Macro-based access control

US 20030110246A1
Filed: 10/29/2001
Published: 06/12/2003
Est. Priority Date: 10/29/2001
Status: Active Grant

First Claim

Patent Images

1. A method of implementing node related conditions in a directory server having a tree structure using condition-defining data attached to nodes, the method comprising:

attaching condition-defining data to a given node in the tree structure, said condition defining data having a variable portion and a reference portion;

upon access to a subnode of said given node in the tree;

tentatively deriving a value for the variable portion, using the reference portion and a property of the subnode, changing the variable portion into the value; and

evaluating the condition in said condition defining data as interpreted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of systems and methods for using condition defining data (e.g., access control instructions) attached to nodes in a tree to implement node-related conditions in a directory server having a tree structure are disclosed. In one embodiment, a method includes attaching condition defining data that includes a variable portion and a reference portion to a given node in the tree structure, and upon access to a subnode of said given node in the tree, using the reference portion and a property of the subnode to tentatively derive a value for the variable portion, changing the variable portion into the value, and evaluating the condition in said condition defining data.

Citations

44 Claims

1. A method of implementing node related conditions in a directory server having a tree structure using condition-defining data attached to nodes, the method comprising:
- attaching condition-defining data to a given node in the tree structure, said condition defining data having a variable portion and a reference portion;
  
  upon access to a subnode of said given node in the tree;
  
  tentatively deriving a value for the variable portion, using the reference portion and a property of the subnode, changing the variable portion into the value; and
  
  evaluating the condition in said condition defining data as interpreted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein said tentatively deriving comprises comparing the reference portion with the property of the subnode.
  - 3. The method of claim 2, wherein the reference portion comprises a target identifier in the tree, wherein said tentatively deriving comprises deriving the value for the variable portion from a portion of a subnode identifier in the tree which distinguishes over a relative node identification if the subnode identifier matches the target identifier.
  - 4. The method of claim 3, wherein the subnode identifier is a portion of a distinguished name of the subnode.
  - 5. The method of claim 1, wherein said tentatively deriving comprises looking for a property of the subnode designated by the reference portion.
  - 6. The method of claim 1, further comprising controlling access to the subnode from the result of said evaluating.
  - 7. The method of claim 1, wherein said attaching comprises attaching the condition defining data as an attribute to the given node.
  - 8. The method of claim 7, wherein said attaching further comprises attaching to the given node or to a higher level node a macro capable of at least partially implementing said tentatively deriving and said changing.
  - 9. The method of claim 1, wherein the variable portion in the condition defining data comprises a predefined expression, and wherein said changing comprises substituting the predefined expression with the value as determined by said tentatively deriving.
  - 10. The method of claim 9, wherein the variable portion in the condition defining data comprises a first predefined expression, and wherein said tentatively deriving comprises determining whether the property of the subnode matches the reference portion.
  - 11. The method of claim 9, wherein the variable portion in the condition defining data comprises a second predefined expression, and wherein said tentatively deriving comprises determining whether the property of the subnode nearly matches the reference portion.
  - 12. The method of claim 9, wherein the variable portion in the condition defining data comprises a first predefined expression and a second predefined expression, wherein said tentatively deriving comprises determining whether the property of the subnode matches the reference portion, and wherein said changing comprises:
    - changing exactly the first predefined expression into the value derived by said tentatively deriving; and
      
      changing nearly the second predefined expression into the value derived by said tentatively deriving.
  - 13. The method of claim 9, wherein the predefined expression contains the reference portion.
  - 14. The method of claim 13, wherein the variable portion in the condition defining data comprises a third predefined expression that comprises an attribute name expression, and wherein said tentatively deriving comprises:
    - determining whether the subnode has an attribute matching the attribute name expression; and
      
      taking a value of the attribute as the value for the variable portion.
  - 15. The method of claim 14, wherein said determining is repeated for another value of the attribute as the value for the variable portion.

16. A directory server system comprising:
- a tree comprising a plurality of nodes; and
  
  a tree structure processor for using condition defining data attached to a given node of the plurality of nodes;
  
  wherein the condition defining data includes a reference portion and a variable portion;
  
  wherein upon access to a subnode of the given node and in response to the condition defining data having a variable portion, the tree structure processor is configured to tentatively derive a value for the variable portion using the reference portion and a property of the subnode and use a condition in said condition defining data with its variable portion changed into the value.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The directory server system of claim 16, wherein the tree structure processor is configured to compare the reference portion with the property of the subnode.
  - 18. The directory server system of claim 17, wherein the reference portion comprises a target identifier in the tree, wherein the tree structure processor is configured to derive the value for the variable from a portion of a subnode identifier in the tree that distinguishes over a relative node identification if the subnode identifier matches the target identifier.
  - 19. The directory server system of claim 18, wherein the subnode identifier is a portion of a distinguished name of the subnode.
  - 20. The directory server system of claim 16, wherein the tree structure processor is configured to look for a property of the subnode designated by the reference portion.
  - 21. The directory server system of claim 16, wherein the tree structure processor is further configured to control access to the subnode from using the condition in the condition defining data with its variable portion changed into the value.
  - 22. The directory server system of claim 16, wherein the condition defining data is attached as an attribute to the given node.
  - 23. The directory server system of claim 22, further comprising a macro for at least partially implementing tentatively deriving the value for the variable portion attached to the given node or to a higher level node.
  - 24. The directory server system of claim 16, wherein the variable portion in the condition defining data comprises a predefined expression, and wherein the tree structure processor is further configured to substitute the predefined expression with the value.
  - 25. The directory server system of claim 24, wherein the variable portion in the condition defining data comprises a first predefined expression, and wherein the tree structure processor is further configured to determine whether the property of the subnode matches the reference portion.
  - 26. The directory server system of claim 24, wherein the variable portion in the condition defining data comprises a second predefined expression, and wherein the tree structure processor is further configured to determine whether the property of the subnode nearly matches the reference portion.
  - 27. The directory server system of claim 24, wherein the variable portion in the condition defining data comprises a first predefined expression and a second predefined expression, and wherein the tree structure processor is further configured to determine whether the property of the subnode matches the reference portion, change exactly the first predefined expression into the value as derived, and change nearly the second predefined expression into the value derived.
  - 28. The directory server system of claim 24, wherein the predefined expression includes the reference portion.
  - 29. The directory server system of claim 28, wherein the variable portion in the condition defining data comprises a third predefined expression, which comprises an attribute name expression, and wherein the tree structure processor is further configured to determine whether the subnode has an attribute matching the attribute name expression, and take a value of the attribute as the value for the variable portion.
  - 30. The directory server system of claim 29, wherein wherein the tree structure processor is further configured to take another value of the attribute as the value for the variable portion.

31. A computer readable medium comprising program instructions computer executable to implement node related conditions in a directory server having a tree structure using condition-defining data attached to nodes, wherein the program instructions are configured to:
- attach condition-defining data to a given node in the tree structure, said condition defining data having a variable portion and a reference portion;
  
  upon access to a subnode of said given node in the tree;
  
  tentatively derive a value for the variable portion, using the reference portion and a property of the subnode, change the variable portion into the value; and
  
  evaluate the condition in said condition defining data as interpreted.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 32. The computer readable medium of claim 31, wherein the program instructions are configured to tentatively derive the value by comparing the reference portion with the property of the subnode.
  - 33. The computer readable medium of claim 32, wherein the reference portion comprises a target identifier in the tree, wherein the program instructions are configured to tentatively derive the value by deriving the value for the variable portion from a portion of a subnode identifier in the tree which distinguishes over a relative node identification if the subnode identifier matches the target identifier.
  - 34. The computer readable medium of claim 33, wherein the subnode identifier is a portion of a distinguished name of the subnode.
  - 35. The computer readable medium of claim 31, wherein the program instructions are configured to tentatively derive the value by looking for a property of the subnode designated by the reference portion.
  - 36. The computer readable medium of claim 31, wherein the program instructions are configured to control access to the subnode from the result of said evaluating.
  - 37. The computer readable medium of claim 31, wherein the program instructions are configured to attach the condition defining data to the given node by attaching the condition defining data as an attribute to the given node.
  - 38. The computer readable medium of claim 37, wherein the program instructions are configured to attach the condition defining data to the given node by attaching to the given node or to a higher level node a macro capable of at least partially implementing said tentatively deriving and said changing.
  - 39. The computer readable medium of claim 31, wherein the variable portion in the condition defining data comprises a predefined expression, and wherein the program instructions are configured to change the variable portion into the value by substituting the predefined expression with the value.
  - 40. The computer readable medium of claim 39, wherein the variable portion in the condition defining data comprises a first predefined expression, and wherein the program instructions are configured to tentatively derive the value by determining whether the property of the subnode matches the reference portion.
  - 41. The computer readable medium of claim 39, wherein the variable portion in the condition defining data comprises a second predefined expression, and wherein the program instructions are configured to tentatively derive the value by determining whether the property of the subnode nearly matches the reference portion.
  - 42. The computer readable medium of claim 39, wherein the variable portion in the condition defining data comprises a first predefined expression and a second predefined expression, wherein the program instructions are configured to tentatively derive the value by determining whether the property of the subnode matches the reference portion, and wherein the program instructions are configured to change the variable portion into the value by:
    - changing exactly the first predefined expression into the value derived by said tentatively deriving; and
      
      changing nearly the second predefined expression into the value derived by said tentatively deriving.
  - 43. The computer readable medium of claim 39, wherein the predefined expression contains the reference portion.
  - 44. The computer readable medium of claim 43, wherein the variable portion in the condition defining data comprises a third predefined expression that comprises an attribute name expression, and wherein the program instructions are configured to tentatively derive the value by:
    - determining whether the subnode has an attribute matching the attribute name expression; and
      
      taking a value of the attribute as the value for the variable portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Netscape Communications Corporation (Apollo Global Management, Inc.), Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Behara, Pransanta, Byrne, Robert

Granted Patent

US 7,167,918 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Macro-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Macro-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links