Simplified LDAP access control language system

US 6,950,819 B1
Filed: 11/22/1999
Issued: 09/27/2005
Est. Priority Date: 11/22/1999
Status: Expired due to Term

First Claim

Patent Images

1. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:

a system administrator creating a read access control list (ACL) command for a user, wherein saidread access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;

said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;

storing said read access control list command in a directory, said directory containing said user attributes; and

responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A simplified LDAP access language system provides user-defined attributes that tell the directory system who the user wants to give read or write access to a specific set of his attributes. The read and write attributes are separate lists and may, in fact, differ, thereby giving the user the flexibility to better manage access to his attributes. The value of the read and write attributes are in an LDAP Filter format which is an Internet standard (RFC 2254) which allows the user to specify not only users local to his intranet, but users across the Internet as well. Access control lists (ACL) are created by the System Administrators and list the specific attributes that the user is allowed to control read or write access, giving the Administrators full control of what information the user can give out. The ACLs are stored in the directory along with the entries. When a user accesses an entry in a directory, the server checks the ACL specified for the attributes being accessed. The read or write attribute for the owner of the attributes being accessed are used by the server when it checks the ACL. The combination of the read or write attribute and the ACL determine whether the user has permission to perform the read or write access to the attribute being accessed.

Citations

27 Claims

1. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command for a user, wherein saidread access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
  
  storing said read access control list command in a directory, said directory containing said user attributes; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
- View Dependent Claims (2, 3, 4)
- - 2. The process of claim 1, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.
  - 3. The process of claim 1, further comprising the steps of:
    - providing a user defined write list containing user identifications that are allowed to write a specified set of attributes;
      
      providing a system administrator defined write access control command;
      
      said write access control command listing the user attributes that said administrator has selected for user defined write access; and
      
      said write access control command referring to said user defined write list thereby allowing said write user identifications write access to said user attributes.
  - 4. The process of claim 3, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.

5. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, said user selecting a subset of said LDAP user attributes from said list for read access to one or more other users;
  
  a system administrator creating a write access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
  
  providing a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
  
  providing a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
  
  storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
  
  wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
  
  wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

6. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a write access control list (ACL) command for a user, wherein saidwrite access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are authorized to have write access to said subset of said system administrator defined LDAP user attributes;
  
  storing said write access control list command in a directory, said directory containing said user attributes; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
- View Dependent Claims (7, 8, 9)
- - 7. The process of claim 6, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.
  - 8. The process of claim 6, further comprising the steps of:
    - providing a user defined read list containing user identifications that are allowed to read a specified set of attributes; and
      
      providing a system administrator defined read access control command;
      
      wherein said read access control command lists the user attributes that said administrator has selected for user defined read access; and
      
      wherein said read access control command refers to said user defined read list thereby allowing said read user identifications read access to said user attributes.
  - 9. The process of claim 8, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.

10. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a read access control list (ACL) command for a user, wherein saidread access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  means for said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users; and
  
  , by listinguser identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
  
  means for storing said read access control list command in a directory, said directory containing said user attributes; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, means for said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
- View Dependent Claims (11, 12, 13)
- - 11. The apparatus of claim 10, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.
  - 12. The apparatus of claim 10, further comprising:
    - a user defined write list containing user identifications that are allowed to write a specified set of attributes; and
      
      a system administrator defined write access control command;
      
      wherein said write access control command lists the user attributes that said administrator has selected for user defined write access; and
      
      wherein said write access control command refers to said user defined write list thereby allowing said write user identifications write access to said user attributes.
  - 13. The apparatus of claim 12, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.

14. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a read access control list (ACL) command for a user that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, said user selecting a subset of said LDAP user attributes from said list for read access to one or more other users;
  
  means for a system administrator creating a write access'"'"' control list (ACL) command for a user that lists LDAP user attributes that said administrator has created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
  
  a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
  
  a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
  
  storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
  
  wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
  
  wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

15. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a write access control list (ACL) command for a user, wherein saidwrite access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  means for said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are authorized to have write access to said subset of said system administrator defined LDAP user attributes;
  
  means for storing said write access control list command in a directory, said directory containing said user attributes; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, means for said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.
  - 17. The apparatus of claim 15, further comprising:
    - a user defined read list containing user identifications that are allowed to read a specified set of attributes;
      
      a system administrator defined read access control command;
      
      wherein said read access control command lists the user attributes that said administrator has selected for user defined read access; and
      
      wherein said read access control command refers to said user defined read list thereby allowing said read user identifications read access to said user attributes.
  - 18. The apparatus of claim 17, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.

19. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command for a user, wherein saidread access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  said user applying said read access control list command by listing subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
  
  storing said read access control list command in a directory, said directory containing said user attributes; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.
  - 21. The method of claim 19, further comprising the steps of:
    - providing a user defined write list containing user identifications that are allowed to write a specified set of attributes;
      
      providing a system administrator defined write access control command;
      
      said write access control command listing the user attributes that said administrator has selected for user defined write access; and
      
      said write access control command referring to said user defined write list thereby allowing said write user identifications write access to said user attributes.
  - 22. The method of claim 21, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.

23. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, read access to one or more other users;
  
  a system administrator creating a write access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has selected created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
  
  providing a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
  
  providing a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
  
  storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
  
  wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
  
  wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

24. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a write access control list command for a user, wherein saidwrite access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
  
  said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listinguser identifications of said one or more other users such that said one or more other users are allowed authorized to have write access to said subset of said system administrator defined LDAP user attributes;
  
  storing said write access control list command in a directory, said directory containing said user attribute; and
  
  responsive to one or more other users accessing any of said user attributes in said directory, said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein upon a client write access, the directory server selects a specific write access control command according to the attribute being accessed and refers to the write list of the owner of the attribute being accessed to determine if said client has permission to execute said write access.
  - 26. The method of claim 24, further comprising the steps of:
    - providing a user defined read list containing user identifications that are allowed to read a specified set of attributes; and
      
      providing a system administrator defined read access control command;
      
      wherein said read access control command lists the user attributes that said administrator has selected for user defined read access; and
      
      wherein said read access control command refers to said user defined read list thereby allowing said read user identifications read access to said user attributes.
  - 27. The method of claim 26, wherein upon a client read access, the directory server selects a specific read access control command according to the attribute being accessed and refers to the read list of the owner of the attribute being accessed to determine if said client has permission to execute said read access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Netscape Communications Corporation (Apollo Global Management, Inc.)
Inventors
Behera, Prasanta
Primary Examiner(s)
Robinson, Greta
Assistant Examiner(s)
DODDS, HAROLD E

Application Number

US09/447,443
Time in Patent Office

2,136 Days
Field of Search

707 1- 4, 707 8- 10, 707100-1041, 707200-202, 707/217, 707/223, 707/225, 345/751, 709200-203, 709217-219, 709/223, 709/225, 709/223.225, 713/200, 713/201
US Class Current

1/1
CPC Class Codes

G06F 9/468 Specific access rights for ...

Y10S 707/99939 Privileged access

Simplified LDAP access control language system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Simplified LDAP access control language system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links