Access control policies for an object oriented database, including access control lists which span across object boundaries
Abstract
The system and method of this invention provides an access control list which spans across object boundaries in an object oriented database. In addition to providing read and write access permissions, the access control list provides execute semantics which apply to the execution of methods in an object oriented database. Within the entries of the access control lists, each of the permissions for read, write, and execute can be assigned separately to each of a number of ids representing user ids or group ids. Upon request for access to the data by the user, the user id of the user and the group ids for which the user is a member are searched for within the entries to determine whether the user has the privileges to perform the operation requested against the objects. In addition, the access control policies are inherited from an object's superobject, resulting in a least privilege for the object.
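The evaluation the abstract describes can be sketched as follows. This is an added example, not code from the patent: the bit flags, the `u:`/`g:` id prefixes, and all class and function names are hypothetical. It assumes that grants matching any of the caller's ids are combined within one access control list, that lists are intersected up the superobject chain to reach the least privilege, and that access is denied when no list exists on the path.

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, EXECUTE = 1, 2, 4  # permission bits; EXECUTE gates method invocation


@dataclass
class DbObject:
    name: str
    parent: Optional["DbObject"] = None   # superobject, if any
    acl: Optional[dict] = None            # id -> permission bits; None = no own ACL
    methods: dict = field(default_factory=dict)


def granted_here(obj, ids):
    """Bits this object's own ACL grants to any of the caller's ids (None if no ACL)."""
    if obj.acl is None:
        return None
    bits = 0
    for principal in ids:
        bits |= obj.acl.get(principal, 0)
    return bits


def effective(obj, user, groups):
    """Least privilege (assumed rule): AND the grants of every ACL from obj up to the root."""
    ids = {f"u:{user}"} | {f"g:{g}" for g in groups}
    bits, seen_acl = READ | WRITE | EXECUTE, False
    node = obj
    while node is not None:
        here = granted_here(node, ids)
        if here is not None:
            bits, seen_acl = bits & here, True
        node = node.parent
    return bits if seen_acl else 0        # no ACL anywhere on the path: deny


def invoke(obj, method, user, groups, *args):
    """Run a method only if the caller holds EXECUTE on the composite object."""
    if not effective(obj, user, groups) & EXECUTE:
        raise PermissionError(f"{user} may not execute {obj.name}.{method}")
    return obj.methods[method](*args)


# Constructed sample hierarchy: payroll -> record -> note (superobject -> subobject).
payroll = DbObject("payroll", acl={"g:hr": READ | WRITE | EXECUTE, "g:staff": READ})
record = DbObject("record", parent=payroll,
                  acl={"u:alice": READ | EXECUTE, "g:staff": READ | WRITE},
                  methods={"total": lambda a, b: a + b})
note = DbObject("note", parent=record)    # no ACL of its own: inherits
```

In the sample data, the `staff` group's WRITE grant on `record` is cancelled by the read-only grant on its superobject `payroll`, which is the least-privilege effect of inheritance.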
2 Claims
1. A method for controlling access privileges to data, said method comprising:
assigning at least one access control policy associated with a plurality of dynamically assignable groups across a plurality of dynamically extendable external objects in an object oriented database;
traversing objects to dynamically extend access control policies to encompass a newly extended object;
controlling a plurality of operations including an execute operation applied to execution of a plurality of methods to at least one of said plurality of dynamically extendable objects based on said assignment and at least one credential of a user requesting access to said data represented by at least one of said plurality of dynamically extendable; and
inheriting said assigned at least one access control policy by a second of said external objects descending from said at least one object;
said inheriting further including determining a least amount of privilege associated with at least one composite object accessed by said user.
2. A system for controlling access privileges to data, said system comprising:
means for assigning at least one access control policy associated with a plurality of dynamically assignable groups across a plurality of dynamically extendable external objects in an object oriented database;
means for traversing objects to dynamically extend access control policies to encompass a newly extended object;
means for controlling a plurality of operations including an execute operation applied to execution of a plurality of methods to at least one of said plurality of dynamically extendable objects based on said assignment and at least one credential of a user requesting access to said data represented by at least one of said plurality of dynamically extendable objects; and
means for inheriting said assigned at least one access control policy by a second of said external objects descending from said at least one object;
said means for inheriting further including means for determining a least amount of privilege associated with at least one composite object accessed by said user.
Specification