Method and system for advanced role-based access control in distributed and centralized computer systems
Abstract
A method and system for registration, authorization, and control of access rights in a computer system. Access rights of subjects on objects in a computer system are controlled using parameterized role types that can be instantiated into role instances equivalent to roles or groups. The required parameters are provided by the subject of the computer system, e.g. by a person, a job position, or an organization unit. Furthermore, relative resource sets are instantiated into concrete resource sets and individual resources by using the same parameter values as for instantiating the role types. Authorization and control of access rights include capability lists providing the access rights of the subjects on the objects of a computer system on a per subject basis. Furthermore, access control lists are derived from capability lists, so that access rights of the subjects on the respective objects are provided.
508 Citations
11 Claims
1. A method for controlling access rights of at least one subject on at least one object in a computer system, wherein said subject is associated to at least one role, said method comprising the steps of:
- controlling said access rights dependent on a membership of said subject to said role,
- controlling said access rights dependent on a parameterized role type,
- controlling said access rights dependent on at least one parameterized relative resource set,
- representing said role by instantiating a role instance by deriving said role instance from said role type, said step of instantiating said role instance being based on providing a parameter value to said role type, said parameter value further characterizing said subject,
- instantiating a concrete resource set by deriving said concrete resource set from said relative resource set, said step of instantiating said concrete resource set being based on providing said parameter value to said relative resource set, and
- providing said object as an element of said concrete resource sets.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computer system for registration, authorization, and control of access rights of at least one subject on at least one object, said system comprising:
- at least one parameterized relative resource set, and
- a concrete resource set, instantiated and derived from said relative resource set, said object being an element of said concrete resource set, and
- a parameterized role type for controlling said access rights, and
- a role instance derived by instantiation from said role type and providing said subject a parameter, and
- a capability list derived by instantiation from a capability list type, said capability list being associated with said role instance and with said subject and providing said access rights of said subject on said object, and
- an access control list for said object providing said access rights of subjects on said object, and
- means for deriving said access control lists of said objects from capability lists associated with subjects, and
- means for deriving said access control lists during a configuring step of said system.

Dependent claims: 11.
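As an added illustration of the model described in the abstract and claims (example code, not code from the patent or its assignee): parameterized role types and relative resource sets are instantiated with the same parameter value taken from the subject, which yields per-subject capability lists, and the per-object access control lists are then derived from those capability lists. The objects, their attributes, the role types, the subjects and the rights are all constructed for this example; the class and function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample objects (name -> attributes), hypothetical, not from the patent.
OBJECTS = {"apollo/spec": {"project": "apollo"}, "apollo/budget": {"project": "apollo"},
           "zeus/spec": {"project": "zeus"}}
@dataclass(frozen=True)
class RelativeResourceSet:
    """Parameterized set: every object whose `attr` equals the bound parameter value."""
    attr: str
    def instantiate(self, param, objects):  # -> concrete resource set
        return frozenset(n for n, a in objects.items() if a.get(self.attr) == param)
@dataclass(frozen=True)
class RoleType:
    """Parameterized role type: which subject attribute supplies the parameter and
    which rights it grants on which relative resource sets."""
    param_attr: str
    grants: tuple  # ((RelativeResourceSet, frozenset_of_rights), ...)
    def instantiate(self, subject_attrs):  # -> role instance bound to the subject's value
        return RoleInstance(self, subject_attrs[self.param_attr])  # KeyError = no role
@dataclass(frozen=True)
class RoleInstance:
    role_type: RoleType
    param: str
    def capability_list(self, objects):  # -> {object: rights}; the same parameter
        caps = defaultdict(frozenset)    # value instantiates the relative resource sets
        for rset, rights in self.role_type.grants:
            for obj in rset.instantiate(self.param, objects):
                caps[obj] |= rights
        return dict(caps)
def capability_lists(subjects, objects):  # subject -> {object: rights}, over all roles
    out = {}
    for subj, (attrs, role_types) in subjects.items():
        caps = defaultdict(frozenset)
        for rt in role_types:
            for obj, rights in rt.instantiate(attrs).capability_list(objects).items():
                caps[obj] |= rights
        out[subj] = dict(caps)
    return out
def derive_acls(cap_lists):  # object -> {subject: rights}: transpose of capability lists
    acls = defaultdict(dict)
    for subj, caps in cap_lists.items():
        for obj, rights in caps.items():
            acls[obj][subj] = rights
    return dict(acls)
PROJECT = RelativeResourceSet("project")
MEMBER = RoleType("project", ((PROJECT, frozenset({"read"})),))
LEAD = RoleType("project", ((PROJECT, frozenset({"read", "write"})),))
SUBJECTS = {"alice": ({"project": "apollo"}, [LEAD]), "bob": ({"project": "zeus"}, [MEMBER]),
            "carol": ({"project": "apollo"}, [MEMBER])}  # constructed subjects
ACLS = derive_acls(capability_lists(SUBJECTS, OBJECTS))
```

Because `ACLS` is computed once from the capability lists, a subject whose parameter value changes (e.g. moves to another project) gets a different concrete resource set on the next derivation, which is the configuring step claim 10 refers to.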
Specification