Method and apparatus to secure distributed digital directory object changes

US 5,784,560 A
Filed: 12/15/1995
Issued: 07/21/1998
Est. Priority Date: 12/15/1994
Status: Expired due to Term

First Claim

Patent Images

1. A method of resolving object attributes in a computer system, wherein a first object and a second object each have at least one associated attribute and each object is part of a distributed directory having a schema, comprising the steps of:

a) determining an associated attribute of the first object;

b) checking that the second object is included in the associated attribute of the first object;

c) determining an associated attribute of the second object; and

d) checking that the first object is included in the associated attribute of the second object.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing access control to objects in a distributed network directory employing static resolution to resolve object attributes. A first object has a Security Equals attribute and a second object has an Equivalent To Me attribute. Upon receiving a request for the first object to access the second object, authorization of such access is verified by checking if the two attributes are synchronized. The attributes are synchronized when the Security Equals attribute of the first object includes the second object, and the Equivalent To Me attribute of the second object includes the first object. A method of synchronizing the two attributes is also disclosed.

Citations

26 Claims

1. A method of resolving object attributes in a computer system, wherein a first object and a second object each have at least one associated attribute and each object is part of a distributed directory having a schema, comprising the steps of:
- a) determining an associated attribute of the first object;
  
  b) checking that the second object is included in the associated attribute of the first object;
  
  c) determining an associated attribute of the second object; and
  
  d) checking that the first object is included in the associated attribute of the second object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21, 22, 23)
- - 2. A method as recited in claim 1, further comprising the step of notifying that the attributes of the first and second objects are not synchronized if at least one of the following events occurs:
    - a) the second object is not included in the associated attribute of the first object;
      
      orb) the first object is not included in the associated attribute of the second object.
  - 3. A method as recited in claim 1, further comprising the step of allowing the first object to access the second object if:
    - a) the second object is included in the associated attribute of the first object; and
      
      b) the first object is included in the associated attribute of the second object.
  - 4. A method as recited in claim 1, wherein the first and second objects employ static resolution.
  - 5. A method as recited in claim 1, wherein the associated attribute of the first object is a Security Equals attribute, and the associated attribute of the second object is an Equivalent To Me attribute.
  - 6. A method as recited in claim 1, wherein the first and second objects are contained within different partitions in a distributed directory.
  - 7. A method as recited in claim 6, wherein the different partitions are maintained by different servers.
  - 21. A method as recited in claim 1, wherein the schema comprises a plurality of class definitions, each of the objects belonging to at least one class definition.
  - 22. A method as recited in claim 21, wherein the schema comprises a plurality of attribute definitions, each of the objects having at least one attribute definition.
  - 23. A method as recited in claim 22, wherein at least one attribute definition has a plurality of attribute values.

8. A method of synchronizing an associated attribute of a first object and an associated attribute of a second object in a computer system, wherein each object is part of a distributed directory having a schema, comprising the steps of:
- a) receiving a request to modify the associated attribute of the second object;
  
  b) verifying that the associated attribute of the second object may be modified;
  
  c) modifying the associated attribute of the second object; and
  
  d) synchronizing the associated attribute of the first object and the associated attribute of the second object by modifying the associated attribute of the first object to correspond to the modified associated attribute of the second object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A method as recited in claim 8, further comprising after Step (c) and before Step (d) the step of verifying that the associated attribute of the second object has been modified.
  - 10. A method as recited in claim 8, wherein the act of modifying an associated attribute includes one or more of the following steps:
    - a) adding a value to such an attribute;
      
      b) deleting a value to such an attribute;
      
      orc) changing a value to such an attribute.
  - 11. A method as recited in claim 8, wherein the step of modifying the associated attribute of the first object to correspond to the modified associated attribute of the second object is achieved by adding the second object to the attribute of the first object if the first attribute was added to the attribute of the second object.
  - 12. A method as recited in claim 8, wherein the step of modifying the associated attribute of the first object to correspond to the modified associated attribute of the second object is achieved by deleting the second object from the attribute of the first object if the first object was deleted from the attribute of the second object.
  - 13. A method as recited in claim 8, wherein the first and second objects are contained within different partitions in a distributed directory.
  - 14. A method as recited in claim 13, wherein the different partitions are maintained by different servers.

15. A method of verifying that a first object has authorization to access a second object in a computer system, wherein the first object and the second object each have at least one associated attribute and each object is part of a distributed directory having a schema, comprising the steps of:
- a) receiving a request for the first object to access the second object;
  
  b) determining the associated attribute of the first object and the associated attribute of the second object;
  
  c) checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
  
  d) verifying that the first object has authorization to access the second object if;
  
  i. the second object is included in the associated attribute of the first object; and
  
  ii. the first object is included in the associated attribute of the second object.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A method as recited in claim 15, further comprising the step of:
    - notifying that an unauthorized access to the second object was attempted if one of the following events occurs;
      
      a) the second object is not included in the associated attribute of the first object;
      
      orb) the first object is not included in the associated attribute of the second object.
  - 17. A method as recited in claim 15, wherein the first and second objects employ a static resolution to resolve object attributes.
  - 18. A method as recited in claim 15, wherein the associated attribute of the first object is a Security Equals attribute, and the associated attribute of the second object is an Equivalent to Me attribute.
  - 19. A method as recited in claim 15, wherein the first and second objects are contained within different partitions in a distributed directory.
  - 20. A method as recited in claim 19, wherein the different partitions are maintained by different servers.

24. A computer system comprising a first computer and a second computer which are capable of transmitting and receiving information from one another, which first and second computers access a plurality of objects, wherein the first computer maintains a first object and the second computer maintains a second object, wherein the first and second objects are part of a distributed directory having a schema and wherein the first object has a first associated attribute which references at least the second object and the second object has a second associated attribute which references at least the first object.

25. A computer readable medium comprising a program for resolving object attributes having a first directory object and a second object, wherein each of said objects includes at least one associated attributed, wherein each object is part of a distributed directory having a schema, the program being capable of resolving object attributes by performing the steps of:
- a) receiving a request for the first object to access the second object;
  
  b) determining the associated attribute of the first object and the associated attribute of the second object;
  
  c) checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
  
  d) verifying that the first object has authorization to access the second object if;
  
  i. the second object is included in the associated attribute of the first object; and
  
  ii. the first object is included in the associated attribute of the second object.

26. A computer system accessing a plurality of objects having associated attributes, wherein each of the objects is part of a distributed directory having a schema, the computer system comprising:
- a) means for receiving a request for a first object to access a second object;
  
  b) means for determining an associated attribute of the first object and an associated attribute of the second object;
  
  c) means for checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
  
  d) means for verifying that the first object has authorization to access the second object if;
  
  i. the second object is included in the associated attribute of the first object; and
  
  ii. the first object is included in the associated attribute of the second object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Kingdon, Kevin, Higley, DeeAnne, Childers, Randal Earl, Olds, Dale R.
Primary Examiner(s)
Voeltz, Emanuel T.
Assistant Examiner(s)
ASSOUAD, PATRICK J

Application Number

US08/573,034
Time in Patent Office

949 Days
Field of Search

395/187.01, 395/200.31, 395/200.33, 395/200.42, 395/200.47, 395/200.48, 395/200.53, 395/200.59, 395/200.49, 395/200.56 , 395/200.68, 395/200.55, 370/908
US Class Current

709/201
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2145   Inheriting rights or proper...

Method and apparatus to secure distributed digital directory object changes

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to secure distributed digital directory object changes

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links