Patents by Inventor Richard H. Guski

Richard H. Guski has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8627434
    Abstract: Processing within a computing environment is facilitated by: determining by a local security manager of a first system in a first security domain whether a local security context of a user is acceptable to a second system in a second security domain; responsive to the user's security context being unacceptable to the second system, creating by a local security manager of the second system a runtime security context for the user in the second system; and providing the first system with a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system, the reference or the portable representation being subsequently returned to the second system with a request from the first system to process work at the second system.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: January 7, 2014
    Assignee: International Business Machines Corporation
    Inventors: Alan P. Dooley, Walter B. Farrell, Arthur L. Fitzpatrick, III, Richard H. Guski, Russell D. Hardgrove, Deborah F. Mapes, Christine A. Marusek, Mark A. Nelson, Eric Rosenfeld
  • Publication number: 20110138452
    Abstract: Processing within a computing environment is facilitated by: determining by a local security manager of a first system in a first security domain whether a local security context of a user is acceptable to a second system in a second security domain; responsive to the user's security context being unacceptable to the second system, creating by a local security manager of the second system a runtime security context for the user in the second system; and providing the first system with a reference to the runtime security context for the user in the second system which is resolvable within the computing environment or a portable representation of the runtime security context for the user in the second system, the reference or the portable representation being subsequently returned to the second system with a request from the first system to process work at the second system.
    Type: Application
    Filed: December 4, 2009
    Publication date: June 9, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Alan P. Dooley, Walter B. Farrell, Arthur L. Fitzpatrick, III, Richard H. Guski, Russell D. Hardgrove, Deborah F. Mapes, Christine A. Marusek, Mark A. Nelson, Eric Rosenfeld
  • Patent number: 7822980
    Abstract: An authenticated identity propagation and translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing components of a multi-component transaction processing computing environment including distributed and mainframe computing components. The technique includes, in one embodiment, forwarding, in association with transaction requests, identified and authenticated user identification and authentication information from a distributed component to a mainframe component, facilitating the selection of the appropriate mainframe user identity with which to execute the mainframe portion of the transaction, and creating the appropriate run-time security context.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: October 26, 2010
    Assignee: International Business Machines Corporation
    Inventors: Patrick S. Botz, John C. Dayka, Donna N. Dillenberger, Richard H. Guski, Timothy J. Hahn, Margaret K. LaBelle, Mark A. Nelson
  • Patent number: 7703135
    Abstract: A multi-identity security environment is created for use in controlling access to resources. The multi-identity security environment enables one process that is spawned by another process to access resources security accessible to the one process, as well as resources security accessible to the another process. The multi-identity security environment includes an identity of the one process and an identity of the another process.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: April 20, 2010
    Assignee: International Business Machines Corporation
    Inventors: Ernest S. Bender, Richard H. Guski, Deborah F. Mapes, Bruce R. Wells
  • Patent number: 7617393
    Abstract: A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: November 10, 2009
    Assignee: International Business Machines Corporation
    Inventors: Linda Betz, John C. Dayka, Walter B. Farrell, Richard H. Guski, Guenter Karjoth, Mark A. Nelson, Birgit M. Pfitzmann, Michael P. Waidner, Matthias Schunter
  • Publication number: 20090106815
    Abstract: A method and system are disclosed for mapping a privacy policy into classification labels for controlling access to information on a computer system or network, said privacy policy including one or more rules for determining which users can access said information. The method comprises the steps of parsing said one or more rules of the privacy policy; sorting the one or more rules into one or more sets; and, for each set of rules, (i) forming a logical statement from the rules of said each set, and (ii) using said logical statement to create associated privacy labels that allow access to said information. In a preferred embodiment, each of the rules is associated with a user category, a data category and a purpose category; and the rules in each set of rules have the same user category, the same data category, and the same purpose category.
    Type: Application
    Filed: October 23, 2007
    Publication date: April 23, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Carolyn A. Brodie, Richard H. Guski, Clare-Marie N. Karat, John Karat, Peter K. Malkin
  • Patent number: 7302569
    Abstract: A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.
    Type: Grant
    Filed: August 19, 2003
    Date of Patent: November 27, 2007
    Assignee: International Business Machines Corporation
    Inventors: Linda Betz, John C. Dayka, Walter B. Farrell, Richard H. Guski, Guenter Karjoth, Mark A. Nelson, Birgit M. Pfitzmann, Matthias Schunter, Michael P. Waidner
  • Patent number: 6993653
    Abstract: An identity vectoring method is accomplished by matching a distinguished name or partial distinguished name from a digital certificate with a distinguished name mapping record. A data field in the distinguished name mapping record includes either a variable name or a user ID. The variable name corresponds to any environmental factor. The next mapping record to be considered, the criteria mapping record, is determined by substituting the environmental factor for the variable name in the data field. A data field in the criteria mapping record includes either a variable name or a user ID. The process completes when a mapping record containing only a user ID is encountered or when no matching criteria mapping records are found.
    Type: Grant
    Filed: February 22, 2000
    Date of Patent: January 31, 2006
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Guski, Walter B. Farrell, James W. Sweeny, Thomas J. Szczygielski, John M. Thompson
  • Patent number: 6711679
    Abstract: An approach for allowing a server to act on behalf of an original requestor (originator) which includes an approach for indicating the chain of servers through which the original request came has been defined. This provides a mechanism for a server to act as a “delegate” for a request made by an originator. This approach uses PKI constructs and relies upon public-private key digital signatures for verifying the validity of the “delegation” information. The approach described here allows the originator some control over the extent to which its identity can be used on its behalf by servers that it contacts and servers that are contacted on its behalf. The entire “delegation chain” is contained within the construct, allowing examination of the “path” that a request has taken in getting to a server from which service was requested.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: March 23, 2004
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Guski, Timothy J. Hahn
  • Publication number: 20030177388
    Abstract: An authenticated identity translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing units of a multiple computing unit environment. The technique includes, in one embodiment, recording user identification and authentication events occurring within the trusted domain, and making this information available to other computing units within the domain by generating tokens representative of the identification and authentication events. A token is forwarded with a request to one or more computing units of the domain, which in turn provide the token to a domain controller to translate user identities between respective computing units.
    Type: Application
    Filed: March 15, 2002
    Publication date: September 18, 2003
    Applicant: International Business Machines Corporation
    Inventors: Patrick S. Botz, John C. Dayka, Richard H. Guski, Timothy J. Hahn, Margaret K. LaBelle
  • Patent number: 5592553
    Abstract: A system for authenticating a user located at a requesting node to a resource such as a host application located at an authenticating node using one-time passwords that change pseudorandomly with each request for authentication. At the requesting node a non-time-dependent value is generated from nonsecret information identifying the user and the host application, using a secret encryption key shared with the authenticating node. The non-time-dependent value is combined with a time-dependent value to generate a composite value that is encrypted to produce an authentication parameter. The authentication parameter is reversibly transformed into an alphanumeric character string that is transmitted as a one-time password to the authenticating node. At the authenticating node the received password is transformed back into the corresponding authentication parameter, which is decrypted to regenerate the composite value.
    Type: Grant
    Filed: February 8, 1996
    Date of Patent: January 7, 1997
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Guski, Raymond C. Larson, Stephen M. Matyas, Jr., Donald B. Johnson, Don Coppersmith