Method and system for controlling user access to a resource in a networked computing environment

US 5,956,715 A
Filed: 09/23/1996
Issued: 09/21/1999
Est. Priority Date: 12/13/1994
Status: Expired due to Term

First Claim

Patent Images

1. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:

receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;

in response to the receiving step, determining whether the first element has an associated access control list;

upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;

after the identifying of the second element generating a copy of the access control list of the second element;

modifying the generated copy of the access control list to incorporate the requested change into the generated copy; and

associating the modified copy of the access control list with the first element to establish an updated access control list associated with the first element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unified and straightforward approach to managing file and other resource security in a networked computing environment is disclosed. The invention can be implemented in a multi-user computer network that includes a client computer, a server computer that controls a resource sharable among users of the network, such as a shared file folder or directory, and a communications pathway between the client computer and the server computer. The resource is organized as a hierarchy of elements with a root element at the top of the hierarchy and additional elements below the root element. According to the invention, a request is received to change a protection, such as an access permission, of an element of the resource hierarchy (other than the root) with respect to a particular network user. If the element in question lacks an associated access control list, a nearest ancestor element of the hierarchy is located that has an associated access control list. The first (descendant) element inherits the access control list of the second (ancestor) element. This inheritance is done by generating a copy of the access control list of the second element and associating the generated copy with the first element. The requested change in protection is then incorporated into the generated copy that has been associated with the first element so as to establish an updated access control list for the first element. Further, the requested change can be propagated downwards in the hierarchy from the first element to its descendants having access control lists.

322 Citations

35 Claims

1. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
- receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;
  
  in response to the receiving step, determining whether the first element has an associated access control list;
  
  upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
  
  after the identifying of the second element generating a copy of the access control list of the second element;
  
  modifying the generated copy of the access control list to incorporate the requested change into the generated copy; and
  
  associating the modified copy of the access control list with the first element to establish an updated access control list associated with the first element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the step of receiving a request comprises receiving a request to change a protection of the first element of the hierarchy with respect to all users in a user group, the user group comprising a collection of users of the network.
  - 3. The method of claim 1 wherein:
    - the step of receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network comprises receiving a request to add a permission for said user to access the first element of the hierarchy; and
      
      the step of incorporating the requested change into the generated copy of the access control list comprises adding an entry to the generated copy of the access control list.
  - 4. The method of claim 1 wherein:
    - the step of receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network comprises receiving a request to modify a permission for said user to access the first element of the hierarchy; and
      
      the step of incorporating the requested change into the generated copy thus associated with the first element comprises modifying an entry of the access control list of the generated copy thus associated with the first element.
  - 5. The method of claim 1 wherein:
    - the step of receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network comprises receiving a request to remove a permission for said user to access the first element of the hierarchy; and
      
      the step of incorporating the requested change into the generated copy thus associated with the first element comprises removing an entry from the access control list of the generated copy thus associated with the first element.
  - 6. The method of claim 1 wherein:
    - the step of receiving a request to change a protection of a first element of the hierarchy comprises receiving a request to remove permissions for all users of the network to access the first element of the hierarchy; and
      
      the step of incorporating the requested change into the generated copy of the access control list comprises removing all entries from the generated copy of the access control list to establish an empty access control list associated with the first element, such that no user of the network is authorized to access the first element.
  - 7. The method of claim 1 and further comprising the step of:
    - propagating the requested change downwards in the hierarchy from the first element to every element of the hierarchy that is a descendant of the first element in the hierarchy and has an associated access control list by merging the requested change into the access control list of every such element.
  - 8. The method of claim 1 and further comprising the steps of:
    - identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy; and
      
      upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element.
  - 9. The method of claim 1 wherein the computer network further comprises a client computer and a communications pathway between the client computer and the server computer, and further comprising the steps of:
    - issuing from the client computer a request for a user of the network to access an element of the resource;
      
      receiving the issued request in the server computer; and
      
      responding to the issued request in a manner consistent with the updated access control list.

10. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
- determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements;
  
  upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
  
  upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element;
  
  displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element;
  
  receiving via the user interface a command to modify the permissions list; and
  
  responsively to the received command;
  
  initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource; and
  
  incorporating the requested change into the generated copy of the access control list associated with the first element to establish an updated access control list associated with the first element.
- View Dependent Claims (11, 12, 13, 14, 15, 30, 31, 32)
- - 11. The method of claim 10 wherein the step of displaying permission information from a permissions list comprises displaying permission information from the generated copy of the access control list of the second element.
  - 12. The method of claim 10 wherein the displaying step includes displaying permission information from a permissions list including an association between a user group comprising a collection of users and an access permission with respect to the users of the user group.
  - 13. The method of claim 10 wherein the computer network further comprises a remote computer that includes the user interface and a communications pathway between the remote computer and the server computer, and wherein the initiating step comprises sending a communication between the remote computer and the server computer via the communications pathway.
  - 14. The method of claim 10 and further comprising the steps, performed responsively to the received command, of:
    - identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy; and
      
      upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element.
  - 15. The method of claim 10 wherein the computer network further comprises a client computer and a communications pathway between the client computer and the server computer, and further comprising the steps of:
    - issuing from the client computer a request for a user of the network to access an element of the resource;
      
      receiving the issued request in the server computer; and
      
      responding to the issued request in a manner consistent with the updated access control list.
  - 30. The method of claim 10 wherein the receiving step includes the step of receiving via the user interface a command to add to the permissions list an association between a user not displayed in the displaying step and access permissions with respect to that user.
  - 31. The method of claim 10 wherein the receiving step includes the step of receiving via the user interface a command to modify access permissions associated with an identified user, the command generated in response to receiving from the user interface a command to identify the user.
  - 32. The method of claim 10 wherein the receiving step includes the step of receiving via the user interface a command to delete an association between an identified user and access permissions with respect to the identified user generated in response to receiving via the user interface a command to identify the identified user.

16. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
- receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;
  
  p1 after the receiving of the request, associating the first element with an access control list by inheriting in the first element an access control list from an element that is a proximate ancestor of the first element in the hierarchy;
  
  identifying a second element of the hierarchy, the second element having an associated access control list and being a descendant of the first element in the hierarchy; and
  
  upon identifying the second element, propagating the requested change downwards in the hierarchy from the first element to the second element by merging the requested change into the access control list of the second element.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 wherein the step of receiving a request comprises receiving a request to change a protection of the first element with respect to all users in a user group, the user group comprising a collection of users of the network.
  - 18. The method of claim 16 wherein the computer network further comprises a client computer and a communications pathway between the client computer and the server computer, and further comprising the steps of:
    - issuing from the client computer a request for a user of the network to access an element of the resource;
      
      receiving the issued request in the server computer; and
      
      responding to the issued request in a manner consistent with the propagated requested change.

19. In a computer network providing a shareable resource comprising components and having a first set of access permissions for a first component of the resource, a method of controlling access to the resource, the method comprising the computer-implemented steps of:
- designating a second component of the resource for which no set of access permissions has been established;
  
  making a copy of the first set of access permissions;
  
  generating a second set of access permissions by modifying the copy of the first set of access permissions;
  
  associating the second set of access permissions with the second component of the resource; and
  
  merging the second set of access permissions with a third set of access permissions for a third component of the resource.
- View Dependent Claims (20)
- - 20. The method of claim 19 wherein components of the resource are organized in a hierarchy, wherein the designating step comprises designating a second component that is a descendant of the first component in the hierarchy, and wherein the merging step comprises merging the second set of access permissions with a third set of access permissions for a third component of the resource that is a descendant of the second component in the hierarchy.

21. A computer network system for use by a plurality of users, comprising:
- a shareable resource comprising a hierarchy of elements;
  
  a server computer mediating user access to the resource;
  
  a client computer;
  
  communications means for operatively coupling the client computer to the server computer;
  
  resource protection means for controlling user access permissions for the resource;
  
  means for designating an element of the hierarchy;
  
  means for indicating a set of user access permissions for the designated element;
  
  means for conveying a request to the resource protection means, the request communicating the designated element and the indicated set of user access permissions for the designated element to the server computer; and
  
  means for responding to the conveyed request, comprising;
  
  means for locating an established set of user access permissions, the established set most preferentially being associated with the designated element, the established set less preferentially being associated with a nearest ancestor element located above the designated element in the hierarchy;
  
  means for generating a modified version of the established set responsively to the indicated set of user access permissions; and
  
  means for associating the modified version of the established set with the designated element to establish a new set of access permissions for the designated element.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21 and further comprising:
    - means for accessing the resource from the client computer consistently with the new set of access permissions established for the designated element.
  - 23. The system of claim 21 wherein the means for responding to the conveyed request further comprises:
    - means for locating an additional established set of user access permissions, the additional established set being associated with a selected element that is a descendant of the designated element in the hierarchy;
      
      means for modifying the additional established set responsively to the indicated set of user access permissions by merging modifications in the modified version of the established set into the additional established set; and
      
      means for associating the modified additional established set with the selected element to establish a new set of access permissions for the selected element.
  - 24. The system of claim 21 wherein the shareable resource comprises a hierarchical file system.
  - 25. The system of claim 24 wherein the hierarchical file system comprises files and folders, and the designated element comprises a folder.
  - 26. The system of claim 24 wherein the shareable resource includes a configuration database.
  - 27. The system of claim 21 and further comprising an additional shareable resource.
  - 28. The system of claim 27 wherein the additional shareable resource includes a printer.
  - 29. The system of claim 27 wherein the additional shareable resource includes a modem.

33. In a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of providing security for the resource, the method comprising the computer-implemented steps of:
- determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements;
  
  upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
  
  upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element;
  
  displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element;
  
  receiving via the user interface a command to modify the permissions list;
  
  responsively to the received command;
  
  initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource;
  
  incorporating the requested change into the generated copy associated with the first element to establish an updated access control list associated with the first element;
  
  in response to the step of receiving a command identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy;
  
  upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element;
  
  displaying via the user interface a prompt enabling a user of the user interface to select whether the requested change should be propagated downward in the hierarchy from the first element; and
  
  receiving via the user interface a selection that the requested change should be propagated downward in the hierarchy from the first element, and wherein the propagating step is performed in response to a step of receiving a selection that the requested change should be propagated downward in the hierarchy from the first element.

34. An article of computer-readable media having contents that cause a computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, to provide security for the resource by performing the computer-implemented steps of:
- receiving a request to change a protection of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements, the protection comprising an access permission for the resource;
  
  determining whether the first element has an associated access control list;
  
  upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
  
  upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element; and
  
  incorporating the requested change into the generated copy thus associated with the first element to establish an updated access control list associated with the first element.

35. A computer-readable medium whose contents cause a computer network to provide security for a resource, the computer network having a plurality of users and comprising a server computer controlling a resource sharable by users of the network and a user interface for controlling access permissions for the resource, the resource being organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, by performing the steps of:
- determining whether a first element of the hierarchy has an associated access control list, the first element being a specified one of the additional elements;
  
  upon determining that the first element lacks an associated access control list, identifying a second element of the hierarchy, the second element having an associated access control list and being a proximate ancestor of the first element in the hierarchy;
  
  upon identifying the second element, inheriting in the first element the access control list of the second element by generating a copy of the access control list of the second element and associating the generated copy with the first element;
  
  displaying via the user interface permission information from a permissions list comprising a set of associations between selected users of the network and access permissions with respect to the selected users for the first element;
  
  receiving via the user interface a command to modify the permissions list;
  
  responsively to the received command;
  
  initiating a request to change a protection of the first element of the hierarchy with respect to a user of the network, the protection comprising an access permission for the resource;
  
  incorporating the requested change into the generated copy associated with the first element to establish an updated access control list associated with the first element;
  
  in response to the step of receiving a command identifying a third element of the hierarchy, the third element having an associated access control list and being a descendant of the first element in the hierarchy;
  
  upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the access control list of the third element;
  
  displaying via the user interface a prompt enabling a user of the user interface to select whether the requested change should be propagated downward in the hierarchy from the first element; and
  
  receiving via the user interface a selection that the requested change should be propagated downward in the hierarchy from the first element, and wherein the propagating step is performed in response to a step of receiving a selection that the requested change should be propagated downward in the hierarchy from the first element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Price, Robert M., Glasser, Daniel S., McCurdy, Ann Elizabeth
Primary Examiner(s)
Sheikh, Ayaz R.
Assistant Examiner(s)
Myers, Paul R.

Application Number

US08/710,975
Time in Patent Office

1,093 Days
Field of Search

395/200.12, 395/726, 395/188.01, 395/200.57, 395/186, 340/825.34, 380/25, 380/49, 707/9, 707/103
US Class Current

1/1
CPC Class Codes

G06F 16/185   Hierarchical storage manage...

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Y10S 707/99944   Object-oriented database st...

Method and system for controlling user access to a resource in a networked computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

322 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling user access to a resource in a networked computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

322 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links