Enhanced security for computer system resources with a resource access authorization control facility that creates files and provides increased granularity of resource permission
First Claim
1. A method for providing increased granularity of resource access authorization control for computer resource security for operating systems in which a set of operating system permissions are defined for use in the authorization of subjects to perform operations in relation to specific resources, the method comprising:
creating a set of files including a set of definitions of correspondence between the defined operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource, said definitions defining separate resource authorities for said different aspects and said different aspects comprising a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, such that (wherein) particular instances of said resource aspects are characteristic of a particular computer resource;
storing said created files for association with a resource to be protected; and
setting subjects' authorizations for resource access for each of said resource aspects using the defined operating system permissions, thereby setting, via said defined correspondences within said created files, the authorities which said subjects have in relation to the different resource aspects at the level of granularity of the resource aspects.
Abstract
Provided is a scheme for implementing flexible control of subject authorizations (i.e. the authorizations which users or processes have) to perform operations in relation to computer resources. The methods, computer systems and authorization facilities which are provided by the invention enhance the security provisions of operating systems which have only very limited authorization facilities, by mapping the available operating system permissions to specified resource authorities for each of a set of aspects or characteristics of a computer system resource. Thus, the standard operating system permissions (e.g. read, write, execute) can have different meanings for different resource aspects, and an individual subject can have separate authorization levels set for the different resource aspects. The mappings between authorities and the available permissions may be different for different types of resources. The invention provides great flexibility in setting the authorizations that a subject may have in relation to particular resources.
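The mechanism the abstract describes (and that claims 2 to 4, 6 to 8 refine) can be exercised on an ordinary POSIX filesystem. The following is an added example written for this page, not code from the patent or its assignee. Everything about the layout is an assumption of mine: each protected resource gets a directory of its own, the directory holds one empty marker file per resource aspect (the four aspects of claim 8), the directory is execute-only so subjects can reach the markers by name but cannot list, add or remove them (claim 4), and the resource type "queue" with its authority names (get, put, browse, inquire, grant, ...) is invented to show that the same permission bit maps to a different authority for each aspect. `Subject`, `create_protected_resource`, `os_permissions`, `authorities`, `is_authorized`, `set_authority` and `demo` are all hypothetical names.

```python
# Added example, not the patent's code. Assumed layout (the page states none):
# one directory per protected resource, one empty marker file per aspect,
# execute-only directory (claim 4); type "queue" and its authority names are
# illustrative.
import os
import stat
import tempfile
from dataclasses import dataclass

ASPECTS = ("class", "attributes", "data", "security")   # claim 8's four aspects

# Correspondence tables per resource type and aspect: OS permission -> authority.
CORRESPONDENCE = {
    "queue": {
        "class":      {"r": "display",  "w": "alter", "x": "delete"},
        "attributes": {"r": "inquire",  "w": "set",   "x": "clear"},
        "data":       {"r": "get",      "w": "put",   "x": "browse"},
        "security":   {"r": "view-acl", "w": "grant", "x": "revoke"},
    },
}
_CLASS_SHIFT = {"user": 6, "group": 3, "other": 0}
_PERM_BIT = {"r": 4, "w": 2, "x": 1}

@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset        # every group the user or process belongs to

def create_protected_resource(base, name, rtype, default_mode=0o740):
    """Claims 6/7: markers get defaults at creation (creator: all, group: 'r')."""
    if os.sep in name or name in (".", ".."):
        raise ValueError("resource name must be a single path component")
    resource_dir = os.path.join(base, name)
    os.mkdir(resource_dir, 0o700)
    for aspect in ASPECTS:
        path = os.path.join(resource_dir, aspect)
        with open(path, "x"):         # 'x': never reuse an existing marker
            pass
        os.chmod(path, default_mode)  # explicit, independent of the umask
    os.chmod(resource_dir, 0o111)     # claim 4: execute only, no read/write
    return resource_dir

def os_permissions(path, subject):
    """rwx the subject holds under the POSIX owner/group/other rule, taken from
    the mode bits rather than access(2), which would say yes to root for everything."""
    st = os.stat(path)
    if subject.uid == st.st_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif st.st_gid in subject.gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return {perm for perm, bit in zip("rwx", bits) if st.st_mode & bit}

def authorities(resource_dir, rtype, subject):
    """Claim 1: the subject's authorities, aspect by aspect, through the table."""
    table = CORRESPONDENCE[rtype]
    return {a: {table[a][p] for p in os_permissions(os.path.join(resource_dir, a), subject)}
            for a in ASPECTS}

def is_authorized(resource_dir, rtype, subject, aspect, authority):
    """Claim 2: permit an operation only if its authority was mapped in."""
    return authority in authorities(resource_dir, rtype, subject)[aspect]

def set_authority(resource_dir, rtype, aspect, who, wanted):
    """Grant exactly `wanted` for one aspect to one class ('user', 'group',
    'other') by rewriting that class's three bits; returns the new mode."""
    inverse = {auth: perm for perm, auth in CORRESPONDENCE[rtype][aspect].items()}
    unknown = set(wanted) - set(inverse)
    if unknown:
        raise ValueError(f"no {aspect} authority named {sorted(unknown)}")
    new_bits = sum(_PERM_BIT[inverse[a]] for a in set(wanted))  # perms are distinct
    shift = _CLASS_SHIFT[who]
    path = os.path.join(resource_dir, aspect)
    mode = (stat.S_IMODE(os.stat(path).st_mode) & ~(0o7 << shift)) | (new_bits << shift)
    os.chmod(path, mode)
    return mode

def demo():
    """One 'queue' in a scratch directory: the creator's group gets 'get' and
    'browse' on data and nothing on security. Returns what each subject holds."""
    with tempfile.TemporaryDirectory() as base:
        res = create_protected_resource(base, "PAYMENTS.Q", "queue")
        try:
            st = os.stat(os.path.join(res, "data"))
            owner = Subject(st.st_uid, frozenset({st.st_gid}))
            member = Subject(st.st_uid + 1, frozenset({st.st_gid}))     # group only
            stranger = Subject(st.st_uid + 1, frozenset({st.st_gid + 1}))
            set_authority(res, "queue", "data", "group", {"get", "browse"})
            set_authority(res, "queue", "security", "group", set())
            return {
                "dir_mode": stat.S_IMODE(os.stat(res).st_mode),
                "owner": authorities(res, "queue", owner),
                "member": authorities(res, "queue", member),
                "stranger": authorities(res, "queue", stranger),
                "member_can_get": is_authorized(res, "queue", member, "data", "get"),
                "member_can_put": is_authorized(res, "queue", member, "data", "put"),
            }
        finally:
            os.chmod(res, 0o700)   # unlock so TemporaryDirectory can remove it
```

Calling `demo()` shows the point of the scheme: one `r` bit on the `data` marker means "get", while the same bit on the `security` marker means "view-acl", and a group member can end up with get and browse on the data aspect and nothing at all on the security aspect, something a single rwx triple on the resource itself could not express. Two caveats for anyone building on this. First, the check must be done by the facility from the mode bits, as above, and never via `access(2)`: the kernel lets root bypass discretionary access control, so an `access()`-based check would grant a root-owned daemon every authority. Second, the execute-only directory stops subjects from listing, creating or deleting markers, but a subject that owns a marker file can still `chmod` it; in a deployment the facility (not the creating subject) should own the markers unless creator-is-administrator is the intended semantics of claim 7.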
15 Claims
1. A method for providing increased granularity of resource access authorization control for computer resource security for operating systems in which a set of operating system permissions are defined for use in the authorization of subjects to perform operations in relation to specific resources, the method comprising:
creating a set of files including a set of definitions of correspondence between the defined operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource, said definitions defining separate resource authorities for said different aspects and said different aspects comprising a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, such that (wherein) particular instances of said resource aspects are characteristic of a particular computer resource;
storing said created files for association with a resource to be protected; and
setting subjects' authorizations for resource access for each of said resource aspects using the defined operating system permissions, thereby setting, via said defined correspondences within said created files, the authorities which said subjects have in relation to the different resource aspects at the level of granularity of the resource aspects.
2. A method according to claim 1, further comprising:
responsive to a subject requesting performance of an operation in relation to a protected resource, comparing the operating system permissions of the subject with said set of definitions of correspondence within the created files to determine whether the subject is authorized to perform the operation in relation to the protected resource; and
permitting the operation to be performed if the subject is authorized and rejecting the request if the subject is not authorized.
3. A method according to claim 1 or claim 2, for use with operating system software in which operating system files are organised in directories and for which both file permissions and directory permissions are defined, wherein operating system file permissions are mapped to resource authorities by the definitions of correspondence within said created files and operating system directory permissions are used to protect said created files.
4. A method according to claim 3, for use with operating system software in which the defined directory permissions are read, write, and execute permissions, wherein said step of setting subjects' authorizations includes the step of giving subjects execute permission to the directories which contain said created files but wherein read and write permissions to said directories are not given.
5. A method according to claim 1, wherein a single created file is used to represent the resource authorities for each resource aspect.
6. A method according to claim 1 wherein said step of creating files is performed automatically when a resource is created, using a predefined set of said definitions of correspondence.
7. A method according to claim 1, wherein a subject which creates a resource has default authorizations automatically assigned to it and/or to its subject group when the resource is created.
8. A method according to claim 1, wherein the resource aspects for which resource authorities are specified are the resource class, resource attributes, resource data and resource security.
9. A method for providing increased granularity of resource access authorization control in a computer system, the method comprising:
for each of a set of computer resources which are to be protected, identifying a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, particular instances of which are characteristic of a particular computer resource;
defining resource authorities which subjects may have separately for each of said plurality of resource aspects of a particular resource, and storing within authorisation files associated with said resources definitions of the correspondence between said defined resource authorities and available operating system permissions, for each of said plurality of resource aspects; and
setting subject's authorizations for resource access for each of said resource aspects using said available operating system permissions, thereby to set, via said defined correspondences between defined resource authorities and available operating system permissions, the authorities which subjects have in relation to the different resource aspects at the level of granularity of the resource aspects.
10. A computer program product comprising computer readable program code stored on a data carrier, including a resource access authorisation control facility for use with operating system software having security facilities including a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the control facility including:
means for creating a set of files including a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource, said definitions defining separate resource authorities for said different aspects and said different aspects comprising a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, such that (wherein) particular instances of said resource aspects are characteristic of a particular computer resource;
means for storing said created files in association with a resource to be protected; and
means for setting subjects' authorizations for access to specific resources for each of said resource aspects using said operating system permissions, thereby setting, via said defined correspondences within said created files, the authorities which said subjects have in relation to and at the level of granularity of the different resource aspects.
11. A computer program product according to claim 10, the control facility further including:
means, responsive to a subject requirement for an operation to be performed, for comparing the subject's operating system permissions with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorized to perform the operation.
12. A computer program product according to claim 10 or claim 11, wherein the set of definitions of correspondence between said operating system permissions and specified resource authorities are predefined within the control facility for a plurality of different resource types, said control facility being adapted to create said set of files for a resource automatically when said resource is created.
13. A computer program product according to claim 10, which is adapted to automatically assign default authorizations in relation to a resource to a subject and/or to the subject group when the subject creates the resource.
14. A computer system having operating system software installed therein, which operating system software's security provision includes a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the system including:
means for creating a set of files including a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource, said definitions defining separate resource authorities for said different aspects and said different aspects comprising a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, such that (wherein) particular instances of said resource aspects are characteristic of a particular computer resource;
means for storing said created files in association with a resource to be protected;
means for setting subjects'"'"' authorizations for access to specific resources for each of said resource aspects using said operating system permissions, thereby setting, via said defined correspondences within said created files, the authorities which said subjects have in relation to and at the level of granularity of the different resource aspects; and
means, responsive to a subject requiring an operation to be performed in relation to a resource, for comparing the subject's operating system permissions with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorised to perform the operation.
15. A computer system including:
computer resource access authorisation control means for defining, for computer resources for which access authorisation control is required, authorities which subjects may be given to perform operations in relation to said resources, said means for defining being adapted to define authorities separately for each of a plurality of different aspects of said resources, wherein said different aspects comprise a plurality of resource aspects selected from the group comprising resource data, resource class, security attributes, configuration information and other attributes, such that particular instances of said resource aspects are (being) characteristic of a particular computer resource;
means, responsive to said resource access authorisation control means, for storing within authorisation files associated with said resources definitions of correspondences between said defined resource authorities and available operating system permissions, for each of a plurality of said resource aspects; and
means for setting subject's authorizations for resource access for each of said resource aspects using said available operating system permissions, thereby to set, via said defined correspondences between defined resource authorities and available operating system permissions, the authorities which subjects have in relation to the different resource aspects at the level of granularity of resource aspects.
Specification