RULE-BASED ACCESS CONTROL LIST MANAGEMENT
First Claim
1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
- in response to an object access request input associated with a file system object and a user having an access control list entry, a processing unit determining whether a request by the user is authorized for access to the object as a function of access control list entry metadata for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
if determined that the request by the user is not authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, denying by the processing unit access to the object by the user, and updating the access control list entry metadata for the object and the user to indicate the denying;
if determined that the request by the user is authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, granting by the processing unit access to the object by the user for modification of the object, and updating the access control list entry metadata for the object and the user to indicate the granted access; and
if the user modifies the object in response to the granted access to the object, updating by the processing unit the access control list entry metadata for the object and the user to indicate the object modification; and
wherein the access control list entry metadata for the object and the user is linked to the object and the user;
wherein the updating of the access control list entry metadata for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list entry; and
wherein the updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
Abstract
Access control list entries are managed as a function of access control list entry metadata for the object and the requesting user, and of an access control list rule applicable to the requesting user and the requested object. The access control list entry metadata for the object and the user is updated in response to request authorizations and denials. The access control list entry metadata for the object and the user is linked to the object and the user. Updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
57 Citations
20 Claims
1. Independent claim 1 (reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for providing a service for managing access control list entries as a function of user-specific object access data, the method comprising:
integrating computer-readable program code into a computer system comprising a processing unit, a computer readable memory and a computer readable tangible storage medium, wherein the computer readable program code is embodied on the computer readable tangible storage medium and comprises instructions that, when executed by the processing unit via the computer readable memory, cause the processing unit to:
in response to an object access request input associated with a file system object and a user having an access control list entry, determine whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update the access control list metadata entry for the object and the user to indicate the denial;
if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the access control list metadata entry for the object and the user to indicate the granted access; and
if the user modifies the object in response to the granted access to the object, update the access control list metadata entry for the object and the user to indicate the object modification; and
wherein the access control list metadata entry for the object and the user is linked to the object and the user;
wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
10. A system, comprising:
a processing unit in communication with a computer readable memory and a tangible computer-readable storage medium; wherein the processing unit, when executing program instructions stored on the tangible computer-readable storage medium via the computer readable memory:
in response to an object access request input associated with a file system object and a user having an access control list entry, determines whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, denies access to the object by the user, and updates the access control list metadata entry for the object and the user to indicate the denial;
if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grants access to the object by the user for modification of the object, and updates the access control list metadata entry for the object and the user to indicate the granted access; and
if the user modifies the object in response to the granted access to the object, updates the access control list metadata entry for the object and the user to indicate the object modification; and
wherein the access control list metadata entry for the object and the user is linked to the object and the user;
wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
Dependent claims: 11, 12, 13, 14, 15.
16. An article of manufacture, comprising:
a computer readable tangible storage device having computer readable program code embodied therewith, the computer readable program code comprising instructions that, when executed by a computer processing unit, cause the computer processing unit to:
in response to an object access request input associated with a file system object and a user having an access control list entry, determine whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update the access control list metadata entry for the object and the user to indicate the denial;
if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the access control list metadata entry for the object and the user to indicate the granted access; and
if the user modifies the object in response to the granted access to the object, update the access control list metadata entry for the object and the user to indicate the object modification; and
wherein the access control list metadata entry for the object and the user is linked to the object and the user;
wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
Dependent claims: 17, 18, 19, 20.
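Claims 1, 9, 10 and 16 recite the same decision procedure in method, service, system and article-of-manufacture form: look up the requesting user's own entry metadata for the object, evaluate the stored rules that apply to that user and object, grant or deny, and record the outcome (last access time, access count, entry invalidation, later modification) in that one entry without touching other users' entries for the same object. The following is an added illustration of that procedure, not code from the patent or its assignee; the class, function and rule names (AclEntry, Rule, AclManager, max_accesses, business_hours), the file path and the timestamps are all constructed for this example.

```python
# Added example (not the patent's code): a minimal rule-based ACL manager that
# keeps per-(object, user) entry metadata and evaluates stored rules against it.
# All class, function and rule names are assumptions chosen for this illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    """ACL entry metadata linked to exactly one (object, user) pair."""
    object_id: str
    user_id: str
    valid: bool = True                        # cleared when a rule invalidates the entry
    access_count: int = 0                     # revised on every granted access
    last_access: Optional[datetime] = None    # time and date of the last request
    last_result: Optional[str] = None         # "granted" or "denied"
    last_modified: Optional[datetime] = None  # set when the user modifies the object


@dataclass
class Rule:
    """A stored ACL rule: who it applies to, and whether it authorizes a request."""
    name: str
    applies_to: Callable[[str, str], bool]            # (user_id, object_id) -> bool
    authorizes: Callable[[AclEntry, datetime], bool]  # (entry, request time) -> bool
    invalidate_on_deny: bool = False                  # a denial also invalidates the entry


def max_accesses(limit: int) -> Rule:
    """Allow at most `limit` granted accesses per (object, user); then invalidate."""
    return Rule("max_accesses", lambda u, o: True,
                lambda e, now: e.access_count < limit, invalidate_on_deny=True)


def business_hours(users: frozenset, start: int = 9, end: int = 17) -> Rule:
    """Restrict the listed users to requests made between `start` and `end` o'clock."""
    return Rule("business_hours", lambda u, o: u in users,
                lambda e, now: start <= now.hour < end)


class AclManager:
    def __init__(self, rules: List[Rule]):
        self.metadata: Dict[Tuple[str, str], AclEntry] = {}  # ACL metadata store
        self.rules = rules                                    # ACL rule store

    def add_entry(self, object_id: str, user_id: str) -> None:
        self.metadata[(object_id, user_id)] = AclEntry(object_id, user_id)

    def request_access(self, user_id: str, object_id: str, now: datetime) -> bool:
        """Decide a request from this user's own entry plus the rules that apply.

        Only the (object_id, user_id) entry is read and updated in place; entries
        of other users for the same object are never rewritten.
        """
        entry = self.metadata.get((object_id, user_id))
        if entry is None:
            return False  # the user has no ACL entry for this object at all
        applicable = [r for r in self.rules if r.applies_to(user_id, object_id)]
        failing = [r for r in applicable if not r.authorizes(entry, now)]
        entry.last_access = now  # record time and date of the request either way
        if entry.valid and not failing:
            entry.access_count += 1
            entry.last_result = "granted"
            return True
        entry.last_result = "denied"
        if any(r.invalidate_on_deny for r in failing):
            entry.valid = False
        return False

    def record_modification(self, user_id: str, object_id: str, now: datetime) -> None:
        """Note that the user modified the object after a granted request."""
        entry = self.metadata[(object_id, user_id)]
        if entry.last_result != "granted":
            raise PermissionError("modification without a granted access")
        entry.last_modified = now


def demo() -> Tuple[AclManager, List[bool]]:
    """Constructed scenario: two users share one object; rules apply per user."""
    obj = "/shared/budget.xlsx"  # constructed object id
    mgr = AclManager([max_accesses(2), business_hours(frozenset({"alice"}))])
    for user in ("alice", "bob"):
        mgr.add_entry(obj, user)
    results = [
        mgr.request_access("alice", obj, datetime(2024, 3, 4, 10, 0)),  # granted (1st)
    ]
    mgr.record_modification("alice", obj, datetime(2024, 3, 4, 10, 5))
    results += [
        mgr.request_access("alice", obj, datetime(2024, 3, 4, 20, 0)),  # denied: out of hours
        mgr.request_access("alice", obj, datetime(2024, 3, 5, 10, 0)),  # granted (2nd)
        mgr.request_access("alice", obj, datetime(2024, 3, 6, 10, 0)),  # denied: limit hit, entry invalidated
        mgr.request_access("bob", obj, datetime(2024, 3, 6, 3, 0)),     # granted: hours rule is not bob's
    ]
    return mgr, results


if __name__ == "__main__":
    manager, outcome = demo()
    print(outcome)
    for key, e in manager.metadata.items():
        print(key, e.valid, e.access_count, e.last_result, e.last_modified)
```

The metadata store is keyed by the (object, user) pair rather than holding one mutable record per object, which is what makes the last "wherein" clause hold by construction: alice's invalidation and access count never touch bob's entry, and an out-of-hours denial records its time and date without consuming one of her granted accesses. A rule decides for itself whether a denial should also invalidate the entry, so a transient condition (wrong hour) and an exhausted quota are handled differently while sharing one decision path.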
Specification