Method for attachment and recognition of external authorization policy on file system resources
First Claim
1. A method for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:
- generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;
storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;
searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and
generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention is an algorithm that manages the ability of a user or software program to access certain protected file resources. This invention describes a method for file system security through techniques that control access to the file system resources using externally stored attributes. This invention accomplishes the described objectives in file system security by creating an external database containing auxiliary attributes for objects in the file system. During a file access attempt, an identifier of this file will be matched against a set of protected files in a security database. If that file is not in the database, there is not protection on the file and requester will be allowed to access the file. If a match does show that the file is protected there will be a determination as to whether the requester will be allowed access to the file. The basis for this access determination will be a set security rules defined in the external security attribute. This invention incorporates techniques and algorithms for attribute attachment, storage and organization of the associations to these attributes, and subsequent recognition of attached attributes. In this approach, the attributes would define authorization policy for controlling access to objects in the file system.
-
Citations
18 Claims
-
1. A method for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:
-
generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;
storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;
searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and
generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method for enforcing security policies over file system objects in a computer system using an external authorization program and comprising the steps of:
-
associating a security policy to a protected file system object, where the said security policy capable of granting access to said protected file system object, by generating a file identifier corresponding to each protected file system object by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object and storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;
upon an access request to a file system object, checking all protected file system objects using a file identifier to determine if the access request is to a protected object file; and
generating an authorization decision for access to said file system object in response to said file system object access attempt, when the attempted access is to a protected file system object. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A computer program product in a computer readable medium for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:
-
instructions for generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;
instructions for storing a record of each said file identifier and associated full path name for each said file system object in a database;
instructions for searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and
instructions for generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object. - View Dependent Claims (16, 17, 18)
-
Specification