Method for protecting data in a computer system
First Claim
1. In a data processing system, a computer-implemented method for controlling access to a plurality of data objects, comprising the steps of:
- when each of the plurality of objects is created, associating with such object at least one user identifier, and at least one list of data manager identifiers;
- invoking a first data manager using a user identifier to identify an invoking user;
- invoking a second data manager from the first data manager; and
- when the second data manager later attempts to access a data object, allowing such access only if one of the lists of data manager identifiers associated with the data object contains both the first and second data managers, and the first data manager has been invoked with a user identifier associated with the object.
Abstract
A data processing system includes a plurality of data objects which are accessible by application programs through a system level interface. Each data object has an associated user access list. In addition, each object has at least one key indicating which applications can access that object. The key is preferably maintained in a protected storage area, accessible only by the low level system interface. Both the application identifier key and the user who invoked that application must match the identifier information in the data object for access to be allowed to that object. If an unauthorized user attempts access to the data object through the correct application, or an authorized user attempts access through an incorrect application, access to the data object will be denied by the low level interface.
14 Claims
1. Independent claim 1 is set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer-implemented method for controlling access to a plurality of data objects in a data processing system, comprising the steps of:
- for each data object, providing a user list containing at least one user identifier, and a data manager list containing at least two data manager identifiers;
- each time a data manager accesses a data object, comparing an identifier for such data manager with the data manager list for such object, and comparing a user identifier of a user which invoked the data manager with the user list for such object; and
- permitting access to the data object only if the user identifier is contained in the user identifier list, each of the data manager identifiers is contained in the data manager identifier list, and each of the data managers in the data manager list has been invoked in a chain to access the selected data object.
Dependent claims: 11, 12, 13, 14.
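The access decision described in the abstract and in claims 1 and 10 can be shown as a small model. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes hypothetical names (an object "report", users "alice" and "mallory", data managers EDITOR, SPELLCHECK, BACKUP and HEXDUMP), keeps the per-object keys inside a low-level interface that application code cannot read, and treats each key as an unordered set of data manager identifiers that the chain of invoked managers must match exactly (every manager in the chain is in the list, and every manager in the list was invoked in the chain). Whether the patent intends order within a list to matter is not stated here, so the set interpretation is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class ObjectRecord:
    """Authorization data held for one data object by the low-level interface.

    user_list     - user identifiers associated with the object at creation
    manager_lists - one or more "keys", each a set of data manager identifiers;
                    the whole chain of invoked managers must equal one key
    """
    user_list: frozenset
    manager_lists: tuple


class SystemInterface:
    """Low-level system interface: the only code that reads the keys or the data.

    Application code (the data managers) never sees _records directly; it can
    only ask the interface to check or read an object on its behalf.
    """

    def __init__(self) -> None:
        self._records: dict = {}   # protected storage for the per-object keys
        self._data: dict = {}      # the objects themselves

    def create_object(self, name: str, user_list: Iterable[str],
                      manager_lists: Iterable[Iterable[str]], data: bytes = b"") -> None:
        """Create an object and associate its user identifiers and manager lists."""
        self._records[name] = ObjectRecord(
            user_list=frozenset(user_list),
            manager_lists=tuple(frozenset(key) for key in manager_lists),
        )
        self._data[name] = data

    def is_access_allowed(self, name: str, invoking_user: str,
                          manager_chain: Sequence[str]) -> bool:
        """Decide whether invoking_user, acting through manager_chain, may access the object.

        manager_chain is the ordered list of data managers invoked to reach this
        access: the first was invoked by invoking_user, each later one by its predecessor.
        """
        record = self._records.get(name)
        if record is None or not manager_chain:
            return False
        # Authorized application but unauthorized user: deny.
        if invoking_user not in record.user_list:
            return False
        chain = frozenset(manager_chain)
        # Every manager in the chain must be in the key, and every manager in the
        # key must have been invoked in the chain, i.e. chain == key as sets.
        # An extra unlisted manager or a missing listed manager both fail.
        return any(chain == key for key in record.manager_lists)

    def read(self, name: str, invoking_user: str, manager_chain: Sequence[str]) -> bytes:
        """Return the object's data, or raise PermissionError if the check fails."""
        if not self.is_access_allowed(name, invoking_user, manager_chain):
            raise PermissionError(f"{invoking_user} via {'->'.join(manager_chain)} denied on {name}")
        return self._data[name]


def run_scenarios() -> dict:
    """Constructed scenarios: one object, several user / manager-chain combinations."""
    system = SystemInterface()
    # Constructed object (hypothetical names): readable by "alice" only, and only
    # through the EDITOR->SPELLCHECK pair or through BACKUP on its own.
    system.create_object("report", user_list=["alice"],
                         manager_lists=[("EDITOR", "SPELLCHECK"), ("BACKUP",)],
                         data=b"quarterly figures")
    check = system.is_access_allowed
    return {
        "alice via EDITOR->SPELLCHECK": check("report", "alice", ("EDITOR", "SPELLCHECK")),
        "alice via BACKUP": check("report", "alice", ("BACKUP",)),
        # correct application chain, unauthorized user
        "mallory via EDITOR->SPELLCHECK": check("report", "mallory", ("EDITOR", "SPELLCHECK")),
        # authorized user, application not in any key
        "alice via HEXDUMP": check("report", "alice", ("HEXDUMP",)),
        # authorized user, but SPELLCHECK was not reached through EDITOR as the key requires
        "alice via SPELLCHECK alone": check("report", "alice", ("SPELLCHECK",)),
        # authorized user, listed pair present, but an unlisted manager joined the chain
        "alice via EDITOR->SPELLCHECK->HEXDUMP": check("report", "alice", ("EDITOR", "SPELLCHECK", "HEXDUMP")),
    }


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{label:40s} {'ALLOWED' if allowed else 'DENIED'}")
```

The two denial cases from the abstract both appear: the correct application chain with the wrong user, and the right user through an application that is not on the object's key. The last two scenarios show why the check is on the whole invocation chain rather than on the calling application alone, which is the point of claim 10's requirement that each manager in the list has been invoked in the chain.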
Specification