Community access control in a multi-community node

US 20020078215A1
Filed: 10/16/2001
Published: 06/20/2002
Est. Priority Date: 12/18/2000
Status: Active Grant

First Claim

Patent Images

1. A method of community access control in a Multi-Community Node (MCN), said method comprising:

receiving a request for access to an object;

permitting access to said object in response to detecting said request is from a user, wherein a user community set (UCS) of said user is a superset of an object community set (OCS) of said object; and

permitting access to said object in response to detecting said request is from a process, wherein an application process community set (ACS) of said process is a superset of said OCS.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and mechanism of enforcing community access control in a computer network, wherein access to objects by users and processes is controlled. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce a community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to users, processes, and system objects. Upon receiving a request for access to an object by a user, the MCN permits access if a user community set (UCS) of the user is a superset of an object community set (OCS) of the object; otherwise, access is denied. Upon receiving a request for access to an object by a process, the MCN permits access if an application process community set (ACS) of the process is a superset the OCS of the object; otherwise, access is denied.

Citations

34 Claims

1. A method of community access control in a Multi-Community Node (MCN), said method comprising:
- receiving a request for access to an object;
  
  permitting access to said object in response to detecting said request is from a user, wherein a user community set (UCS) of said user is a superset of an object community set (OCS) of said object; and
  
  permitting access to said object in response to detecting said request is from a process, wherein an application process community set (ACS) of said process is a superset of said OCS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said object is an operating system controlled resource.
  - 3. The method of claim 2, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 4. The method of claim 1, wherein the initial owner of said object is the creator of said object.
  - 5. The method of claim 1, further comprising permitting an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 6. The method of claim 1, further comprising allowing a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 7. The method of claim 1, further comprising consulting a Community Information Base (CIB).
  - 8. The method of claim 7, wherein said CIB includes a UCS for each user of said MCN, an ACS for application on said MCN, and an OCS for each object residing within said MCN.
  - 9. The method of claim 8, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

10. A Multi-Community Node (MCN) comprising:
- a processing unit configured to receive a request for access to an object, wherein said processing unit is configured to permit access to said object in response to detecting said request is from a user, wherein a user community set (UCS) of said user is a superset of an object community set (OCS) of said object, and wherein said processing unit is configured to permit access to said object in response to detecting said request is from a process, wherein an application process community set (ACS) of said process is a superset of said OCS; and
  
  a community information base.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34)
- - 11. The MCN of claim 10, wherein said object is an operating system controlled resource.
  - 12. The MCN of claim 11, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 13. The MCN of claim 10, wherein the initial owner of said object is the creator of said object.
  - 14. The MCN of claim 10, wherein said processing unit is further configured to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 15. The MCN of claim 10, wherein said processing unit is further configured to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 16. The MCN of claim 10, wherein said CIB includes a UCS for each user of said MCN, an ACS for application on said MCN, and an OCS for each object residing within said MCN.
  - 17. The MCN of claim 16, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.
  - 19. The computer system of claim 18, wherein said object is an operating system controlled resource.
  - 20. The computer system of claim 19, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 21. The computer system of claim 18, wherein the initial owner of said object is the creator of said object.
  - 22. The computer system of claim 18, wherein said processing unit is further configured to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 23. The computer system of claim 18, wherein said processing unit is further configured to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 24. The computer system of claim 18, wherein said CIB includes a UCS for each user of said MCN, an ACS for application on said MCN, and an OCS for each object residing within said MCN.
  - 25. The computer system of claim 24, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.
  - 27. The carrier medium of claim 26, wherein said object is an operating system controlled resource.
  - 28. The carrier medium of claim 27, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 29. The carrier medium of claim 26, wherein the initial owner of said object is the creator of said object.
  - 30. The carrier medium of claim 26, wherein said program instructions are further executable to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 31. The carrier medium of claim 26, wherein said program instructions are further executable to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 32. The carrier medium of claim 26, wherein said program instructions are further executable to consult a Community Information Base (CIB).
  - 33. The carrier medium of claim 32, wherein said CIB includes a UCS for each user of said MCN, an ACS for application on said MCN, and an OCS for each object residing within said MCN.
  - 34. The carrier medium of claim 33, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

18. A computer system comprising:
- a computer network; and
  
  a multi-community node (MCN) coupled to said computer network, wherein said MCN comprises;
  
  a processing unit configured to receive a request for access to an object, wherein said processing unit is configured to permit access to said object in response to detecting said request is from a user, wherein a user community set (UCS) of said user is a superset of an object community set (OCS) of said object, and wherein said processing unit is configured to permit access to said object in response to detecting said request is from a process, wherein an application process community set (ACS) of said process is a superset of said OCS; and
  
  a community information base.

26. A carrier medium comprising program instructions, wherein said program instructions are executable to:
- receive a request for access to an object;
  
  permit access to said object in response to detecting said request is from a user, wherein a user community set (UCS) of said user is a superset of an object community set (OCS) of said object; and
  
  permit access to said object in response to detecting said request is from a process, wherein an application process community set (ACS) of said process is a superset of said OCS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Tahan, Thomas E.

Granted Patent

US 7,447,782 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

Community access control in a multi-community node

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Community access control in a multi-community node

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links