Methods and arrangements for controlling resource access in a networked computing environment
Abstract
A unified and straightforward approach to managing file and other resource security in a networked computing environment is disclosed. The invention can be implemented in a multi-user computer network that includes a client computer, a server computer that controls a resource sharable among users of the network, such as a shared file folder or directory, and a communications pathway between the client computer and the server computer. The resource is organized as a hierarchy of elements with a root element at the top of the hierarchy and additional elements below the root element. According to the invention, a request is received to change a protection, such as an access permission, of an element of the resource hierarchy (other than the root) with respect to a particular network user. If the element in question lacks an associated access control list, a nearest ancestor element of the hierarchy is located that has an associated access control list. The first (descendant) element inherits the access control list of the second (ancestor) element. This inheritance is done by generating a copy of the access control list of the second element and associating the generated copy with the first element. The requested change in protection is then incorporated into the generated copy that has been associated with the first element so as to establish an updated access control list for the first element. Further, the requested change can be propagated downwards in the hierarchy from the first element to its descendants having access control lists.
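As an added illustration (not code from the patent), the following Python example models the inherit-by-copy step and the downward propagation described in the abstract, with an optional per-descendant filter in the spirit of claims 1 and 3. The names `Node`, `effective_acl`, `set_permission` and the merge rule (replace only the affected user's entry, empty set revokes) are assumptions made for the example.

```python
# Added illustration; Node, set_permission and effective_acl are hypothetical names.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    acl: Optional[Dict[str, Set[str]]] = None  # None = no ACL of its own
    children: List["Node"] = field(default_factory=list)

    def add(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child

def effective_acl(node: Node) -> Dict[str, Set[str]]:
    """ACL of the nearest ancestor-or-self that has one (root must have one)."""
    while node.acl is None:
        if node.parent is None:
            raise ValueError("root element has no ACL")
        node = node.parent
    return node.acl

def _merge(acl, user, perms):
    # Assumed merge rule: replace only this user's entry; empty set revokes.
    if perms:
        acl[user] = set(perms)
    else:
        acl.pop(user, None)

def set_permission(node, user, perms, propagate=lambda d: True):
    """Apply the change at node, then merge into descendants that own an ACL."""
    if node.acl is None:  # inherit by copy, never by reference
        node.acl = {u: set(p) for u, p in effective_acl(node).items()}
    _merge(node.acl, user, perms)
    changed, stack = [node.name], list(node.children)
    while stack:
        d = stack.pop()
        stack.extend(d.children)
        if d.acl is not None and propagate(d):
            _merge(d.acl, user, perms)
            changed.append(d.name)
    return changed

def demo():
    # Constructed sample hierarchy: root/projects/{docs, secret}
    root = Node("root", acl={"alice": {"read", "write"}, "bob": {"read"}})
    projects = root.add("projects")
    docs, secret = projects.add("docs"), projects.add("secret")
    secret.acl = {"alice": {"read"}, "bob": {"read"}}
    set_permission(projects, "bob", set(), propagate=lambda d: False)  # revoke, no propagation
    return root, projects, docs, secret
```

In `demo()`, the revocation at `projects` reaches `docs` through inheritance, but `secret` keeps its own stale entry for `bob` until the change is propagated, which is the case the propagation step exists to handle.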
12 Claims
1. A method in a computer system for providing access control in a file system hierarchy, the file system hierarchy comprising a plurality of nodes arranged hierarchically such that each node may have one or more ancestor nodes and one or more descendant nodes, each node further capable of having an access control list identifying users that are permitted to access the node, the method comprising the steps of:
receiving a request to modify, for a specified node having an access control list, the list of users permitted to access the specified node;
modifying the access control list of the specified node in accordance with the received request;
displaying a prompt for user input indicating whether the requested modification should be propagated to a descendant node of the specified node; and
selectively merging the requested modification into an access list associated with the descendant node only if user input received in response to displaying the prompt indicates that the requested modification should be propagated to the descendant of the specified node.
3. A method in a computer system for providing access control in a file system hierarchy, the file system hierarchy comprising a plurality of nodes arranged hierarchically such that each node may have one or more ancestor nodes and one or more descendant nodes, each node further capable of having associated with it an access control list identifying users that are permitted to access the node, the method comprising the steps of:
receiving a request to modify, for a specified node having an access control list, the list of users permitted to access the specified node;
modifying the access control list of the specified node in accordance with the received request;
displaying a prompt for user input selecting one or more nodes that are descendants of the specified node to which the requested modification should be propagated;
receiving user input selecting one or more nodes that are descendants of the specified node to which the requested modification should be propagated; and
selectively merging the requested modification into access lists associated with the descendant nodes as selected by the received user input.
4. In a computer network having a plurality of users and comprising a server computer controlling a shareable resource organized as a hierarchy of elements, the hierarchy including a root element at a topmost point in the hierarchy and additional elements that are descendants of the root element in the hierarchy, a method of modifying attributes of the resource, the method comprising the computer-implemented steps of:
receiving a request to change an attribute of a first element of the hierarchy with respect to a user of the network, the first element being a specified one of the additional elements;
in response to the receiving step, determining whether the first element has an associated list of attributes;
upon determining that the first element lacks an associated list of attributes, identifying a second element of the hierarchy, the second element having an associated list of attributes and being a proximate ancestor of the first element in the hierarchy; and
based on the list of attributes associated with the second element, selectively generating and associating the list of attributes with the first element, such that the resulting list of attributes associated with the first element includes the requested change.
the step of receiving a request to change an attribute of a first element of the hierarchy comprises receiving a request to remove an attribute related to all users of the network; and
the step of selectively generating and associating a list of attributes with the first element comprises providing an empty list of attributes associated with the first element.
10. The method of claim 4, further comprising the step of:
propagating the requested change downwards in the hierarchy from the first element to every element of the hierarchy that is a descendant of the first element in the hierarchy and has an associated list of attributes by merging the requested change into the list of attributes of every such element.
11. The method of claim 4, further comprising the steps of:
identifying a third element of the hierarchy, the third element having an associated list of attributes and being a descendant of the first element in the hierarchy; and
upon identifying the third element, propagating the requested change downwards in the hierarchy from the first element to the third element by merging the requested change into the list of attributes of the third element.
12. The method of claim 4 wherein the computer network further comprises a client computer and a communications pathway between the client computer and the server computer, and further comprising the steps of:
issuing from the client computer a request for a user of the network to access an element of the resource;
receiving the issued request in the server computer; and
responding to the issued request in a manner consistent with the updated list of attributes.
Specification