System and method for representing multiple security groups as a single data object
Abstract
A system and method for representing multiple security groups as a single data object are provided. With the system and method, a complex group object is created that consists of a group set value and a mask value. The complex group object represents a plurality of groups by the group set value. The mask value is used to apply to group identifiers received during an authentication process to generate a value that is compared against the group set value to determine if the group identifiers are part of the complex group. For example, in a first step of authorization processing, the group identifier received in an authorization request is bit-wise AND'd with the mask value for the complex group data object. In a second step, the masked group identifier from the received request is compared to the group set value of the complex group object. Such comparison may take the form of masking the group set value and comparing the masked group set value to the masked group identifier from the received request, for example. If the two values match, then access is granted. If the two values do not match, then access is denied.
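The two-step check described in the abstract, as an added example that is not code from the patent. The 16-bit identifier width, the department/team bit layout, the resource names, and the zero-mask and range checks are assumptions made here for illustration.

```python
from dataclasses import dataclass

GROUP_ID_BITS = 16  # assumed identifier width; the page does not specify one


@dataclass(frozen=True)
class ComplexGroup:
    """One ACL entry standing for many groups: a group set value plus a mask."""
    group_set: int
    mask: int

    def __post_init__(self):
        limit = 1 << GROUP_ID_BITS
        if not (0 <= self.group_set < limit and 0 <= self.mask < limit):
            raise ValueError("group_set and mask must fit in GROUP_ID_BITS")
        # A zero mask makes every masked identifier equal 0, so every
        # requester would match. Reject it rather than fail open.
        if self.mask == 0:
            raise ValueError("zero mask would match every group identifier")

    def matches(self, group_id: int) -> bool:
        # Identifiers wider than the mask would alias onto valid groups
        # once the high bits are masked off, so they never match.
        if not 0 <= group_id < (1 << GROUP_ID_BITS):
            return False
        # Step 1: mask the identifier from the request.
        # Step 2: compare it with the masked group set value.
        return (group_id & self.mask) == (self.group_set & self.mask)


def authorize(acl: dict, resource: str, group_id: int) -> bool:
    """Grant only if the resource has a complex group and the identifier matches."""
    entry = acl.get(resource)
    return entry is not None and entry.matches(group_id)


# Constructed sample data: high byte = department, low byte = team (assumed layout).
SAMPLE_ACL = {
    "payroll.db": ComplexGroup(group_set=0x1200, mask=0xFF00),  # all of dept 0x12
    "build-keys": ComplexGroup(group_set=0x1234, mask=0xFFFF),  # exactly one group
}

if __name__ == "__main__":
    for resource, gid in [("payroll.db", 0x1207), ("payroll.db", 0x1307),
                          ("build-keys", 0x1235), ("unknown", 0x1234)]:
        verdict = "granted" if authorize(SAMPLE_ACL, resource, gid) else "denied"
        print(f"{resource:11} gid={gid:#06x} -> {verdict}")
```

Because only the masked bits are compared, the width of the mask sets how many groups one entry admits, so a mask that is broader than intended silently widens access.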
48 Citations
24 Claims
1. A method of authenticating an access request in a data processing system, comprising:
- receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
- retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value; and
- authenticating the access request based on the group identifier, group set value and mask value.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer program product in a computer readable medium for authenticating an access request in a data processing system, comprising:
- first instructions for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
- second instructions for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requester groups and a mask value; and
- third instructions for authenticating the access request based on the group identifier, group set value and mask value.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. An apparatus for authenticating an access request in a data processing system, comprising:
- means for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
- means for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value; and
- means for authenticating the access request based on the group identifier, group set value and mask value.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
Specification