Access control subsystem and method for distributed computer system using compound principals

US 5,173,939 A
Filed: 10/28/1991
Issued: 12/22/1992
Est. Priority Date: 09/28/1990
Status: Expired due to Term

First Claim

Patent Images

1. A distributed computer system, comprising:

a multiplicity of interconnected computers;

wherein principals working on said multiplicity of computers include simple principals and compound principals, each compound principal being selected from the set consisting essentially of;

(A) qualified principals, each qualified principle comprising any one of said simple principals whose object access authority is qualified by at least one role adopted by that simple principal;

(B) any first one of said principals whose object access authority is qualified by delegation of said first principal'"'"'s object access authority to any designated second one of said principals; and

(C) conjunctions of said simple, qualified and compound principals; and

object access control apparatus, said object access control apparatus comprising;

membership means for storing a list of assumptions, said list of assumptions including (A) a first set of assumptions, each assumption in said first set defining relative strengths of at least two specified ones of said principals for purposes of object access authority, and (B) a second set of assumptions, each assumption in said second set defining relative strengths of roles that can be adopted by ones of said principals for purposes of qualifying object access authority of said principals;

a multiplicity of objects, each stored in one of said multiplicity of interconnected computers and having an associated access control list;

each object'"'"'s access control list having a list of entries, wherein each entry represents one of said simple principals or compound principals that are authorized to access said object; and

a plurality of reference monitors, each in a trusted computing base within a different one of said multiplicity of interconnected computers, wherein each reference monitor receives access requests transmitted by ones of said principals working on any of the computers in said distributed computer system, each access request specifying one of said multiplicity of objects for which access is requested and a request principal, said request principal comprising the principal that transmitted said access request;

each reference monitor including access checking means for (A) comparing said request principal with each entry in the list of entries in said specified object'"'"'s access control list, (B) retrieving from said membership means information concerning relative strengths of said request principal and the principal represented by each said entry and relative strengths of roles adopted by said request principal and roles adopted by the principal represented by each said entry, and (C) granting access to said specified object by said request principal only if said request principal is at least as strong as at least one of said entries in the list of entries in said specified object'"'"'s access control list.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed computer system has a number of computers coupled thereto at distinct nodes and a naming service with a membership table that defines a list of assumptions concerning which principals in the system are stronger than other principals, and which roles adopted by principals are stronger than other roles. Each object in the system has an access control list (ACL) having a list of entries. Each entry is either a simple principal or a compound principal. The set of allowed compound principals is limited to a predefined set of allowed combinations of simple principals, roles, delegations and conjunctions in accordance with a defined hierarchical ordering of the conjunction, delegation and role portions of each compound principal. The assumptions in the membership table reduce the number of entries needed in an ACL by allowing an entry to state only the weakest principals and roles that are to be allowed access. The reference checking process, handled by a reference monitor found at each node of the distributed system, grants an access request if the requestor is stronger than any one of the entries in the access control list for the resource requested. Furthermore, one entry is stronger than another entry if for each of the conjuncts in the latter entry there is a stronger conjunct in the former. Additional rules used by the reference monitor during the reference checking process govern the processes of comparing conjuncts in a requestor principal with the conjuncts in an access control list entry and of using assumptions to compare the relative strengths of principals and roles.

Citations

14 Claims

1. A distributed computer system, comprising:
- a multiplicity of interconnected computers;
  
  wherein principals working on said multiplicity of computers include simple principals and compound principals, each compound principal being selected from the set consisting essentially of;
  
  (A) qualified principals, each qualified principle comprising any one of said simple principals whose object access authority is qualified by at least one role adopted by that simple principal;
  
  (B) any first one of said principals whose object access authority is qualified by delegation of said first principal'"'"'s object access authority to any designated second one of said principals; and
  
  (C) conjunctions of said simple, qualified and compound principals; and
  
  object access control apparatus, said object access control apparatus comprising;
  
  membership means for storing a list of assumptions, said list of assumptions including (A) a first set of assumptions, each assumption in said first set defining relative strengths of at least two specified ones of said principals for purposes of object access authority, and (B) a second set of assumptions, each assumption in said second set defining relative strengths of roles that can be adopted by ones of said principals for purposes of qualifying object access authority of said principals;
  
  a multiplicity of objects, each stored in one of said multiplicity of interconnected computers and having an associated access control list;
  
  each object'"'"'s access control list having a list of entries, wherein each entry represents one of said simple principals or compound principals that are authorized to access said object; and
  
  a plurality of reference monitors, each in a trusted computing base within a different one of said multiplicity of interconnected computers, wherein each reference monitor receives access requests transmitted by ones of said principals working on any of the computers in said distributed computer system, each access request specifying one of said multiplicity of objects for which access is requested and a request principal, said request principal comprising the principal that transmitted said access request;
  
  each reference monitor including access checking means for (A) comparing said request principal with each entry in the list of entries in said specified object'"'"'s access control list, (B) retrieving from said membership means information concerning relative strengths of said request principal and the principal represented by each said entry and relative strengths of roles adopted by said request principal and roles adopted by the principal represented by each said entry, and (C) granting access to said specified object by said request principal only if said request principal is at least as strong as at least one of said entries in the list of entries in said specified object'"'"'s access control list.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The object access control apparatus of claim 1, whereinsaid principal represented by each entry in the list of entries in each object'"'"'s access control list is selected from the set consisting essentially of (1) said simple principals, (2) said qualified principals, (3) For-Lists, each denoting at least one simple or qualified principal which has delegated authority to another denoted simple or qualified principal, and (4) conjunctions of at least two principals selected from the set consisting of simple principals, qualified principals and For-Lists.
  - 3. The object access control apparatus of claim 2, whereinsaid request principal is selected from the set consisting essentially of (1) said simple principals, (2) said qualified principals, (3) For-Lists, each denoting at least one simple or qualified principal which has delegated authority to another denoted simple or qualified principal, and (4) conjunctions of at least two principals selected from the set consisting of simple principals, qualified principals and For-Lists.
  - 4. The object access control apparatus of claim 3, whereineach For-List'"'"'s length is defined as the number of simple principals and qualified principals in said For-List;
    - andsaid access check means, when comparing the request principal specified in one of said access requests with an entry in the list of entries in said specified object'"'"'s access control list, compares any For-List in said request principal only with the For-Lists, if any, in said entry of equal length and compares each qualified principal in said request principal only with the qualified principals, if any, in said entry.
  - 5. The object access control apparatus of claim 4, whereinany first qualified principal in said request principal is at least as strong as any second qualified principal in said entry only when (A) said first qualified principal'"'"'s simple principal is at least as strong as said second qualified principal'"'"'s simple principal, in accordance with said assumptions in said membership table, and (B) each role in said first qualified principal is at least as strong as some role in said second qualified principal, in accordance with said assumptions in said membership table.
  - 6. The object access control apparatus of claim 5, whereinany first For-List in said request principal is at least as strong as any second For-List in said entry only when each qualified principal and/or simple principal in the first For-List is stronger than a corresponding qualified principal and/or simple principal in the second For-List.
  - 7. The object access control apparatus of claim 3, whereinany first qualified principal in said request principal is at least as strong as any second qualified principal in said entry only when (A) said first qualified principal'"'"'s simple principal is at least as strong as said second qualified principal'"'"'s simple principal, in accordance with said assumptions in said membership table, and (B) each role in said first qualified principal is at least as strong as some role in said second qualified principal, in accordance with said assumptions in said membership table.

8. A method of controlling access to objects in a distributed computer system having a multiplicity of interconnected computers, wherein principals working on said multiplicity of computers include simple principals and compound principals, each compound principal being selected from the set consisting essentially of:
- (A) qualified principals, each qualified principle comprising any one of said simple principals whose object access authority is qualified by at least one role adopted by that simple principal;
  
  (B) any first one of said principals whose object access authority is qualified by delegation of said first principal'"'"'s object access authority to any designated second one of said principals; and
  
  (C) conjunctions of said simple, qualified and compound principals;
  
  the method comprising the steps of;
  
  storing a list of assumptions, said list of assumptions including (A) a first set of assumptions, each assumption in said first set defining relative strengths of at least two specified ones of said principals for purposes of object access authority, and (B) a second set of assumptions, each assumption in said second set defining relative strengths of roles that can be adopted by ones of said principals for purposes of qualifying object access authority of said principals;
  
  storing a multiplicity of objects in ones of said multiplicity of interconnected computers and storing an access control list for each object;
  
  each object'"'"'s access control list having a list of entries, wherein each entry represents one of said simple principals or compound principals that are authorized to access said object; and
  
  at a plurality of said computers, (A) receiving access requests transmitted by ones of said principals working on any of the computers in said distributed computer system, each access request specifying one of said multiplicity of objects for which access is requested and a request principal, said request principal comprising the principal that transmitted said access request, (B) comparing said request principal with each entry in the list of entries in said specified object'"'"'s access control list, (C) retrieving from said membership means information concerning relative strengths of said request principal and the principal represented by each said entry and relative strengths of roles adopted by said request principal and roles adopted by the principal represented by each said entry, and (D) granting access to said specified object by said request principal only if said request principal is at least as strong as at least one of said entries in the list of entries in said specified object'"'"'s access control list.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, whereinsaid principal represented by each entry in the list of entries in each object'"'"'s access control list is selected from the set consisting essentially of (1) said simple principals, (2) said qualified principals, (3) For-Lists, each denoting at least one simple or qualified principal which has delegated authority to another denoted simple or qualified principal, and (4) conjunctions of at least two principals selected from the set consisting of simple principals, qualified principals and For-Lists.
  - 10. The method of claim 9, whereinsaid request principal is selected from the set consisting essentially of (1) said simple principals, (2) said qualified principals, (3) For-Lists, each denoting at least one simple or qualified principal which has delegated authority to another denoted simple or qualified principal, and (4) conjunctions of at least two principals selected from the set consisting of simple principals, qualified principals and For-Lists.
  - 11. The method of claim 10, whereineach For-List'"'"'s length is defined as the number of simple principals and qualified principals in said For-List;
    - andsaid comparing step including comparing any For-List in said request principal only with the For-Lists, if any, in said entry of equal length and comparing each qualified principal in said request principal only with the qualified principals, if any, in said entry.
  - 12. The method of claim 11, whereinany first qualified principal in said request principal is at least as strong as any second qualified principal in said entry only when (A) said first qualified principal'"'"'s simple principal is at least as strong as said second qualified principal'"'"'s simple principal, in accordance with said assumptions in said membership table, and (B) each role in said first qualified principal is at least as strong as some role in said second qualified principal, in accordance with said assumptions in said membership table.
  - 13. The method of claim 12, whereinany first For-List in said request principal is at least as strong as any second For-List in said entry only when each qualified principal and/or simple principal in the first For-List is stronger than a corresponding qualified principal and/or simple principal in the second For-List.
  - 14. The method of claim 10, whereinany first qualified principal in said request principal is at least as strong as any second qualified principal in said entry only when (A) said first qualified principal'"'"'s simple principal is at least as strong as said second qualified principal'"'"'s simple principal, in accordance with said assumptions in said membership table, and (B) each role in said first qualified principal is at least as strong as some role in said second qualified principal, in accordance with said assumptions in said membership table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Burrows, Michael, Abadi, Martin, Wobber, Edward P.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US07/783,361
Time in Patent Office

421 Days
Field of Search

395/275, 395/725, 340/825.31, 340/825.34, 380/4, 380/23, 380/25, 380/30, 380/49, 380/50
US Class Current

1/1
CPC Class Codes

G06F 9/468 Specific access rights for ...

Y10S 707/99939 Privileged access

Access control subsystem and method for distributed computer system using compound principals

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Access control subsystem and method for distributed computer system using compound principals

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links