System for providing user access control within a distributed data processing system having multiple resource managers
First Claim
1. A computer implemented method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
- storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user;
querying an associated reference monitor service by a selected one of said resource managers in order to vary access control for a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager;
transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
utilizing said selected resource manager to selectively modify said access control information in said selected access control profile; and
storing said selectively modified access control information in said selected access control profile within an associated reference monitor service wherein subsequent access to said particular resource object may be variably controlled.
1 Assignment
0 Petitions
Accused Products
Abstract
The method of the present invention may be utilized to provide user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profile information may be communicated between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. A resource manager may utilize this communication technique to retrieve, modify, or delete a selected access control profile, as desired. Further, the resource manager may utilize this communication technique to control access to a resource object by utilizing the information contained within the access control profile to determine if the requester is authorized to access the resource object and whether or not the requester has been granted sufficient authority to take selected actions with respect to that resource object. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a specified level of authority associated with a selected user; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.
240 Citations
4 Claims
-
1. A computer implemented method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
-
storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user; querying an associated reference monitor service by a selected one of said resource managers in order to vary access control for a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager; transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;utilizing said selected resource manager to selectively modify said access control information in said selected access control profile; and storing said selectively modified access control information in said selected access control profile within an associated reference monitor service wherein subsequent access to said particular resource object may be variably controlled. - View Dependent Claims (2)
-
-
3. A data processing system for providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said data processing system comprising:
-
means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user; means for querying an associated reference monitor service by a selected one of said resource managers in order to vary access control for a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager; means for transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; and
if not, for attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;means for utilizing said selected resource manager to selectively modify said access control information in said selected access control profile; and means for storing said selectively modified access control information in said selected control profile within an associated reference monitor service wherein subsequent access to said particular resource object may be variably controlled. - View Dependent Claims (4)
-
Specification