User access to objects in group based access control based on result of greatest common divisor of assigned unique prime numbers of user and object
Abstract
An access control mechanism using a grouping system whereby each group is assigned a unique prime number. The resource objects to be accessed are assigned a value that is determined by multiplying all of the group prime numbers from the groups that have access to that resource. Also, each user is assigned to one or more groups and each user has an access number that is a product of the prime numbers assigned to each group. When a particular user desires access to a particular resource object, the greatest common divisor between the resource product and the user product is determined. If the resulting greatest common divisor is greater than one, then the user is allowed access. If the greatest common divisor is one (the lowest prime), the user is denied access.
Claims (20)
1. In a group based access control mechanism wherein each of a plurality of access control groups has an associated group number and a set of one or more users assigned thereto, a method for controlling access to objects, comprising the steps of:
associating each group's group number with a unique prime number;
assigning each user a user number that is a given function of the group numbers for the groups to which the user is assigned;
assigning each object an object number that is a given function of the group numbers of the groups having access to the object; and
determining a greatest common divisor of a given user's user number and a given object's object number to determine whether the given user may access the given object.

2. The method as described in claim 1 further including the step of:
permitting the given user to access the given object if the greatest common divisor is greater than a predetermined value indicating that the user number and the object number have no common factors.
4. The method as described in claim 3 wherein the given object is a file.

5. The method as described in claim 4 wherein the given object is accessed for a given operation selected from the set of operations consisting essentially of create, read, write, execute and remove.

6. The method as described in claim 1 further including the step of:
denying the given user access to the given object if the greatest common divisor is the predetermined value.

7. The method as described in claim 1 wherein the greatest common divisor is evaluated using Euclid's theorem.
8. A method for controlling access to objects, comprising the steps of:
for each of a plurality of access groups to which one or more users are assigned, associating each access group's group number with a unique prime number;
assigning each user a user number that is a product of the group numbers for the groups to which the user is assigned;
assigning each object an object number that is a product of the group numbers of the groups having access to the object;
permitting a given user to access a given object if a numerical computation derived from the given user's user number and the given object's object number is a predetermined value.
10. A computer program product in a computer readable medium for use in a group based access control mechanism wherein each of a plurality of access control groups has an associated group number and a set of one or more users assigned thereto, the computer program product comprising:
means for associating each group's group number with a unique prime number greater than one;
means for assigning each user a user number that is a product of the group numbers for the groups to which the user is assigned;
means for assigning each object an object number that is a product of the group numbers of the groups having access to the object; and
means for determining a greatest common divisor of a given user's user number and a given object's object number to determine whether the given user may access the given object.

11. The computer program product as described in claim 10 further including:
means for permitting the given user to access the given object if the greatest common divisor is greater than a predetermined value indicating that the user number and the object number have no common factors.
12. The computer program product as described in claim 10 further including:
means for denying the given user access to the given object if the greatest common divisor is the predetermined value.

13. The computer program product as described in claim 10 wherein the greatest common divisor is evaluated using a numerical computation.

14. The computer program product as described in claim 13 wherein the numerical computation is Euclid's algorithm.
15. In a group based access control mechanism wherein each of a plurality of access control groups has an associated group number and a set of one or more users assigned thereto, the improvement comprising:
means for associating each group's group number with a unique prime number greater than one;
means for assigning each user a user number that is a product of the group numbers for the groups to which the user is assigned;
means for assigning each object an object number that is a product of the group numbers of the groups having access to the object; and
means for evaluating a greatest common divisor of a given user's user number and a given object's object number to determine whether the given user may access the given object.

16. In the group based access control mechanism of claim 15, wherein the improvement further includes:
means for permitting the given user to access the given object if the greatest common divisor is greater than a predetermined value indicating that the user number and the object number have no common factors.
17. In the group based access control mechanism of claim 15, wherein the improvement further includes:
means for denying the given user access to the given object if the greatest common divisor is the predetermined value.

18. A group based access control mechanism wherein each of a plurality of access control groups has an associated group number and a set of one or more users assigned thereto, comprising:
means for associating each group's group number with a unique prime number greater than one;
means for assigning each user a user number that is a product of the group numbers for the groups to which the user is assigned;
means for assigning each object an object number that is a product of the group numbers of the groups having access to the object;
means for evaluating a greatest common divisor of a given user's user number and a given object's object number; and
means for permitting the given user to access the given object if the greatest common divisor is greater than a predetermined value indicating that the user number and the object number have no common factors.
19. A method for managing a group, comprising the steps of:
for each of a plurality of access groups to which one or more users are assigned, associating each access group's group number with a unique prime number PGi;
assigning each user a number MUi that is a product of the group numbers for the groups to which the user is assigned;
assigning each object Oi a number MOi-A that is a product of the group numbers of the groups having access to the object;
determining whether a given user Ui belongs to a given group Gi by testing if PGi divides MUi.
20. A method of managing a group, comprising the steps of:
for each of a plurality of access groups to which one or more users are assigned, associating each access group's group number with a unique prime number PGi;
assigning each user a number MUi that is a product of the group numbers for the groups to which the user is assigned;
assigning each object a number MOi-A that is a product of the group numbers of the groups having access to the object;
determining whether an object Oi can be accessed with an operation by a group Gi by testing if PGi divides MOi-A.
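A worked model of the scheme the abstract and claims 1, 2, 19 and 20 describe, as an added Python example that is not part of the patent: each group receives a unique prime, user and object numbers are products of those primes, access is decided by whether the greatest common divisor exceeds 1, and group membership and per-operation rights are read off by divisibility. The group, user and object names are constructed, and the trial-division prime generator and the (object, operation) key for MOi-A are my assumptions.

```python
from math import gcd
from functools import reduce
from itertools import count


def primes():
    """Yield 2, 3, 5, 7, ... by trial division; ample for a few hundred groups."""
    found = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


class PrimeGroupACL:
    def __init__(self):
        self._next_prime = primes()
        self.group_prime = {}     # group -> PGi, a unique prime greater than one
        self.user_number = {}     # user -> MUi, product of the user's group primes
        self.object_number = {}   # (object, operation) -> MOi-A, product of allowed groups' primes

    def add_group(self, group):
        if group not in self.group_prime:
            self.group_prime[group] = next(self._next_prime)
        return self.group_prime[group]

    def _product(self, groups):
        # sorted() keeps prime assignment deterministic; set() avoids squaring a prime
        return reduce(lambda acc, g: acc * self.add_group(g), sorted(set(groups)), 1)

    def set_user_groups(self, user, groups):
        self.user_number[user] = self._product(groups)

    def set_object_groups(self, obj, operation, groups):
        self.object_number[(obj, operation)] = self._product(groups)

    def user_in_group(self, user, group):
        # claim 19: Ui belongs to Gi iff PGi divides MUi
        return self.user_number[user] % self.group_prime[group] == 0

    def group_can(self, group, obj, operation):
        # claim 20: Gi may perform the operation on Oi iff PGi divides MOi-A
        return self.object_number[(obj, operation)] % self.group_prime[group] == 0

    def may_access(self, user, obj, operation):
        # claims 1 and 2: grant iff gcd(MUi, MOi-A) > 1 (the predetermined value is 1).
        # An unknown user or an object with no groups carries the number 1 and is denied.
        mu = self.user_number.get(user, 1)
        mo = self.object_number.get((obj, operation), 1)
        return gcd(mu, mo) > 1
```

Because a single shared prime makes the gcd exceed 1, the check is an any-group test: membership in one group that is allowed the operation suffices, and an object whose group product is 1 is reachable by nobody.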
Specification