Method and system for controlling access to objects in a data processing system based on temporal constraints

US 5,450,593 A
Filed: 12/18/1992
Issued: 09/12/1995
Est. Priority Date: 12/18/1992
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method of controlling access in a data processing system, comprising the steps of:

a) providing a schedule of access for a security subject to access an object of said data processing system, said schedule containing one or more times, for each time there being a corresponding change in said access of said security subject to said object;

b) automatically determining if any one of said times in said schedule has occurred, said automatic determination occurring independently from actions taken by said security subject;

c) automatically implementing said change in said access to said object according to said schedule, said implementation of said change in access corresponding to said occurred time in said schedule;

d) repeating steps b) and c) if none of said times in said schedule have yet occurred or if there are other of said times in said schedule that have not yet occurred;

e) wherein said step of automatically implementing said access change further comprises the step of determining if there is authorization to implement said access change, and preventing implementation of said access change if it is determined that no authorization to implement the access change exists.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access by a security subject to an object on a data processing system is automatically controlled in accordance with a time based schedule. In accordance with times contained in the schedule, an access control list of an object is modified by either adding, to invoke access, or deleting, to revoke access, a security subject. The schedule is made up of one or more requests for single access or cyclical accesses that are stored in a request queue. The request queue is periodically polled to determine if any requests qualify for further processing. A request is processed if the time for changing the status of the security subject on the access control list, as specified by the request, is either the same as or less than the current time of the data processing system. Processing the request modifies the access control list by either adding or deleting the security subject to or from the access control list.

Citations

10 Claims

1. A computer implemented method of controlling access in a data processing system, comprising the steps of:
- a) providing a schedule of access for a security subject to access an object of said data processing system, said schedule containing one or more times, for each time there being a corresponding change in said access of said security subject to said object;
  
  b) automatically determining if any one of said times in said schedule has occurred, said automatic determination occurring independently from actions taken by said security subject;
  
  c) automatically implementing said change in said access to said object according to said schedule, said implementation of said change in access corresponding to said occurred time in said schedule;
  
  d) repeating steps b) and c) if none of said times in said schedule have yet occurred or if there are other of said times in said schedule that have not yet occurred;
  
  e) wherein said step of automatically implementing said access change further comprises the step of determining if there is authorization to implement said access change, and preventing implementation of said access change if it is determined that no authorization to implement the access change exists.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein:
    - a) said step of providing said schedule further comprises the step of providing a request for periodic access by providing a beginning of schedule time, an end of schedule time, a first window of time units and a second window of time units;
      
      b) said step of automatically determining if any one of said times has occurred further comprises the steps of automatically determining if the beginning of schedule time has occurred, and automatically determining if the end of schedule time has occurred, andc) said step of automatically implementing a change in said access further comprises the steps of alternately invoking said access for a length of time determined by said first window and revoking access for a length of time determined by said second window upon a determination that the beginning of schedule time has occurred, and revoking said access upon a determination that the end of schedule time has occurred.
  - 3. The method of claim 1 wherein said step of providing said schedule further comprises the step of providing a request for a single access by providing a first time for invoking access of said security subject to said object and a second time for revoking said access.
  - 4. The method of claim 1 wherein said step of automatically determining if any one of said times in said schedule has occurred further comprises periodically polling said schedule.
  - 5. The method of claim 1 wherein said step of automatically implementing said access change further comprises the step of modifying an access control list of said object.

6. A data processing system having controlled access, comprising:
- a) means for providing a schedule of access for a security subject to access an object of said data processing system, said schedule containing one or more times, for each time there being a corresponding change in said access of said security subject to said object;
  
  b) means for automatically determining if any one of said times in said schedule has occurred, said means for automatically determining being coupled to said means for providing a schedule of access, said means for automatically determining operating independently from actions taken by said security subject; and
  
  c) means for automatically implementing said access change that corresponds to said occurred time, said means for automatically implementing being coupled to said means for automatically determining and said means for automatically implementing being invoked by said means for automatically determining upon the determination that one of said times has occurred wherein said means for automatically implementing said access change further comprises means for automatically determining if there is authorization to implement said access change, and means for preventing implementation of said access change if it is determined that no authorization to implement the access change exists.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein:
    - a) said means for providing a schedule further comprises means for providing a request for periodic access that has a beginning of schedule time, an end of schedule time, a first window of time units and a second window of time units;
      
      b) said means for automatically determining if any one of said times has occurred further comprises;
      
      i) means for automatically determining if the beginning of schedule time has occurred;
      
      ii) means for automatically determining if the end of schedule time has occurred;
      
      c) said means for automatically implementing a change in access further comprises;
      
      i) means for alternately invoking said access for a length of time determined by said first window and revoking said access for a length of time determined by said second window, said means for alternately invoking and revoking said access being responsive to said means for automatically determining if the beginning of schedule time has occurred; and
      
      ii) means for revoking said access, said means for revoking said access being responsive to said means for automatically determining if the end of schedule time has occurred.
  - 8. The system of claim 6 wherein said means for providing said schedule further comprises means for providing a request for a single access having a first time for invoking access of said security subject to said object and a second time for revoking said access.
  - 9. The system of claim 6 wherein said means for automatically determining if any one of said times in said schedule has occurred further comprises means for periodically polling said schedule.
  - 10. The system of claim 6 wherein said means for automatically implementing said access change further comprises means for modifying an access control list of said object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Howell, William E., Reddy, Hari N.
Primary Examiner(s)
Ray, Gopal C.

Application Number

US07/993,283
Time in Patent Office

998 Days
Field of Search

395/725, 395/425, 395/325, 395/575, 395/700, 395/650, 380/4, 380/25, 380/23, 380/49, 340/825.31, 340/825.34
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Method and system for controlling access to objects in a data processing system based on temporal constraints

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling access to objects in a data processing system based on temporal constraints

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links