1323 results about "Access management" patented technology

A network-based mobile workgroup system has considerably wider appeal and application than normal virtual private networks in that it provides seamless mobility across a number of access technologies at the same time as it offers a granular security separation down to workgroup level. The mobile workgroup system is an access management system for mobile users with VPN and firewall functionality inbuilt. The mobile user can access the mobile workgroup system over a set of access technologies and select server resources and correspondent nodes to access pending their workgroup membership approvals. All workgroup policy rules are defined in a mobile service manager and pushed down to one or more mobile service routers for policy enforcement. The mobile service router closest to the mobile client, and being part of the mobile virtual private network, performs regular authentication checks of the mobile client during service execution. At the same time it performs traffic filtering based on the mobile user's workgroup memberships. Together, these two components constitute an unprecedented security lock, effectively isolating a distributed workgroup into a mobile virtual private network.

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

A method for providing access management and security protection to a computer service includes providing a computer service that is hosted at one or more servers and is accessible to clients via a first network, providing a second network that includes a plurality of traffic processing nodes and providing means for redirecting network traffic from the first network to the second network. Next, redirecting network traffic targeted to access the computer service via the first network to a traffic processing node of the second network via the means for redirecting network traffic. Next, inspecting and processing the redirected network traffic by the traffic processing node and then routing only redirected network traffic that has been inspected, processed and approved by the traffic processing node to access the computer service via the second network.

A method and apparatus for efficiently managing the allocation of available data capacity on a physically shared digital network among devices connected to that network is disclosed. Also disclosed is a method and apparatus for managing the ongoing timely movement of data on the shared network such that precise long-term data rates are achieved between attached devices with minimal additional buffering. The invention further comprises a method and apparatus which allows the use of any remaining network capacity for non time-critical data movement without the need for centralized access management.

Presented is a web-based enterprise management compliant management framework whose back end components are decoupled from the various user interfaces available for accessing the management system. In the Windows environment, the management system of the instant invention is also compliant with the Windows management instrumentation (WMI) requirements. This management system includes WMI providers which implement standard interfaces which decouple all semantic and syntactic checks from the user interface and which provide common error strings, help, etc. to a user regardless of the user interface being used. The providers of the management system of the instant invention store and access data in the active directory. As such, these providers present a customizable user interface which may be based on a user's expertise level and which may be dynamically localized to the user's preferred language. Transaction support is also provided which prevents multiple users from changing the same attributes at the same time through different user interfaces.

The invention provides a method and system for locally tracking network usage and enforcing usage plans at a client device. In an embodiment of the invention, a unique physical key, or token, is installed at a client device of one or more networks. The key comprises a usage application and one or more access parameters designated the conditions and/or limits of a particular network usage plan. Upon initial connection to the network, the usage application grants or denies access to the network based on an analysis of the current values of the access parameters. Therefore, network usage tracking and enforcement is made simple and automatic without requiring any back-end servers on the network while still providing ultimate flexibility in changing billing plans for any number of users at any time.

An Access System can provide identity management and/or access management services. Examples of access management services include authentication and authorization services. In some implementations, users of an Access System want to use the authorization services of the Access System but do not want to use the authentication services of the Access System. The present invention allows some or all of the resources protected by the Access System to use the authentication services of the Access System and some or all of the resources protected by the Access System to use external authentication services.

A wireless access control system for an electronic device comprises a personal locking device and an access control software module. The electronic device and personal locking device are Bluetooth-enabled and use Bluetooth to communicate with each other. The access control software is used to establish a Bluetooth link between these devices, based on the unique Bluetooth identifiers of the personal locking device and the electronic device. The personal locking device is preferably portable and is carried by the user at all times. Examples of preferred personal locking devices are cellular telephones, personal digital assistants, and pocket PCs. The Bluetooth radio chip and the Bluetooth communications protocol monitor the quality of service of the Bluetooth link between the devices. When the quality of service falls below a predetermined threshold, the access control software may switch the electronic device from an unlocked state to a locked state. When the quality of service rises above a predetermined threshold from below the threshold, the software may switch the electronic device from a locked state to an unlocked state.

A method and system for load balancing in a network system such as a data-over-cable system. One method includes receiving a first message on a first network device such as a cable modem termination system (“CMTS”) from a second network device and marking the first message with an identifier of a network access device. The method further includes intercepting the first message on a third network device such as a provisioning/access manager prior to any first protocol server such a Dynamic Host Configuration Protocol server receives the first message. When the third network device intercepts the first message, the third network device determines capabilities of the second network device and applies a set of rules to load balance any requests between a plurality of channel pairs. Each charmel pair is associated with at least one capability of a network device and also has a load factor parameter and a threshold value defining a capacity of a channel pair. The third network device assigns the second network device to a predetermined channel pair based on the capabilities of the second network device, a load factor of the channel pair and a capacity of the channel pair.

Hypervisor-based intrusion prevention platform is provided. The hypervisor-based intrusion prevention platform comprises a virtual network intrusion prevention system (vIPS) framework which obtains internal information of a virtualization system from a hypervisor and performs security control on the hypervisor in response to the result of intrusion detection carried out by using the internal information of the virtualization system, a hypervisor security application programming interface (API) module which provides an API used by the vIPS framework to access the hypervisor, an administrator account management and authentication module which manages an administrator account of a vIPS and authenticates the administrator account, an environment setting management module which manages environment setting values of modules within the vIPS, and an external interface module which provides an interface for system control and security control.

There is provided with an access management apparatus which connects a communication network to a local area network and which manages access from the communication network to the local area network, the access management apparatus including: a packet receiver which receives a packet according to TCP or UDP from the communication network; a database storage unit which stores a database having a port number of the TCP or UDP in association with a MAC address; a MAC address detector which detects a MAC address associated with a destination port number in the packet received by the packet receiver, from the database; a start-up request packet generator which generates a start-up request packet to start up a terminal device having the detected MAC address on the local area network; and an output unit which outputs the generated start-up request packet to the local area network.

A system and method for a first user to communicate in an Internet Protocol (IP) centric distributed network is described. The method can include a plurality of service layers including a network service function layer, a local service function layer, and an access service function layer providing a plurality of functions associated with each of the service layers. The method can also include accessing the network to establish a point of presence at an access management layer and a core portion of the network and to designate a default amount of bandwidth and plurality of default setup parameters; invocating service through an application server on the network to establish an amount of network resources requested by the first user; establishing a transport session to create and manage a connection from the first user to a destination address; and accounting for a service session within the IP centric distributed network.

A system is disclosed that is used to provide access management for resources on a network. The system makes use of query data from a URL (or another identification or request) to identify the appropriate access rule. Examples of an access rule include an authentication rule, an authorization rule, or an audit rule. The system can be configured to require the query data to match order dependent variables or order independent variables. In one option, the system can include two levels of rules and the query data can be used to identify first level rules, second level rules or both.

A cloud-based identity and access management system that implements single sign-on (“SSO”) receives a first request for an identity management service configured to allow for accessing an application. Embodiments send the first request to a first microservice which performs the identity management service by generating a token. The first microservice generates the token at least in part by sending a second request to a SSO microservice that is configured to provide SSO functionality across different microservices that are based on different protocols. Embodiments then receive the token from the first microservice and provide the token to the application, where the token allows for accessing the application.

A system and method for out-of-band network management is provided wherein one or more different management interfaces are converted into a common format management data. The system may encrypt the common format management data. The system may also authenticate each user that attempts to access the management interfaces.

Methods and systems are provided for decentralizing user data access rights control activities in networked organizations having diverse access control models and file server protocols. A folder management application enables end users of the file system to make requests for access to storage elements, either individually, or by becoming members of a user group having group access privileges. Responsibility for dealing with such requests is distributed to respective group owners and data owners, who may delegate responsibility to authorizers. The application may also consider automatically generated proposals for changes to access privileges. An automatic system continually monitors and analyzes access behavior by users who have been pre-classified into groups having common data access privileges. As the organizational structure changes, these groups are adaptively changed both in composition and in data access rights.

The invention discloses a cellular communication system, a method for the inter-cell handover of a terminal and a macro base station. The cellular communication system comprises the macro base station and at least one micro base station within the coverage of the macro base station. The macro base station is used for establishing a control channel for the terminal of the micro base station, performing accessing management operations on the micro base stations within the coverage, receiving a handover request of the terminal and realizing the handover of the terminal to another micro base station within the coverage. The micro base station is used for establishing a data channel for an accessing terminal to perform data transmission with the terminal. By the system, the method and the macro base station, a user control plane and a data plane under a micro cell can be separated, so that the resources of the micro base station can be better used for data communication. Therefore, negative impact on the system can be reduced in a macro cell-micro cell coexisting networking way.

A method and system for policy provisioning and access managing on a data-over-cable system. One method includes receiving a first message on a first network device such as a CMTS from a second network device and marking the first message with an identifier of a network access device. The method further includes intercepting the first message on a third network device prior to a first protocol network server such as a Dynamic Host Configuration Protocol (“DHCP”) server receives the first message. When the third network device intercepts the first message, the third network device determines the identity of the second network device. Based on the identity of the second network device and using the identifier of the network access device, the third network device manages an assignment of configuration parameters for the second network device.

A system is disclosed that logs access system events. When an access system event occurs, a log entry is created for the access system event. Information from an identity profile is stored in the log entry. The identity profile pertains to a first user. The first user is the entity who caused or was involved with the access system event. In one embodiment, the access system includes identity management and access management functionality.

A method of managing visitation includes accessing a visitation control system including a visitation session scheduling interface, communications devices, a switching interface, and at least one authentication interface, defining rules governing visitation, requesting a visitation session using the scheduling interface, assessing whether the visitation session complies with the rules governing visitation, scheduling the visitation session if the visitation session complies with the rules, using the at least one authentication interface to authenticate a first party and a second party, establishing communication between the first party and the second party after authenticating both parties, and storing a record of the visitation session in a database. The record preferably includes at least information regarding identities of the first party and the second party. The visitation session may also be monitored (e.g., in real time, near real time, or by recording).

A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.