Access control subsystem and method for distributed computer system using compound principals
First Claim
1. A distributed computer system, comprising:
a multiplicity of interconnected computers;
wherein principals working on said multiplicity of computers include simple principals and compound principals, each compound principal being selected from the set consisting essentially of:
(A) qualified principals, each qualified principal comprising any one of said simple principals whose object access authority is qualified by at least one role adopted by that simple principal;
(B) any first one of said principals whose object access authority is qualified by delegation of said first principal's object access authority to any designated second one of said principals; and
(C) conjunctions of said simple, qualified and compound principals; and
object access control apparatus, said object access control apparatus comprising:
membership means for storing a list of assumptions, said list of assumptions including (A) a first set of assumptions, each assumption in said first set defining relative strengths of at least two specified ones of said principals for purposes of object access authority, and (B) a second set of assumptions, each assumption in said second set defining relative strengths of roles that can be adopted by ones of said principals for purposes of qualifying object access authority of said principals;
a multiplicity of objects, each stored in one of said multiplicity of interconnected computers and having an associated access control list;
each object's access control list having a list of entries, wherein each entry represents one of said simple principals or compound principals that are authorized to access said object; and
a plurality of reference monitors, each in a trusted computing base within a different one of said multiplicity of interconnected computers, wherein each reference monitor receives access requests transmitted by ones of said principals working on any of the computers in said distributed computer system, each access request specifying one of said multiplicity of objects for which access is requested and a request principal, said request principal comprising the principal that transmitted said access request;
each reference monitor including access checking means for (A) comparing said request principal with each entry in the list of entries in said specified object's access control list, (B) retrieving from said membership means information concerning relative strengths of said request principal and the principal represented by each said entry and relative strengths of roles adopted by said request principal and roles adopted by the principal represented by each said entry, and (C) granting access to said specified object by said request principal only if said request principal is at least as strong as at least one of said entries in the list of entries in said specified object's access control list.
Abstract
A distributed computer system has a number of computers coupled thereto at distinct nodes and a naming service with a membership table that defines a list of assumptions concerning which principals in the system are stronger than other principals, and which roles adopted by principals are stronger than other roles. Each object in the system has an access control list (ACL) having a list of entries. Each entry is either a simple principal or a compound principal. The set of allowed compound principals is limited to a predefined set of allowed combinations of simple principals, roles, delegations and conjunctions in accordance with a defined hierarchical ordering of the conjunction, delegation and role portions of each compound principal. The assumptions in the membership table reduce the number of entries needed in an ACL by allowing an entry to state only the weakest principals and roles that are to be allowed access. The reference checking process, handled by a reference monitor found at each node of the distributed system, grants an access request if the requestor is stronger than any one of the entries in the access control list for the resource requested. Furthermore, one entry is stronger than another entry if for each of the conjuncts in the latter entry there is a stronger conjunct in the former. Additional rules used by the reference monitor during the reference checking process govern the processes of comparing conjuncts in a requestor principal with the conjuncts in an access control list entry and of using assumptions to compare the relative strengths of principals and roles.
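The reference-checking process the abstract and the two independent claims describe, as an added worked example in Python (this is illustrative code written for this page, not code from the patent). The rules the page states are implemented as given: the membership table holds "stronger than" assumptions for principals and for roles, a requester is at least as strong as an ACL entry when every conjunct of the entry is dominated by some conjunct of the requester, and access is granted when the requester is at least as strong as any one entry. The page says only that "additional rules" govern the comparison of individual conjuncts, so the per-conjunct rules below (a role only restricts, so an unqualified principal beats a qualified one and an uncovered extra role causes refusal; "B for A" is weaker than A and never satisfies an entry naming A directly), the `as` / `for` / `and` textual syntax, and the sample membership table and ACL are all assumptions of this example.

```python
"""Reference-monitor access check over compound principals (added example, not the patent's code).

Textual form assumed here:
  compound  := conjunct (" and " conjunct)*
  conjunct  := qualified | qualified " for " qualified   # "B for A": B holds A's delegated authority
  qualified := NAME (" as " ROLE)*                        # "A as R": A restricted to role R
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Qualified:
    name: str
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Conjunct:
    subject: Qualified
    delegate: Optional[Qualified] = None  # the "B" of "B for A"; None means no delegation


def parse_qualified(text):
    name, *roles = [t.strip() for t in text.split(" as ")]
    return Qualified(name, tuple(roles))


def parse_principal(text):
    conjuncts = set()
    for part in text.split(" and "):
        if " for " in part:
            delegate, subject = part.split(" for ", 1)
            conjuncts.add(Conjunct(parse_qualified(subject), parse_qualified(delegate)))
        else:
            conjuncts.add(Conjunct(parse_qualified(part)))
    return frozenset(conjuncts)


class MembershipTable:
    """The naming service's assumptions: (stronger, weaker) pairs for principals and for roles."""

    def __init__(self, principal_pairs, role_pairs):
        self.principals = self._index(principal_pairs)
        self.roles = self._index(role_pairs)

    @staticmethod
    def _index(pairs):
        index = {}
        for stronger, weaker in pairs:
            index.setdefault(stronger, set()).add(weaker)
        return index

    @staticmethod
    def _reaches(index, a, b):
        # Reflexive-transitive: a is at least as strong as b if a == b or a chain of assumptions links them.
        seen, stack = set(), [a]
        while stack:
            x = stack.pop()
            if x == b:
                return True
            if x not in seen:
                seen.add(x)
                stack.extend(index.get(x, ()))
        return False

    def principal_ge(self, a, b):
        return self._reaches(self.principals, a, b)

    def role_ge(self, r, s):
        return self._reaches(self.roles, r, s)


def qualified_ge(t, a, b):
    # Assumed conjunct rule: a role only restricts authority, so every role the requester holds
    # must be at least as strong as some role in the entry (vacuously true for an unqualified
    # requester); a requester carrying an extra, uncovered role is weaker and is refused.
    if not t.principal_ge(a.name, b.name):
        return False
    return all(any(t.role_ge(r, s) for s in b.roles) for r in a.roles)


def conjunct_ge(t, a, b):
    if not qualified_ge(t, a.subject, b.subject):
        return False
    if b.delegate is None:
        return a.delegate is None  # Assumed: "B for A" never satisfies an entry naming A directly.
    if a.delegate is None:
        return True  # Assumed: A acting directly is stronger than "B for A".
    return qualified_ge(t, a.delegate, b.delegate)


def compound_ge(t, requester, entry):
    # Page's rule: for each conjunct in the entry there must be a stronger conjunct in the requester.
    return all(any(conjunct_ge(t, r, e) for r in requester) for e in entry)


def check_access(t, requester, acl):
    # Page's rule: grant if the requester is at least as strong as any one ACL entry.
    req = parse_principal(requester)
    return any(compound_ge(t, req, parse_principal(entry)) for entry in acl)


# Constructed sample data (not from the patent): Alice and Bob are Staff, Staff are Everyone;
# Manager is stronger than Employee, Employee stronger than Guest.
TABLE = MembershipTable([("Alice", "Staff"), ("Bob", "Staff"), ("Staff", "Everyone")],
                        [("Manager", "Employee"), ("Employee", "Guest")])
# Two entries suffice because each names only the weakest principal and role to be admitted.
ACL = ["Staff as Employee", "FileServer for Bob as Employee and Ops"]

if __name__ == "__main__":
    for who in ["Alice as Manager", "Alice as Guest", "FileServer for Alice as Employee"]:
        print(who, "->", "grant" if check_access(TABLE, who, ACL) else "deny")
```

Two properties worth noticing when running it. First, the membership table is the lever that keeps the ACL short: `Alice as Manager` is admitted by the single entry `Staff as Employee` because the table says Alice is stronger than Staff and Manager stronger than Employee; the same table is therefore as trust-critical as the ACL itself, since whoever can add an assumption "X is stronger than Y" hands X everything Y can reach. Second, the comparison fails closed: a requester that carries a role the entry does not cover (`Alice as Manager as Auditor`), or that arrives through a delegation the entry does not name (`FileServer for Alice as Employee` against `Staff as Employee`), is refused rather than matched on the parts that do line up.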
14 Claims
1. A distributed computer system (independent claim; full text as given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of controlling access to objects in a distributed computer system having a multiplicity of interconnected computers, wherein principals working on said multiplicity of computers include simple principals and compound principals, each compound principal being selected from the set consisting essentially of:
(A) qualified principals, each qualified principal comprising any one of said simple principals whose object access authority is qualified by at least one role adopted by that simple principal;
(B) any first one of said principals whose object access authority is qualified by delegation of said first principal's object access authority to any designated second one of said principals; and
(C) conjunctions of said simple, qualified and compound principals;
the method comprising the steps of:
storing a list of assumptions, said list of assumptions including (A) a first set of assumptions, each assumption in said first set defining relative strengths of at least two specified ones of said principals for purposes of object access authority, and (B) a second set of assumptions, each assumption in said second set defining relative strengths of roles that can be adopted by ones of said principals for purposes of qualifying object access authority of said principals;
storing a multiplicity of objects in ones of said multiplicity of interconnected computers and storing an access control list for each object, each object's access control list having a list of entries, wherein each entry represents one of said simple principals or compound principals that are authorized to access said object; and
at a plurality of said computers, (A) receiving access requests transmitted by ones of said principals working on any of the computers in said distributed computer system, each access request specifying one of said multiplicity of objects for which access is requested and a request principal, said request principal comprising the principal that transmitted said access request, (B) comparing said request principal with each entry in the list of entries in said specified object's access control list, (C) retrieving from said stored list of assumptions information concerning relative strengths of said request principal and the principal represented by each said entry and relative strengths of roles adopted by said request principal and roles adopted by the principal represented by each said entry, and (D) granting access to said specified object by said request principal only if said request principal is at least as strong as at least one of said entries in the list of entries in said specified object's access control list.
Dependent claims: 9, 10, 11, 12, 13, 14.