System for controlling group access to objects using group access control folder and group identification as individual user
Abstract
A method and system for controlling access by groups of users to multiple objects stored within a data processing system implemented library wherein each object has an access list associated therewith explicitly listing individual users permitted access to that object. A group identification is established which encompasses all users within the data processing system, a selected subset of users within the data processing system, or a single selected user and his or her designated affinity users or proxies. The group identification is then listed within an associated access list for a particular object and upon an attempted access of the particular object by a user not listed explicitly within the associated access list, a determination is made as to whether or not that user is listed within a group identification which is permitted access. In one embodiment of the present invention selected objects and users each have associated therewith a clearance level and access to a selected object by a particular user listed within a group identification may be denied if that particular user's clearance level does not meet or exceed the clearance level of the selected object.
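The access check the abstract describes (explicit access list first, then a group identification listed as if it were a user, then the clearance-level embodiment) can be modelled as follows. This is an added example, not code from the patent: all class, field and sample names are hypothetical, and it assumes integer clearance levels, that the clearance test applies only on the group path, and that privileges from several matching groups are unioned.

```python
from dataclasses import dataclass, field

@dataclass
class AccessControlFolder:
    privileges: dict = field(default_factory=dict)  # object id -> set of privileges
    group_refs: set = field(default_factory=set)    # group ids whose folder is referenced

@dataclass
class LibraryObject:
    access_list: set    # explicit list; a group id is listed like an individual user
    clearance: int = 0  # assumed integer clearance level

@dataclass
class Library:
    objects: dict = field(default_factory=dict)     # object id -> LibraryObject
    folders: dict = field(default_factory=dict)     # user or group id -> folder
    clearances: dict = field(default_factory=dict)  # user id -> clearance level

    def add_group(self, gid, members, privileges):
        """Create the group folder and insert a reference into each member's folder."""
        self.folders[gid] = AccessControlFolder(privileges=privileges)
        for uid in members:
            self.folders.setdefault(uid, AccessControlFolder()).group_refs.add(gid)

    def check(self, uid, oid):
        """Return (path, privileges); path is 'user', 'group' or None (denied)."""
        obj = self.objects[oid]
        acf = self.folders.get(uid, AccessControlFolder())
        if uid in obj.access_list:                  # step 1: explicitly listed user
            return "user", acf.privileges.get(oid, set())
        groups = obj.access_list & acf.group_refs   # step 2: listed group the user references
        if groups and self.clearances.get(uid, 0) >= obj.clearance:
            privs = set()
            for gid in groups:
                privs |= self.folders[gid].privileges.get(oid, set())
            return "group", privs
        return None, set()

def build_demo():
    """Constructed sample data: one explicit user, one group, two objects."""
    lib = Library()
    lib.objects["report"] = LibraryObject({"alice", "dept42"}, clearance=2)
    lib.objects["memo"] = LibraryObject({"alice"})
    lib.folders["alice"] = AccessControlFolder({"report": {"read", "write"}})
    lib.add_group("dept42", ["bob", "carol"], {"report": {"read"}})
    lib.clearances.update({"bob": 2, "carol": 1})
    return lib

if __name__ == "__main__":
    demo = build_demo()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, demo.check(user, "report"))
```

Granting or revoking access for the whole group is a single change to the object's access list or the group folder, while membership is controlled only by which user folders carry the reference, so those folders are the data that needs integrity protection.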
6 Claims
1. A method in a data processing system of controlling access by groups of users to a plurality of objects stored within a data processing system library service wherein each of said plurality of objects within said data processing system library service includes associated therewith an explicit list of individual users permitted access thereto and wherein each individual user has associated therewith an access control folder which includes a listing of privileges for selected ones of said plurality of objects which said individual user is permitted to access, said method comprising the steps of:
- establishing a group identification for a selected subset of users within said data processing system and associating a group access control folder with said group identification, said group access control folder including a listing of privileges for selected ones of said plurality of objects which each individual user within said selected subset of users is permitted to access;
- inserting a reference to said group access control folder within said access control folder associated with each individual user within said selected subset of users;
- listing said group identification as an individual user within said explicit list of individual users permitted access to a particular object stored within said data processing system library service; and
- permitting access to any user within said selected subset of users via said group identification and said associated group access control folder by first determining if a particular user is listed within said explicit list of individual users permitted access to said particular object and, if not, determining if said access control folder associated with said particular user includes a reference to a group access control folder associated with said group identification listed within said explicit list of individual users permitted access to said particular object.

Dependent claims: 2, 3
4. A data processing system for controlling access by groups of users to a plurality of objects stored within a library service within said data processing system wherein each of said plurality of objects within said library service includes associated therewith an explicit list of individual users permitted access thereto and wherein each individual user has associated therewith an access control folder which includes a listing of privileges for selected ones of said plurality of objects which said individual user is permitted to access, said data processing system comprising:
- means for establishing a group identification for a selected subset of users within said data processing system and associating a group access control folder with said group identification, said group access control folder including a listing of privileges for selected ones of said plurality of objects which each individual user within said selected subset of users is permitted to access;
- means for inserting a reference to said group access control folder within said access control folder associated with each individual user within said selected subset of users;
- means for listing said group identification as an individual user within said explicit list of individual users permitted access to a particular object stored within said data processing system library service; and
- means for permitting access to any user within said selected subset of users via said group identification and said associated group access control folder, said permitting access means comprises means for first determining if a particular user is listed within said explicit list of individual users permitted access to said particular object and, if not, means for determining if said access control folder associated with said particular user includes a reference to a group access control folder associated with said group identification listed within said explicit list of individual users permitted access to said particular object.

Dependent claims: 5, 6
Specification