
Partial Containment Structure for Integration of Distributed Computing Environment and Local Registries

IP.com Disclosure Number: IPCOM000116528D
Original Publication Date: 1995-Sep-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 4 page(s) / 167K

Publishing Venue

IBM

Related People

Guski, R: AUTHOR [+2]

Abstract

The design of a structure for integrating the security registry in the Open Software Foundation's Distributed Computing Environment (DCE) and registries on local operating system platforms is disclosed. This structure is referred to as "partial containment" since a subset of the security information pertaining to principals and groups in the local registry is imported into the DCE registry.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 37% of the total text.

Partial Containment Structure for Integration of Distributed Computing
Environment and Local Registries

      The design of a structure for integrating the security registry
in the Open Software Foundation's Distributed Computing Environment
(DCE) and registries on local operating system platforms is
disclosed.  This structure is referred to as "partial containment"
since a subset of the security information pertaining to principals
and groups in the local registry is imported into the DCE registry.

      Vendor implementations of DCE are typically based on operating
system platforms that have existing local security facilities,
including local authentication, access control, and registry.  When a
collection of such systems is connected together to form a DCE cell,
a number of problems arise:
  o  Each system defines and recognizes its own set of local users to
      whom it assigns login names, passwords and other
      security-relevant attributes.  A DCE principal cannot log in to
      all of the systems in the cell with a single login name and
      password.
  o  Access to resources governed by local access control facilities
      is based on local user identities, e.g., userids or UIDs.
      Without a local user identity, a DCE principal cannot access
      these resources.
  o  Each system has a local registry that needs to be administered,
      which may contain security information relating to
      locally-defined principals, groups and resources.  Information
      residing in different local registries but pertaining to the
      same DCE principal cannot be synchronized and managed from a
      single point.

      These problems need to be addressed by the integration of the
DCE security facilities with the local security facilities on each
platform.  One key task in this effort is the integration of the DCE
registry and the local security registry, in order to establish the
connection between the DCE identity of a principal and the same
principal's local identity on a given system in the distributed
environment.

      The design of the DCE - local registry integration structure
described in this disclosure aims to satisfy the following
requirements:
  o  Enable centralized, remote and distributed administration of DCE
      and local security information on users, groups, policies and
      resources
  o  Enable transparent access to resources governed by DCE and local
      access control facilities by making DCE and
      local-system-relevant security information available to DCE's
      ticket-granting mechanism
  o  Enable single login by performing password synchronization
      between the DCE registry and local registries

      The Figure shows a sample configuration of a cell in which the
DCE registry and the local registries have been integrated.

      The cell can be administered from a central point through the
use of one...