Object-oriented access control method and system for military and commercial file systems
First Claim
1. A computer program product including a computer-readable medium, comprising:
- a computer-readable protected resource program code, including a data manager and a protected resource element;
a computer-readable protecting resource program code including a protecting resource manager and an access control element; and
a computer-readable client program code, sending a request to the protected resource program code for access to the protected element,wherein in response to the request from said client program code said data manager identifies said protecting resource manager based on the request for access to the protected element and sends a request to said protecting resource program code, and in response to said request from said data manager said protecting resource manager determines based on the access control element whether to grant access to said protected element,wherein said protected resource program code and said protecting resource program code are to be operated in computing devices arranged in a distributed manner.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and system are provided for controlling a client'"'"'s access to a protected element, in which the protected element is contained in a protected resource which includes a data manager. The invention provides efficient access control for existing data elements while requiring only minimal changes to existing software components. In response to a request for access to the protected element the data manager sends an authorization checking request to a protecting resource. The protecting resource, which is in a distributed arrangement with the protected resource, determines, based on an access control element which can be associated with one or more protected elements, whether the client has permission to be provided the requested access to the protected element. It then sends an access control message (e.g. YES/NO) to the data manager based on the determination, and optionally send explanatory information if access is denied. Access to the protected element is provided or denied based on that message. The protected element can be a file, a data block within a database, an object, method or object-method in an object-oriented system.
140 Citations
31 Claims
-
1. A computer program product including a computer-readable medium, comprising:
-
a computer-readable protected resource program code, including a data manager and a protected resource element; a computer-readable protecting resource program code including a protecting resource manager and an access control element; and a computer-readable client program code, sending a request to the protected resource program code for access to the protected element, wherein in response to the request from said client program code said data manager identifies said protecting resource manager based on the request for access to the protected element and sends a request to said protecting resource program code, and in response to said request from said data manager said protecting resource manager determines based on the access control element whether to grant access to said protected element, wherein said protected resource program code and said protecting resource program code are to be operated in computing devices arranged in a distributed manner. - View Dependent Claims (3, 4)
-
-
2. A method for controlling access to a protected element, wherein the protected element is included in a protected resource, the method comprising:
-
identifying a protecting resource including an access control element associated with the protected element; sending from the protected resource to the protecting resource information for deciding whether a requested access to the protected element is to be permitted; checking the access control element, in response to receipt of said information, for permission of a client to be provided the requested access to the protected element; and providing the client with the requested access to the protected element if and only if the checked access control element indicates that the client has permission to be provided the requested access to the protected element, wherein the access control element and protected element are in a distributed arrangement.
-
-
5. A method for controlling a client'"'"'s access to a protected element, in which the protected element is contained in a protected resource having a data manager, the method comprising:
-
the data manager receiving a request from the client for an access to the protected element; the data manager identifying a protecting resource associated with the protected element and sending an authorization checking request to the protecting resource in response to receiving the client'"'"'s request for the access; the protecting resource, in response to the authorization checking request, determining whether the client has permission to be provided the access to the protected element and sending, based on the determination, an access control message to the data manager; and the data manager providing the access to the protected element if the access control message indicates the access is permitted. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 25, 26)
-
-
19. A system for controlling access to a protected element, comprising:
-
a protected resource including a data manager and the protected element; a protecting resource including a protecting resource manager and an access control element associated with the protected element; and a client, sending a request to the protected resource for an access to the protected element, wherein in response to the request from said client the data manager identifies said protecting resource based on the request for the access and sends a request to said protecting resource, and in response to said request from said data manager said protecting resource manager determines based on the access control element whether to grant the requested access to said protected element, wherein said protected resource and said protecting resource are in a distributed arrangement. - View Dependent Claims (20, 21, 22, 23, 24, 27, 28, 29, 30, 31)
-
Specification