optical disk 152, those skilled in the art will appreciate that other types of computer-readable media that can store data accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, random access memory (RAM), read-only memory (ROM) and the like, may also be used in the illustrative operating environment.

A number of program modules may be stored on the hard disk, magnetic disk 148, optical disk 152, ROM 140 or RAM 138, including, for example, an operating system 158, one or more application programs 160, other program modules 162 and program data 164.

A user, such as an ISP Web site administrator, may enter commands and information into computer 130 through input devices such as a keyboard 166 and a pointing device 168 (such as a "mouse"). Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, digital camera, etc. These and other input devices are connected to processor 132 through a user input interface 170 that is coupled to bus 136, but may be connected by other interface and bus structures, such as a parallel port, game port or universal serial bus (USB).

A monitor 172 or other type of display device is also connected to bus 136 via an interface such as a video adapter 174. The monitor may be used, for example, to present a user interface (UI) associated with the described systems and methods for delegating Web site administration, for example, for defining application access policies and rules, as described below. In addition to monitor 172, personal computers typically include other peripheral output devices (not shown), such as speakers and printers, which may be connected through an output peripheral interface 175.

Computer 130 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer 182. Remote computer 182 may include many or all of the elements and features described herein relative to computer 130. The logical connections include a local area network (LAN) 177 and a wide area network (WAN) 179. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, computer 130 is connected to LAN 177 through a network interface or adapter 186. When used in a WAN networking environment, computer 130 typically includes a modem 178 or other means for establishing communications over WAN 179. Modem 178, which may be internal or external, may be connected to system bus 136 via user input interface 170 or another appropriate mechanism.

Fig. 1 shows a specific implementation of a WAN via the Internet. Here, computer 130 uses modem 178 to communicate with at least one remote computer 182 via the Internet 180. In a networked environment, program modules depicted relative to computer 130, or portions thereof, may be stored in a remote storage device. Thus, for example, as shown in Fig. 1, remote application programs 189 may reside in a storage device of remote computer 182. The network connections shown and described are illustrative; other means of establishing communication links between the computing devices may be used.

Illustrative application programs and data

Fig. 2 is a block diagram that shows further illustrative aspects of system memory 134 of Fig. 1, including application programs 160 and program data 164 for delegating administration of hosted resources. In this embodiment, application programs 160 include, for example, Authorization Manager module 202, Delegation module 204, Remote Client Web-site Administration (RCWA) module 206 (i.e., the "requesting application"), Executable module 208 and Authorized Process(es) 210. For purposes of discussion, these application programs, in combination with selected other features of system 100 of Fig. 1, are often referred to hereinafter as the "IIS Delegated Administration (DA) infrastructure" or simply the "infrastructure".

Authorization Manager (management tool) 202 provides security support for delegated administration of the hosted resources of the IIS metabase nodes (i.e., IIS metabase nodes 212). IIS metabase 212 identifies the nodes of applications, resources or objects hosted, deployed and/or managed by computer 130 of Fig. 1. More specifically, the metabase is a hierarchical store of configuration information and schema used to configure IIS. In existing systems, only users who are members of the Administrators group can view and modify the resources represented in the metabase. In contrast to such known systems, the IIS DA infrastructure described here also allows users who are not members of the Administrators group (for example, application administrators), such as Web site owners, to view and/or modify specifically designated portion(s) of IIS metabase 212. For purposes of this description, a "user" is an individual who is not assigned to the Administrators group, although a user may also belong to the Administrators group.

To this end, Authorization Manager module 202, through selective interaction with Delegated Administration (DA) module 204, enables an administrative entity (i.e., a member of the Administrators group) to set (for example, through a UI presented on display device 172 of Fig. 1) user access rights to IIS metabase nodes 212. Authorization Manager module 202 records such user access rights (i.e., policy/rules) in Authorization Policy Store 214. In one embodiment, such access rights are represented, for example, in Extensible Markup Language (XML), Active Directory, Structured Query Language (SQL) or any other data format.

At run time, the application queries Authorization Policy Store 214 (via the application programming interface (API) 216 provided by Authorization Manager 202) to verify that the client is authorized to perform the requested operation on the resource. Authorization Manager provides APIs for managing authorization policy and for performing access checks, and a user interface that lets administrators manage the authorization policy store.

Application definition

An application, as defined in Authorization Policy Store (APS) 214, is the top-level node of authorization policy store 214. An application specifies the operations or tasks it can perform and declares them in APS 214, for example, when the application is installed. The application specification includes application-specific roles, identified by the administrator in terms of the tasks and operations needed to carry out the work (e.g., of the organization). The definitions of roles, tasks, operations (methods) and scopes are stored in APS 214. A role is either an authorization role or a resource configuration role (e.g., an organizational grant of access rights to a set of resources). An authorization role is based on the user's job function. A resource configuration role is based on a computer's function.

A task is a set of lower-level operations. The purpose of a task is to determine which lower-level operations perform some unit of work that is meaningful to administrators. An example task is "Change Password". Tasks may also contain other tasks. For example, a task called "Manage User Accounts" may include the tasks "Change Password", "Reset Password", "Disable Account" and so on.

An operation is a lower-level permission that a resource manager uses to identify security procedures. Several operations may be needed to perform a meaningful task (operations are often neither obvious nor meaningful to administrators). Examples of operations are WriteAttributes and ReadAttributes. A scope is a set of one or more physical or logical resources (for example, folders and/or files) associated with a corresponding authorization policy. An application can use scopes to group resources, to map a resource requested by a user to a scope (for example, when the application checks the user's access), and so on.

In this embodiment, Authorization Manager 202 allows zero (0) or more groups to be defined, with corresponding roles for each specified member of a group. A group corresponds to a user role, and the application administrator defines the access rights the role needs in order to grant the group authority in the Access Control List (ACL) of an object (e.g., an application, resource, etc.). TABLE 1 shows a typical application definition in APS 214, which in this embodiment is represented in XML.

TABLE 1
ILLUSTRATIVE APPLICATION DEFINITION

Each application includes a number of attributes, such as a globally unique identifier ("GUID", e.g., d9089f17-5fa6-4ae9-bddf-8ca6cd1c06fb), a name (e.g., SiteAdminApp) and so on. The application attributes are used, for example, to identify specific applications defined in authorization policy store 214. In the example of TABLE 1, the application includes a group (see, for example, the pair of "AzApplicationGroup" tags (markup elements)) that defines one or more users assigned to one or more "roles" with respect to the application. A role is a set of permissions assigned to a user to allow the user to perform a set of tasks. Each application group includes a GUID attribute (e.g., bf9d00f0-2be3-4367-a931-680038b51d0a) and a name attribute (e.g., GroupMetabaseChangeDefaultDoc). This illustrative group has a single member, identified by the Security Identifier (SID) S-1-5-21-3131233723-616130271-937215924-1032. For purposes of this example, assume that this SID is associated with the user "User1".

In this embodiment, a role is applied to a set of associated objects, and a user group is then assigned that role.

Scope and role definitions

The application of TABLE 1 includes one application group (although any number of such groups may be defined) together with a scope. A scope is a set of one or more physical or logical resources (for example, folders and/or files) associated with a corresponding authorization policy. An application can use scopes to group resources, to map a resource requested by a user to a scope (for example, when the application checks the user's access), and so on. The illustrative syntax of a scope definition is: <AzScope Guid="ce010982-6b6f-4e93-804e-d04bf1ddff78" Name="Site Access for User1"/>. Each scope has a unique identifier (e.g., ce010982-6b6f-4e93-804e-d04bf1ddff78) and a name (e.g., Site Access for User1) that can be used with the application programming interface (API) to access the scope. For purposes of discussion, the illustrated scope is the metabase site identifier "w3svc/1".

In one embodiment, Authorization Manager module 202 serves as a security policy store that defines one or more roles at the scope level (i.e., within a scope). For example, one role may be defined to change security access to the site in question; another role may be created to specify a new node (for example, "WebDirs") under the site. An illustrative role within the scope, defined to change the site's default document list, is: <AzRole Guid="3ac117fd-7f12-4287-a7ff-982770d6ce49" Name="ChangeDefaultDoc"/>. The role has a unique identifier assigned at creation time (e.g., 3ac117fd-7f12-4287-a7ff-982770d6ce49) and a name, e.g., ChangeDefaultDoc (the name can be chosen to be meaningful). TABLE 2 shows an example of a role defined within a scope:

TABLE 2
ILLUSTRATIVE ROLE DEFINED WITHIN A SCOPE

A role is well defined if at least one (1) task is defined with respect to an application group that has access to the scope and the actions to which the role belongs. A task represents one or more lower-level operations that perform some unit of work meaningful to the administrator. For example, a task might be "Change Password". A task may be composed of one or more other tasks. For example, a task called "Manage User Accounts" may include the tasks "Change Password", "Reset Password", "Disable Account" and/or others. TABLE 3 shows an example of a role definition.

TABLE 3
ILLUSTRATIVE ROLE DEFINITION

The role shown in TABLE 3 includes an AppMemberLink attribute that refers to the application group by its unique identifier, in this example bf9d00f0-2be3-4367-a931-680038b51d0a. TABLE 4 shows the scope associated with the role.

TABLE 4
ILLUSTRATIVE SCOPE OF THE ROLE

Definition of Tasks and Business Rules

A role may define one or more tasks. A task consists of one or more lower-level operations for which the user has been delegated authority, together with a business rule. An operation is a lower-level permission that identifies the security level(s) associated with the task. A meaningful task may comprise several operations. Examples of operations include WriteAttributes and ReadAttributes. The following example, shown in TABLE 5, illustrates a task that gives a user the ability to change a property (for example, the "DefaultDoc" property) of a Web site. The task contains two operations: one to set the value of the property and one to retrieve the value of the property.

TABLE 5
ILLUSTRATIVE TASK

In the example of TABLE 5, each operation is assigned a unique identifier and a name, as with the previous definitions. One of the most important characteristics of an operation is its OperationID attribute. A task refers to one or more operations through their OperationIDs. TABLE 6 illustrates how an illustrative task is defined.

TABLE 6
ILLUSTRATIVE TASK DEFINITION

The example given in TABLE 6 shows two operations referenced by one task, to illustrate how this can be expressed in the policy file. It is possible for a task to reference a set of operations. In one embodiment, however, to ensure that the IIS Delegated Administration infrastructure works as expected with a policy file used with the tool, each task refers to only one operation. In this embodiment, when a task references operations within a role, those operations are not referenced by another task in the same role. Note, however, that the operations may be referenced by a task in a different role. For details of the illustrative syntax of the authorization policy store, see TABLE 11 below.

A task defines one or more operations (e.g., two operations are defined in TABLE 6), identified by their unique identifiers, and a business rule, or BizRule. A business rule, also known as an authorization script (a program in a scripting language), is written in a scripting language such as JScript or VBScript. In this embodiment, scripts attached to a task object are executed when the AccessCheck API is called, to determine whether the user may perform the method. In this embodiment, the AccessCheck API is implemented by means of the known Private Object Security (POS) APIs of operating system 158 (Fig. 1). The POS API examines the user's group memberships in the access token and compares them with the contents of the Access Control List (ACL) to determine whether the user has the requested access. Scripts can use information that is available only at run time, such as "time of day" or "requested dollar amount", to make an authorization decision.

In the example of TABLE 6, the JScript business rule restricts the actions the user may attempt. Suppose the user attempts to perform the operation with OperationID=1 as part of the task. The script can reject the value of the DefaultDoc parameter that the user passes to the method as an argument. In this example, the script does not allow the user to set the property to any string other than "index.htm". AzBizRuleContext is the object to which the BizRule script has access. Its BizRuleResult property is used to indicate whether the user is allowed to perform the operation.
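The following added example (not code from the patent or from IIS) puts the application, group, scope, role, task and BizRule definitions walked through above (TABLES 1 to 6) into one constructed policy store and runs a role-based access check against it. The AzOperation, AzTask, Member, OperationLink and TaskLink element names and the "op-set", "op-get" and "task-defaultdoc" identifiers are assumptions, and the JScript BizRule is stood in for by an equivalent Python predicate, since no script engine runs here.

```python
"""Role-based access check over a constructed XML authorization policy store."""
import xml.etree.ElementTree as ET

USER1_SID = "S-1-5-21-3131233723-616130271-937215924-1032"

# Constructed policy store modelled on the structure described in the text.
# Element names other than AzApplication, AzApplicationGroup, AzScope, AzRole,
# AppMemberLink and OperationID are assumptions; task/operation GUIDs are placeholders.
POLICY_XML = """<AzApplication Guid="d9089f17-5fa6-4ae9-bddf-8ca6cd1c06fb" Name="SiteAdminApp">
  <AzApplicationGroup Guid="bf9d00f0-2be3-4367-a931-680038b51d0a"
                      Name="GroupMetabaseChangeDefaultDoc">
    <Member>S-1-5-21-3131233723-616130271-937215924-1032</Member>
  </AzApplicationGroup>
  <AzOperation Guid="op-set" Name="SetDefaultDoc"><OperationID>1</OperationID></AzOperation>
  <AzOperation Guid="op-get" Name="GetDefaultDoc"><OperationID>2</OperationID></AzOperation>
  <AzTask Guid="task-defaultdoc" Name="ChangeDefaultDoc">
    <OperationLink>op-set</OperationLink>
    <OperationLink>op-get</OperationLink>
    <BizRuleLanguage>JScript</BizRuleLanguage>
    <BizRule>AzBizRuleContext.BizRuleResult =
      !(AzBizRuleContext.GetParameter("OperationID") == 1 &amp;&amp;
        AzBizRuleContext.GetParameter("DefaultDoc") != "index.htm");</BizRule>
  </AzTask>
  <AzScope Guid="ce010982-6b6f-4e93-804e-d04bf1ddff78" Name="Site Access for User1">
    <AzRole Guid="3ac117fd-7f12-4287-a7ff-982770d6ce49" Name="ChangeDefaultDoc">
      <AppMemberLink>bf9d00f0-2be3-4367-a931-680038b51d0a</AppMemberLink>
      <TaskLink>task-defaultdoc</TaskLink>
    </AzRole>
  </AzScope>
</AzApplication>"""


def biz_rule_change_default_doc(ctx):
    """Python stand-in for the JScript BizRule above: SetDefaultDoc (OperationID 1)
    may only set "index.htm"; the read operation (OperationID 2) is unconstrained."""
    return not (ctx["OperationID"] == 1 and ctx.get("DefaultDoc") != "index.htm")


# Task GUID -> predicate; a real deployment would evaluate the <BizRule> script instead.
BIZ_RULES = {"task-defaultdoc": biz_rule_change_default_doc}


class PolicyStore:
    """Minimal reader for the application node of the policy store."""

    def __init__(self, xml_text):
        app = ET.fromstring(xml_text)
        self.groups = {g.get("Guid"): {m.text for m in g.findall("Member")}
                       for g in app.findall("AzApplicationGroup")}
        self.operation_ids = {o.get("Guid"): int(o.findtext("OperationID"))
                              for o in app.findall("AzOperation")}
        self.tasks = {t.get("Guid"): t for t in app.findall("AzTask")}
        self.scopes = {s.get("Name"): s for s in app.findall("AzScope")}

    def roles_for(self, scope_name, user_sid):
        """Roles in the scope whose linked application groups contain the SID."""
        scope = self.scopes.get(scope_name)
        if scope is None:
            return []
        roles = []
        for role in scope.findall("AzRole"):
            members = set().union(*(self.groups.get(link.text, set())
                                    for link in role.findall("AppMemberLink")))
            if user_sid in members:
                roles.append(role)
        return roles


def access_check(store, user_sid, scope_name, operation_id, params):
    """True if some role the user holds in the scope links a task that covers the
    operation and whose BizRule (if any) accepts the run-time parameters."""
    for role in store.roles_for(scope_name, user_sid):
        for task_link in role.findall("TaskLink"):
            task = store.tasks[task_link.text]
            covered = {store.operation_ids[link.text]
                       for link in task.findall("OperationLink")}
            if operation_id not in covered:
                continue
            # AzBizRuleContext: the operation plus the caller-supplied parameters
            ctx = dict(params, OperationID=operation_id)
            rule = BIZ_RULES.get(task.get("Guid"))
            if rule is None or rule(ctx):
                return True
    return False


STORE = PolicyStore(POLICY_XML)
```

Membership outside the Administrators group is irrelevant to the result: only the SID's presence in a group linked from a role in the requested scope, and the BizRule's verdict on the parameters, decide.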

Delegating user access to a hosted resource

To interact with Authorization Manager 202, Delegated Administration (DA) module 204 uses one set of input values for its direct interaction with Authorization Manager 202 and a different set of values, which are the parameters of the operation that the user wishes to perform on the hosted resource (e.g., a Web site) via the requesting application (for example, Remote Client Web-site Administration application 208). For example, for the SetDefaultDoc operation of the preceding TABLE 6 example, DA 204 takes as input the scope name, the name of the operation or method, and the value of DefaultDoc referred to in the BizRule above.

DA 204 uses configuration file 218 to determine which Authorization Policy Store 214 contains the input scope and to map the name of the operation or method to an OperationID. In this embodiment, configuration file 218 is an XML file that specifies/identifies each method assigned to a particular set of users and maps that method to the corresponding operation identifier (ID) in authorization policy store 214. Configuration file 218 also includes method parameters, scope mappings, the data format of the log file, and command-line templates. When mapping the scope name, DA 204 obtains from configuration file 218 the path to the authorization policy store 214 in which the scope actually resides and the name of the application in the authorization policy store in which the scope is defined.

After DA 204 has parsed the configuration file for this information, DA 204 initializes Authorization Manager 202 with the store path, opens the desired application and obtains a client context object that is used to determine whether the user has access to the requested function/resource.

Illustrative configuration file format

The IIS Delegated Administration infrastructure uses a system registry entry of type "String" (REG_SZ) to store the full path of configuration file 218 (for example, HKLMSoftwareEntityIISDelAdminDelegAdminMappingPath (REG_SZ)). The string is stored in registry 220. TABLE 7 shows an illustrative configuration file 218.

TABLE 7
ILLUSTRATIVE DELEGATED ADMINISTRATION CONFIGURATION FILE

In this illustrative embodiment, configuration file 218 includes the following entries: an entry for each method that will be made available to the user; an entry for each scope used in the store that contains a task related to an existing method in configuration file 218, each such scope entry corresponding to a user who has that scope in the authorization policy store; and, additionally, an entry specifying the desired and/or default data format of the log file.

Method syntax

TABLE 8 shows an illustrative template for a method definition in an IISDAMethod node of configuration file 218:

TABLE 8
ILLUSTRATIVE TASK DEFINITION

In this embodiment, all attributes except Description are required. If an attribute is missing from a node definition that ExecuteMethod uses, the method generates an error. (ExecuteMethod is an API 222 provided by DA module 204 to perform the operation requested by the user, if the user is authorized to do so.)

The method syntax uses the following attributes:

PublicName - the method name as exposed to the user; the tool checks the method parameter passed to ExecuteMethod (the dynamic link library, e.g., Component Object Model (COM) object, exposed through API 222 provided by DA module 204) against this name.

ExePath - specifies the path to the executable or command-line script used to perform the method requested by the user, or the ProgID of the COM object designated to perform the operation through one of its methods.

AZStoreID - specifies the OperationID of the operation that corresponds to this method in the authorization policy store.

CmdLine - defines how the command line for the executable is formed, or the method name if ExePath specifies the ProgID of a COM object. For an executable, this attribute may specify name/value attribute keywords (attribute, method, parameter and scope) and the parameter index. For details on defining CmdLine values, see the CmdLine Field Format below.

WaitTimeout - tells DA 204 how many seconds to wait after a CreateProcess API call before returning and checking the result. After a successful CreateProcess call, the tool calls WaitForSingleObject(processHandle, timeout) to wait for the process to finish. This attribute is not used when the operation is associated with a COM method.

ProcessType - specifies the type of process used to run the method. Valid values are "COM" (the method under consideration is performed by a COM method) and "CMD" (the method is performed by a command-line executable).

Separator - helps produce more structured output from the executable. For special characters (such as "\r" and "\n") this field holds the escaped version of the character (e.g., "%0D" and "%0A"). The tool always reads the value of the Separator field and then reverses the escaping, so these special characters can be specified in a way that the tool recognizes as delimiters. For example, suppose the result is a string containing the set of Internet Protocol (IP) addresses that are denied access to the Web site, and that all the addresses are separated by "CRLF" (the sequence "\r\n"). If Separator="%0D%0A" is defined in the IISDAMethod node, the OutputArray function, instead of returning the string of IP addresses as a whole, returns an array of strings, each corresponding to one IP address in the resulting string.

Description - adds a description of a method that can be used in an application that provides a method to the user. For example, it is used in the model : application ADMIN ASP.NET to display the description of the method when the user moves the mouse over the name of the method on the page.
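As an added illustration (not code from the patent or from the tool it describes), the following Python functions show the escape handling that the Separator attribute implies: the escaped separator is decoded and the module's output string is split into an array, as OutputArray does in the IP-address example above. The function names, the treatment of a trailing delimiter, and the constructed sample output are assumptions.

```python
from typing import Optional
from urllib.parse import unquote


def decode_separator(separator: str) -> str:
    """Reverse the escape transform applied to the Separator attribute.

    "%0D%0A" becomes "\r\n", "%09" becomes "\t", and so on.  The escaped
    form is what the configuration file stores, so control characters
    survive inside an XML attribute.
    """
    return unquote(separator)


def output_array(result: str, separator: Optional[str]) -> list[str]:
    """Split an executable module's output into an array of strings.

    Without a Separator the whole output is returned as a single element.
    A trailing delimiter (usual for CRLF-terminated output) does not
    produce an empty trailing element; that choice is an assumption, the
    patent text does not say.
    """
    if not separator:
        return [result]
    parts = result.split(decode_separator(separator))
    if parts and parts[-1] == "":
        parts.pop()
    return parts


# Constructed sample: a module that lists the IP addresses denied for a
# site, one per line, each line terminated by CRLF.
SAMPLE_OUTPUT = "10.0.0.5\r\n10.0.0.6\r\n192.168.1.20\r\n"

if __name__ == "__main__":
    print(output_array(SAMPLE_OUTPUT, "%0D%0A"))
    # ['10.0.0.5', '10.0.0.6', '192.168.1.20']
```

Because the separator is decoded before the split, a configuration author can use any delimiter the module emits, including tab ("%09") or semicolon ("%3B"), without putting raw control characters into the XML.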

Parameter Syntax

Each method can define zero (0) or more parameters. The template below shows how a parameter is defined:

<Parameter Name=" " MetabaseProperty=" " Description=" "/>

If the Parameter XML tag is specified, all attributes except Description are required. If a required attribute is missing from the node definition and the node is used by ExecuteMethod, the method raises an error.

The parameter syntax uses the following attributes:

Name - passed by the tool as a parameter to the AccessCheck function. The same name is used in the BizRule of the tasks that apply to the operation ID corresponding to the method in which the parameter is defined.

MetabaseProperty - can be used if the executable module queries a specific metabase property as part of its command line, for example "adsutil.exe get w3svc/1/AnonymousUserName". In this example the parameter's attribute is MetabaseProperty="AnonymousUserName", and "w3svc/1" is the metabase node (MetabaseNode) defined in the scope node. For details on defining the scope, see Scope Syntax below.

Description - associates a description with the parameter. For example, an application that exposes the method to which the parameter belongs can use this field to display the constraints imposed on the parameter values.

Interface Syntax

The interfaces to be used when performing the BizRule of the task that refers to the operation can be specified with the Interface node. The example below shows the syntax of the Interface node:

<Interface Name=" " Flag=" " ProgID=" "/>

Interface nodes are optional and are used when COM objects are used in the business rule of the task that refers to the method. If the Interface node is specified, all attributes are required. If one attribute is missing from the node definition and the node is used by ExecuteMethod, the method raises an error.

The interface syntax uses the following attributes:

Name - identifies the name by which the object is to be used in the business rule.

Flag - sets the flag used to create the object in the BizRule script.

ProgID - specifies the version-independent ProgID of the COM object. The Name given for this node is, in effect, the name of an instance of this object; the BizRule uses the object only through the supplied Name.

Each attribute corresponds to a parameter of AccessCheck associated with interfaces.

Scope Syntax

The following template defines a scope:

<IISDAScope PublicName=" " AZName=" " MetabaseNode=" " AZStorePath=" " AZApplicationName=" " GenerateAudits=" " AuditName=" "/>

All attributes are required. If one of them is missing and the node is used by ExecuteMethod, the method raises an error.

The scope syntax uses the following attributes:

PublicName - the name presented to the user when the scope is created, and the name the user supplies to identify the level at which metabase 212 is changed (because the user, for example, may have more than one site assigned).

AZName - the name of the scope in the authorization policy store file that corresponds to this scope.

MetabaseNode - determines the actual scope, which is in fact the node in the metabase to which the user has access.

AZStorePath - the path of the authorization policy store in which this scope resides. This attribute specifies the authorization policy store in which the DA module 204 looks for this scope.

AZApplicationName - specifies the application in the store with respect to which this scope is defined.

GenerateAudits - specifies whether attempts to access the scope are audited (activity tracking by recording events).

AuditName - specifies the key string used in the audit to identify the object that was accessed (in this embodiment it confirms that this particular scope was accessed).

Log File Syntax

Configuration file 218 also specifies the format of log file 224, using the template below:

<IISDALog Path=" ">
<Field Name=" "/>
<Field Name=" "/>
</IISDALog>

The log file 224 syntax uses the following attributes:

Path - specifies the path where the log file is saved. This attribute is required; the tool raises an error if it is absent. The value of this attribute must point to a valid and accessible folder; otherwise the tool, in this embodiment, performs no further check but throws an exception. When the log file is created for the first time, the application uses the security settings inherited from the parent folder (identified by the value of the Path attribute), which presupposes that the identity of the COM+ application (see Authorized Process 210) has read/write access to this folder.

Field - identifies each field of the log file by its associated Name attribute. For more detailed information about the fields, see Fields of the Log File below.

The result of ExecuteMethod (ExecuteMethod is an API 222 provided by the DA module 204 to perform the operation requested by the user, if the user is authorized to access it) and the operation or task carried out by ExecuteMethod (shown as Executable Module 208) are recorded in the log file in comma-separated-values format. In this embodiment, if the logging section is not present in configuration file 218, the DA module 204 records nothing and throws an exception.

Fields of the Log File

The log file may have any number of fields, each identified by the Name attribute of a Field node. By default the log file includes the following six fields first:

Date and time (Date field) of the request (the ExecuteMethod call).

User name (User field; for example, if ExecuteMethod is invoked from an .aspx page, the name of the user who was granted access to the .aspx page is recorded).

Method name (Method field) supplied by the caller.

Scope name (Scope field) supplied by the caller.

The value of the ExePath attribute of the corresponding method (ExePath field; this attribute is part of the method definition in the configuration file).

The value of the CmdLine attribute of the corresponding method (CmdLine field).

Delegated Administration 204 also records, in the last two positions, the result of the ExecuteMethod function 208 (Result field) and exception information (Exception field). The exception information gives details of the exception context (i.e. at which stage of the method's execution the exception occurred) and the exception code intercepted by the tool.

CmdLine Field Format

The sixth field, CmdLine, requires special consideration. For an IISDAMethod node with ProcessType="COM", the value recorded in this field is as defined by the CmdLine attribute in configuration file 218. For an IISDAMethod node with ProcessType="CMD", the value recorded in this field is either the value defined by the CmdLine attribute in configuration file 218 or (if the string matched IISDACmdLineKeys) the full command line of the executable module, when ExecuteMethod actually formed the module's command line before producing the result. This provides more detailed information in the log file, helps establish exactly which command was executed, and simplifies troubleshooting.

If no Field node is defined, the DA module 204 records, for example, the eight (8) fields mentioned above, and the IISDALog node is used only to obtain the path of the log file. Field names are generally given in the form "Param1", "Param2" and so on, because in addition to the fields recorded by default there are further fields, each of which may be useful.

In this embodiment the "Param" fields are recorded after the first six fields described above. If the parameter value list contains more items than there are Field nodes in the IISDALog node, not all parameter values are recorded. If, however, the method has fewer parameter values than there are Field nodes in the IISDALog node, the remaining field values in the log record consist of spaces (" ").
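The following Python module is an added example (not the patent's or the tool's code) of a log record built by the rules above: the six leading fields, one column per Field node of IISDALog holding the parameter values, padding with a space when there are fewer values than Field nodes and dropping surplus values, then Result and Exception in the last two positions, all rendered as comma-separated values. It assumes that the Field nodes name only the parameter columns; the function names, the ISO timestamp format and the sample values are constructed.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional

# The six fields always recorded first, then one column per <Field> node,
# then the two trailing fields.  Assumption: the <Field> nodes of IISDALog
# name only the parameter columns ("Param1", "Param2", ...).
LEADING_FIELDS = ("Date", "User", "Method", "Scope", "ExePath", "CmdLine")
TRAILING_FIELDS = ("Result", "Exception")


def log_header(param_fields: List[str]) -> List[str]:
    """Column names in the order the record is written."""
    return list(LEADING_FIELDS) + list(param_fields) + list(TRAILING_FIELDS)


def build_log_record(user: str, method: str, scope: str, exe_path: str,
                     cmd_line: str, params: List[str], result: str,
                     exception: str, param_fields: List[str],
                     timestamp: Optional[str] = None) -> List[str]:
    """Return the column values for one ExecuteMethod call.

    Parameter columns follow the padding/truncation rules: fewer values
    than <Field> nodes -> the remaining columns hold a single space; more
    values than <Field> nodes -> the surplus values are not recorded.
    """
    when = timestamp or datetime.now(timezone.utc).isoformat()
    values = [when, user, method, scope, exe_path, cmd_line]
    for index in range(len(param_fields)):
        values.append(params[index] if index < len(params) else " ")
    values.extend([result, exception])
    return values


def format_csv_line(values: List[str]) -> str:
    """Render one record as a comma-separated line with standard CSV quoting."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(values)
    return buf.getvalue().rstrip("\n")


if __name__ == "__main__":
    # Constructed sample: an <IISDALog> with two <Field> nodes, and a call
    # that passed a single parameter value, so Param2 is padded with " ".
    fields = ["Param1", "Param2"]
    print(format_csv_line(log_header(fields)))
    record = build_log_record("user1", "SetFlags", "Scope1", r"C:\Adsutil.exe",
                              "SET #mn# #1#", ["3"], "0", "", fields)
    print(format_csv_line(record))
```

With no Field nodes the record has exactly the eight default columns, which matches the behaviour described for a missing Field definition.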

Command-Line Parameter Format

Configuration file 218 can define the format of the command-line parameters of the methods to be executed (in other words, how the CmdLine attribute value of IISDAMethod is interpreted when the ProcessType attribute equals "CMD"). The following template shows the command-line parameter format:

<IISDACmdLineKeys>
<IISDACmdLineKey Name=" " AttributeName=" " Node=" "/>
</IISDACmdLineKeys>

IISDACmdLineKey has the following attributes:

Name - used in the command string as the key.

AttributeName - specifies the name of the attribute, within the configuration file under the IISDAMethod, IISDAScope or Parameter node, to which the key refers. Through this attribute a token can yield either the name of the attribute or its value.

Node - identifies the node in which AttributeName is defined. The Node attribute can take one of the following values: "IISDAMethod", "IISDAScope", "Parameter". The command-line template enables Delegated Administration 204 to support tokens in the method's command-line definition (the CmdLine attribute of the IISDAMethod node). Such tokens include, for example, those shown in TABLE 9.

TABLE 9
ILLUSTRATIVE COMMAND-LINE TEMPLATE TOKENS

Keyword - used as is. Thus if the CmdLine attribute contains, for example, the string "get", that string is used verbatim when the command line for the module is created.

#D# - a parameter value, specified in the format #D#, where D is a number. The number between the two # characters is the index of the parameter. The tool replaces the sequence #D# with the value of the parameter with index D that was passed to the method as an argument. For example, if two parameter values were passed to the method as arguments and CmdLine contains #1#, ExecuteMethod replaces #1# with the value of the first parameter. In this embodiment, if the CmdLine attribute contains #3#, ExecuteMethod raises an error, because only two parameter values were supplied as arguments.

$KEY$ - the name of an attribute. KEY is the value defined in the Name attribute of an IISDACmdLineKey node under IISDACmdLineKeys.

#KEY# - the value of an attribute. For both #KEY# and $KEY$, KEY (specified in the Name attribute of the IISDACmdLineKey node) may name an attribute of one of the following nodes: IISDAMethod, IISDAScope and Parameter. As mentioned above, the exact location is specified in the Node attribute of the IISDACmdLineKey node. The method parses the value of KEY, checks whether an IISDACmdLineKey node with that name exists under IISDACmdLineKeys, and checks whether the attribute identified by AttributeName exists in the node identified by Node. If the node and the attribute exist, the method replaces the token with the name ($KEY$) or the value (#KEY#) of that attribute.

#KEY@D# - if the command line uses the attribute value of a particular parameter, use the token #KEY@D#. This token is interpreted as the value of the attribute identified by KEY for the parameter with index D.

In this embodiment, because # and $ are used to build the command line, these characters are reserved in the sense that, if a sequence enclosed by two of these characters exists (such as #string# or $string$), the tool attempts to find an IISDACmdLineKey node whose Name attribute equals "string". This is an implementation-dependent behaviour that may be changed as the architecture design implies.

This way of defining command-line parameters allows environment variables, such as %SYSTEMROOT%, to be used in the module's command line. When an IISDACmdLineKey node is created, all attributes are required; otherwise ExecuteMethod fails when it attempts to parse the node. For more information about defining IISDACmdLineKey nodes and how they are interpreted at run time, see CmdLine and IISDACmdLineKeys Examples.

Illustrative Methods (API 222) Provided by the Delegated Administration Module

The Delegated Administration module 204 provides the following methods through API 222:

Parameters method - sets the parameters associated with the operation. The parameter of this method is a variant of type VT_ARRAY (where each element of the array is of type VT_BSTR) or of type VT_BSTR. This method is called before ExecuteMethod is called.

ParamError method - checks whether the parameters were set correctly by the Parameters method. If the parameters were set successfully, it returns 0. This method is called to prevent calling ExecuteMethod if the parameters were not set correctly by the Parameters method.

ExecuteMethod method - performs the operation the user requests. Returns 0 on success. Before calling this method, call the Parameters method if the operation uses at least one parameter. For information about the error codes returned on failure, see Delegated Administration Return Values. ExecuteMethod has the following parameters:

- Scope - the name of the scope associated with the user requesting the operation. The application that exposes the methods to the user obtains this scope from the user. For example, in a typical ASP.NET application the user specifies the name of the site to administer; the application keeps this name as a session variable and uses it whenever ExecuteMethod is called. The parameter type is BSTR.

- Method - the name of the method the user is trying to execute. This name corresponds to the PublicName attribute value of the IISDAMethod node in the configuration file. The parameter type is BSTR.

- LogResult - a Boolean value specifying whether the method should log the result of the operation.

- ExecuteOperation - a Boolean value specifying whether ExecuteMethod runs the command line or calls the COM method associated with this method. This parameter is useful when you want to use ExecuteMethod only to let AccessCheck decide whether the user is permitted to perform this method. If execution of the method or command line is disabled (by setting this parameter to FALSE), the corresponding attributes of the IISDAMethod node can be left as empty strings. After AccessCheck returns, the result is logged.

An Illustrative Procedure for Delegated Web Site Administration

Fig. 3 shows an illustrative procedure 300 for delegated administration of a Web site. In particular, the procedure shows the illustrative processing that occurs when a user attempts to modify the properties of a Web site that is hosted by an ISP implementing the delegated administration infrastructure of IIS described with reference to Fig. 1 and 2. Accordingly, and for purposes of illustration, the operations of the procedure are described in relation to the features of Fig. 1 and 2. As noted above, in the drawings the left-most digit of a component's reference number identifies the figure in which the component first appears.

At step 302, an administrative entity (for example, a member of the Administrators group) provides one or more parameters for an operation relating to an application and/or resource hosted by computer 130 (Fig. 1). Such parameters are passed through the API 216 provided by Authorization Module 202 (Fig. 2).

At step 304, the user runs an application, such as the Remote Web Site Administration (RWSA) application 206 (Fig. 2) hosted on computer 130 (Fig. 1). The RWSA application 206 allows a user, such as the owner of a Web site, to modify, test, or otherwise administer the content and/or functionality or any other aspect of a Web site or resource hosted by computer 130 (Fig. 1). As described below, authorization for such administration is determined dynamically by the Delegated Administration (DA) module 204. For the purposes of this example, the user is not a member of the Administrators group with respect to configuration management and/or resources associated with computer 130 in Fig. 1, although the user could be a member of the Administrators group. At step 306, the user requests execution of at least one operation with respect to a hosted resource (e.g. a Web site). To this end, the application (for example, the RWSA application 206) calls one or more of the APIs 222 provided by the DA module 204 to request access to the operation. As already noted, access control for user operations on hosted resources is the first of several functional levels, as shown in TABLE 10.

TABLE 10
ILLUSTRATIVE LEVELS OF FUNCTIONALITY

Authorization Policy Store 214 - authorization policy store 214 is used to validate the user's access to the requested task/method. A task refers to a single operation, for which the parameter values can be controlled. The associated business rule makes it possible to deny access to the method based on user input. For more information about writing the script for each task, see TABLE 11, which illustrates the authorization policy store.

Module (Authorized Process) - the module is Authorized Process 210, which performs the operation after the previous levels have verified that the user may perform the operation (i.e. execute the method). A module is any command-line module or COM-based module.

Hosting Application (for example, RWSA application 206) - provides the interface for the task by calling the appropriate API 222 of the DA module 204. At this level, user input can be controlled through a set of characteristics such as length, values and formats. In this embodiment, the Remote Web Site Administration (RWSA) application 206 provides the following interfaces to expose the APIs 222 of the DA module 204.

At step 308, the DA module 204 determines whether the user is authorized to access the resource through the requested operation. This determination is completely independent of whether the user is a member of the Administrators group with respect to administration of the resources of computer 130 (Fig. 1). To this end, the DA module 204, through the Parameters method of API 222, sets the parameters for ExecuteMethod. ExecuteMethod looks for an entry in registry 220 that provides the path to configuration file 218. Configuration file 218 defines all possible methods that can be performed by all users, and the administrative entity may add an entry (i.e. an IISDAScope node) for each user.

At this point, at step 306, ExecuteMethod reads configuration file 218 and attempts to map the requested operation name, scope and parameters to entries in this file. If these entries are found, the information relating to authorization policy store 214 (i.e. obtained from the attributes of the IISDAScope node) is extracted. ExecuteMethod retrieves information from authorization policy store 214 and checks (for example, by calling AccessCheck) whether the user has access to the given scope, based on the method and the supplied parameters. To achieve this, ExecuteMethod impersonates the caller, so that it represents the client's identity when verifying access to the allocated resources on the client's behalf, or so that authentication is performed against the client's credentials (impersonation is the ability of a thread to execute in a security context different from the security context of the process that owns the thread).

At step 310, if it is determined that the user is not authorized to perform the requested operation, the user is denied access to that operation. However, at step 312, if the user is granted access to the scope and the method is referenced by a task that falls within the user's scope, ExecuteMethod performs the method (i.e. Authorized Process 210) or generates a command line 210 for the process that performs the operation requested by the user (i.e. performs it through an object (for example, a COM object) or a command line).

For example, the DA module 204 either creates the command line for the executable that will actually perform the operation/method, or attempts to instantiate the COM object associated with the operation and obtain the dispatch ID (DISPID) of the given method. The DA module 204 then either calls CreateProcess or calls the COM method associated with the operation, depending on what is specified in the first Boolean parameter. In the CreateProcess case, the DA module 204 uses the newly formed command line 210, and the method starts under the user's context (for example, that of the COM+ application). For purposes of discussion, this application is shown as Authorized Process 210.

At step 314, if the requested operation succeeds, Authorized Process 210 assembles the output array and records it in log file 224. For purposes of discussion, this output array is shown as a respective portion of "other data" 226. In this embodiment, if the type of the result returned by the method is VT_BSTR or VT_ARRAY, all elements of the array are of type VT_BSTR.

Illustrative Delegated Administration

TABLE 11 shows an illustrative format of authorization policy store 214. For more detailed information about the syntax of this file type, see Authorization Policy Store File Format.

TABLE 11
ILLUSTRATIVE AUTHORIZATION POLICY STORE

CmdLine and IISDACmdLineKeys Examples

The following examples show how the command line for the module is formed from the settings in configuration file 218 and the parameters passed as arguments to the Parameters and ExecuteMethod methods.

TABLE 12
ILLUSTRATIVE COMMAND LINE - EXAMPLE 1
"SET w3svc/1/Root/AccessFlags 3"

The example below shows the illustrative syntax of configuration file 218 that yields the illustrative command line of TABLE 12.

The following arguments are passed to ExecuteMethod: ("Scope1", "SetFlags", true, true). The following argument is passed to Parameters: "3". The method's CmdLine attribute value is "SET #mn#/#mp@1# #1#". Delegated Administration 204 ("the tool") analyzes the first sequence delimited by two # or $ characters, in this example #mn#. The tool attempts to locate a sub-node of IISDACmdLineKeys with attribute Name="mn". Delegated Administration 204 determines the AttributeName to which it refers, in this example MetabaseNode, and the Node in which this attribute must be defined, in this example IISDAScope. The tool replaces the sequence #mn# with the value of the MetabaseNode attribute defined in scope "Scope1", because "Scope1" is the scope given by the caller of ExecuteMethod. In this example this value is "w3svc/1/Root".

Delegated Administration 204 then evaluates the next sequence delimited by two # or $ characters, in this example #mp@1#, and locates the sub-node of IISDACmdLineKeys with attribute Name="mp". Delegated Administration 204 determines the AttributeName to which it refers, in this example MetabaseProperty, and the Node in which this attribute must be defined, in this example Parameter. Since "@1" is present in the token, the tool replaces the token #mp@1# with the value of the MetabaseProperty attribute defined for the parameter with index 1, which in this example is "AccessFlags".

In view of the foregoing, this command line is created as follows: "SET" is used as is, because it is not delimited by # or $ characters; #mn# is replaced by "w3svc/1"; "/" is used as is, because it is not delimited by # or $ characters; #mp@1# is replaced by "AccessFlags"; and #1# is replaced by the parameter value with index 1, which is 3.

TABLE 13
ILLUSTRATIVE COMMAND LINE - EXAMPLE 2
"SET MetabaseNode AccessFlags 3".

The example below shows the illustrative syntax of configuration file 218 that yields the illustrative command line of TABLE 13.

The following arguments are passed to ExecuteMethod: ("Scope1", "SetFlags"). The following argument is passed to Parameters: "3". Refer to the configuration file syntax to follow the discussion below of how the command line is formed. The method's CmdLine attribute value is "SET $mn$ #mp@1# #1#". Delegated Administration 204 analyzes the first sequence delimited by two # or $ characters, in this example $mn$, and tries to find a sub-node of IISDACmdLineKeys with attribute Name="mn". Delegated Administration finds the AttributeName to which it refers, MetabaseNode, and the Node in which this attribute must be defined, IISDAScope, and replaces the sequence $mn$ with the attribute name MetabaseNode, which is defined in scope "Scope1", because "Scope1" is the scope specified by the caller of ExecuteMethod. Delegated Administration then analyzes the next sequence delimited by two # or $ characters, in this example #mp@1#, and tries to find a sub-node of IISDACmdLineKeys with attribute Name="mp". Delegated Administration determines the AttributeName to which it refers, MetabaseProperty, and the Node in which this attribute must be defined, Parameter. Since "@1" is present in the token, the tool replaces the token #mp@1# with the value of the MetabaseProperty attribute defined for the parameter with index 1, which in this example is "AccessFlags".

Finally, this command line is created as follows: "SET" is used as is, because it is not delimited by # or $ characters; $mn$ is replaced by "MetabaseNode"; #mp@1# is replaced by "AccessFlags"; and #1# is replaced by the parameter value with index 1, which is 3.

TABLE 14
ILLUSTRATIVE COMMAND LINE - EXAMPLE 3
"SET 1 1 1"

The example below shows the configuration-file syntax from which the command line of TABLE 14 is obtained.

The following arguments are passed to ExecuteMethod: ("Scope1", "SetFlags"). The following argument is passed to Parameters: an array containing the strings "1", "1", "1". Refer to the configuration file syntax to follow the discussion below of how the command line is formed. The method's CmdLine attribute value is "SET #1# #2# #3#". The tool analyzes the first sequence delimited by two # or $ characters, in this example #1#. Since there is a number between the two # characters, the tool replaces this token with the value of the first parameter. The tool performs the same procedure for the next two tokens, #2# and #3#.

TABLE 15
ILLUSTRATIVE COMMAND LINE - EXAMPLE 4
"#1# #2# #4#"

The example below shows a command line that causes an error because the wrong number of parameters was given to the Parameters method. The following is the configuration-file syntax from which the command line of TABLE 15 is obtained.

The following arguments are passed to ExecuteMethod: ("Scope1", "SetFlags"). The following argument is passed to Parameters: an array containing the strings "1", "1", "1".

In this example the DA module 204 fails because the command line refers to the argument with index 4 (the #4# in the CmdLine attribute), but Parameters received only three parameters. Accordingly, the command line is not generated.
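As an added example (not the patent's or the tool's own code), the following Python module implements the token rules of TABLE 9 and reproduces Examples 1 through 4 of TABLES 12 to 15: keyword text is copied as is, #D# takes the D-th parameter value, $KEY$ takes the attribute name behind an IISDACmdLineKey, #KEY# takes that attribute's value in the IISDAMethod or IISDAScope node, #KEY@D# takes it from the D-th Parameter node, and an index beyond the supplied parameters is an error rather than a generated command line. The class and function names, the treatment of an unmatched delimiter as literal text, and the error messages are assumptions; the key table, scope and parameter attributes are constructed to match the examples above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CmdLineKey:
    """One <IISDACmdLineKey Name=... AttributeName=... Node=.../> entry."""
    attribute_name: str
    node: str  # "IISDAMethod", "IISDAScope" or "Parameter"


class CmdLineError(ValueError):
    """Raised when the command line cannot be formed; the tool logs an error instead."""


# A token is text enclosed in two identical delimiters, # or $.  An
# unmatched delimiter is left as literal text (assumption).
TOKEN_RE = re.compile(r"([#$])([^#$]*)\1")


def build_command_line(cmd_line: str, keys: Dict[str, CmdLineKey],
                       method_attrs: Dict[str, str], scope_attrs: Dict[str, str],
                       param_attrs: List[Dict[str, str]], param_values: List[str]) -> str:
    """Expand the CmdLine template of an IISDAMethod node with ProcessType="CMD"."""

    def nth(items, index, what):
        # Indices are 1-based; #3# with only two values is an error (TABLE 9).
        if index < 1 or index > len(items):
            raise CmdLineError(f"{what} index {index} out of range (have {len(items)})")
        return items[index - 1]

    def expand(match) -> str:
        delimiter, body = match.group(1), match.group(2)
        if delimiter == "#" and body.isdigit():            # #D#: parameter value
            return nth(param_values, int(body), "parameter")
        key_name, _, index_text = body.partition("@")      # KEY or KEY@D
        if key_name not in keys:
            raise CmdLineError(f"no IISDACmdLineKey with Name={key_name!r}")
        key = keys[key_name]
        if delimiter == "$":                                # $KEY$: attribute name
            return key.attribute_name
        if key.node == "IISDAMethod":                       # #KEY#: attribute value
            attrs = method_attrs
        elif key.node == "IISDAScope":
            attrs = scope_attrs
        elif key.node == "Parameter":                       # #KEY@D#: D-th Parameter node
            if not index_text.isdigit():
                raise CmdLineError(f"token {match.group(0)!r} needs a parameter index")
            attrs = nth(param_attrs, int(index_text), "parameter node")
        else:
            raise CmdLineError(f"unknown Node value {key.node!r}")
        if key.attribute_name not in attrs:
            raise CmdLineError(f"{key.node} has no attribute {key.attribute_name!r}")
        return attrs[key.attribute_name]

    return TOKEN_RE.sub(expand, cmd_line)


def try_build_command_line(*args, **kwargs) -> Tuple[bool, str]:
    """(True, command line) or (False, error text), as the Result/Exception log fields would show."""
    try:
        return True, build_command_line(*args, **kwargs)
    except CmdLineError as exc:
        return False, str(exc)


# Constructed configuration matching the worked examples: the "mn" key
# names MetabaseNode under IISDAScope, the "mp" key names MetabaseProperty
# under Parameter.
KEYS = {"mn": CmdLineKey("MetabaseNode", "IISDAScope"),
        "mp": CmdLineKey("MetabaseProperty", "Parameter")}
SCOPE1 = {"PublicName": "Scope1", "MetabaseNode": "w3svc/1/Root"}
FLAGS_PARAM = [{"Name": "Flags", "MetabaseProperty": "AccessFlags"}]

if __name__ == "__main__":
    for template, values in [("SET #mn#/#mp@1# #1#", ["3"]),          # Example 1
                             ("SET $mn$ #mp@1# #1#", ["3"]),          # Example 2
                             ("SET #1# #2# #3#", ["1", "1", "1"]),    # Example 3
                             ("#1# #2# #4#", ["1", "1", "1"])]:       # Example 4 (error)
        print(template, "->", try_build_command_line(template, KEYS, {}, SCOPE1, FLAGS_PARAM, values))
```

Because every substituted value comes from the configuration file or from the parameter list the Parameters method already accepted, the caller never writes directly into the command line; the template decides which attributes and which parameter positions are used, which is the property that makes the CmdLine log field a faithful record of what was run.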

An Illustrative Configuration File

Configuration file 218 below defines a "SetProperty" method and the associated mappings: a scope presented to the user as "www.fabrikam.com"; the format of the log file; and a template for command-line tokens.

TABLE 16
AN ILLUSTRATIVE CONFIGURATION FILE

SetProperty Method

In the example shown in TABLE 16, this method corresponds to the method with OperationID=1 in authorization policy store 214. The path of the executable or command line 210 that performs the requested action is "C:\Adsutil.exe". The command-line template for this method is "SET #mn# #1#". The timeout for executing this method is set to 10 seconds. Neither separator nor description is defined. The method has a single parameter named "Flags", which corresponds to the "AccessFlags" property in the IIS metabase. The method defines an object named "MyObject" (corresponding to an instance of the "Scripting.FileSystemObject" object) as available to the BizRule associated with the task that references the operation with ID 1 in the authorization policy store.

In the example shown in TABLE 16, the scope is defined as "www.fabrikam.com", which maps to the scope named "Scope1" in the store located at "C:\Store.xml". This scope is defined in the store under the application "SecurityApplication". Access to this scope generates an audit, using the name "Scope1" to identify the entries in the system EventLog.

Command-Line Token Format

This template specifies that the CmdLine attribute of the "SetProperty" method may use (in addition to keyword tokens and #D# tokens for parameter values) only tokens that contain the key "mn", which identifies by name (using $mn$) or by value (using #mn#) the attribute named "MetabaseNode" defined under "IISDAScope" for the scope passed as a parameter to ExecuteMethod.

Illustrative Scenario: How ExecuteMethod Works

Refer to the following simplified configuration file and Authorization Manager file to understand how ExecuteMethod works in this scenario. Configuration file 218 is as follows:

Illustrative authorization policy store 214 is as follows:

The following assumptions apply to this illustrative scenario: the system registry entry HKLM\Software\Microsoft\IISDelAdmin\DelegAdminMappingPath (REG_SZ) is defined and contains the line "C:\DelegAdmin\Config\Config.xml", the path of configuration file 218. The Delegadm.dll object runs in a COM+ application (i.e. Authorized Process 210) whose identity has read access to this registry entry.

The user, for example "user1", is identified in the store by the following security identifier of the ApplicationAccessGroup group:

This user makes a request to the application (for example, the client's Remote Web Site Administration application 206) to perform the "SetAccessProperty" method. In the request the scope is "ScopeUser1", the method is "SetAccessProperty", and the method parameter is "1". The .asp page contains the following simplified code based on this request:

This code attempts to allow user1 to set the AccessFlags property to 1 for the site corresponding to "ScopeUser1", by calling the "SetAccessProperty" method and using the Authorization Manager APIs.

Illustrative Processing ExecuteMethod

DL is complete this task within ExecuteMethod perform the following steps: confirm the correctness of the specified parameters. As noted in the syntax of the method Parameters, the parameter for the method Parameters can be either a string or an array of strings. In this example, the parameter is acceptable because it is a string. If the reject option, register the corresponding error code. The object attempts to retrieve the value of the registry entries HKLM_Software_Microsoft_IISDelAdmin_delegadminmappingpath. In this example, is defined as C:DelegAdminConfigConfig.xml. The identity of the COM+ application involve access to this value. If the application cannot read the value system registry entries, it logs an error.

Because the operation has not yet been executed, the log file will contain the value of the CmdLine attribute of the IISDAMethod node that corresponds to SetAccessProperty.

Having obtained access to the configuration file, the application searches it for the scope "ScopeUser1" that was supplied as a parameter. If the scope is not found, an error is logged. The error can occur even if there is an "IISDAScope" node whose PublicName attribute has the value "www.fabrikam.com", if that node does not have all of the attributes that are used.

Once the scope is found, the corresponding IISDAScope node is read, and the application learns that "ScopeUser1" maps to the scope named "Scope1" in the authorization policy store defined by the AZStorePath attribute, which in this example is "C:\DelegAdmin\Stores\User1.xml". The application also obtains the name of the application in the store in which scope "Scope1" is defined from the AZApplicationName attribute, which in this example is "SiteAdminApp".

After the validity of the public scope name has been confirmed, the validity of the method name is confirmed. The application searches configuration file 118 for the specified method name, which in this example is "SetAccessProperty". If the method is not found, the corresponding error code is logged. The error can occur even if there is an "IISDAMethod" node whose PublicName attribute has the value "SetAccessProperty", if that node does not have all of the attributes that are used.

Once the method name is found, the corresponding IISDAMethod node is read. The tool now maps the "SetAccessProperty" method to the operation defined in the AZStoreID attribute, which in this example is "1". As defined in the policy file syntax, only one task in the authorization policy store may address this method. If more than one task in the authorization policy store addresses this method, AccessCheck may deny access to the scope, because the business rule of one of those tasks may have denied access to the scope.

Along with the attributes, the sub-nodes of the IISDAMethod node are read to retrieve information about the method parameters and the interfaces that will be used in the business rule of the task that addresses this operation (in this example, the operation with identifier "1"). If an error occurs during validation, the corresponding error code is logged. The error may occur because attributes used inside the Parameter or Interface sub-nodes are missing from the IISDAMethod node definition. The number of parameters defined in the configuration file must match the number of parameters supplied before ExecuteMethod is called (via the Parameters method); otherwise a specific error code is logged.

The application attempts to initialize the Authorization Store object using the store path, which in this example is "C:\DelegAdmin\Stores\User1.xml", and opens the corresponding application in this store, which in this example is "SiteAdminApp". If either operation fails, the exception is caught and the result is logged.

The application collects information about the caller (which in this example is user1) and builds the parameters for AccessCheck. TABLE 17 below describes the AccessCheck parameters used in this example.

TABLE 17
AN ILLUSTRATIVE SET OF ACCESSCHECK PARAMETERS
AccessCheck parameter: Description
bstrObjectName: Because the IISDAScope node in which "ScopeUser1" is defined specifies GenerateAudits="1", this parameter is the value of the AuditName attribute, which in this example is "Scope1".
varScopeNames: The "ScopeUser1" parameter maps to the scope named "Scope1" in the Authorization Store; that name is the value of this parameter for AccessCheck.
varOperations: This parameter contains the identifier of the store operation of interest, which in this example is 1.
varParameterNames: This parameter contains an array of parameter names. In this example the method has only one Parameter sub-node, whose name is "Flags".
varParameterValues: This parameter contains an array of parameter values corresponding to the parameter names in the array above. This example uses only one parameter value, "1".
varInterfaceNames: This parameter contains a list of object names, because these names are used in the business rule defined in the task that addresses the operation with identifier 1. In this example there is only one Interface sub-node, and the array contains only the value of that node's Name attribute, which is "MyFSOObject".
varInterfaceFlags: This array contains only one element, corresponding to the object name described above. It is the value of the Flags attribute of the Interface node, which is 9600.
varInterfaces: This parameter is an array (one element in this example) of IDispatch pointers obtained by attempting to instantiate the object identified by the ProgID attribute of the Interface node. In this example the ProgID is "System. FileSystemObject". If an instance of this object cannot be created, a specific error code is issued.

If the AccessCheck parameters are built successfully, the function is called and its result is checked. In this example, user1 is granted access to scope "Scope1" on the basis of the specified parameters and the two XML files. If these functions fail, an exception is thrown. If AccessCheck denies the user access, a specific error code is logged.

If the function grants the user access to "Scope1", command line 210 for the executable module is formed (since the value of the ProcessType attribute in this example is "CMD"), and the executable module is invoked with the generated command line. In this example the command string is formed as follows: #Path# is replaced with the value of the MetabaseNode attribute defined under the IISDAScope node that corresponds to the found scope, which is IIS://Localhost/W3svc/1; #Flag@1# is replaced with the value of the MetabaseProperty attribute defined for the parameter with index 1, which in this example is AccessFlags; #1# is replaced with the value of the first parameter, which in this example is 1. The command line for the executable module is therefore "SET IIS://W3svc/1/Root/AccessFlags 1". The full command line that is executed is: C:\adsutil.exe SET IIS://w3svc/1/Root/AccessFlags 1.

In general, if an error occurs while the command line is being formed (for example, if an invalid sequence such as the key definition #KEY$ was used, or if undefined keys were used), the application logs the error.
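The ExecuteMethod steps above (parameter check, scope and method lookup with attribute validation, parameter count check, a role-based AccessCheck, and placeholder substitution into the CmdLine template) can be followed end to end in the example below. It is an added illustration written for this description, not code from the patent or from the Delegadm.dll object: the configuration XML, the in-memory policy store, the role and task names, the AZScopeName attribute, the CmdLine template and the error codes are all constructed for the example, the in-memory dictionary stands in for the Authorization Manager store and its AccessCheck call, and the string in memory stands in for the file named by the DelegAdminMappingPath registry value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for configuration file 218 (the file the registry value
# DelegAdminMappingPath points at). Attribute names follow the scenario above;
# AZScopeName, the CmdLine template and the ProgID are assumptions of this example.
CONFIG_XML = """\
<IISDAConfig>
  <IISDAScope PublicName="ScopeUser1" AZStorePath="C:\\DelegAdmin\\Stores\\User1.xml"
              AZApplicationName="SiteAdminApp" AZScopeName="Scope1" AuditName="Scope1"
              GenerateAudits="1" MetabaseNode="IIS://Localhost/W3svc/1"/>
  <IISDAMethod PublicName="SetAccessProperty" AZStoreID="1" ProcessType="CMD"
               CmdLine="SET #Path#/Root/#Flag@1# #1#">
    <Parameter Name="Flags" MetabaseProperty="AccessFlags"/>
    <Interface Name="MyFSOObject" Flags="9600" ProgID="Scripting.FileSystemObject"/>
  </IISDAMethod>
</IISDAConfig>
"""
# Constructed in-memory stand-in for the policy store User1.xml: application -> scope ->
# roles (members, tasks) and tasks (operations, business rule over the parameters).
POLICY_STORE = {"SiteAdminApp": {"Scope1": {
    "roles": {"SiteOwner": {"members": {"user1"}, "tasks": {"ManageAccess"}}},
    "tasks": {"ManageAccess": {"operations": {1},
                               # business rule: AccessFlags may only be set to 0 or 1
                               "rule": lambda params, ifaces: params.get("Flags") in {"0", "1"}}},
}}}
SCOPE_ATTRS = ("PublicName", "AZStorePath", "AZApplicationName", "AZScopeName",
               "AuditName", "GenerateAudits", "MetabaseNode")
METHOD_ATTRS = ("PublicName", "AZStoreID", "ProcessType", "CmdLine")
PLACEHOLDER = re.compile(r"#([A-Za-z0-9@]+)#")

class DelegAdminError(Exception):
    """args[0] is the error code that ExecuteMethod would log."""

def find_node(config, tag, public_name, required):
    """Locate <tag PublicName=...>; a node missing any used attribute is rejected too."""
    for node in config.iter(tag):
        if node.get("PublicName") == public_name:
            missing = [a for a in required if node.get(a) is None]
            if missing:
                raise DelegAdminError("BAD_CONFIG", f"{tag} {public_name} lacks {missing}")
            return node
    raise DelegAdminError("NOT_FOUND", f"{tag} {public_name!r} is not in the configuration")

def access_check(store, app, scope, operation, user, params, ifaces):
    """Simplified AccessCheck: user's roles -> tasks -> operation, then the business rule.
    Access is denied when more than one reachable task addresses the operation."""
    sc = store.get(app, {}).get(scope)
    if sc is None:
        raise DelegAdminError("STORE", f"{app}/{scope} is not in the policy store")
    names = {t for r in sc["roles"].values() if user in r["members"] for t in r["tasks"]}
    tasks = [sc["tasks"][t] for t in names if operation in sc["tasks"][t]["operations"]]
    return len(tasks) == 1 and bool(tasks[0]["rule"](params, ifaces))

def build_command_line(template, metabase_node, param_nodes, values):
    """Expand #Path#, #Flag@N# and #N#; a malformed or undefined key raises BAD_KEY."""
    if "#" in PLACEHOLDER.sub("", template):    # e.g. the invalid sequence #KEY$
        raise DelegAdminError("BAD_KEY", f"malformed placeholder in {template!r}")
    def expand(match):
        key = match.group(1)
        if key == "Path":
            return metabase_node
        if key.startswith("Flag@") and key[5:].isdigit() and 0 < int(key[5:]) <= len(param_nodes):
            return param_nodes[int(key[5:]) - 1].get("MetabaseProperty")
        if key.isdigit() and 0 < int(key) <= len(values):
            return values[int(key) - 1]
        raise DelegAdminError("BAD_KEY", f"undefined key #{key}#")
    return PLACEHOLDER.sub(expand, template)

def execute_method(scope_name, method_name, parameters, user,
                   config_xml=CONFIG_XML, store=POLICY_STORE):
    """Walk the ExecuteMethod steps; on failure return the error code that would be logged."""
    try:
        parameters = [parameters] if isinstance(parameters, str) else list(parameters)
        config = ET.fromstring(config_xml)       # stands in for reading the mapped file
        scope = find_node(config, "IISDAScope", scope_name, SCOPE_ATTRS)
        method = find_node(config, "IISDAMethod", method_name, METHOD_ATTRS)
        param_nodes, iface_nodes = method.findall("Parameter"), method.findall("Interface")
        if any(n.get(a) is None for n in param_nodes for a in ("Name", "MetabaseProperty")) or \
           any(n.get(a) is None for n in iface_nodes for a in ("Name", "Flags", "ProgID")):
            raise DelegAdminError("BAD_CONFIG", "Parameter/Interface sub-node lacks attributes")
        if len(param_nodes) != len(parameters):
            raise DelegAdminError("PARAM_COUNT", f"expected {len(param_nodes)} parameter(s)")
        params = {n.get("Name"): v for n, v in zip(param_nodes, parameters)}
        ifaces = [n.get("Name") for n in iface_nodes]
        if not access_check(store, scope.get("AZApplicationName"), scope.get("AZScopeName"),
                            int(method.get("AZStoreID")), user, params, ifaces):
            raise DelegAdminError("ACCESS_DENIED", f"{user} may not run {method_name}")
        result = {"granted": True, "audit_object":        # bstrObjectName when audits are on
                  scope.get("AuditName") if scope.get("GenerateAudits") == "1" else None}
        if method.get("ProcessType") == "CMD":
            result["command_line"] = build_command_line(
                method.get("CmdLine"), scope.get("MetabaseNode"), param_nodes, parameters)
        return result
    except DelegAdminError as err:
        return {"granted": False, "error": err.args[0]}
```

With the constructed configuration, execute_method("ScopeUser1", "SetAccessProperty", "1", "user1") grants access and yields the argument string "SET IIS://Localhost/W3svc/1/Root/AccessFlags 1" for the executable module, while a caller outside the SiteOwner role, a parameter value outside the business rule, a missing scope attribute, a wrong parameter count or a malformed CmdLine key each come back as the error code the object would log instead of a command line. The point worth noting for a defender is that the user never sees the store, the roles or the template: the delegated caller supplies only a public scope name, a public method name and parameter values, and everything that reaches the executable is taken from the server-side configuration.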

Conclusion

Systems and methods for delegating access to resources hosted in a distributed computing environment have been described. Although the systems and methods have been described in language specific to structural features and methodological operations, the scope of the invention defined by the attached claims is not necessarily limited to the specific features or operations described. On the contrary, the specific features and operations are disclosed as illustrative forms of implementing the claimed invention.

1. A method of administering resources, performed by a server connected to one or more client devices in a distributed computing environment, comprising the steps of:
hosting the set of resources;
accepting a request from a user to perform an operation on a resource of the mentioned resources, the request being accepted by an application hosted on the server; and
determining whether to authorize this operation depending on whether the user has been delegated the authority to perform this operation on the resource, wherein this authority does not depend on whether the user is a member of an administrators group associated with any resource of the server.

2. The method according to claim 1, wherein the determination of whether to authorize the operation is performed via a secure delegated administration infrastructure.

3. The method according to claim 1, in which the operation is associated with a modification of content and/or functionality of the resource.

4. The method according to claim 1, in which the resource is represented as a node in the metabase Internet Information Services (IIS).

5. The method according to claim 1, wherein the request includes scope associated with the user, and the name of the method associated with the operation.

6. The method according to claim 1, wherein the resource is a Web site hosted by an Internet Service Provider (ISP), and the user is not authorized to perform administrative actions in relation to any resources associated with the ISP, except to send the ISP a request for evaluation of rights by the secure delegated administration infrastructure.

7. The method according to claim 1, wherein the request additionally includes an indication of whether the user wants to perform an operation through a dynamically generated command line, or through an executable object that is already associated with the operation.

8. The method according to claim 1, wherein the request additionally includes an indication of whether the user wants to register the result of the operation.

9. The method according to claim 1, wherein the secure delegated administration infrastructure is secure at least because it does not give the user access to the mapping of the user's role-based rights to the operation on the resource.

10. The method according to claim 1, further comprising the steps of:
installing the application on the server;
in response to installing the application, identifying the set of operations that the application can perform;
with the help of a member of the administrators group, mapping the operations onto a set of security rights based on dependent authorization roles (roles) of the set of users that includes the mentioned user; and
wherein the determining step further includes the step in which the application uses the mapping to identify whether the user is authorized to perform the operation.

11. The method according to claim 1, further comprising the steps of:
with the help of a member of the administrators group, setting role-based user permissions on the nodes of the Internet Information Services (IIS) metabase that identify resources;
specifying an interface for a task, wherein the interface has a name and includes a set of parameters, and the task includes the operation; and
wherein the determining step further includes the steps of:
determining the location of the interface in the configuration file,
in response to determining the location of the interface, presenting the identity of the user and the resource to evaluate the scope, the parameters, the name and the resource, and
in response to the presentation, identifying whether the user has been delegated role-based access to perform the operation on the resource.

12. The method according to claim 1, wherein in response to determining that the user has been delegated the authority to perform the operation on the resource, the method further includes the steps of:
setting the parameters associated with the operation; and
performing the operation within the scope associated with the user.

13. A machine-readable medium used to implement administration of resources in a distributed computing environment that includes a server and one or more client computing devices connected to the server, wherein the machine-readable medium contains machine-executable instructions for:
hosting the set of resources, wherein a particular resource of these resources provides the user the ability to determine whether the user has been delegated authorization to access the resource;
receiving a request from the user to perform an operation in respect of this resource; and
determining whether to authorize this operation depending on whether the user has been delegated the authority to perform this operation, wherein this authority does not depend on whether the user is a member of an administrators group associated with any resource of the server.

14. A machine-readable medium of clause 13, in which the operation is associated with a modification of content and/or functionality of the resource.

15. A machine-readable medium of clause 13, in which the resource is represented as a node in the metabase Internet Information Services (IIS).

16. A machine-readable medium of clause 13, where the request includes scope associated with the user, and the name of the method associated with the operation.

17. A machine-readable medium of clause 13, in which the resource is a Web site hosted by an Internet Service Provider (ISP), and the user is not a member of the administrators group.

18. A machine-readable medium of clause 13, in which the request additionally includes an indication of whether the operation is performed through a dynamically generated command line, or through an executable object that is already associated with the operation.

19. A machine-readable medium according to item 13, wherein the operations associated with determining whether to authorize the operation are secure at least because the user has no access to the mapping of the user's role-based rights to the operation.

20. A machine-readable medium of clause 13, in which the machine-executable instructions additionally include instructions for:
identifying the set of operations associated with the resource;
mapping the operations onto a set of security rights based on dependent authorization roles (roles) of the set of users that includes the mentioned user; and
wherein the instructions for determining additionally contain instructions to use the above mapping to identify whether the user is authorized to perform the operation.

21. A machine-readable medium of clause 13, in which the machine-executable instructions additionally include instructions for:
securely setting role-based user access rights on the nodes of the Internet Information Services (IIS) metabase that identify resources;
specifying an interface for a task, wherein the interface has a name and contains a set of parameters, and the task includes the operation; and
wherein the machine-executable instructions for determining additionally include instructions for:
determining the location of the interface in the configuration file,
presenting, in response to determining the location of the interface, the identity of the user and the resource to evaluate the scope, the parameters, the name and the resource, and
identifying, in response to the presentation, whether the user has been delegated role-based access to perform the operation on the resource.

22. A machine-readable medium of clause 13, in which the machine-executable instructions, in response to determining that the user has been delegated the authority to perform the operation on the resource, additionally include instructions for:
setting the parameters associated with the operation; and
performing the operation within the scope associated with the user.

23. A server for implementing administration of resources in a distributed computing environment that includes the server and one or more client computing devices connected to the server, the server comprising:
a processor; and
a memory connected to the processor, the memory containing machine-executable instructions for:
hosting the set of resources;
receiving a request from a user to perform an operation on a resource of these resources; and
determining whether to authorize this operation depending on whether the user has been delegated the authority to perform this operation, wherein this authority does not depend on whether the user is a member of an administrators group associated with any resource of the server.

24. The server according to item 23, in which the request is generated by at least one resource of the mentioned resources.

25. The server according to item 23, in which the operation is associated with a modification of content and/or functionality of the resource.

26. The server according to item 23, in which the resource is represented as a node in the metabase Internet Information Services (IIS).

27. The server according to item 23, in which the query includes the scope associated with the user, and the name of the method associated with the operation.

28. The server according to item 23, in which the resource is a Web site hosted by an Internet Service Provider (ISP), and the user is not a member of the administrators group.

29. The server according to item 23, in which the request additionally includes an indication of whether the operation is performed through a dynamically generated command line, or through an executable object that is already associated with the operation.

30. The server according to item 23, in which the secure delegated administration infrastructure is secure at least because it does not give the user access to the mapping of the user's role-based rights to the operation on the resource.

31. The server according to item 23, in which the machine-executable instructions additionally include instructions for:
identifying the set of operations associated with the resource;
mapping the operations onto a set of security rights based on dependent authorization roles (roles) of the set of users that includes the mentioned user; and
wherein the instructions for determining additionally contain instructions to use the above mapping to identify whether the user is authorized to perform the operation.

32. The server according to item 23, in which the machine-executable instructions additionally include instructions for:
securely setting role-based user access rights on the nodes of the Internet Information Services (IIS) metabase, the nodes identifying resources;
specifying an interface for a task, wherein the interface has a name and contains a set of parameters, and the task contains the operation; and
wherein the machine-executable instructions for determining additionally include instructions for:
determining the location of the interface in the configuration file;
presenting, in response to determining the location of the interface, the identity of the user and the resource to evaluate the scope, the parameters, the name and the resource; and
identifying, in response to the presentation, whether the user has been delegated role-based access to perform the operation on the resource.

33. The server according to item 23, in which the machine-executable instructions, in response to determining that the user has been delegated the authority to perform the operation on the resource, additionally include instructions for:
identifying the parameters associated with the operation; and
performing the operation within the scope associated with the user.

34. A server for implementing administration of resources, comprising:
means for hosting the set of resources;
means for receiving a request from a user to perform an operation on a resource of these resources; and
means for determining whether to authorize this operation depending on whether the user has been delegated the authority to perform this operation, wherein this authority does not depend on whether the user is a member of an administrators group associated with the server.

35. The server 34, in which the operation is associated with a modification of content and/or functionality of the resource.

36. The server 34, in which the resource is a node in the metabase Internet Information Services (IIS).

37. The server 34, in which the resource is a Web site hosted by an Internet Service Provider (ISP), and the user is not a member of the administrators group.

38. The server 34, in which, in response to determining that the user has been delegated the authority to perform the operation on the resource, the server further comprises:
means for setting the parameters associated with the operation; and
means for performing the operation within the scope associated with the user.



 

Same patents:

FIELD: physics; image processing.

SUBSTANCE: present invention relates to dactylography and can be used for preventing unauthorised access to a protected system by random persons. The method of identifying a living finger is based on comparing distinctive features of a papillary figure when a finger is pressed twice to the receiving surface of a scanner. The degree of linearity of displacement of coordinates of the distinctive features of the papillary figure determines whether the finger is living.

EFFECT: increased security of the system.

2 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to the mechanism of digital rights management (DRM), and more specifically, to the method and apparatus for sharing content between domains with different DRM. The first DRM-device comprises an unpacking resource for unpacking the contents formatted with first DRM, into clean resources, metadata and rights expression; conversion means for transforming each of the clean resources, metadata, and the expression of rights in its own predefined neutral format, respectively; means of forming neutral-formatted contents, combining the converted resources, metadata and rights of expression, adding to the pre-defined header information; and transferring means for transmission of neutral-formatted contents of the second DRM-mentioned device. The second DRM-device comprises means of extracting the clean resources, metadata, and the expression rights of the neutral-formatted contents, transferred from the above mentioned first DRM-device, and means of packing of the extracted clean resources, the metadata and expression of the rights in the contents formatted with second DRM.

EFFECT: more functional capabilities.

26 cl, 8 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to the identification of an executable file, or another beneficiary for determining the credibility of the resource object so that this object can provide a resource for the executable file. Resource is received from the resource provider for a resource requester, which functions on a computer device. The resource requester has an associated identifier descriptor. The identifier descriptor includes information related to security, giving the environment in which the resource requester operates. An identification code (ID code) is generated in accordance with loaded resource requester and the loaded identifier descriptor, based on the loaded resource requester and the loaded identification code. The resource provider makes sure that the calculated id-Code in request for a resource coincides with one of one or more valid id-Codes for the identified resource requester, so as conclude, that resource requester and identifier descriptor can be trusted, and the resource provider responds to the request by providing the resource requester with the resource.

EFFECT: invention can increase the credibility of executable files, or other recipient of the resource by the resource providers.

36 cl, 4 dwg

FIELD: physics, computation technology.

SUBSTANCE: invention concerns method and device of digital rights management. When authorisation on server is not accessible, operations with minimised risk are allowed by implementation of internal authorisation scheme. Authorisation method for operation to be performed on digital element involves definition of first operation group members including first predetermined group of operations on digital element, and second operation group including second predetermined group of operations on digital elements; comparison of predetermined operation to be performed on digital element to operations included in each indicated operation group; external authorisation with access to authorising server if operation belongs to first operation group; internal authorisation by device if operation belongs to second operation group; and authorisation of operation to be performed on digital element if one of listed authorisations brings positive result.

EFFECT: enhanced security level of operations with digital content.

13 cl, 5 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to protection systems. Unit of protection and method realise requests for data from USB device or other similar device, at that protected component may realise protected communication to device without variation of underlying USB bus protocol, or device, even where software that controls the bus is not trusted. Protection unit (physically separated or integrated in device or concentrator) intercepts data transmitted from device into protected component in response to request for data. Signal of data reception confirmation unavailability is transmitted into protected component, and data are coded. The following request for data is intercepted, and coded data are sent in response. Confirmation of data reception from protected component in device is allowed to reach the device. In order to process request for installation, permit command that contains coded and decoded installation command is sent to protection unit. If coding is checked successfully, then installation command sent to device (via protection unit), is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to authentication of applications. Identifier of the corresponding distributor is retrieved from meta data applications. Certificates are received. Each certificate contains one or more identifiers of corresponding distributors. The above mentioned identifiers are retrieved from certificates and certificates are chosen, based on comparison of identifiers, retrieved from meta data applications and certificates, such that, the relationship between the identifier and the distributor is controlled so that, certificates could be used only for identifying applications, distributed by identified distributors.

EFFECT: provision for selecting a certificate for authenticating an application, linked to a distributor.

15 cl, 4 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to control of generation of cryptographic keys in an information media, comprising a party which generates the key and distributes the key information for the party using the key. Through a given unilateral function of deriving keys, a relationship between key generations is determined, which is such that, earlier generation of keys can be more efficiently derived from later generation, but not the opposite. Each time, when necessary, the party using the key iteratively receives the given unilateral function of deriving keys for outputting the key information of at least, one previous key generation from the key information of new key generation. That way, memory requirements for the party using the key can considerably be reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to the architecture and method of establishing a secure multimedia channel for content delivery. The computer device has a secure multimedia channel for delivering content from a source to a receiver. In the secure channel, the multimedia base provides a secure environment in the computer device and comprises a common infrastructure of key components, processing content from any specified source and delivering the processed content to any specified receiver, and also comprises a policy implementation unit, providing for compliance with policy on behalf of the source. The policy corresponds to the content from the source and comprises rules and requirements for accessing the content and its playback. The multimedia base provides for secure transmission of content through the computer device and allows for arbitrary processing of protected content in the computer device.

EFFECT: increased security of content from unauthorised use.

23 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: invention can be used in system of the forced performance of requirements which provides access possibility to the enciphered digital content on a computing mechanism only according to parametres the certain rights of the license got by the user of digital contents. The first confidential builder on the first computing mechanism carries out cryptographic, an estimate and the forced performance of requirements and forcedly contacts it, the first certificate of the user device corresponding to the first computing mechanism, forcedly contacts the user. Accordingly, the second confidential builder on the second computing mechanism carries out cryptographic processing, an estimate and the forced performance of requirements and forcedly contacts it, the second certificate of the user device corresponding to the second computing mechanism, also forcefully contacts the user. The first competent builder gains contents for reproduction on the first computing mechanism by means of the first certificate of the user device and the license, and the second confidential builder gains contents for reproduction on the second computing mechanism by means of the second certificate of the user device and the same license.

EFFECT: prevention of non-authorised duplication of digital content by the user related to the digital license and having of some computing mechanisms.

16 cl, 6 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns digital rights management system. (DRM) features multiple DRM servers with DRM functionality, and incoming server DRM-I is registered in the system by registration server DRM-R, so that incoming server DRM-I should be a trust server in this system. DRM-I server sends registration request to DRM-R server including representative identification data and public key (PU-E). DRM-R server checks validity of representative identification data, and if the request can be met, DRM-R server generates digital registration certificate by (PU-E) for DRM-I server for registration of DRM-I server in DRM system. Just registered DRM-I server with generated registration certificate can use it for delivery of documents with DRM in DRM system.

EFFECT: possible controlled reproduction or replay of arbitrary digital content forms in medium where documents are shared by a definite group of users.

74 cl, 17 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to computer engineering. The method involves the following: general-system software is installed on each computer installation; integrated means of intercomputer information exchange is provided for; guaranteed protected interaction is provided between terminal applications through a series of outgoing and incoming messages; on each computer installation, protective randomised data storage is created, referred to as a private safe; the series of outgoing and incoming messages is stored in the private safe; provision for creating and deleting information objects, referred to as links, with possibility of extracting these links to special information resources, referred to as DataMart; provision for guaranteed storage of data windows in the private safe in form of a set of links, referred to DataMarket; confidential data and credentials of the administrator are stored in the private safe; provision for mandate and discretional control of access of the administrator to the DataMarket; provision for guaranteed processing of links in the DataMarket; systematic verification of credentials of each administrator, given access to work with the DataMarket, and working session of any administrator is stopped there discrepancy of at least one parametre of the corresponding access profile, stored in the private safe in the computer installation.

EFFECT: realisation of a general protected transport medium with integration of information resources to provide for uniform data exchange between the Central information object (CIO) and complexes of automation equipment (CAE) for all purposes.

6 cl, 5 dwg

FIELD: physics; image processing.

SUBSTANCE: present invention relates to dactylography and can be used for preventing unauthorised access to a protected system by random persons. The method of identifying a living finger is based on comparing distinctive features of a papillary figure when a finger is pressed twice to the receiving surface of a scanner. The degree of linearity of displacement of coordinates of the distinctive features of the papillary figure determines whether the finger is living.

EFFECT: increased security of the system.

2 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention relates to computer engineering and can be used for protecting binary program files. The description discloses a system and method enabling the installation of security patches (on weak points) in binary files. Detection and patching of vulnerable binary files is automatic, reliable, and scales to networks of unlimited size without degradation or exhaustion of resources. Reliable detection of vulnerable binary files (for example, in operating systems, application programs, etc.) is achieved through the use of binary signatures associated with the detected vulnerabilities. Distinguishing security patches from ordinary service packs makes it possible to produce patches which do not worsen vulnerability in binary files.

EFFECT: provision for reliable detection of vulnerable binary files and making patches which do not worsen vulnerability in binary files.

24 cl, 7 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to the administration of network systems and, more specifically, to a command line environment designed to administer a remote network system. The command line environment is configured to receive a command line which names multiple remote nodes. The command line environment is configured to establish a session, which may be persistent, for every connected remote node, and to initiate execution of remote commands on these nodes. The session may be assigned to a variable, and remote execution can be performed concurrently. The results of remote execution are received and can be combined into an array.

EFFECT: possibility of distributing tasks from the command line environment of one system to other systems by establishing sessions, for improved operational characteristics.

32 cl, 6 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to the mechanism of digital rights management (DRM) and, more specifically, to a method and apparatus for sharing content between domains with different DRM systems. The first DRM device comprises an unpacking means for unpacking the content formatted with the first DRM into clean resources, metadata and a rights expression; a conversion means for transforming each of the clean resources, the metadata and the rights expression into its own predefined neutral format, respectively; a means of forming neutral-formatted content by combining the converted resources, metadata and rights expression and adding predefined header information; and a transfer means for transmitting the neutral-formatted content to the second DRM device. The second DRM device comprises a means of extracting the clean resources, metadata and rights expression from the neutral-formatted content transferred from the above-mentioned first DRM device, and a means of packing the extracted clean resources, metadata and rights expression into content formatted with the second DRM.

EFFECT: more functional capabilities.

26 cl, 8 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to the identification of an executable file, or another recipient, for determining the trustworthiness of the resource object so that a resource provider can provide a resource to the executable file. A resource is requested from the resource provider by a resource requester running on a computer device. The resource requester has an associated identifier descriptor. The identifier descriptor includes security-related information describing the environment in which the resource requester operates. An identification code (ID code) is generated from the loaded resource requester and the loaded identifier descriptor. The resource provider verifies that the calculated ID code in the request for the resource matches one of one or more valid ID codes for the identified resource requester, concludes that the resource requester and identifier descriptor can be trusted, and responds to the request by providing the resource requester with the resource.

EFFECT: invention can increase the trustworthiness of executable files, or other recipients of a resource, in the eyes of resource providers.

36 cl, 4 dwg

FIELD: physics, computation technology.

SUBSTANCE: invention concerns a method and device for digital rights management. When authorisation on a server is not accessible, operations with minimised risk are allowed through an internal authorisation scheme. The authorisation method for an operation to be performed on a digital element involves defining the members of a first operation group comprising a first predetermined group of operations on the digital element, and a second operation group comprising a second predetermined group of operations on digital elements; comparing the requested operation to be performed on the digital element with the operations included in each operation group; external authorisation, with access to the authorising server, if the operation belongs to the first operation group; internal authorisation by the device if the operation belongs to the second operation group; and authorisation of the operation to be performed on the digital element if either of the listed authorisations yields a positive result.

EFFECT: enhanced security level of operations with digital content.

13 cl, 5 dwg

FIELD: information technologies.

SUBSTANCE: the serial presence detect (SPD) data in the electrically erasable programmable read-only memory (EEPROM) of a dual in-line memory module (DIMM) is encrypted using the private key of the motherboard with which this DIMM is to be used, so that only the basic input-output system (BIOS) of the specified motherboard can decrypt the SPD data and complete the boot.

EFFECT: improved protection of computer system integrity by blocking the use, in another motherboard, of memory modules removed from the original motherboard.

15 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to protection systems. A protection unit and method handle requests for data from a USB device or similar device, such that a protected component may communicate securely with the device without changing the underlying USB bus protocol or the device, even where the software that controls the bus is not trusted. The protection unit (physically separate or integrated into the device or hub) intercepts the data transmitted from the device to the protected component in response to a request for data. A signal indicating that no data acknowledgement is available is transmitted to the protected component, and the data are encrypted. The next request for data is intercepted, and the encrypted data are sent in response. The protected component's acknowledgement of data reception is allowed to reach the device. To process a setup request, an enable command containing both the encrypted and the decrypted setup command is sent to the protection unit. If the encryption is verified successfully, the setup command sent to the device (via the protection unit) is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to methods and devices for performing an operation requested by a user on a content element. The invention is intended for authorising an operation requested by a first user on a content element on the basis of a user right. The user right may identify the first user or a second user and authorise performance of the requested operation by that user on the content element. If the user right identifies the second user, the operation is authorised on receipt of information on the relation between the user right of the first user and the user right of the second user. Preferably, this information consists of one or more domain certificates identifying the first and second users as members of the same authorised domain. Preferably, a content right permitting the operation is used, and the user right authorises exercise of the content right by the second user.

EFFECT: provides control of content rights for groups of people on the basis of persons, not devices.

19 cl, 3 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to devices for limiting access to digital data stored on a data carrier. The technical result is achieved in that permission to access the data is checked by a separate device fitted on the controller board of the data carrier. Program-accessible device parameters can only be changed using special software which is part of the access limitation system. For this purpose the device contains an additional command analysis unit, which verifies the authenticity of commands issued by the software.

EFFECT: provision of limited access to sectors of a data carrier marked by special attributes, and prevention of unauthorised alteration of the attributes themselves.

2 cl, 5 dwg
