System and method for representing multiple security groups as a single data object

US 20050021952A1
Filed: 06/05/2003
Published: 01/27/2005
Est. Priority Date: 06/05/2003
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating an access request in a data processing system, comprising:

receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;

retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value; and

authenticating the access request based on the group identifier, group set value and mask value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for representing multiple security groups as a single data object are provided. With the system and method, a complex group object is created that consists of a group set value and a mask value. The complex group object represents a plurality of groups by the group set value. The mask value is used to apply to group identifiers received during an authentication process to generate a value that is compared against the group set value to determine if the group identifiers are part of the complex group. For example, in a first step of authorization processing, the group identifier received in an authorization request is bit-wise AND'"'"'d with the mask value for the complex group data object. In a second step, the masked group identifier from the received request is compared to the group set value of the complex group object. Such comparison may take the form of masking the group set value and comparing the masked group set value to the masked group identifier from the received request, for example. If the two values match, then access is granted. If the two values do not match, then access is denied.

48 Citations

View as Search Results

24 Claims

1. A method of authenticating an access request in a data processing system, comprising:
- receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
  
  retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value; and
  
  authenticating the access request based on the group identifier, group set value and mask value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein authenticating the request based on the group identifier, group set value, and mask value includes:
    - applying the mask value to the group identifier to generate a masked group identifier; and
      
      comparing the masked group identifier to the group set value.
  - 3. The method of claim 2, wherein comparing the masked group identifier to the group set value includes:
    - applying the mask value to the group set value to generate a masked group set value; and
      
      comparing the masked group identifier to the masked group set value.
  - 4. The method of claim 3, wherein if the masked group identifier matches the masked group set value, then the access request is authorized.
  - 5. The method of claim 3, wherein if the masked group identifier does not match the masked group set value, then the access request is denied.
  - 6. The method of claim 2, wherein applying the mask value to the group identifier includes bitwise ANDing the mask value with the group identifier.
  - 7. The method of claim 3, wherein applying the mask value to the group set value includes bitwise ANDing the mask value with the group set value.
  - 8. The method of claim 1, wherein the mask value is one of a hierarchical group membership mask value, a group category membership mask value, and a hybrid mask value.

9. A computer program product in a computer readable medium for authenticating an access request in a data processing system, comprising:
- first instructions for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
  
  second instructions for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requester groups and a mask value; and
  
  third instructions for authenticating the access request based on the group identifier, group set value and mask value.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the third instructions for authenticating the request based on the group identifier, group set value, and mask value include:
    - instructions for applying the mask value to the group identifier to generate a masked group identifier; and
      
      instructions for comparing the masked group identifier to the group set value.
  - 11. The computer program product of claim 10, wherein the instructions for comparing the masked group identifier to the group set value include:
    - instructions for applying the mask value to the group set value to generate a masked group set value; and
      
      instructions for comparing the masked group identifier to the masked group set value.
  - 12. The computer program product of claim 11, wherein if the masked group identifier matches the masked group set value, then the access request is authorized.
  - 13. The computer program product of claim 11, wherein if the masked group identifier does not match the masked group set value, then the access request is denied.
  - 14. The computer program product of claim 10, wherein the instructions for applying the mask value to the group identifier include instructions for bitwise ANDing the mask value with the group identifier.
  - 15. The computer program product of claim 11, wherein the instructions for applying the mask value to the group set value include instructions for bitwise ANDing the mask value with the group set value.
  - 16. The computer program product of claim 9, wherein the mask value is one of a hierarchical group membership mask value, a group category membership mask value, and a hybrid mask value.

17. An apparatus for authenticating an access request in a data processing system, comprising:
- means for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
  
  means for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value; and
  
  means for authenticating the access request based on the group identifier, group set value and mask value.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein the means for authenticating the request based on the group identifier, group set value, and mask value includes:
    - means for applying the mask value to the group identifier to generate a masked group identifier; and
      
      means for comparing the masked group identifier to the group set value.
  - 19. The apparatus of claim 18, wherein the means for comparing the masked group identifier to the group set value includes:
    - means for applying the mask value to the group set value to generate a masked group set value; and
      
      means for comparing the masked group identifier to the masked group set value.
  - 20. The apparatus of claim 19, wherein if the masked group identifier matches the masked group set value, then the access request is authorized.
  - 21. The apparatus of claim 19, wherein if the masked group identifier does not match the masked group set value, then the access request is denied.
  - 22. The apparatus of claim 18, wherein the means for applying the mask value to the group identifier includes means for bitwise ANDing the mask value with the group identifier.
  - 23. The apparatus of claim 19, wherein the means for applying the mask value to the group set value includes means for bitwise ANDing the mask value with the group set value.
  - 24. The apparatus of claim 17, wherein the mask value is one of a hierarchical group membership mask value, a group category membership mask value, and a hybrid mask value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Haugh, Julianne Frances

Granted Patent

US 7,480,798 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 21/6227 where protection concerns t...

System and method for representing multiple security groups as a single data object

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for representing multiple security groups as a single data object

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others