Implementation of role/group permission association using object access type
First Claim
1. A method for improving access control administration in computer environments, the method comprising the steps of:
- associating individual users with roles or groups having identical access requirements to one or more sets of particular objects in the environment;
- creating an object access type (OAT) mechanism for managing a plurality of OATs, each OAT being a separate entity for associating one or more objects with one or more roles or groups and sets of object access permissions associated therewith; and
- employing said OATs to associate each said role or group with a specific set of permissions defining allowable accesses to a particular set of objects.
Abstract
Security administration in a computer system is simplified by defining a new and independent entity called an Object Access Type (OAT). OATs comprise access control specifications associating roles with permissions, and associating the roles with a set of objects, such as resources or files. Different roles may have differing permissions to objects associated with an OAT, and objects may be assigned to plural OATs. A mechanism is also presented whereby system administrators are provided with the capability to display and manipulate access designations by operating only on the independent OATs.
Claims (10 in total; only independent claims 1 and 6 are reproduced on this page)
6. In a computer system comprising a plurality of objects controlled by means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects, whereby individuals or groups of individuals are listed on said access control lists together with a set of permissions authorized to the corresponding individuals or groups of individuals with respect to each of the objects or groups of objects to which said access control list corresponds, and wherein said access control lists are treated by said computer system as attributes of the corresponding objects or groups of objects, the improvement comprising:
- providing a mechanism within said computer system whereby an Object Access Type (OAT) may be defined, said OATs being treated by said computer system as independent entities that may be created, edited, and/or deleted, separate from objects or groups of objects, and separately from individuals or groups of individuals;
- said mechanism allowing said OATs to be assigned to or removed from objects and groups of objects, and allowing individuals or groups of individuals to be assigned to said OATs;
- said mechanism further allowing each said OAT to contain lists of permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT;
- whereby each said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT.

(Dependent claims 7 through 10 are not shown.)
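The mechanism the abstract and claims describe, modelled as an added Python example (this is not code from the patent; the class and method names, the permission vocabulary and the sample users, roles and files are all constructed): OATs are created and deleted independently of objects and users, each maps roles to permission sets and owns a set of objects, an object may belong to several OATs, and the administrator's display view is derived only from the OATs.

```python
class ObjectAccessType:
    """One OAT: an independent entity owning a role->permissions map and a set of objects."""
    def __init__(self):
        self.role_permissions = {}  # role -> set of permission names
        self.objects = set()        # identifiers of objects assigned to this OAT

class OATAdministrator:
    """Administrators edit OATs and role membership only; no per-object ACL is kept."""
    def __init__(self):
        self.oats = {}        # OAT name -> ObjectAccessType
        self.user_roles = {}  # user -> set of roles
    def create_oat(self, name):
        self.oats[name] = ObjectAccessType()
    def delete_oat(self, name):  # revokes, in one step, every access the OAT granted
        del self.oats[name]
    def grant(self, oat, role, perms):
        self.oats[oat].role_permissions.setdefault(role, set()).update(perms)
    def assign_object(self, oat, obj):
        self.oats[oat].objects.add(obj)
    def add_user_to_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
    def permissions_for(self, user, obj):
        """Union of what every OAT holding obj grants to any of the user's roles."""
        granted = set()
        for oat in self.oats.values():
            if obj in oat.objects:
                for role in self.user_roles.get(user, set()):
                    granted |= oat.role_permissions.get(role, set())
        return frozenset(granted)
    def effective_acl(self, obj):  # administrator's display view, derived purely from OATs
        view = {}
        for oat in self.oats.values():
            if obj in oat.objects:
                for role, perms in oat.role_permissions.items():
                    view.setdefault(role, set()).update(perms)
        return {role: frozenset(p) for role, p in view.items()}

def build_example():  # constructed sample: one file in two OATs, three users in three roles
    admin = OATAdministrator()
    admin.create_oat("payroll-docs")
    admin.grant("payroll-docs", "hr", {"read", "write"})
    admin.grant("payroll-docs", "auditor", {"read"})
    admin.assign_object("payroll-docs", "/payroll/2024.xlsx")
    admin.create_oat("shared-reports")
    admin.grant("shared-reports", "analyst", {"read", "write"})
    admin.assign_object("shared-reports", "/payroll/2024.xlsx")  # a second OAT widens access
    for user, role in [("alice", "hr"), ("bob", "auditor"), ("carol", "analyst")]:
        admin.add_user_to_role(user, role)
    return admin
```

Because an object's effective rights are the union over every OAT it belongs to, assigning an object to an additional OAT can only widen access; the effective_acl view is where an administrator checks that before making the assignment.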