Method and system for controlling user access to a resource in a networked computing environment
First Claim
1. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
- receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;
in response to the receiving step, determining whether the first element has an associated access control list;
upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
after the identifying of the second element generating a copy of the access control list of the second element;
modifying the generated copy of the access control list to incorporate the requested change into the generated copy; and
associating the modified copy of the access control list with the first element to establish an updated access control list associated with the first element.
1 Assignment
0 Petitions
Accused Products
Abstract
A unified and straightforward approach to managing file and other resource security in a networked computing environment is disclosed. The invention can be implemented in a multi-user computer network that includes a client computer, a server computer that controls a resource sharable among users of the network, such as a shared file folder or directory, and a communications pathway between the client computer and the server computer. The resource is organized as a hierarchy of elements with a root element at the top of the hierarchy and additional elements below the root element. According to the invention, a request is received to change a protection, such as an access permission, of an element of the resource hierarchy (other than the root) with respect to a particular network user. If the element in question lacks an associated access control list, a nearest ancestor element of the hierarchy is located that has an associated access control list. The first (descendant) element inherits the access control list of the second (ancestor) element. This inheritance is done by generating a copy of the access control list of the second element and associating the generated copy with the first element. The requested change in protection is then incorporated into the generated copy that has been associated with the first element so as to establish an updated access control list for the first element. Further, the requested change can be propagated downwards in the hierarchy from the first element to its descendants having access control lists.
322 Citations
35 Claims
-
1. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
-
receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource; in response to the receiving step, determining whether the first element has an associated access control list; upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy; after the identifying of the second element generating a copy of the access control list of the second element; modifying the generated copy of the access control list to incorporate the requested change into the generated copy; and associating the modified copy of the access control list with the first element to establish an updated access control list associated with the first element. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
-
determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements; upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy; upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element; displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element; receiving via the user interface a command to modify the permissions list; and responsively to the received command; initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource; and incorporating the requested change into the generated copy of the access control list associated with the first element to establish an updated access control list associated with the first element. - View Dependent Claims (11, 12, 13, 14, 15, 30, 31, 32)
-
-
16. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
-
receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;
p1 after the receiving of the request, associating the first element with an access control list by inheriting in the first element an access control list from an element that is a proximate ancestor of the first element in the hierarchy;identifying a second element of the hierarchy, the second element having an associated access control list and being a descendant of the first element in the hierarchy; and upon identifying the second element, propagating the requested change downwards in the hierarchy from the first element to the second element by merging the requested change into the access control list of the second element. - View Dependent Claims (17, 18)
-
-
19. In a computer network providing a shareable resource comprising components and having a first set of access permissions for a first component of the resource, a method of controlling access to the resource, the method comprising the computer-implemented steps of:
-
designating a second component of the resource for which no set of access permissions has been established; making a copy of the first set of access permissions; generating a second set of access permissions by modifying the copy of the first set of access permissions; associating the second set of access permissions with the second component of the resource; and merging the second set of access permissions with a third set of access permissions for a third component of the resource. - View Dependent Claims (20)
-
-
21. A computer network system for use by a plurality of users, comprising:
-
a shareable resource comprising a hierarchy of elements; a server computer mediating user access to the resource; a client computer; communications means for operatively coupling the client computer to the server computer; resource protection means for controlling user access permissions for the resource; means for designating an element of the hierarchy; means for indicating a set of user access permissions for the designated element; means for conveying a request to the resource protection means, the request communicating the designated element and the indicated set of user access permissions for the designated element to the server computer; and means for responding to the conveyed request, comprising; means for locating an established set of user access permissions, the established set most preferentially being associated with the designated element, the established set less preferentially being associated with a nearest ancestor element located above the designated element in the hierarchy; means for generating a modified version of the established set responsively to the indicated set of user access permissions; and means for associating the modified version of the established set with the designated element to establish a new set of access permissions for the designated element. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
-
-
33. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
-
determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements; upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy; upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element; displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element; receiving via the user interface a command to modify the permissions list; responsively to the received command; initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource; incorporating the requested change into the generated copy associated with the first element to establish an updated access control list associated with the first element; in response to the step of receiving a command identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy; upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element; displaying via the user interface a prompt enabling a user of the user interface to select whether the requested change should be propagated downward in the hierarchy from the first element; and receiving via the user interface a selection that the requested change should be propagated downward in the hierarchy from the first element, and wherein the propagating step is performed in response to a step of receiving a selection that the requested change should be propagated downward in the hierarchy from the first element.
-
-
34. An article of computer-readable media having contents that cause a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, to provide security for the resource by performing the computer-implemented steps of:
-
receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource; determining whether the first element has an associated access control list; upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy; upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element; and incorporating the requested change into the generated copy thus associated with the first element to establish an updated access control list associated with the first element.
-
-
35. A computer-readable medium whose contents cause a computer network to provide security for a resource, the computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, by performing the steps of:
-
determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements; upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy; upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element; displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element; receiving via the user interface a command to modify the permissions list; responsively to the received command; initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource; incorporating the requested change into the generated copy associated with the first element to establish an updated access control list associated with the first element; in response to the step of receiving a command identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy; upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element; displaying via the user interface a prompt enabling a user of the user interface to select whether the requested change should be propagated downward in the hierarchy from the first element; and receiving via the user interface a selection that the requested change should be propagated downward in the hierarchy from the first element, and wherein the propagating step is performed in response to a step of receiving a selection that the requested change should be propagated downward in the hierarchy from the first element.
-
Specification