Title of invention: Method and apparatus for creating switchable desktops with separate authorizations
Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by the roles. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions in a newly created virtual desktop.
Publication number: US9378391(B2); Publication date: 2016.06.28
Application number: US201314052591; Filing date: 2013.10.11
Applicant: CENTRIFY CORPORATION; Inventor: Kwok Hon Wai
Classification: G06F21/62; Main classification: G06F21/62
Agency: Blakely Sokoloff Taylor & Zafman LLP; Agent: Blakely Sokoloff Taylor & Zafman LLP
Independent claim: 1. A system for creating switchable virtual desktops each requiring a different user authorization comprising: a) at least one memory; b) a custom authentication and authorization (A&A) data store configured to store roles assigned to each user in said at least one memory; c) a custom virtual desktop manager including a desktop management agent and a virtual desktop application configured to provide a user interface to enable a user to manage said virtual desktops on a single user device and specify a role for each said virtual desktop, said custom virtual desktop manager configured to enable creating, switching, and destroying virtual desktops and to specify custom process tokens for each said virtual desktop, said process tokens defining different permissions within a single session, and are obtained from a Local Security Authority (LSA) module that requests and assigns process tokens to an executing process, wherein the virtual desktop application launches when a user logs onto a computer and provides a set of controls to enable the user to create a new virtual desktop, specify a role for each new desktop, and switch from one virtual desktop to another; wherein said A&A data store and virtual desktop manager operate cooperatively to generate a plurality of data structures stored in said at least one memory, each representing one of said virtual desktops with an associated custom process token, so that when a user switches from a first one of said virtual desktops to a second one of said virtual desktops, and each of said first and second virtual desktops require a different user authorization, the user's authorization changes to an authorization associated with said switched virtual desktop without requiring the user to re-authenticate with said switched virtual desktop, and wherein the desktop management agent is connected to the custom A&A data store and the LSA module, said agent configured to create and destroy virtual desktops and create custom process tokens for new virtual desktops when the user requests a new virtual desktop and specifies a role for the new virtual desktop, and the desktop management agent looks at a user account in the custom A&A data store to determine if the role is allowed, and i) when said role is not allowed, the desktop management agent causes the virtual desktop application to prompt the user to use a different role, ii) when said role is allowed, the desktop management agent creates a new desktop object and an accompanying user shell process to implement the new virtual desktop.
Address: Sunnyvale CA US