Extensible security system and method for controlling access to objects in a computing environment
2 Assignments
Abstract
A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.
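The abstract describes a concrete access-check model: a control right is a separately identified data structure bound to one or more object classes, and an ACE carries both the principal's identifier and the right's identifier. The following is an added example written for this page, not code from the patent or from any product; it models that check in Python. The CONTROL_ACCESS bit, the SID strings, the right names, the derived GUIDs and the canonical deny-before-allow ordering are assumptions chosen for illustration (they follow the shape of object-type ACEs with a control-access bit as used in directory services, but nothing here is vendor code).

```python
# Added example: a toy model of the extensible control access right described in the
# abstract and claims. This is an illustration written for this page, not code from the
# patent or any product. The CONTROL_ACCESS bit, the SID strings, the right names and
# the GUIDs are assumptions chosen for the demonstration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set
import uuid

# Predefined operating-system rights (claim 7) plus one assumed bit meaning
# "the operation named by the ACE's object-type GUID".
READ = 0x1
WRITE = 0x2
CONTROL_ACCESS = 0x100


@dataclass(frozen=True)
class ControlAccessRight:
    """The 'control access data structure' of claim 1: a unique identifier plus the
    object classes (the object identification fields) the right is defined for."""
    rights_guid: uuid.UUID
    name: str
    applies_to: FrozenSet[str]


@dataclass(frozen=True)
class ObjectAce:
    """The improved ACE of the abstract: principal id, access mask and the unique
    identifier of the control right. object_type None means 'any control right'."""
    allow: bool
    sid: str
    mask: int
    object_type: Optional[uuid.UUID] = None


@dataclass
class SecuredObject:
    object_class: str
    acl: List[ObjectAce]  # canonical order assumed: explicit denies before allows


def register_right(registry: Dict[uuid.UUID, ControlAccessRight], name: str,
                   classes: List[str]) -> ControlAccessRight:
    """An administrator or application defines a new right (claim 7). The GUID is
    derived deterministically from the name only so the example is reproducible."""
    right = ControlAccessRight(uuid.uuid5(uuid.NAMESPACE_URL, name), name, frozenset(classes))
    registry[right.rights_guid] = right
    return right


def check_control_access(registry: Dict[uuid.UUID, ControlAccessRight], obj: SecuredObject,
                         token_sids: Set[str], rights_guid: uuid.UUID) -> bool:
    """Return True if a principal holding token_sids may perform the extensible
    operation identified by rights_guid on obj."""
    right = registry.get(rights_guid)
    if right is None or obj.object_class not in right.applies_to:
        return False  # right unknown, or not defined for this object's class
    for ace in obj.acl:
        if ace.sid not in token_sids or not ace.mask & CONTROL_ACCESS:
            continue  # ACE is for another principal, or grants only ordinary rights
        if ace.object_type is not None and ace.object_type != rights_guid:
            continue  # ACE names a different control right
        return ace.allow  # first matching ACE decides; a deny ordered first wins
    return False  # no matching ACE: implicit deny


# Constructed SIDs for the demonstration (not real accounts).
ALICE = "S-1-5-21-1-1-1-1001"
BOB = "S-1-5-21-1-1-1-2001"
HELPDESK = "S-1-5-21-1-1-1-3001"
ADMINS = "S-1-5-21-1-1-1-512"


def demo() -> Dict[str, bool]:
    registry: Dict[uuid.UUID, ControlAccessRight] = {}
    reset_pw = register_right(registry, "Reset-Password", ["user"])
    replicate = register_right(registry, "Replicate-Changes", ["domain"])

    alice_obj = SecuredObject("user", [
        ObjectAce(False, BOB, CONTROL_ACCESS, reset_pw.rights_guid),      # explicit deny for Bob
        ObjectAce(True, HELPDESK, CONTROL_ACCESS, reset_pw.rights_guid),  # allow the helpdesk group
        ObjectAce(True, ALICE, READ | WRITE),                             # ordinary rights only
    ])
    domain_obj = SecuredObject("domain", [
        ObjectAce(True, ADMINS, CONTROL_ACCESS),  # wildcard: any control right defined for 'domain'
    ])
    return {
        "helpdesk_can_reset": check_control_access(registry, alice_obj, {HELPDESK}, reset_pw.rights_guid),
        "bob_denied_despite_helpdesk_membership": check_control_access(registry, alice_obj, {BOB, HELPDESK}, reset_pw.rights_guid),
        "read_write_do_not_imply_control_right": check_control_access(registry, alice_obj, {ALICE}, reset_pw.rights_guid),
        "wildcard_ace_grants_defined_right": check_control_access(registry, domain_obj, {ADMINS}, replicate.rights_guid),
        "wildcard_cannot_grant_right_of_other_class": check_control_access(registry, domain_obj, {ADMINS}, reset_pw.rights_guid),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two points the model makes explicit that the prose leaves implicit: ordinary read/write on the object never implies a control right (the third case), and a wildcard ACE can only grant rights that are actually defined for the object's class, because the object identification fields of the control access data structure are checked before the ACL is consulted (the last case).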
46 Claims
1. A computer-readable medium having stored thereon a control access data structure for defining an access right to an operation of one or more objects within a computing environment, the control access data structure comprising:
    an identification field for storing a unique identifier of the control access data structure;
    one or more object identification fields for associating the control access data structure with the one or more objects of the computing environment; and
    wherein the control access data structure corresponds to an access control entry of the one or more objects, and wherein the access control entry associates the access right with a trusted user of the computing environment.
Dependent claims: 2, 3, 4, 5, 6.

7. A computing system comprising:
    an operating system configured to execute on the computing system, the operating system having a set of predefined permissions for performing corresponding operations on objects within the computing system;
    an administrative tool configured to execute on the computing system and direct the operating system to:
        generate a control access right that defines a permission to perform a desired operation on an individual object within the computing system; and
        associate the control access right with an access control entry corresponding to the individual object within the computing system.
Dependent claims: 8, 9, 10, 11, 12, 13.

14. A computer program for controlling user requested operations on an object in a computing environment having a set of predefined access rights, the computer program being stored on a machine readable medium and comprising:
    means for defining an access right component that defines a permission corresponding to a desired operation of the object;
    means for associating the access right component with the object;
    means for associating the access right component with an access control entry corresponding to the object; and
    means for associating the access right component with a user in order to grant the desired operation.
Dependent claims: 15, 16, 17, 18.
Limitations recited in a dependent claim of claim 14 (claim preamble not shown on this page):
    means for adding the access control entry (ACE) to an access control list (ACL) that corresponds to the object;
    means for storing a unique identifier of a control access data structure within a first field of the ACE; and
    means for storing a unique identifier of the user within a second field of the ACE.

19. A method comprising:
    creating an access control entry as a component of an access control list that is associated with at least one object in a computing environment, the access control entry identifying a security principal;
    defining an extensible access right component that defines access to one or more operations of the at least one object; and
    associating the extensible access right component with the access control entry such that the security principal is authorized to access the one or more operations of the at least one object.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30.

31. One or more computer-readable media maintaining an extensible control access right comprising:
    a control access data structure that includes:
        an identification field to maintain a unique identifier of the control access data structure;
        an object identification field to maintain a unique identifier of an object within a computing environment, the object identification field configured to associate the control access data structure with the object; and
    wherein the control access data structure defines access by an authorized security principal to one or more operations of the object.
Dependent claims: 32, 33, 34, 35.
Limitations recited in a dependent claim of claim 31 (claim preamble not shown on this page):
    associate the control access data structure with the object; and
    associate the authorized security principal with the object and with the control access data structure.

35. One or more computer-readable media as recited in claim 31, the extensible control access right further comprising an access control entry that is associated with the object, the access control entry configured to maintain:
    a unique identifier of the control access data structure to associate the control access data structure with the object; and
    a unique identifier of the authorized security principal to associate the authorized security principal with the object and with the control access data structure.

36. A computing system comprising:
    an operating system to manage one or more objects within the computing system, an individual object having an access control list of predefined operating system permissions to perform corresponding operations on the individual object;
    an access control entry to identify a security principal, the access control entry associated with the individual object as a component of the access control list; and
    an extensible access right to define access to one or more operations of the individual object, the extensible access right associated with the access control entry such that the security principal is authorized to access the one or more operations of the individual object.
Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 46.