Abstract: In an embodiment, a verifier receives requirements for membership in a group from a service and receives proof of attributes from users. The verifier verifies whether the proof of attributes meets the membership requirements and sends acceptance or rejection to the service. If the proof meets the requirements, the service allows the users to become members of the group and allows the members to transfer data to and from other members. If the proof does not meet the requirements, the service prevents the users from becoming members. In this way, the service and group members know that other group members satisfy the group membership requirements without needing to know the identity of the group members or other information unrelated to the group membership requirements.

Abstract: In a multi-tiered computing environment, a first program may authenticate with a second program using dynamically-generated public/private key pairs. An authentication token is constructed that includes user information and information about the first program and the second program. The first program then digitally signs the authentication token using the dynamically-generated private key, and sends the authentication token to the second program. The second program then verifies the authentication token using the public key corresponding to the first program. Once verified, the first program is authenticated to the second program. The second program may then authenticate to a next-tier program by constructing an authentication token that includes the information in the authentication token received from the first program.

Abstract: An authenticated identity propagation and translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing components of a multi-component transaction processing computing environment including distributed and mainframe computing components. The technique includes, in one embodiment, forwarding, in association with transaction requests, identified and authenticated user identification and authentication information from a distributed component to a mainframe component, facilitating the selection of the appropriate mainframe user identity with which to execute the mainframe portion of the transaction, and creating the appropriate run-time security context.

Abstract: In an embodiment, a verifier receives requirements for membership in a group from a service and receives proof of attributes from users. The verifier verifies whether the proof of attributes meets the membership requirements and sends acceptance or rejection to the service. If the proof meets the requirements, the service allows the users to become members of the group and allows the members to transfer data to and from other members. If the proof does not meet the requirements, the service prevents the users from becoming members. In this way, the service and group members know that other group members satisfy the group membership requirements without needing to know the identity of the group members or other information unrelated to the group membership requirements.

Abstract: Methods, apparatus, and products for administering access permissions for computer resources that include: establishing, for active access permissions for a computer resource for a user, proposed alternative access permissions for the computer resource for the user; receiving, in an access control module of an operating system from the user, a request for access to the resource; determining, by the access control module, whether to grant access to the resource for the request in accordance with the active access permissions for the computer resource for the user; determining, by the access control module, whether access would have been granted for the request in accordance with the proposed alternative access permissions for the resource for the user; and recording, by the access control module, the result of the determination whether access would have been granted.

Abstract: In a multi-tiered computing environment, a first program may authenticate with a second program using dynamically-generated public/private key pairs. An authentication token is constructed that includes user information and information about the first program and the second program. The first program then digitally signs the authentication token using the dynamically-generated private key, and sends the authentication token to the second program. The second program then verifies the authentication token using the public key corresponding to the first program. Once verified, the first program is authenticated to the second program. The second program may then authenticate to a next-tier program by constructing an authentication token that includes the information in the authentication token received from the first program.

Abstract: A method, system, and computer program product for implementing policy-based security control functions is provided. The method includes constructing an organizational domain specifying business assets to be secured and the actors in specific roles requiring access to the business assets. The method also includes constructing a control policy domain including system setting attributes and access control policies for a computer system, the access control policies specifying permissions-based access to specified types of data based upon actor and purpose of use criteria. The method further includes mapping user identifiers to corresponding actors and mapping system artifacts in the computer system or subsystem to business assets defined in the organizational domain to which an access control policy is to be applied. The method also includes applying the access control policies to the system.

Abstract: An apparatus and method allow a system administrator to manage multiple user identities in multiple user registries in different processing environments. An identity mapping mechanism is provided that includes a directory service that includes entries that reference user identities in the multiple registries, and that reference identity mappings between those entries. The identity mapping mechanism includes an interface defined by a plurality of APIs that allow accessing and correlating the multiple user identities and the identity mappings. A programmer can generate an application or tool that uses the identity mapping mechanism by calling the APIs in the interface. In this manner, administration of user identities occurs with the user as the primary focus, rather than the platform. In addition, a common tool can be used to manage the user identities of different environments, making administration of user identities in a heterogenous network more efficient and cost-effective.

Abstract: A user within a multiple process environment is initially authenticated, such as by verifying the user's identification and password. A first process, such as a client, requests a profile token representative of the user in response to authenticating the user. The profile token has associated with it one or more usage limitations. The profile token is transferred from the first process to a second process, such as a server. The second process, upon receiving a valid profile token, is allowed to perform one or more tasks on behalf of the user within the token's usage limitations. A profile token is invalidated upon violation of a usage limitation, such as a preestablished time-out period. One or more lookup tables are used to manage the profile tokens and to store certain user and profile token information, providing increased processing security.

Abstract: Method for providing at least a portion of a disguised password in an undisguised form is described. More particularly, a program is described having a capability of displaying a single character at a time, more than one character at a time or all of otherwise disguised characters of a password in an undisguised form in response to a successful pre-password check.

Abstract: An authenticated identity translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing units of a multiple computing unit environment. The technique includes, in one embodiment, recording user identification and authentication events occurring within the trusted domain, and making this information available to other computing units within the domain by generating tokens representative of the identification and authentication events. A token is forwarded with a request to one or more computing units of the domain, which in turn provide the token to a domain controller to translate user identities between respective computing units.

Abstract: An apparatus and method allow a system administrator to manage multiple user identities in multiple user registries in different processing environments. An identity mapping mechanism is provided that includes a directory service that includes entries that reference user identities in the multiple registries, and that reference identity mappings between those entries. The identity mapping mechanism includes an interface defined by a plurality of APIs that allow accessing and correlating the multiple user identities and the identity mappings. A programmer can generate an application or tool that uses the identity mapping mechanism by calling the APIs in the interface. In this manner, administration of user identities occurs with the user as the primary focus, rather than the platform. In addition, a common tool can be used to manage the user identities of different environments, making administration of user identities in a heterogenous network more efficient and cost-effective.

Abstract: Method for providing at least a portion of a disguised password in an undisguised form is described. More particularly, a program is described having a capability of displaying a single character at a time, more than one character at a time or all of otherwise disguised characters of a password in an undisguised form in response to a successful pre-password check.