Method and system for providing user access control within a distributed data processing system by the exchange of access control profiles
Abstract
A method is disclosed for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected group of users.
6 Claims
1. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
- storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
- querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
- transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
- if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
- utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
- denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
3. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, said method comprising the steps of:
- establishing at least one reference monitor service within said distributed data processing system;
- associating each resource manager with a reference monitor service;
- storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
- querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
- transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
- if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
- utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
- denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
5. A data processing system for providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said data processing system comprising:
- means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
- means for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
- means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; and
- if not, for attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
- means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
- means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
6. A data processing system for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, said data processing system comprising:
- means for establishing at least one reference monitor service within said distributed data processing system;
- means for associating each resource manager with a reference monitor service;
- means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;
- means for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;
- means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
- if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
- means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
- means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.
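The flow recited in claim 1 (lookup in the associated reference monitor service, retrieval from another reference monitor service, denial when retrieval fails) is shown here as an added Python example; it is not code from the patent. The class names, the `grants` layout, the `reachable` flag and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessControlProfile:
    resources: frozenset  # predetermined set of resource objects
    grants: dict          # user -> portion of `resources` that user may access
    def permits(self, user, resource):
        return resource in self.resources and resource in self.grants.get(user, ())

class ReferenceMonitorService:
    def __init__(self, name, profiles=(), peers=(), reachable=True):
        self.name, self.reachable = name, reachable
        self.profiles, self.peers = list(profiles), list(peers)
    def local_lookup(self, resource):
        if not self.reachable:
            raise ConnectionError(self.name + " unreachable")
        return next((p for p in self.profiles if resource in p.resources), None)
    def get_profile(self, resource):
        # Local store first, then each other service; unreachable ones are skipped.
        for service in [self, *self.peers]:
            try:
                profile = service.local_lookup(resource)
            except ConnectionError:
                continue
            if profile is not None:
                return profile
        return None  # retrieval failed everywhere

class ResourceManager:
    def __init__(self, monitor, controlled):
        self.monitor, self.controlled = monitor, set(controlled)
    def check_access(self, user, resource):
        if resource not in self.controlled:
            return False  # object is not controlled by this manager
        profile = self.monitor.get_profile(resource)
        # Fail closed: a missing profile is a denial, never a default allow.
        return profile is not None and profile.permits(user, resource)

def demo():
    # Constructed sample data: names, users and topology are illustrative.
    payroll = AccessControlProfile(frozenset({"payroll.db", "bonus.db"}),
                                   {"alice": {"payroll.db", "bonus.db"}, "bob": {"payroll.db"}})
    design = AccessControlProfile(frozenset({"design.doc"}), {"bob": {"design.doc"}})
    rms_b = ReferenceMonitorService("rms-b", [design])
    rms_c = ReferenceMonitorService("rms-c", reachable=False)
    rms_a = ReferenceMonitorService("rms-a", [payroll], peers=[rms_c, rms_b])
    rm = ResourceManager(rms_a, {"payroll.db", "bonus.db", "design.doc", "orphan.txt"})
    cases = [("alice", "bonus.db"), ("bob", "bonus.db"), ("bob", "design.doc"),
             ("alice", "design.doc"), ("alice", "orphan.txt")]
    return {case: rm.check_access(*case) for case in cases}
```

In `demo()`, `design.doc` is resolved through the second peer after the unreachable one is skipped, and `orphan.txt` is denied because no service holds a profile for it.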
Specification