System for determining the rights of object access for a server process by combining them with the rights of the client process
First Claim
Patent Images
1. A computer system, comprising:
- memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
a multiplicity of processes running concurrently on sid computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including at least one server process and a plurality of client processes;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each object'"'"'s access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;
access checking means, coupled to said memory means and said multiplicity of processes, for enabling acces by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object'"'"'s access control list; and
impresonation means, responsive to requests from one of said client processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of one of said at least one server process, said impersonation means including means for generating said adopted set of identifiers by replacing said one server process'"'"' set of identifiers with theunion of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said one server process;
said one server process including means, coupled to said access checking means, for performing tasks on behalf of said requesting client process including accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means.
2 Assignments
0 Petitions
Accused Products
Abstract
In a multitasking, multiuser computer system, a server process temporarily impersonates the characteristics of a client process when the client process preforms a remote procedure call on the server process. Each process has an identifier list with a plurality of identifiers that characterize the process. The server process generates a new identifier list which is either the same as the client process'"'"'s list, or is the union of the server'"'"'s and the client'"'"'s lists. Each object in the system can have an access control list which defines the identifiers that a process must have in order to access the object. The operation system has access checking software for enabling a selected process access to a specified object when the identifiers for the process match the list of identifiers in the access control list of the specified object. The server can therefore access all objects accessible to the client while the server is working for the client. The server can restore its original identifier list after completing the services that it performs for the client.
556 Citations
8 Claims
-
1. A computer system, comprising:
-
memory means for storing data and data structures; a multiplicity of objects comprising data structures stored in said memory means; a multiplicity of processes running concurrently on sid computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including at least one server process and a plurality of client processes;each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each object'"'"'s access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object; access checking means, coupled to said memory means and said multiplicity of processes, for enabling acces by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object'"'"'s access control list; and impresonation means, responsive to requests from one of said client processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of one of said at least one server process, said impersonation means including means for generating said adopted set of identifiers by replacing said one server process'"'"' set of identifiers with theunion of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said one server process; said one server process including means, coupled to said access checking means, for performing tasks on behalf of said requesting client process including accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means. - View Dependent Claims (2)
-
-
3. A computer system, comprising:
-
memory means for storing data and data structures; a multiplicity of objects comprising data structures stored in said memory means;
each object having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;a multiplicity of process running concurrently on said computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including a plurality of server processes and a plurality of client processes;access checking means, coupled to said memory means and said multiplicity of processes, for enabling access by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object'"'"'s access control list; each server process includign means, coupled to said access checking means, for responding to requests from one of said client processes by performing tasks on behalf of said requesting client process, said tasks including accessing ones of said multiplicity of objects; and impersonation means, coupled to said plurality of server processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characterstic denoting means of a specified one of said server processes, said impersonation means including means for generating said adopted set of identifiers by replacing said specified one server process'"'"' set of identifiers with the union of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said specified one server process; said specified one server process accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means. - View Dependent Claims (4)
-
-
5. In a computer system, having
memory means for storing data and data structures; -
a multiplicity of objects comprising data structures stored in said memory means;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object; anda multiplicity of processes running concurrently on said computer system;
said processes including at least one server process and a plurality of client processes;
each of said processes having an associated identifier list denoting a set of identifiers;a method of operating said computer system comprising the steps of; one of said at least one server process responding to requests by one of said plurality of client processes by performing tasks on behalf of the requesting client process; said one server process impersonating said requesting client process by adopting a set of identifiers to replace said identifier list associated with said one servier process, wherein said adopted set of identifiers is the union of said identifiers in said identifier list associated with said requesting client process and said identifiers in said identifier list associated with said one server process; and said one server process initiating access to a specified one of said multiplicity of objects, said system enabling access by said one server process to said one specified object when said adopted set of identifiers match the identifiers of at least one entry in said one specified object'"'"'s access control list. - View Dependent Claims (6)
-
-
7. In a comptuer system, having
memory means for storing data and data structures; -
a multiplicity of objects comprising data structures stored in said memory means;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein eahc entry includes a conjunction of one or more identifiers required to access said each object; anda multiplicity of processes running concurrently on said computer system;
said processes including a plurality of server processes and a plurality of client processes;
each of said processes having an associated identifier list denoting a set of identifiers;a method of operating said computer system comprising the steps of; dach respective server process responding to requests by respective ones of said plurality of client processes by performing tasks on behalf of the respective requesting client process; and each respecitve server process, prior to performing said tasks on behalf of the respective requesting client process, impersonating said respective requesting client process by adopting a set of identifiers to replace said identifier list associated with said respective server process;
wherein said set of identifiers adopted by said each respective server process is the union of said identifiers in said identifier list associated with said respective requesting client process and said identifiers in said identifier list associated with said respective server process; andeach respective server process initiating access to a respective one of said multiplicity of objects, said system enabling access by said respective server process to said one respective object when said set of identifiers adopted by said respective server process match the identifiers of at least one entry in saidone respective object'"'"'s access control list. - View Dependent Claims (8)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeHewlett-Packard Development Company, L.P. (HP Inc.)
-
Original AssigneeDigital Equipment Corporation (HP Inc.)
-
InventorsEast, Jeffrey A., Walker, James J., Kelly, James W. Jr., Jenness, Steven M., Ozur, Mark C.
-
Primary Examiner(s)Lee, Thomas C.
-
Assistant Examiner(s)AMSBURY, WAYNE P
-
Application NumberUS08/011,293Time in Patent Office501 DaysField of Search395/650, 395/725, 364/DIG. 1, 364/DIG. 2US Class Current718/107CPC Class CodesG06F 9/468 Specific access rights for ...G06F 9/52 Program synchronisation; Mu...
