DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. As will be appreciated by one of skill in the art, the present invention may be embodied as methods, systems or computer program products. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment or an embodiment combining software and hardware aspects.
FIG. 1 illustrates an embodiment of a computer network including configurable application program management capabilities according to an embodiment of the present invention. Computer network system 10 includes a network management server such as a Tivoli server 20 and on-demand servers 22, 22. As used herein, on-demand refers to a server delivering applications as needed responsive to user requests as requests are received. System 10 further includes client stations 24, 24, 26, 26. As illustrated, on-demand servers 22, 22 are connected to Tivoli server 20 over a first network segment 10. Client stations 24, 24 are served by on-demand server 22 and communicate over network 10. Similarly, clients 26, 26 are served by server 22 and communicate over network 10. As schematically illustrated in FIG. 1, client stations 24, 24, 26, 26 may be a variety of different hardware operating a variety of different operating systems.
System 10, as illustrated in FIG. 1, is a centrally managed computer network with Tivoli server 20 acting as the central administration station executing network management software such as TME 10 from Tivoli Systems, Inc. Servers 22, 22 act as on-demand servers for their respective associated client stations 24, 24, 26, 26 and provide for client/server application support. It is further to be understood that networks 10, 10, 10 may be separate physical networks, separate partitions of a single physical network or may be a single network. Furthermore, Tivoli server 20 may be configured to allow for direct communication between server 20 and clients 24, 24, 26, 26. In addition, a single machine may be configured to include a client, an on-demand server and/or a network (system) management server.
As will be described further herein with reference to the flowcharts, Tivoli server 20 provides a means for software distribution and management in computer network system 10. Furthermore, on-demand servers 22, 22 each provide an application management system for managing configurable application programs using both user and administrative preferences for various application programs. More particularly, as described in the embodiments herein, on-demand servers 22, 22 are configured to operate within the eNetwork environment available from International Business Machines Corporation (IBM). As will be further discussed herein, the present invention provides for an integration of an on-demand server as described herein in the IBM eNetwork environment with the TME 10 system to provide for centralized control of software applications including the capability for supporting separate user and administration preference parameters. However, while the present invention may be implemented in the Tivoli environment, it is also suitable for use with other network management environments. Configurable preference management (and license use management) operations suitable for use with the present invention are described in U.S. patent application Ser. No. 09/211,529, now U.S. Pat. No. 6,324,578 entitled Methods, Systems and Computer Program Products for Management of Configurable Application Programs on a Network, which is incorporated herein by reference in its entirety.
FIG. 2 illustrates an embodiment of an on-demand server according to the present invention. As shown in FIG. 2, the server system 22 of the present invention includes client management server 204 and access to a storage device for maintaining an application management database 208. While illustrated in FIG. 2 as an integrated part of system 22, database 208 may be a separate device so long as it is available to server system 22. In the illustrated embodiment which will be described herein, client management server 204 includes web server 206 providing an interface to an administrator user such as that illustrated by administrator console 200 and to users interfacing to the system through client stations such as the illustrated user console 202. Database 208 acts as a central repository of application management information, such as user, software, device, preference and access control information, responsive to client management server 204.
Client management server capabilities may be further broken down within client management server 204. For example, client management server 204 may be implemented in a JAVA environment with various applets or servlets where the term servlets generally refers to server-side JAVA programs each of which provides a particular function. For example, an application server servlet may control user application access through client management server 204 by receiving requests from web server 206. Various additional servlets could support controlling access to database 208, providing centralized preference management, centralized license use management and error logging and tracing.
User console 202 provides an end user client desktop. As will be described further herein, the desktop provides a task bar (to switch between active applications) and a launch panel with icons for the applications that the user is authorized to access. Pursuant to the control of client management server 204, the user desktop automatically provides icons for those applications that the user is authorized to use including automatically adding icons for new applications that the user is authorized to access when the new applications become available without any action required on the part of the end user.
Administrator console 200 provides a modified desktop interface for an administrator authorized user. The administrator desktop is preferably provided by a configuration management servlet which allows a user with administrative authority to modify system parameters and settings. Functions typically provided through the administrator console 200 could include adding or modifying users, user groups, software, customizing applications for users or groups, and granting or denying application access to certain users or groups.
Independent software designers provide various applications configured to benefit from the capabilities of server system 22. A software designer may utilize a particular version of server system 22 which includes a tool kit of functions for establishing preference management, license use management and error logging and tracing aspects unique to the specific application being provided by the software designer. The software designer utilizes the tool kit of functions in developing one or more JAVA-based web applications (such as a word processor, emulator, calendar program, etc.) where the on-demand server tool kit functions expand the application's capabilities by allowing implementation of centralized preference storage and retrieval, centralized license tracking, and centralized error and event reporting, and centralized distribution for a particular application. For each application, the software designer preferably produces both an end-user application, used by typical end-users, and an administrative or configuration application, used only by administrators. The configuration application allows configuration of preferences that end-users will not be allowed to modify. The software designer also preferably provides a set of default preferences for each application so that the application is usable with or without any customization by administrators or end users.
A customer utilizing the server system 22 of the present invention may then purchase applications from software designers who have provided on-demand server capabilities in their applications. As will be further described with reference to the flowcharts, an administrator then defines users and groups of users that will have access to the applications installed on the server and installs the software defining it to the database 208 on server system 22. The administrator may also then perform any desired customization of preferences (using the configuration management application) for global defaults, specific groups, or specific users. The administrator further then may authorize certain groups or users to access the application. The database is updated so that when individual users next bring up their end-user client desktop, they will be provided an icon that may be used to launch the new application.
The application may also be provided the capability to retrieve its preferences (such as default fonts, target systems, screen colors, etc.) from the server database 208, register licenses through client management server 204 and log any error events through client management server 204. The administrator further can change preferences, monitor or enforce license usage, and diagnose errors for any user from the configuration management application executing on any support or client workstation such as console 200.
Administrator console 200 in the illustrated embodiment utilizes a JAVA capable browser, or desktop, for the user interface to interact with client management server 204. The configuration framework for the system, enabled by a JAVA applet, identifies manageable components, preferably utilizing a graphical tree representation of users/groups, application and machines. The administrator console 200 enables the definition and administration of users, groups of users, applications and machines. Once defined, users may be granted access to applications and the applications may be customized for user preferences, group preferences, and system-wide default preferences. Similarly, machine configurations may be defined for network computers and managed personal computers or other devices communicating over the network served by server system 22.
User console 202 provides client access services which provide an interface to request execution of instances of an application on console 202 whether it is a full function personal computing device or a network computer. Network computers functioning as user console 202 are initialized by configuring network access and then downloading a small kernel to initialize the operating environment of the network computer 202. The network computer machine environment is then further customized based on device configuration information provided by a client access services function. In a JAVA environment, the client access services function is preferably provided by a browser application presenting a user desktop window. The applications (and associated application launchers) are also provided as applets. It is further to be understood that, in the JAVA environment, currently available web browser applications are known to those of skill in the art which provide a user interface and allow hardware independent communication such as that currently specified by Internet protocols. Thus, the application launcher programs may be applets which display an icon associated with a web browser Universal Resource Locator (URL) which points to the location of the applet to be executed. Upon selection of the icon displayed by the application launcher, the selected application is launched by requesting the URL of the application from the on-demand server. Such requests may be made utilizing conventional Hyper-Text Transfer Protocol (HTTP) communications or other suitable protocols.
For both network computers or managed personal computers, once the machine environment is initialized, the user may log on to the network client management environment provided by server system 22 for authentication. User authentication allows the selection of the appropriate context (individual, group, default) for the desktop to be provided to console 202. For example, icon displays may be selected for inclusion in the desktop based on whether a particular user is an authorized user for the associated applications. In addition, any specific user preferences for the desktop interface (to the network management environment of the present invention) may be applied.
Referring now to FIG. 3, the network client management environment provided by server system 22 will now be further described. Client management server 204 provides for the centralized management of network client machine preferences, application access and application preferences. Software services, hosted by JAVA servlets operating on web servers, store and retrieve the management information requested by clients or administrators through the framework architecture as illustrated in FIG. 3. The framework architecture of the illustrated embodiment of FIG. 3 leverages JAVA servlets on the client management server 204 and JAVA applets and JAVA beans on the client interface in the administrator console 200 to maximize the ease with which new elements may be managed. Management information is maintained in database 208 through a network registry which may be based, for example, on the Lotus registry (single-server) or Lightweight Directory Access Protocol (LDAP) for a multiple-server environment, such as the IBM eNetwork Directory Server, to support the distributed capabilities provided by server system 22.
As shown in FIG. 3, communications with client management server 204 are provided through applications including web server 206 and, either directly or indirectly, with servlets 208. As illustrated in FIG. 3, there are 5 specific servlets performing different network management functions. The configuration management component 210 provides configuration tasks which are performed for users, machines and applications. For user and group support, configuration management component 210 preferably provides the ability to create, modify, and delete users and groups of users as well as the ability to configure services and preferences for users in groups. Machine support preferably includes the ability to configure preferences for client machines, groups of machines (optionally defined by profiles) and machine platforms (for example, network stations or network computers). Configuration management component 210 further provides login support for user authentication and mapping to a user profile and software support to configure the software (applets and applications) users and groups for access to and the user preferences for those software applications.
The configuration management component supports the configuration framework on the administration console 200 as well. This console provides a common, centralized user interface on which configuration management tasks for services for the particular server system 22 occur. When access to configuration management is provided through a JAVA-enabled web browser, access to multiple servers is possible from a single administration station 200. The configuration framework 224 preferably minimizes the costs of administering services by maximizing the simplicity and consistency of the specific configuration tasks. The primary user of this component is typically the system administrator or others with administrator authority.
User authorization 212 provides control over which applications may be accessed by a particular user or group. User authorization component 212 preferably provides security by authenticating users securely rather than transmitting plain text passwords. Furthermore, client software may be provided with the ability to verify the integrity of applets delivered from the server to ensure that they are free of viruses and have not been modified during delivery. Access to various application applets may be controlled, consistent with the permissions granted by administrators, using the configuration framework interface 224 at the administration console 200. Access to the server system 22 through configuration framework 224 may be limited to administrator authority users.
Hardware inventory component 214 provides for modification of applications as necessary to adapt to the type of hardware and/or operating system from which a user is requesting execution of an instance of an application (i.e. device specific characteristics). System management component 218 provides similar capabilities at a network management level. System management component 218 may further be provided to allow Tivoli ready system administration by acting as an agent to extend Tivoli management and control to clients supported by server system 22. As will be described further herein, integration may provide for software distribution, event logging support, remote operation and distributed monitoring through a network management server 20. Examples of systems utilizing operating environment information to establish preferences or modify content are described in U.S. patent application Ser. No. 09/211,529 entitled Methods, Systems and Computer Program Products for Management of Preferences in a Heterogeneous Computing Environment, and U.S. patent application Ser. No. 09/211,527 entitled Methods, Systems and Computer Program Products for Policy Based Network Control of Characteristics of User Sessions, which are incorporated herein by reference in their entirety.
Finally, license management component 216 may be utilized to monitor the usage of applications executing as JAVA applets to ensure that the usage is within specified guidelines. The license management component 216 may be provided as a JAVA bean which provides status information to a license management JAVA servlet. The servlet then sends the appropriate management information to a license management server which may be integrated within server system 22 or maintained in a separate device. The license management component 216 thereby provides a convenient tool for tracking the usage of specified applications.
As also shown in FIG. 3, administrator console 200 includes web browser 222 and configuration framework 224. Web browser 222 provides a base for administrator console 200. Configuration framework 224 is preferably provided as a JAVA applet. The console 200 thereby provides a common, centralized user interface on which configuration management tasks for services for the particular server system 22 occur. As described previously, by providing configuration framework 224 interfacing through JAVA-enabled web browser 222, access to multiple server systems 22 is possible from a single administration console station 200. Client interface 202 is similarly provided as a desktop interface on the user console regardless of device type. Similarly to administrator console 200, client interface 202 includes a JAVA-enabled web browser or desktop 226 which provides, for example, an operating environment for network-client applications. A given user may, therefore, move among various machines so long as the console has access to the server system 22 which has the user's information. The available applications on the user desktop 226 are defined by system server 22 as described previously and will be further described with reference to the flowcharts. User console 202 preferably accesses client management server 204 using JAVA beans and/or Application Program Interfaces (APIs). Client access component 228 is preferably provided by JAVA beans and APIs within the framework of the network client environment provided by server system 22 allowing access to configuration information, license management and event logging.
Operations of the present invention will now be described with respect to the flowcharts of FIGS. 4 through 9C. It will be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by computer program instructions. These program instructions may be provided to a processor to produce a machine, such that the instructions which execute on the processor create means for implementing the functions specified in the flowchart block or blocks. The computer program instructions may be executed by a processor to cause a series of operational steps to be performed by the processor to produce a computer implemented process such that the instructions which execute on the processor provide steps for implementing the functions specified in the flowchart block or blocks.
Accordingly, blocks of the flowchart illustrations support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by special purpose hardware-based systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
Referring now to FIG. 4, operations for on-demand server system 22 will now be further described. At block 230, server system 22 determines whether a new software application has been received for installation on server system 22. If so, configuration operations including setting up the users and software to be managed are executed (block 232). At block 234, server system 22 determines if a received request is the start of a new user session. Preferably, operations at block 234 are based on receipt at server system 22 of a communication from a client 202 which includes the user credentials from a login exchange performed locally at the client station.
In one embodiment of the present invention, the operations at block 234 are preceded by a user opening a browser at the client station and entering a designated URL associated with establishing a user desktop interface. The appropriate URL may be saved by the browser application using various techniques known to those of skill in the art. An application launcher associated with the user desktop interface is then downloaded to the client station and executed by the browser. The user desktop interface application launcher then obtains the user identification and password, either from a memory location or by prompting the user. Only a portion of the user desktop interface application launcher code need be initially downloaded sufficient to obtain the user information with additional associated code downloaded subsequently during establishment of the user desktop interface at the client.
If a user identification and password information is contained in the request at block 234, user login operations are executed including bringing up a user desktop and establishing the user's credentials and application access authorization, based, for example, on stored ID and password information (block 236). Additional session information may be determined from the login operations such as configuration information related to the hardware and operating system in use for the session. Finally, if it is determined that the request has been received from an already logged in user at block 238 requesting execution of an application (as opposed to initial setup of a user desktop interface) application access management operations are executed to bring up an instance of the managed application for the user (block 240).
Referring now to FIG. 5, configuration operations from block 232 will now be further described. To implement a new or updated software application, server system 22 accepts definitions of the application that describe the location and description of the application. This information may be provided by an import file containing location information such as path directories and file name definitions. The server system 22 further accepts definitions of users and groups that will access the system and the specific application (block 252). This information similarly may be provided as an import file or entered by a user with administrator authority. In addition, in the illustrated embodiment of the present invention, server system 22 also accepts license policies describing the licensing characteristics for the new application (block 254). The server system 22 further accepts control specifications defining which users and groups are authorized to access the new or updated application (block 256). License policy and control specifications may be obtained from an administrator at console 200 or obtained as an import file. Finally, server system 22 updates database 208 to maintain the input definitions and specifications for the new or updated application in a format accessible to server system 22 (block 258).
Log in operations from block 236 of FIG. 4 will now be further described with reference to the embodiment of the flowchart of FIG. 6. The server system 22 receives a request to initiate a user desktop interface from a user console 202 as described above for an embodiment of the operations of block 234 (block 260). In other words, in the JAVA-based embodiment described above, an HTTP request may be received by server system 22 requesting that a desktop instance be executed for a user at user console 202. Note that the desktop application itself may be structured and provided as a pre-defined application which has the same managed characteristics as any other application provided in the network management environment supported by server system 22.
On receipt of a request to initiate an instance of a desktop application, the server system 22 first confirms that identification and password information is available (i.e., that the user previously logged on successfully and provided the appropriate information, or included the information in the request). If the appropriate identification is not available, server system 22 obtains an identification and password from the user for use in establishing the authorization credentials of the user (block 262). Alternatively, in another embodiment, the application launcher code at the client may only communicate a request if a user identification and password have been successfully obtained, thereby not requiring the operations of block 262. At block 264, the server system 22 checks the user's credentials to see if the user is authorized to bring up the user desktop interface application, preferably using the same authorization and checking procedures as used by any other managed application as described in U.S. patent application Ser. No. 09/211,529, now U.S. Pat. No. 6,324,578.
If the user is not authorized at block 264, an error message is displayed and processing stops (block 266). If the user is authorized, server system 22 processes a license request to determine if a license is available for the desktop application (block 268). If no license is available at block 268, an error message is displayed and processing stops (block 266). If a license is available, the server system 22 displays the desktop framework 226 (FIG. 3) suited for the particular user and hardware device being utilized by the user and further determines what other applications the user is authorized to access and puts an icon for the authorized applications on the user's desktop display (block 270). In addition, error and trace log entries associated with the desktop application may be enabled for logging and receipt by the server system 22 (block 270).
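The following sketch models the FIG. 6 decision flow (blocks 262 through 270) together with the access control and license definitions of FIG. 5. It is an added example, not code from the patent or from any IBM or Tivoli product. The `Registry` class, the `desktop` application name, the seat-count license policy, the PBKDF2 password storage and all sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DESKTOP = "desktop"  # assumed name; the page treats the desktop as a managed application


def _kdf(password, salt):
    # Assumption: stored password information is a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Registry:
    """Hypothetical stand-in for database 208 (users, groups, access, licenses)."""

    def __init__(self):
        self.users = {}    # user id -> (salt, password hash)
        self.groups = {}   # group name -> set of user ids
        self.apps = {}     # app -> {"users", "groups", "seats", "held"}

    def add_user(self, uid, password, groups=()):
        salt = os.urandom(16)
        self.users[uid] = (salt, _kdf(password, salt))
        for g in groups:
            self.groups.setdefault(g, set()).add(uid)

    def define_app(self, app, users=(), groups=(), seats=1):
        # FIG. 5, blocks 254-258: license policy and access control specification.
        self.apps[app] = {"users": set(users), "groups": set(groups),
                          "seats": seats, "held": set()}

    def authenticate(self, uid, password):
        # Unknown users still cost one KDF run, so timing does not reveal valid ids.
        salt, stored = self.users.get(uid, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, _kdf(password, salt))

    def authorized(self, uid, app):
        spec = self.apps.get(app)
        if spec is None:
            return False  # default deny for undefined applications
        return uid in spec["users"] or any(
            uid in self.groups.get(g, set()) for g in spec["groups"])

    def acquire_license(self, uid, app):
        spec = self.apps[app]
        if uid not in spec["held"]:
            if len(spec["held"]) >= spec["seats"]:
                return False  # all concurrent seats are taken
            spec["held"].add(uid)
        return True


def login(reg, uid, password):
    """FIG. 6 as a function: returns (True, icon list) or (False, reason)."""
    if not uid or not password:                       # block 262
        return False, "credentials required"
    if not (reg.authenticate(uid, password) and reg.authorized(uid, DESKTOP)):
        return False, "not authorized"                # blocks 264, 266
    if not reg.acquire_license(uid, DESKTOP):         # block 268
        return False, "no license available"          # block 266
    # Block 270: one icon per application the user may access, directly or via a group.
    icons = sorted(a for a in reg.apps
                   if a != DESKTOP and reg.authorized(uid, a))
    return True, icons


def build_sample_registry():
    """Constructed sample data, not taken from the page."""
    reg = Registry()
    reg.add_user("alice", "pw-alice", groups=["staff"])
    reg.add_user("carol", "pw-carol", groups=["staff"])
    reg.add_user("bob", "pw-bob")
    reg.add_user("dave", "pw-dave")
    reg.define_app(DESKTOP, users=["bob"], groups=["staff"], seats=2)
    reg.define_app("notes", groups=["staff"], seats=5)
    reg.define_app("emulator", users=["bob"], seats=1)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, login(reg, uid, "pw-" + uid))
```

Because the desktop goes through the same `authorized` and `acquire_license` checks as every other application, a user removed from an access list loses the desktop and its icons at the next login without any client-side change.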
While, as described above, operations were identified as being performed at server system 22, it is to be understood that functions may be divided differently between server and client according to the teachings of the present invention. For example, the user desktop interface application launcher at the client may, responsive to the request to initiate a session, be provided the desktop application program code and the appropriate code to obtain preferences and license availability information. The operations as described for FIG. 6 may then be executed, in part, at the client, and in part at the server where the database containing preference information and, optionally, license information is preferably maintained. Accordingly, it is to be understood that the preference and license information are preferably obtained by the application launcher which further includes the application program itself for execution at the client. As with the initial split in downloading code, the code for obtaining preference and license information may be separately downloaded before the code for the application program itself.
As used herein, the term application program generally refers to the code associated with the underlying program functions, for example, Lotus Notes or a terminal emulator program. However, it is to be understood that the application program will preferably be included as part of the application launcher which will further include the code associated with managing usage of the application program on a network according to the teachings of the present invention. Further it is to be understood that, as used herein, the term application launcher program may refer to the entire program provided by a software vendor or to merely a portion thereof distributed to a client to per