Distributed system and method for controlling access to network resources and event notifications
First Claim
1. An access control system for controlling access to management objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects including:
  - group objects, each defining a group and a set of users who are members of the group; and
  - rule objects, a first subset of the rule objects each specifying:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
  - a second subset of the rule objects in the access control database each specifying:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to event notifications generated by the specified set of management objects; and
- an event router that receives event notifications generated by the management objects and sends corresponding event notification messages only to users in groups who have access rights to those event notifications in accordance with the access rights specified in the access control database; and
- at least one access control server that receives access requests from users and controls access to the management objects in accordance with the access rights specified in the access control database;
  - a subset of the access requests specifying operations to be performed on specified sets of the management objects;
  - the at least one access control server responding to the access requests from the users by granting, denying, and partially granting and denying the access requested in each access request in accordance with the access rights specified in the access control database.
Abstract
An access control database defines access rights through the use of access control objects. The access control objects include group objects, each defining a group and a set of users who are members of the group, and rule objects. A first subset of the rule objects each specify a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects. The access control server responds to the access requests from the users by granting, denying and partially granting and denying the access requested in each access request in accordance with the access rights specified in the access control database. A second subset of the rule objects in the access control database each specify user access rights to event notifications generated by the specified set of management objects. An event registry is used for registering event notification requests by users, each event notification request specifying event notifications from specified sets of the management objects that are being requested. An event router receives event notifications generated by the management objects. It responds to each event notification by sending corresponding event notification messages to users who have registered a corresponding event notification request with the event registry and also have access rights to the received event notification in accordance with the access rights specified in the access control database.
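As an added illustration (not the patent's own code) of the model the abstract describes: group objects, the two subsets of rule objects, an access control server that evaluates each requested management object separately so a request can be granted, denied or partially granted, and an event router that delivers a notification only to users who both registered for it and hold an event access right. The class and right names, and the sample groups and rules, are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    groups: frozenset      # group objects the rule applies to
    objects: frozenset     # management objects it covers
    rights: frozenset      # rights granted, e.g. "read", "restart", "notify"
    kind: str = "object"   # "object": operations on the objects; "event": their notifications

class AccessControlDB:
    def __init__(self):
        self.groups = {}   # group name -> set of member users
        self.rules = []

    def permitted(self, user, obj, right, kind="object"):
        # Default deny: some rule of this kind must name the object, the right and a group of the user.
        user_groups = {g for g, members in self.groups.items() if user in members}
        return any(r.kind == kind and obj in r.objects and right in r.rights
                   and r.groups & user_groups for r in self.rules)

def handle_request(db, user, operation, objects):
    # Access control server: each object is decided on its own, so the outcome can be a
    # full grant, a full denial, or the claim's third case, a partial grant.
    granted = {o for o in objects if db.permitted(user, o, operation)}
    return granted, set(objects) - granted

class EventRouter:
    def __init__(self, db):
        self.db = db
        self.registry = {}   # event registry: user -> objects whose notifications were requested

    def register(self, user, objects):
        self.registry.setdefault(user, set()).update(objects)

    def route(self, source, event):
        # Deliver only to users who both registered for the source object and hold the
        # "notify" right on it under an event rule; everyone else sees nothing.
        return {u: (source, event) for u, wanted in self.registry.items()
                if source in wanted and self.db.permitted(u, source, "notify", "event")}

def build_demo_db():  # constructed sample data, not from the patent
    db = AccessControlDB()
    db.groups = {"operators": {"alice", "bob"}, "auditors": {"carol"}}
    db.rules = [
        Rule(frozenset({"operators"}), frozenset({"r1", "r2"}), frozenset({"read", "restart"})),
        Rule(frozenset({"auditors"}), frozenset({"r1", "r2", "r3"}), frozenset({"read"})),
        Rule(frozenset({"operators"}), frozenset({"r1"}), frozenset({"notify"}), kind="event"),
    ]
    return db
```

Note that a user registered for an object's events still receives nothing unless an event rule also grants the right, so registration alone never widens access.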
6 Claims
1. An access control system for controlling access to management objects in a distributed network (independent claim, reproduced in full above under First Claim; dependent claims 2 and 3 are not shown on this page).
4. A method of controlling access to management objects in a distributed network, comprising the steps of:
- storing a set of access control objects, including:
  - group objects, each defining a group and a set of users who are members of the group; and
  - rule objects, a first subset of the rule objects each specifying:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
  - a second subset of the rule objects in the access control database each specifying:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to event notifications generated by the specified set of management objects; and
- receiving event notifications generated by the management objects and sending corresponding event notification messages only to users in groups who have access rights to those event notifications in accordance with the access rights specified in the access control database; and
- receiving access requests from users, a subset of the access requests specifying operations to be performed on specified sets of the management objects, and responding to the access requests by granting, denying, and partially granting and denying access to the management objects in accordance with the access rights specified in the access control database.
Dependent claims 5 and 6 are not shown on this page.