Method for attachment and recognition of external authorization policy on file system resources

US 6,766,314 B2
Filed: 04/05/2001
Issued: 07/20/2004
Est. Priority Date: 04/05/2001
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:

generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;

storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;

searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and

generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is an algorithm that manages the ability of a user or software program to access certain protected file resources. This invention describes a method for file system security through techniques that control access to the file system resources using externally stored attributes. This invention accomplishes the described objectives in file system security by creating an external database containing auxiliary attributes for objects in the file system. During a file access attempt, an identifier of this file will be matched against a set of protected files in a security database. If that file is not in the database, there is not protection on the file and requester will be allowed to access the file. If a match does show that the file is protected there will be a determination as to whether the requester will be allowed access to the file. The basis for this access determination will be a set security rules defined in the external security attribute. This invention incorporates techniques and algorithms for attribute attachment, storage and organization of the associations to these attributes, and subsequent recognition of attached attributes. In this approach, the attributes would define authorization policy for controlling access to objects in the file system.

Citations

18 Claims

1. A method for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:
- generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;
  
  storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;
  
  searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and
  
  generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the search of the database is performed using the generated file identifier.
  - 3. The method as described in claim 2 wherein said search is to find a match between a file identifier and protected object name in the database.
  - 4. The method as described in claim 2 wherein access to a file is granted if a search of the database does not produce a protected object name match for the file identifier.
  - 5. The method as described in claim 3 wherein an authorization decision is to deny access to a protected file system object found during a search of the database.
  - 6. The method as described in claim 1 wherein said storing record step comprises mapping the file identifier to a protected object name for a protected file system object.
  - 7. The method as described in claim 3 wherein said decision authorization step comprises calling an access decision component to obtain an access decision for a found match between a file identifier and a protected object name.
  - 8. The method as described in claim 7 wherein said access decision is based on specific protections for the file system object for which there is a request for access, said specific protections being stored in a master database.

9. A method for enforcing security policies over file system objects in a computer system using an external authorization program and comprising the steps of:
- associating a security policy to a protected file system object, where the said security policy capable of granting access to said protected file system object, by generating a file identifier corresponding to each protected file system object by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object and storing a record of each said file identifier and associated protected object name for each said file system object in a database, such that there is a file identifier to protected object name map for each file system object;
  
  upon an access request to a file system object, checking all protected file system objects using a file identifier to determine if the access request is to a protected object file; and
  
  generating an authorization decision for access to said file system object in response to said file system object access attempt, when the attempted access is to a protected file system object.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method as described in claim 9 wherein the step of checking all protected file system objects comprise searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object.
  - 11. The method as described in claim 10 wherein said search is to find a match between a file identifier and protected object name in the database.
  - 12. The method as described in claim 9 wherein said access authorization decision step comprises determining whether to grant access to the requested file system object using security policy rules contained in the external authorization program.
  - 13. The method of claim 9 wherein access to a requested file system object is granted if a search of the database does not produce a protected object file system object.
  - 14. The method as described in claim 11 wherein an authorization decision is to deny access to a protected file system object found during a search of the database.

15. A computer program product in a computer readable medium for controlling access to file system resources in a computer system through the use of externally stored attributes comprising the steps of:
- instructions for generating a file identifier corresponding to each file system object that will have protected and controlled access by obtaining an attribute of the physical location of a file system object, obtaining the name of the file system object, and coupling the physical location attribute to the file system object name to produce the file identifier for a particular file system object;
  
  instructions for storing a record of each said file identifier and associated full path name for each said file system object in a database;
  
  instructions for searching the database, at the initiation of a file system object access attempt to determine if the attempted access is to a protected file system object; and
  
  instructions for generating an authorization decision for access to said file system object in response to said file system object access attempt, when the determination is that the attempted access is to a protected file system object.
- View Dependent Claims (16, 17, 18)
- - 16. The computer program product as described in claim 15 wherein the instructions for searching the database comprise instructions for using the generated file identifier.
  - 17. The computer program product as described in claim 15 wherein said instructions for storing a record comprising instructions for mapping the file identifier to a protected object name for a protected file system object.
  - 18. The computer program product as described in claim 15 wherein said instructions for generating an authorization decision comprise instructions for calling an access decision component to obtain an access decision for a found match between a file identifier and a protected object name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Burnett, Rodney Carlton
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
PHAM, HUNG Q

Application Number

US09/826,984
Publication Number

US 20020147706A1
Time in Patent Office

1,202 Days
Field of Search

707/2, 707/3, 707/9, 707/10, 707/102, 713/165, 716/7
US Class Current

707/694
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/6218   to a system of files or obj...

Y10S 707/955   Object-oriented

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

Y10S 707/99943   Generating database or data...

Method for attachment and recognition of external authorization policy on file system resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for attachment and recognition of external authorization policy on file system resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links