Method for protecting data in a computer system

US 5,414,852 A
Filed: 10/30/1992
Issued: 05/09/1995
Est. Priority Date: 10/30/1992
Status: Expired due to Term

First Claim

Patent Images

1. In a data processing system, a computer-implemented method for controlling access to a plurality of data objects, comprising the steps of:

when each of the plurality of objects is created, associating with such object at least one user identifier, and at least one list of data manager identifiers;

invoking a first data manager using a user identifier to identify an invoking user;

invoking a second data manager from the first data manager; and

when the second data manager later attempts to access a data object, allowing such access only if one of the lists of data manager identifiers associated with the data object contains both the first and second data managers, and the first data manager has been invoked with a user identifier associated with the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system include a plurality of data objects which are accessible by application programs through a system level interface. Each data object has an associated user access list. In addition, each object has at least one key indicating which applications can access that object. The key is preferably maintained in a protected storage area, accessible only by the low level system interface. Both the application identifier key and the user who invoked that application must match the identifier information in the data object for access to be allowed to that object. If an unauthorized user attempts access to the data object through the correct application, or an authorized user attempts access through an incorrect application, access to the data object will be denied by the low level interface.

263 Citations

14 Claims

1. In a data processing system, a computer-implemented method for controlling access to a plurality of data objects, comprising the steps of:
- when each of the plurality of objects is created, associating with such object at least one user identifier, and at least one list of data manager identifiers;
  
  invoking a first data manager using a user identifier to identify an invoking user;
  
  invoking a second data manager from the first data manager; and
  
  when the second data manager later attempts to access a data object, allowing such access only if one of the lists of data manager identifiers associated with the data object contains both the first and second data managers, and the first data manager has been invoked with a user identifier associated with the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each data object is created by a data manager, and an identifier of the creating data manager is included in one of the lists of data managers associated with each created object.
  - 3. The method of claim 2, wherein identifiers for at least three data managers are included in one of the lists associated with at least one selected data object.
  - 4. The method of claim 2, wherein a list of user identifiers associated with a data object can be modified by the data manager which created the data object.
  - 5. The method of claim 2, wherein data objects are created by data managers through a system level interface, and the data manager identifier associated with each data object is accessible only by the system level interface.
  - 6. The method of claim 1, wherein each user identifier associated with each data object has a type of access permission, and access to that data object by a process utilizing any particular user identifier is allowed to perform only those actions defined by the access permission type.
  - 7. The method of claim 6, wherein the access permission types include read for read only access, write for write access, and delete for delete access.
  - 8. The method of claim 1, wherein each data manager associated with any particular data object has a type of access permission, and access to that data object by a process utilizing any particular data manager identifier is allowed to perform only those actions defined by the access permission type.
  - 9. The method of claim 8, wherein the access permission types include read for read only access, write for write access, delete for delete access, and update for access to the associated user identifiers for modification thereof.

10. A computer-implemented method for controlling access to a plurality of data objects in a data processing system, comprising the steps of:
- for each data object, providing a user list containing at least one user identifier, and a data manager list containing at least two data manager identifiers;
  
  each time a data manager accesses a data object, comparing an identifier for such data manager with the data manager list for such object, and comparing a user identifier of a user which invoked the data manager with the user list for such object; and
  
  permitting access to the data object only if the user identifier is contained in the user identifier list, each of the data manager identifiers are contained in the data manager identifier list, and each of the data managers in the data manager list has been invoked in a chain to access the selected data object.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein each user identifier contained in the user identifier list of each data object has a type of access permission, and access to that data object by a data manager utilizing any particular user identifier is allowed to perform only those actions defined by the access permission type.
  - 12. The method of claim 11, wherein the access permission types include read for read only access, write for write access, and delete for delete access.
  - 13. The method of claim 10, wherein each data manager contained in the data manager identifier list of each data object has a type of access permission, and access to that data object by a data manager utilizing any particular data manager identifier is allowed to perform only those actions defined by the access permission type.
  - 14. The method of claim 13, wherein,the access permission types include read for read only access, write for write access, delete for delete access, and update for access to the associated user identifiers for modification thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tate, Kay A., Kramer, Paul H.
Primary Examiner(s)
Kriess, Kevin A.
Assistant Examiner(s)
BACKENSTOSE, JONATHAN

Application Number

US07/969,678
Time in Patent Office

921 Days
Field of Search

364/969.4, 364/969, 364/969.2, 364/969.3, 364/246.6, 364/246.8, 364/246.9, 395/700, 395/246.6, 395/246.8, 395/246.9, 395/969, 395/969.2, 395/969.3, 395/969.4
US Class Current

718/104
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Method for protecting data in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

263 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Method for protecting data in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

263 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others