Methods and systems for synchronizing security descriptors in systems that use multiple security descriptor specifications
Abstract
Methods and systems are disclosed for replicating security descriptors that describe security rights to the same object even though those security descriptors may follow different security descriptor specifications. As an example, the replication may occur between a first security descriptor that follows a first security descriptor specification and a second security descriptor that follows a second security descriptor specification. In order to replicate changes to the first security descriptor with the second security descriptor, the first security descriptor is converted into a version of the first security descriptor that follows the second security descriptor specification. This version is then compared to the second security descriptor. Any detected changes are then made to the second security descriptor. The conversion may be accomplished using mapping rules that map sets of one or more rights of the first security descriptor specification to sets of one or more rights of the second security descriptor specification.
25 Claims
1. In a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the method comprising the following:
a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
an act of changing the second security descriptor to reflect at least one security permission change as represented in the converted version of the first security descriptor so that any changes to the second security descriptor are non-degenerative and reversible;
an act of undoing the at least one security permission change in the second security descriptor;
a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
an act of changing the first security descriptor to reflect the undone permission change as represented in the converted version of the second security descriptor so that any change to the first security descriptor is non-degenerative and reversible.

Dependent claims: 2, 3, 4, 5, 6, 7
8. In a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the method comprising the following:
an act of consulting mapping rules that define mappings of rights between the first security descriptor specification and the second security descriptor specification;
for each right of the first security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification;
an act of assembling each converted right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification;
an act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification to the corresponding right in the second security descriptor;
based on the act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification, an act of detecting one or more changes in the converted first security descriptor that are not reflected in the second security descriptor;
an act of changing the second security descriptor to reflect the detected one or more changes in the first security descriptor so that changes to the second security descriptor are non-degenerative and reversible;
an act of changing one or more rights in the second security descriptor;
for each right of the second security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the second security descriptor specification to a corresponding right that follows the first security descriptor specification;
an act of assembling each converted right that follows the first security descriptor specification to form a version of the second security descriptor that follows the first security descriptor specification;
an act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification to the corresponding right in the first security descriptor;
based on the act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification, an act of detecting one or more changes in the converted second security descriptor that are not reflected in the first security descriptor; and
an act of changing the first security descriptor to reflect the detected one or more changes in the second security descriptor so that changes to the first security descriptor are non-degenerative and reversible.

Dependent claims: 9, 10, 11, 12
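The abstract and claim 8 above describe one procedure: convert the source descriptor into the target specification through mapping rules, compare it right by right with the target, apply the detected changes, and be able to run the same procedure in the other direction. The following is an added worked example of that procedure, written for this page; it is not the patent's code or any vendor's implementation. The two specifications (a coarse POSIX-style spec A and a finer NTFS-style spec B), the rule table, the right names and the sample descriptors are all constructed for the illustration. "Non-degenerative and reversible" is read here as: rights the other specification cannot express (B's DELETE, which has no rule) are never touched, and every applied change is returned as a delta whose inverse undoes it. The patent defines those terms on its own; this is one reading.

```python
"""Added example: two-way, reversible replication of rights between two
security descriptor specifications via explicit mapping rules.  Spec names,
rights, rules and sample descriptors are assumptions constructed for the
illustration, not the patent's or any product's data formats."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A descriptor maps a principal to the set of rights it holds on one object.
Descriptor = Dict[str, FrozenSet[str]]

# Assumed spec A: coarse POSIX-style rights.  Assumed spec B: finer NTFS-style
# flags.  Each rule maps a set of A rights to a set of B rights.  B's DELETE
# has no rule, so replication must leave it alone (claim 8 converts only
# rights "for which there is a corresponding mapping rule").
RULES: List[Tuple[FrozenSet[str], FrozenSet[str]]] = [
    (frozenset({"read"}), frozenset({"READ_DATA", "READ_ATTRIBUTES"})),
    (frozenset({"write"}), frozenset({"WRITE_DATA", "APPEND_DATA"})),
    (frozenset({"execute"}), frozenset({"EXECUTE"})),
]
DOMAIN_A = frozenset().union(*(a for a, _ in RULES))  # A rights covered by rules
DOMAIN_B = frozenset().union(*(b for _, b in RULES))  # B rights covered by rules


def convert(desc: Descriptor, forward: bool) -> Descriptor:
    """Express desc in the other specification (A->B if forward, else B->A).
    A rule fires only when its whole source set is present, so a partial grant
    is never widened into the coarser right: conversion cannot add privilege."""
    out: Descriptor = {}
    for principal, rights in desc.items():
        converted = set()
        for src, dst in RULES:
            if not forward:
                src, dst = dst, src
            if src <= rights:
                converted |= dst
        out[principal] = frozenset(converted)
    return out


@dataclass(frozen=True)
class Delta:
    """A reversible permission change: what to grant and what to revoke."""
    grants: Dict[str, FrozenSet[str]]
    revokes: Dict[str, FrozenSet[str]]

    def inverse(self) -> "Delta":
        return Delta(self.revokes, self.grants)

    def is_empty(self) -> bool:
        return not self.grants and not self.revokes


def diff(converted: Descriptor, target: Descriptor, domain: FrozenSet[str]) -> Delta:
    """Compare right by right, but only inside the mapped domain, so rights the
    other specification cannot express (e.g. DELETE) are never revoked."""
    grants, revokes = {}, {}
    for principal in set(converted) | set(target):
        want = converted.get(principal, frozenset()) & domain
        have = target.get(principal, frozenset()) & domain
        if want - have:
            grants[principal] = want - have
        if have - want:
            revokes[principal] = have - want
    return Delta(grants, revokes)


def apply_delta(target: Descriptor, delta: Delta) -> Descriptor:
    """Apply a Delta; principals left with no rights are dropped."""
    out = {p: set(r) for p, r in target.items()}
    for p, r in delta.grants.items():
        out.setdefault(p, set()).update(r)
    for p, r in delta.revokes.items():
        out.setdefault(p, set()).difference_update(r)
    return {p: frozenset(r) for p, r in out.items() if r}


def replicate(source: Descriptor, target: Descriptor, forward: bool):
    """Push source's mapped rights into target (steps of claim 8, one way).
    Returns the new target and the Delta whose inverse undoes the change."""
    domain = DOMAIN_B if forward else DOMAIN_A
    delta = diff(convert(source, forward), target, domain)
    return apply_delta(target, delta), delta


# Constructed sample: one object, two descriptors that start out in sync.
DESC_A: Descriptor = {"alice": frozenset({"read"}),
                      "bob": frozenset({"read", "execute"})}
DESC_B: Descriptor = {"alice": frozenset({"READ_DATA", "READ_ATTRIBUTES"}),
                      "bob": frozenset({"READ_DATA", "READ_ATTRIBUTES", "EXECUTE", "DELETE"})}


def walk_claim_1():
    """Grant in A, replicate to B, undo in B, replicate the undo back to A."""
    a1 = dict(DESC_A, alice=frozenset({"read", "write"}))   # change on the A side
    b1, d_ab = replicate(a1, DESC_B, forward=True)          # B gains WRITE_DATA+APPEND_DATA
    b2 = apply_delta(b1, d_ab.inverse())                    # undo on the B side
    a2, d_ba = replicate(b2, a1, forward=False)             # A loses "write" again
    return a1, b1, b2, a2, d_ab, d_ba
```

Two design points matter for anyone building such a bridge. First, the comparison is restricted to the rights the rules cover; without that mask, every pass would revoke bob's DELETE because spec A has no way to say it. Second, many-to-one rules lose information in one direction: a grant of WRITE_DATA alone on the B side is not widened into A's "write" (no privilege escalation through the bridge), but it is also not representable in A, so a later A-to-B pass would revoke it. Rules therefore need to be written so that every right administrators actually use has a counterpart, or such rights must be kept out of the replicated domain.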
13. A computer program product for use in a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, the computer program product for implementing a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
an act of changing the second security descriptor to reflect at least one security permission change as represented in the converted version of the first security descriptor so that change to the second security descriptor is non-degenerative and reversible;
an act of changing the second security descriptor;
a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
an act of changing the first security descriptor to reflect the change to the second security descriptor so that change to the first security descriptor is non-degenerative and reversible.

Dependent claims: 14, 15, 16, 17, 18, 19
20. A computer program product for use in a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a computer program product for implementing a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
an act of consulting mapping rules that define mappings of rights between the first security descriptor specification and the second security descriptor specification;
for each right of the first security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification;
an act of assembling each converted right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification;
an act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification to the corresponding right in the second security descriptor;
based on the act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification, an act of detecting one or more changes in the converted first security descriptor that are not reflected in the second security descriptor;
an act of changing the second security descriptor to reflect the detected one or more changes in the first security descriptor so that any changes to the second security descriptor are non-degenerative and reversible;
an act of undoing the change to the second security descriptor;
for each right of the second security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the second security descriptor specification to a corresponding right that follows the first security descriptor specification;
an act of assembling each converted right that follows the first security descriptor specification to form a version of the second security descriptor that follows the first security descriptor specification;
an act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification to the corresponding right in the first security descriptor;
based on the act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification, an act of detecting one or more changes in the converted second security descriptor that are not reflected in the first security descriptor; and
an act of changing the first security descriptor to reflect the detected one or more changes in the second security descriptor so that any changes to the first security descriptor are non-degenerative and reversible.

Dependent claims: 21, 22, 23, 24
25. A computer system comprising the following:
a processing device; and
a combination of one or more computer-readable media which in combination have stored thereon the following:
a first data structure that represents a first security descriptor that follows a first security descriptor specification and that represents an object;
a second data structure that represents a second security descriptor that follows a second security descriptor specification and that also represents the object;
a third data structure that represents mapping rules that correlate sets of one or more rights of the first security descriptor specification with sets of one or more rights of the second security descriptor specification; and
computer-executable instructions that, when executed by the processor, perform the following:
a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
an act of changing the second security descriptor to reflect at least one change as represented in the converted version of the first security descriptor so that change to the second security descriptor is non-degenerative and reversible;
an act of changing the second security descriptor;
a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
an act of changing the first security descriptor to reflect the change to the second security descriptor so that change to the first security descriptor is non-degenerative and reversible.
Specification