Method and system for access and accounting control in a data processing system by using a single resource account for a user or a group of users
Abstract
Disclosed is a method and system for allowing resource control in a UNIX-based system to be done on an aggregate, or group, basis. This enables both access control and accounting to be done in units of groups instead of units of users. This design is upwardly compatible with the current implementation which does resource allocation and accounting in units of users. In addition, the method and system provides greater flexibility in selecting the system availability policy to be enforced. A resource quota scheme is introduced wherein a pooled resource account allows a system administrator to segregate processes into critical/non-critical classifications.
6 Claims
1. A method for controlling resource allocation in a data processing system having user identifiers, processes and resources, comprising the steps of:
- segregating system resources into a single pool and a plurality of group accounts;
- establishing a resource allocation account for each of said group accounts and said pool account, said account specifying resource control information including resource quotas for the account;
- assigning one or more of said user identifiers to said resource allocation group account;
- testing a user process resource request against the specified resource control information for the group account to which said user identifier is assigned;
- granting said resource request, if said request does not exceed resources available to said group account and decrementing group resources available by the amount granted;
- testing said resource request against said pool account information, if said request exceeds resources available to the resource allocation group account;
- denying said resource request, if said request exceeds resources available to the resource allocation pool account; and
- granting said resource request, if said request does not exceed resources available to said pool account and decrementing pool resources available by the amount granted.
3. A method for modifying a UNIX compatible operating system, having credential, audit, and quota subsystems, to provide group resource control, comprising the steps of:
- storing a plurality of administrative objects, each having group resource quota information, one of said administrative objects being a global pool object, said administrative objects being accessible to said credential subsystem;
- assigning zero, one or more user identifiers to each administrative object other than said pool object;
- providing said group resource quota information to said audit subsystem;
- testing said group resource quota information for the assigned administrative object by said quota subsystem when allocating or deallocating resources for a process for a user identifier;
- allocating or deallocating resources for said process if said quota is not exceeded;
- testing said pool object group resource quota information, if said allocation or deallocation exceeds the group resource quota information for the assigned administrative object; and
- rejecting requests to allocate resources when said requests exceed the pool object group resource quota information.
4. A system for controlling resource allocation in a data processing system having user identifiers, processes, and resources comprising:
- means for segregating system resources into a single pool account and a plurality of group accounts;
- means for establishing a resource allocation account for each of said group accounts and for said pool account, said account specifying resource control information including resource quotas;
- storage means for storing said resource allocation accounts;
- means for assigning zero, one or more user identifiers to each of said resource allocation accounts; and
- resource allocation means for testing a user process resource request against the specified resource control information for the account to which said user identifier is assigned, granting the request and decrementing the resources available if the group account resources are available or, if account resources are not available, testing against the resource control information of said pool account, and denying said resource request if said request exceeds resources available to said pool account, or granting the request and decrementing the pool resources available if the request does not exceed available resources in said pool account.
6. A system for modifying a UNIX compatible operating system, having credential, audit, and quota subsystems, to provide group resource control, comprising:
- means for storing administrative objects, having group resource quota information, one of said administrative objects being a global pool object, said administrative objects being accessible to said credential subsystem;
- means for assigning access methods to said administrative objects;
- means for assigning zero, one or more user identifiers to each administrative object other than said pool object;
- means for providing said group resource quota information to said audit subsystem;
- means for testing said group resource quota information for said assigned administrative object by said quota subsystem when allocating or deallocating resources for a process for a user identifier;
- means for allocating or deallocating resources for said process if said quota is not exceeded;
- means for testing said pool object group resource quota information, if said allocation or deallocation exceeds the group resource quota information for the assigned administrative object; and
- rejecting allocation requests that exceed available pool resource quotas.
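The test order recited in claims 1 and 4 (group account first, pool account second, deny otherwise) can be sketched as follows. This is an added example, not code from the patent or from any UNIX implementation; every identifier is hypothetical, the account balances are constructed, and denying a user identifier that has no group assignment is an assumption the claims do not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; nothing here is taken from the patent text
 * or from any UNIX quota implementation. */
typedef struct { const char *name; uint64_t avail; } rac_account;
typedef struct { unsigned uid; rac_account *group; } rac_member;
typedef enum { RAC_GRANT_GROUP, RAC_GRANT_POOL, RAC_DENY } rac_result;

/* Return the group account a user identifier is assigned to, or NULL. */
static rac_account *rac_lookup(const rac_member *tab, size_t n, unsigned uid) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].uid == uid)
            return tab[i].group;
    return NULL;
}

/* Test order from claim 1: group account first, pool account second.
 * Comparing req against the remaining balance (never used + req against a
 * limit) cannot wrap, so a huge request is denied rather than granted.
 * The test and the decrement must be one atomic step: in a concurrent
 * system the caller holds a lock covering both accounts.
 * Assumption: a uid with no group assignment is denied (fail closed). */
static rac_result rac_request(const rac_member *tab, size_t n,
                              rac_account *pool, unsigned uid, uint64_t req) {
    rac_account *group = rac_lookup(tab, n, uid);
    if (group == NULL)
        return RAC_DENY;
    if (req <= group->avail) {
        group->avail -= req;
        return RAC_GRANT_GROUP;
    }
    if (req <= pool->avail) {   /* group balance is left untouched */
        pool->avail -= req;
        return RAC_GRANT_POOL;
    }
    return RAC_DENY;
}

int main(void) {
    rac_account pool = { "pool", 100 }, batch = { "batch", 50 }; /* constructed */
    rac_member tab[] = { { 1001, &batch } };
    uint64_t reqs[] = { 40, 40, 70 };
    for (size_t i = 0; i < 3; i++)
        printf("req=%llu -> %d\n", (unsigned long long)reqs[i],
               (int)rac_request(tab, 1, &pool, 1001, reqs[i]));
    return 0;
}
```

A request that exceeds the group balance is tested whole against the pool, so the group's remaining balance is not consumed by a pool grant.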