Object-oriented trusted application framework
First Claim
1. A data processing system including an access control system for controlling access to portions of a resource and capable of running an application, said access control system includinga trusted framework including a credential class and a label class of objects, anda policy manager including a policy manager class of objects including means for creating label objects for portions of said resource and credential objects corresponding to users of said data processing system and instantiating said label objects and said credential objects in a respective one of said label class and said credential class, and p1 means for comparing a credential object created by said policy manager with a label object created by said policy manager for operation of said access control system.
2 Assignments
0 Petitions
Accused Products
Abstract
An object-oriented framework provides ease of development and alteration of access control systems for arbitrary applications and accomodates arbitrary security policies while providing fine-grained security by providing for creation of labels for portions of a resource such as an application or portions of files, credentials corresponding to users and any other objects of the access control system by providing templates for such objects within at least one policy manager class of objects and which can be selected or modified at will. Provision for creation of label and credential objects which are later compared or correlated for granting or denying access to portions of a resource effectively decouples security policy from security enforcement and allows reconciliation of security policies having inconsistent requirements as well as development of hybrid and customized security policies.
449 Citations
6 Claims
-
1. A data processing system including an access control system for controlling access to portions of a resource and capable of running an application, said access control system including
a trusted framework including a credential class and a label class of objects, and a policy manager including a policy manager class of objects including means for creating label objects for portions of said resource and credential objects corresponding to users of said data processing system and instantiating said label objects and said credential objects in a respective one of said label class and said credential class, and p1 means for comparing a credential object created by said policy manager with a label object created by said policy manager for operation of said access control system.
Specification