"Methods and Systems for Using Derived User Accounts" in Patent Application Approval Process

June 19, 2014

By a News Reporter-Staff News Editor at Computer Weekly News -- A patent application by the inventor ERLINGSSON, Ulfar (San Francisco, CA), filed on February 3, 2014, was made available online on June 5, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to Google Inc.

The following quote was obtained by the news editors from the background information supplied by the inventors: "The high cost of equipment in the early days of computing led to the development of time-shared computing systems that allowed multiple concurrent users to simultaneously access the computer systems. User accounts encapsulate the information particular to each individual user, such as the user's name, password, area of transient and persistent storage, configuration information, resource-usage quotas and other properties to be enforced on the user's behavior. By using user accounts, time sharing could be implemented without compromising the system's usability. Whereas previous computer system operations always directly affected the global state of the machine, operations on a user's behalf in systems implementing user accounts typically affect only the information in the user's account. In this manner, each user's actions became isolated from other users since, for the most part, they only affected the individual user's account information.

"FIG. 1 illustrates the components in a conventional computer system implementing user accounts. Each operation that involves accessing the state of the system is discriminated to determine if the state being accessed is local to an individual user account or global to the entire system (and therefore shared between all user accounts). If access is to a user-local state, the discrimination procedure determines the context of the access operation, that is, which user's account information to access. In conventional systems, context may be determined by, for example, using a low-level indirection (for memory accesses), the current virtual memory page tables, or a user account reference in each process or thread control block (for system calls).

"Since their invention, user accounts have proven very useful. They enhance usability when multiple individuals simultaneously use a computing system and allow for segregation of system activity based on intent. For example, conventional systems may use a supervisor user account, called 'root,' to run background services. Also, web-server activities may operate as 'nobody,' that is, a user account with very limited privileges. Additionally, user accounts are integral to maintaining the security of a multiple user computer system since they may be used to control which data a user may access or actions a user may perform.

"One key concern of IT professionals today is how to maintain the security of computer systems and data and prevent such systems and data from unauthorized access, modification, or corruption. Security breaches may occur when unauthorized activity results in access to or use of information stored in the computer. Another form of security breach occurs when unauthorized activity changes data or prevents an authorized user from accessing data by modifying permissions, causing a system 'crash,' or otherwise disrupting the operation of the computer system. Computer systems may also be corrupted unintentionally by, for example, installing or deleting new applications that have the effect of altering system files or configurations that other programs rely on.

"One way to cause the system corruption and security breaches mentioned above is to surreptitiously or unintentionally modify the information accessible to a user account. Methods and systems for preventing unauthorized or unintentional modification of user account information will help increase computer system security and stability."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventor's summary information for this patent application: "Consistent with the invention, methods and systems comprising an operating system receive a request to access a resource, initialize at least one derived user account based on at least one original user account and a set of rules; and access the resource based on the at least one derived user account. In some embodiments the at least one user account is initialized by generating the at least one derived user account using user account creation mechanisms of the operating system and populating the at least one derived user account based on the original user account and the set of rules. In other embodiments, the at least one user account is initialized by generating a token representing the at least one derived user account, wherein the token is based at least in part on the original user account. In still other embodiments, the at least one user account is initialized by annotating at least some of the activity of the original user account as belonging to the derived user account. In still further embodiments, the original user account is selectively modified based on the set of rules and the at least one derived user account.


"The accompanying drawings, which are incorporated in, and constitute a part of the specification, illustrate implementations of the invention and, together with the detailed description, serve to explain the principles of the invention. In the drawings:

"FIG. 1 is a block diagram of a conventional system architecture 100 for performing operations accessing state in a multi-user system;

"FIG. 2 is a flow diagram of a method for performing access operations using a derived user account consistent with the present invention;

"FIG. 3 is a block diagram of a system 300 for performing operations accessing state of a derived user account in a multi-user system consistent with the present invention;

"FIG. 4 illustrates one embodiment of a system consistent with the present invention;

"FIG. 5 shows, in more detail, an example of a client-server system interconnected through network 100; and

"FIG. 6 is a block diagram illustrating one exemplary embodiment of a system using DUAs consistent with the present invention."

For the URL and more information on this patent application, see: ERLINGSSON, Ulfar. Methods and Systems for Using Derived User Accounts. Filed February 3, 2014 and posted June 5, 2014. Patent URL:

Keywords for this news article include: Google Inc.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Computer Weekly News
