Method and system for providing user access control within a distributed data processing system by the exchange of access control profiles

US 5,263,157 A
Filed: 02/15/1990
Issued: 11/16/1993
Est. Priority Date: 02/15/1990
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:

storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;

querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;

transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;

if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;

utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and

denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected group of users.

Citations

6 Claims

1. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
- storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
  
  querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
  
  transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
  
  if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
  
  utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
  
  denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
- View Dependent Claims (2)
- - 2. The computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system according to claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

3. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, said method comprising the steps of:
- establishing at least one reference monitor service within said distributed data processing system;
  
  associating each resource manager with a reference monitor service;
  
  storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
  
  querying as associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
  
  transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
  
  if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
  
  utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
  
  denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
- View Dependent Claims (4)
- - 4. The computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system according to claim 3, wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

5. A data processing system for providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said data processing system comprising:
- means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at lest a portion of said predetermined set of resource objects;
  
  means for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
  
  means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; and
  
  if not, for attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
  
  means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
  
  means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

6. A data processing system for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, said data processing system comprising:
- means for establishing at least one reference monitor service within said distributed data processing system;
  
  means for associating each resource manager with a reference monitor service;
  
  means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
  
  mean for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
  
  means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
  
  if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
  
  means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
  
  means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Janis, Frederick L.
Primary Examiner(s)
Lee, Thomas C.
Assistant Examiner(s)
Lintz, Paul R.

Application Number

US07/480,437
Time in Patent Office

1,370 Days
Field of Search

364/DIG. 1, 364/DIG. 2, 380/4, 380/25, 395/600, 395/200, 395/725
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/99939   Privileged access

Method and system for providing user access control within a distributed data processing system by the exchange of access control profiles

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing user access control within a distributed data processing system by the exchange of access control profiles

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links