Access control based on operation expiry data
First Claim
1. A method, implemented at a computer system that includes one or more processors, for controlling access to a particular file of a plurality of files within a file system, the method comprising:
- atomically associating, at the computer system, access control information with the particular file such that when the particular file is independently moved or copied, the access control information and the particular file are moved or copied atomically together, wherein the access control information includes operation expiry data that is correlated with at least one location and at least one file operation type, wherein atomically associating the access control information with the particular file includes at least one of attaching the access control information to the particular file by using a separate file that contains the access control information for the particular file, or modifying properties of the file to include the control information, or providing the control information in an alternate data stream;
- receiving, at the computer system, an operation request to perform an operation of a particular file operation type on the particular file;
- identifying, at the computer system, a location associated with the operation request;
- identifying within the access control information that is atomically associated with the particular file, at the computer system, the operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type of the operation request; and
- using, at the computer system, the identified operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to selectively permit or, alternatively, deny the requested operation of the particular file operation type on the particular file.
Abstract
The controlling of access to a file system entity based on location of the requestor and operation expiry data of the file system entity. Operation expiry data and location data are associated with a file system entity (e.g., a file, a directory, a partition, or a disk) such that the file system entity and the operation expiry data and the location data are moved or copied atomically together. Upon receiving a request to perform an operation on the file system entity, the system identifies a location status of the requestor. The system then identifies expiry data that corresponds to the location status, and that is associated with the requested operation. The system then uses the identified expiry data to determine whether or not the requested file operation is to be permitted.
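The decision flow in the abstract, sketched as an added example (not code from the patent or its assignee). The JSON-like layout, the field names, the function names, the "permitted until expiry" reading and the fail-closed default are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: access control information as it might travel with a file
# (sidecar file, file properties, or alternate data stream). Layout is assumed.
SAMPLE_ACI = {
    "expiry": [
        {"location": "US", "operation": "read", "expires": "2030-01-01T00:00:00+00:00"},
        {"location": "US", "operation": "copy", "expires": "2020-01-01T00:00:00+00:00"},
        {"location": "DE", "operation": "read", "expires": "2020-06-01T00:00:00+00:00"},
        {"location": "DE", "operation": "copy", "expires": "2030-01-01T00:00:00"},  # no UTC offset
    ]
}


def find_expiry(aci, location, operation):
    """Return the expiry that matches BOTH location and operation type, or None."""
    for entry in aci.get("expiry", []):
        if entry.get("location") == location and entry.get("operation") == operation:
            return datetime.fromisoformat(entry["expires"])
    return None


def decide(aci, location, operation, now=None):
    """Permit or deny one requested operation from one location.

    Assumptions: an operation is permitted until its expiry passes, and a
    missing or unusable entry denies the request (fail closed).
    """
    now = now or datetime.now(timezone.utc)
    expiry = find_expiry(aci, location, operation)
    if expiry is None:
        return "deny"  # no expiry data for this (location, operation) pair
    if expiry.tzinfo is None:
        return "deny"  # ambiguous timestamp: cannot compare safely
    return "permit" if now < expiry else "deny"


if __name__ == "__main__":
    for loc, op in [("US", "read"), ("US", "copy"), ("DE", "read"), ("FR", "read")]:
        print(loc, op, decide(SAMPLE_ACI, loc, op))
```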
19 Claims
15. A computer program product comprising one or more computer-readable storage media having thereon one or more computer-executable instructions that are structured such that, when executed by the one or more processors of the computing system, cause the computing system to perform the following in response to receiving an operation request to perform an operation of a particular file operation type on a particular file within a plurality of files that are managed by an operating system, the particular file having access control information atomically associated with the particular file such that when the particular file is independently moved or copied, the access control information and the particular file are moved or copied atomically together, the access control information comprising at least one operation expiry data that is correlated with at least one location and at least one file operation type, wherein the access control information is atomically associated with the particular file by at least one of:
- a separate file that contains the access control information for the particular file, or properties of the file that include the control information, or an alternate data stream of the file that contains the access control information;
- identifying, at the computing system, a location status associated with the operation request;
- identifying within the access control information atomically associated with the particular file, at the computing system, the operation expiry data that corresponds to both the location associated with the operation request, and the particular file operation type of the operation request; and
- using, at the computer system, the identified operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to permit or deny the requested operation of the particular file operation type on the particular file.
18. A computing system comprising:
- one or more computer-readable storage media having thereon a plurality of file system entities managed by an operating system of the computing system, at least a particular file system entity of the plurality of file system entities having access control information atomically associated with the particular file system entity such that when the particular file system entity is independently moved or copied, the access control information and the particular file system entity are moved or copied atomically together, the access control information comprising at least one operation expiry data that is correlated with at least one location and at least one file operation type, wherein the access control information is atomically associated with the particular file by at least one of: a separate file that contains the access control information for the particular file, or properties of the file that include the control information, or an alternate data stream of the file that contains the access control information; and
- one or more processors;
- the one or more computer-readable media further having thereon computer-executable instructions that are configured such that, when executed by the one or more processors, cause the computing system to perform the following in response to receiving an operation request to perform an operation of a particular file operation type on the particular file system entity;
- identify, at the computing system, a location associated with the operation request;
- identifying, at the computer system, within the access control information atomically associated with the particular file system entity, the operation expiry data that corresponds to both the location associated with the operation request and the particular file operation type of the operation request; and
- using, at the computer system, the expiry data that corresponds to both the location associated with the operation request and the particular file operation type, to permit or deny the requested operation of the particular file operation type on the particular file system entity.
Specification