Access restriction facility method and apparatus
Abstract
An access control mechanism for granting, revoking, and denying authorization to computer system objects using a customer supplied set of verbs, parameters, attributes, and functions. The access control mechanism employs a processor for providing access controls to objects comprising subject memory, verb memory, object memory, definition memory, rule memory and an evaluator. The processor may be embodied as a microprocessor and memory, or a computer using software. The subject memory stores specified user attributes in a matrix having information for each user on each row, with user attributes in each field. The object memory stores object names, object attributes, and rules for defined verb names. The definition memory stores field definitions, external function declarations and strings. The rule memory stores rule names with their associated boolean expressions. The evaluator determines whether or not access to a specific object is allowed according to specified or default rules, user and object attributes, and definitions. While the term "Discretionary Access Control" is used throughout this document, the mechanism described herein can be used to implement discretionary, mandatory, and non-discretionary (Clark-Wilson) security models.
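The abstract describes the evaluator only as a combination of stores. The Python below is an added example written for this page, not code from the patent or its assignee, showing one way those stores could be wired together: subject rows checked against the field definitions, a verb's default rule overridden by a per-object, per-verb rule, named rule-boolean expressions referenced from other rules, and declared external functions and string constants usable inside rules. Every name in it (AccessFacility, build_demo, the sample users, objects, verbs and rules) is an assumption constructed for the example. Rule expressions are parsed with Python's ast module and walked over a whitelisted grammar rather than handed to eval(), and an unknown name, unsupported construct, parse error or runaway rule recursion denies access instead of granting it.

```python
"""Added example: a fail-closed evaluator over the subject/verb/object/definition/rule stores."""
import ast
import operator
from dataclasses import dataclass, field


@dataclass
class AccessFacility:
    """Hypothetical layout of the five stores named in the abstract, plus the evaluator."""
    subjects: dict = field(default_factory=dict)   # user -> {field name: value}   (subject matrix row)
    verbs: dict = field(default_factory=dict)      # verb name -> default rule expression
    objects: dict = field(default_factory=dict)    # object name -> {"attrs": {...}, "rules": {verb: expr}}
    field_defs: set = field(default_factory=set)   # declared subject field names (definition store)
    functions: dict = field(default_factory=dict)  # declared external function name -> callable
    strings: dict = field(default_factory=dict)    # declared string constant name -> str
    rules: dict = field(default_factory=dict)      # rule name -> rule-boolean expression

    # Comparison operators a rule may use; anything else is rejected.
    _CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

    def add_subject(self, user, **attrs):
        # Field definitions act as the schema: a subject row may carry only declared fields.
        unknown = set(attrs) - self.field_defs
        if unknown:
            raise ValueError(f"undeclared subject fields: {sorted(unknown)}")
        self.subjects[user] = dict(attrs)

    def check(self, user, verb, obj):
        """True only when the applicable rule evaluates true; anything unknown or broken denies."""
        if user not in self.subjects or verb not in self.verbs or obj not in self.objects:
            return False
        # The object's rule for this verb wins; otherwise the verb's default rule applies.
        expr = self.objects[obj]["rules"].get(verb, self.verbs[verb])
        env = {"user": self.subjects[user], "object": self.objects[obj]["attrs"]}
        try:
            return bool(self._eval(ast.parse(expr, mode="eval").body, env, 0))
        except (ValueError, TypeError, SyntaxError):
            return False  # a malformed or runaway rule denies rather than grants

    def _eval(self, node, env, depth):
        # Walk a whitelisted subset of Python's expression grammar; eval() is never used.
        if depth > 16:
            raise ValueError("rule nesting too deep (self-referencing rule?)")
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.BoolOp):
            parts = (self._eval(v, env, depth + 1) for v in node.values)
            return all(parts) if isinstance(node.op, ast.And) else any(parts)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not self._eval(node.operand, env, depth + 1)
        if isinstance(node, ast.Compare):
            left = self._eval(node.left, env, depth + 1)
            for op, comparator in zip(node.ops, node.comparators):
                if type(op) not in self._CMP:
                    raise ValueError(f"unsupported comparison {type(op).__name__}")
                right = self._eval(comparator, env, depth + 1)
                if not self._CMP[type(op)](left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name) and node.value.id in env:
            return env[node.value.id].get(node.attr)   # user.<field> or object.<attribute>
        if isinstance(node, ast.Name):
            if node.id in self.rules:                   # named rule-boolean expression
                return self._eval(ast.parse(self.rules[node.id], mode="eval").body, env, depth + 1)
            if node.id in self.strings:                 # declared string constant
                return self.strings[node.id]
            raise ValueError(f"unknown name {node.id!r}")
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in self.functions:
            args = [self._eval(a, env, depth + 1) for a in node.args]
            return self.functions[node.func.id](*args)  # only declared external functions are callable
        raise ValueError(f"unsupported syntax: {type(node).__name__}")


def build_demo():
    """Constructed sample configuration for the example; none of it comes from the patent."""
    f = AccessFacility()
    f.field_defs = {"dept", "clearance", "groups"}
    f.strings["FINANCE"] = "finance"
    f.functions["starts_with"] = lambda s, prefix: str(s).startswith(prefix)
    f.rules["same_dept"] = "user.dept == object.dept"
    f.rules["cleared"] = "user.clearance >= object.level"
    f.rules["loop"] = "loop and same_dept"            # deliberately self-referencing: must deny
    f.verbs["read"] = "same_dept and cleared"
    f.verbs["write"] = "object.owner in user.groups"
    f.verbs["delete"] = "False"                        # denied unless an object rule says otherwise
    f.add_subject("alice", dept="finance", clearance=3, groups=["fin-admins"])
    f.add_subject("bob", dept="eng", clearance=1, groups=["eng"])
    f.objects["ledger"] = {
        "attrs": {"dept": "finance", "level": 2, "owner": "fin-admins"},
        "rules": {"delete": "object.owner in user.groups and starts_with(user.dept, FINANCE)",
                  "write": "loop"},
    }
    f.objects["design-doc"] = {"attrs": {"dept": "eng", "level": 1, "owner": "eng"}, "rules": {}}
    return f


if __name__ == "__main__":
    facility = build_demo()
    for who, verb, obj in [("alice", "read", "ledger"), ("bob", "read", "ledger"),
                           ("alice", "delete", "ledger"), ("alice", "write", "ledger"),
                           ("bob", "write", "design-doc"), ("alice", "delete", "design-doc")]:
        print(f"{who:6} {verb:6} {obj:10} -> {'GRANT' if facility.check(who, verb, obj) else 'DENY'}")
```

The "alice delete ledger" decision combines an object rule, a user attribute, an object attribute, a declared string and an external function in one expression, which is the "combination of at least any two" the claims describe; the "write" rule on the ledger shows why the depth guard matters, since a rule that references itself would otherwise recurse until the interpreter gave up, and the guard turns that into a deny.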
36 Claims
1. An access restriction mechanism using a processor for controlling access to objects in a computer system, comprising:
subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
verb means for storing at least one verb name with a default rule for each of the verb names;
object means for storing at least one object name with object attributes and object rules expressed as object-boolean expressions for each of the verb names;
definition means for storing field definitions, external function declarations and strings;
rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
evaluation means coupled to said subject means, said object means, said definition means, said verb means and said rule means, responsive to the user information, at least one verb name, at least one object name, at least one rule name and at least one of the field definitions, external function declarations and strings for determining, changing, and controlling access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
Dependent claims: 2, 3, 4, 5.
6. An access restriction mechanism for controlling access to objects in a computer system, comprising:
subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
verb means for storing at least one verb name with a default rule for each of the verb names;
object means for storing at least one object name with object attributes and object rules for each of the verb names;
rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
evaluation means coupled to said subject means, said object means, said verb means and said rule means, responsive to the user information, at least one verb name, at least one object name and at least one rule name for determining access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of default rules, object rules, rule-boolean expressions, user attributes, or object attributes.
Dependent claims: 7, 8, 9.
10. An access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism comprising:
subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
object means for storing at least one object name with object attributes;
rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
evaluation means coupled to said subject means, said object means, and said rule means, responsive to user information, at least one object name, and at least one rule name for determining access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of rule-boolean expressions, user attributes, and object attributes.
Dependent claims: 11, 12, 13, 14, 15.
16. A method using a processor for controlling access to objects in a computer system, said processor having subject means, object means, definition means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said object means, said definition means, said verb means, and said rule means, comprising the steps, using said processor, of:
storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing in said verb means at least one verb name with a default rule for each of the at least one verb names;
storing in said object means at least one object name with object attributes and object rules for each of the verb names;
storing in said definition means field definitions, external function declarations and strings;
storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, and any one of field definitions, external function declarations and strings, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination of at least two of default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
Dependent claims: 17, 18, 19, 20.
21. A method using an access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism having subject means, object means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said object means, said verb means, and said rule means, comprising the steps, using said access restriction mechanism, of:
storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing in said verb means at least one verb name with a default rule for each of the verb names;
storing in said object means at least one object name with object attributes and object rules for each of the verb names;
storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination of at least any two of default rules, object rules, rule-boolean expressions, user attributes, and object attributes.
Dependent claims: 22, 23, 24.
25. A method using an access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism having subject means, definition means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said definition means, said verb means, and said rule means, comprising the steps, using said access restriction mechanism, of:
storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing in said verb means at least one verb name with a default rule for each of the verb names;
storing in said definition means field definitions, external function declarations and strings;
storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one rule, and at least one of field definitions, external function declarations and strings, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination of at least any two of default rules, field definitions, external function declarations, strings, rule-boolean expressions, and user attributes.
Dependent claims: 26, 27, 28.
29. A method using an access restriction facility for controlling access to objects in a computer system, comprising the steps, using said access restriction facility, of:
storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing at least one verb name with a default rule for each of the verb names;
storing at least one object name with object attributes and object rules for each of the verb names;
storing at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, and any one of field definitions, external function declarations and strings, access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
Dependent claims: 30, 31, 32.
33. A method using an access restriction facility for controlling access to objects in a computer system, comprising the steps, using said access restriction facility, of:
storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing at least one verb name with a default rule for each of the verb names;
storing at least one object name with object attributes and object rules for each of the verb names;
storing at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, object rules, rule-boolean expressions, user attributes, and object attributes.
34. A method using an access restriction facility for controlling access to objects in a computer system, comprising the steps, using said access restriction facility, of:
storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
storing at least one verb name with a default rule for each of the verb names;
storing field definitions, external function declarations and strings;
storing at least one rule name with a rule-boolean expression for each of the rule names; and
determining, in response to user information, at least one verb name, at least one rule, and at least one of field definitions, external function declarations and strings, access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, field definitions, external function declarations, strings, rule-boolean expressions, and user attributes.
Dependent claims: 35, 36.