Implementation of role/group permission association using object access type

US 6,202,066 B1
Filed: 11/18/1998
Issued: 03/13/2001
Est. Priority Date: 11/19/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method for improving access control administration in computer environments, the method comprising the steps of:

associating individual users with roles or groups having identical access requirements to one or more sets of particular objects in the environment;

creating an object access type (OAT) mechanism for managing a plurality of OATs, each OAT being a separate entity for associating one or more objects with one or more roles or groups and sets of object access permissions associated therewith; and

employing said OATs to associate each said role or group with a specific set of permissions defining allowable accesses to a particular set of objects.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security administration in a computer system is simplified by defining a new and independent entity called an Object Access Type (OAT). OATs comprise access control specifications associating roles with permissions, and associating the roles with a set of objects, such as resources or files. Different roles may have differing permissions to objects associated with an OAT, and objects may be assigned to plural OATs. A mechanism is also presented whereby system administrators are provided with the capability to display and manipulate access designations by operating only on the independent OATS.

630 Citations

10 Claims

1. A method for improving access control administration in computer environments, the method comprising the steps of:
- associating individual users with roles or groups having identical access requirements to one or more sets of particular objects in the environment;
  
  creating an object access type (OAT) mechanism for managing a plurality of OATs, each OAT being a separate entity for associating one or more objects with one or more roles or groups and sets of object access permissions associated therewith; and
  
  employing said OATs to associate each said role or group with a specific set of permissions defining allowable accesses to a particular set of objects.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein each said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT by adding the identifications of said corresponding individuals or groups of individuals and the permissions permitted thereto to access control lists corresponding to each of the objects or groups of objects assigned to said OAT.
  - 3. The method of claim 1, wherein said computer system comprises one or more discrete processor devices operated effectively as a single resource controlled by a single operating system, and wherein said operating system comprises means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.
  - 4. The method of claim 1, wherein said computer system comprises an undefined number of processor devices connected by reconfigurable connections, such that objects or groups of objects within said system may be located by universal resource locator (URL) inquiries, and wherein local processors controlling access to particular objects or groups of objects comprise means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.
  - 5. The method of claim 1, wherein said computer system comprises one or more discrete processor devices, and said objects are organized in a relational data base controlled by a server computer comprising means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.

6. In a computer system comprising a plurality of objects controlled by means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects, whereby individuals or groups of individuals are listed on said access control lists together with a set of permissions authorized to the corresponding individuals or groups of individuals with respect to each of the objects or groups of objects to which said access control list corresponds, and wherein said access control lists are treated by said computer system as attributes of the corresponding objects or groups of objects, the improvement comprising:
- providing a mechanism within said computer system whereby an Object Access Type (OAT) may be defined, said OATs being treated by said computer system as independent entities that may be created, edited, and/or deleted, separate from objects or groups of objects, and separately from individuals or groups of individuals;
  
  said mechanism allowing said OATs to be assigned to or removed from objects and groups of objects, and allowing individuals or groups of individuals to be assigned to said OATs;
  
  said mechanism further allowing each said OAT to contain lists of permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT;
  
  whereby each said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer system of claim 6, wherein said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT by adding the identifications of said corresponding individuals or groups of individuals and the permissions permitted thereto to the access control lists of each of the objects or groups of objects assigned to said OAT.
  - 8. The computer system of claim 6, wherein said computer system comprises one or more discrete processor devices operated effectively as a single resource controlled by a single operating system, and wherein said operating system comprises said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.
  - 9. The computer system of claim 6, wherein said computer system comprises an undefined number of processor devices connected by reconfigurable connections, such that objects or groups of objects within said system may be located by universal resource locator (URL) inquiries, and wherein said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects is provided by local processors controlling access to particular objects or groups of objects.
  - 10. The computer system of claim 6, wherein said computer system comprises one or more discrete processor devices, and said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects is a relational data base controlling access to particular objects or groups of objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The United States of America As Represented By The Secretary of Agriculture
Original Assignee
THE GOVERNMENT OF THE UNITED STATES OF AMERICA, AS REPRESENTED BY THE SECRETARY OF COMMERCE
Inventors
Barkley, John, Cincotta, Anthony V.
Primary Examiner(s)
Kulik, Paul V.

Application Number

US09/195,449
Time in Patent Office

846 Days
Field of Search

713/200, 707/9, 707/103, 380/25
US Class Current

707/785
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/954   Relational

Y10S 707/955   Object-oriented

Y10S 707/99939   Privileged access

Implementation of role/group permission association using object access type

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

630 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Implementation of role/group permission association using object access type

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

630 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links