Access restriction facility method and apparatus

US 5,265,221 A
Filed: 12/02/1992
Issued: 11/23/1993
Est. Priority Date: 03/20/1989
Status: Expired due to Term

First Claim

Patent Images

1. An access restriction mechanism using a processor for controlling access to objects in a computer system, comprising:

subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;

verb means for storing at least one verb name with a default rule for each of the verb names;

object means for storing at least one object name with object attributes and object rules expressed as object-boolean expressions for each of the verb names;

definition means for storing field definitions, external function declarations and strings;

rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and

evaluation means coupled to said subject means, said object means, said definition means, said verb means and said rule means, responsive to the user information, at least one verb name, at least one object name, at least one rule name and at least one of the field definitions, external function declarations and strings for determining, changing, and controlling access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control mechanism for granting, revoking, and denying authorization to computer system objects using a customer supplied set of verbs, parameters, attributes, and functions. The access control mechanism employs a processor for providing access controls to objects comprising subject memory, verb memory, object memory, definition memory, rule memory and an evaluator. The processor may be embodied as a microprocessor and memory, or a computer using software. The subject memory stores specified user attributes in a matrix having information for each user on each row, with user attributes in each field. The object memory stores object names, object attributes, and rules for defined verb names. The definition memory stores field definitions, external function declarations and strings. The rule memory stores rule names with their associated boolean expressions. The evaluator determines whether or not access to a specific object is allowed according to specified or default rules, user and object attributes, and definitions. While the term "Discretionary Access Control" is used throughout this document, the mechanism described herein can be used to implement discretionary, mandatory, and nonOdiscretionary (Clark-Wilson) security models.

Citations

36 Claims

1. An access restriction mechanism using a processor for controlling access to objects in a computer system, comprising:
- subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
  
  verb means for storing at least one verb name with a default rule for each of the verb names;
  
  object means for storing at least one object name with object attributes and object rules expressed as object-boolean expressions for each of the verb names;
  
  definition means for storing field definitions, external function declarations and strings;
  
  rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  evaluation means coupled to said subject means, said object means, said definition means, said verb means and said rule means, responsive to the user information, at least one verb name, at least one object name, at least one rule name and at least one of the field definitions, external function declarations and strings for determining, changing, and controlling access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The access control mechanism as set forth in claim 1, wherein said access restriction mechanism includes a computer using software.
  - 3. The access control mechanism as set forth in claim 1, wherein said access restriction mechanism includes a microprocessor having memory.
  - 4. The access control mechanism as set forth in claim 1, further comprising:
    - display means for displaying in a window format the contents of said subject means, said verb means, said object means, said definition means, said rule means, and said evaluation means for viewing by a user.
  - 5. The access control mechanism as set forth in claim 4, further comprising input means coupled to said evaluation means for inputting data and instructions to the predetermined algorithm.

6. An access restriction mechanism for controlling access to objects in a computer system, comprising:
- subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
  
  verb means for storing at least one verb name with a default rule for each of the verb names;
  
  object means for storing at least one object name with object attributes and object rules for each of the verb names;
  
  rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  evaluation means coupled to said subject means, said object means, said verb means and said rule means, responsive to the user information, at least one verb name, at least one object name and at least one rule name for determining access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of default rules, object rules, rule-boolean expressions, user attributes, or object attributes.
- View Dependent Claims (7, 8, 9)
- - 7. The access control mechanism as set forth in claim 6, wherein said access restriction mechanism includes a computer using software.
  - 8. The access control mechanism as set forth in claim 6, wherein said access restriction mechanism includes a microprocessor having memory.
  - 9. The access control mechanism as set forth in claim 6, further comprising:
    - display means for displaying in a window format the contents of said subject means, said verb means, said object means, said rule means, and said evaluation means for viewing by a user.

10. An access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism comprising:
- subject means for storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to each of the specific users in each field of the matrix;
  
  object means for storing at least one object name with object attributes;
  
  rule means for storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  evaluation means coupled to said subject means, said object means, and said rule means, responsive to user information, at least one object name, and at least one rule name for determining access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of rule-boolean expressions, user attributes, and object attributes.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The access control mechanism as set forth in claim 10, wherein said access restriction mechanism includes a computer using software.
  - 12. The access control mechanism as set forth in claim 10, wherein said access restriction mechanism includes a microprocessor having memory.
  - 13. The access control mechanism as set forth in claim 10, further comprising:
    - display means for displaying in a window format the contents of said subject means, said object means, said rule means, and said evaluation means for viewing by a user.
  - 14. The method as set forth in claim 10, further including the step of changing access authorization by said evaluation means according to a second predetermined algorithm.
  - 15. The method as set forth in claim 14, further including the step of controlling access to objects according to a second predetermined algorithm.

16. A method using a processor for controlling access to objects in a computer system, said processor having subject means, objects means, definition means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said object means, said definition means, said verb means, and said rule means, comprising the steps, using said processor, of:
- storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing in said verb means at least one verb name with a default rule for each of the at least one verb names;
  
  storing in said object means at least one object name wtih object attributes and object rules for each of the verb names;
  
  storing in said definition means field definitions, external function declarations and strings;
  
  storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names; and
  
  determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, and any one of field definitions, external function declarations and strings, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination f at least two of default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as set forth in claim 16 further including the step of changing access authorization by said evaluation means according to a second predetermined computer algorithm.
  - 18. The method as set forth in claim 16, further including the step of controlling access to objects by said evaluation means according to a second predetermined computer algorithm.
  - 19. The method using a processor as set forth in claim 16, further including the step of:
    - displaying in a window format the contents of said subject means, said verb means, said object means, said definition means, said rule means, and said evaluation means for viewing by a user.
  - 20. The method using a processor as set forth in claim 19, further including the step of inputting data and instructions to the predetermined algorithm.

21. A method using an access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism having subject means, objects means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said object means, said verb means, and said rule means, comprising the steps, using said access restriction mechanism, of:
- storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing in said verb means at least one verb name with a default rule for each of the verb names;
  
  storing in said object means at least one object name with object attributes and object rules for each of the verb names;
  
  storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names;
  
  determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination of at least any two of default rules, object rules, rule-boolean expressions, user attributes, and object attributes.
- View Dependent Claims (22, 23, 24)
- - 22. The method using a processor as set forth in claim 21, further including the step of:
    - displaying in a window format the contents of said subject means, said verb means, said object means, said rule means, and said evaluation means for viewing by a user.
  - 23. The method as set forth in claim 21, further including the step of changing access authorization by said evaluation means according to a second predetermined computer algorithm.
  - 24. The method as set forth in claim 21, further including the step of controlling access to objects by said evaluation means according to a second predetermined computer algorithm.

25. A method using an access restriction mechanism for controlling access to objects in a computer system, said access restriction mechanism having subject means, definition means, verb means, rule means and evaluation means with said evaluation means coupled to said subject means, said definition means, said verb means, and said rule means, comprising the steps, using said access restriction mechanism, of:
- storing in said subject means user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing in said verb means at least one verb name with a default rule for each of the verb names;
  
  storing in said definition means field definitions, external function declarations and strings;
  
  storing in said rule means at least one rule name with a rule-boolean expression for each of the rule names;
  
  determining, in response to user information, at least one verb name, at least one rule, and at least one of filed definitions, external function declarations and strings, access authorization by said evaluation means, wherein access is granted or denied according to a predetermined computer algorithm including a combination of at least any two of default rules, field definitions, external function declarations, strings, rule-boolean expressions, and user attributes.
- View Dependent Claims (26, 27, 28)
- - 26. The method using a processor as set forth in claim 25, further including the step of:
    - displaying in a window format the contents of said subject means, said object means, said rule means, and said evaluation means for viewing by a user.
  - 27. The method as set forth in claim 25, further including the step of changing access authorization by said evaluation means according to a second predetermined computer algorithm.
  - 28. The method as set forth in claim 25, further including the step of controlling access to objects by said evaluation means according to a second predetermined computer algorithm.

29. A method using an access restriction facility for controlling access to objects, in a computer system comprising the steps, using said access restriction facility, of:
- storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing at least one verb name with a default rule for each of the verb names;
  
  storing at least one object name with object attributes and object rules for each of the verb names;
  
  storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  determining, in response to user information, at least one verb name, at least one object name, and at least one rule names, and any one of filed definitions, external function declarations and strings, access authorization wherein access us granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, object rules, field definitions, external function declarations, strings, rule-boolean expressions, user attributes, and object attributes.
- View Dependent Claims (30, 31, 32)
- - 30. The method using a processor as set forth in claim 29, further including the step of inputting data and instructions to the predetermined algorithm.
  - 31. The method as set forth in claim 29, further including the step of changing access authorization according to a second predetermined algorithm.
  - 32. The method as set forth in claim 29, further including the step of controlling access to objects according to a second predetermined algorithm.

33. A method using an access restriction facility for controlling access to objects, in a computer system comprising the steps, using said access restriction facility, of:
- storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing at least one verb name with a default rule for each of the verb names;
  
  storing at least one object name with object attributes and object rules for each of the verb names;
  
  storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  determining, in response to user information, at least one verb name, at least one object name, and at least one rule name, access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, object rules, rule-boolean expressions, user attributes, and object attributes.

34. A method using an access restriction facility for controlling access to objects in a computer system, comprising the steps, using said access restriction facility, of:
- storing user information in a matrix having a specific user on each row of the matrix, with user attributes pertaining to the specific user in each field of the matrix;
  
  storing at least one verb name with a default rule for each of the verb names;
  
  storing field definitions, external function declarations and strings;
  
  storing at least one rule name with a rule-boolean expression for each of the rule names; and
  
  determining, in response to user information, at least one verb name, at least one rule, and at least one of filed definitions, external function declarations and strings, access authorization, wherein access is granted or denied according to a predetermined algorithm including a combination of at least any two of the default rules, field definitions, external function declarations, strings, rule-boolean expressions, and user attributes.
- View Dependent Claims (35, 36)
- - 35. The method as set forth in claim 34, further including the step of changing access authorization according to a second predetermined algorithm.
  - 36. The method as set forth in claim 34, further including the step of controlling access to objects according to a second predetermined algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tandem Computers Incorporated (HP Inc.)
Original Assignee
Tandem Computers Incorporated (HP Inc.)
Inventors
Miller, Donald V.
Primary Examiner(s)
Cosimano, Edward R.

Application Number

US07/985,234
Time in Patent Office

356 Days
Field of Search

235/382, 395/725, 364/DIG. 1, 364/DIG. 2
US Class Current

711/163
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/71   to assure secure computing ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 9/468   Specific access rights for ...

Access restriction facility method and apparatus

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Access restriction facility method and apparatus

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links