Patents Assigned to Centrify Corporation
  • Patent number: 9015103
    Abstract: A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: April 21, 2015
    Assignee: Centrify Corporation
    Inventor: Paul Moore
  • Publication number: 20150106917
    Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by roles allowed for each user. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions (if the user may assume the role) for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions to the user's activities in a newly created virtual desktop.
    Type: Application
    Filed: October 11, 2013
    Publication date: April 16, 2015
    Applicant: Centrify Corporation
    Inventor: Hon Wai Kwok
  • Publication number: 20150101020
    Abstract: A system and method for taking control of process token creation in the Windows operating system to create conditional process tokens that define access to system resources for processes running on a Windows computer. The system includes an LSA shim layer that intercepts standard Windows requests for authentication and authorization and an authentication agent that determines context for each request. A custom authentication and authorization (A&A) store determines authentication success and the amount of authorization based on context and supplied credentials. Once the custom A&A store determines a successful log-on and defines authorization for the user, it passes the elements of authorization through the authentication agent to the LSA shim layer, which passes them on to the LSA module, which in turn uses them to request a Windows process token from the Windows kernel.
    Type: Application
    Filed: October 8, 2013
    Publication date: April 9, 2015
    Applicant: Centrify Corporation
    Inventor: Hon Wai Kwok
  • Patent number: 8321523
    Abstract: A method of maintaining Network Information Service (NIS) maps where modifying information about any of the network entities described by the NIS maps requires only incremental update of the NIS maps instead of full NIS map regeneration. A further method of detecting when network entity records on a network directory server change so that NIS map updates are necessary.
    Type: Grant
    Filed: April 24, 2006
    Date of Patent: November 27, 2012
    Assignee: Centrify Corporation
    Inventors: Craig L. Lawson, Paul Moore
  • Patent number: 8024360
    Abstract: A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.
    Type: Grant
    Filed: December 10, 2004
    Date of Patent: September 20, 2011
    Assignee: Centrify Corporation
    Inventor: Paul Moore
  • Patent number: 7591005
    Abstract: A method of detecting when a user logs into a UNIX computer, of determining if the user's local log-in name should be replaced by a network log-in name for network authentication, of replacing the local log-in name if so determined, and of sending the log-in name with any other required authentication information to an authenticator so the user may be authenticated and allowed to log in to the computer. Other embodiments are also described.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: September 15, 2009
    Assignee: Centrify Corporation
    Inventor: Paul Moore