Simplified LDAP access control language system
First Claim
1. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command for a user, wherein said read access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
- storing said read access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
6 Assignments
0 Petitions
Abstract
A simplified LDAP access language system provides user-defined attributes that tell the directory system to whom the user wants to give read or write access for a specific set of his attributes. The read and write attributes are separate lists and may differ, giving the user the flexibility to manage access to his attributes more precisely. The values of the read and write attributes are in LDAP filter format, an Internet standard (RFC 2254), which lets the user name not only users local to his intranet but users across the Internet as well. Access control lists (ACLs) are created by the system administrators and list the specific attributes for which the user is allowed to control read or write access, giving the administrators full control over what information the user can give out. The ACLs are stored in the directory along with the entries. When a user accesses an entry in the directory, the server checks the ACL specified for the attributes being accessed, using the read or write attribute of the owner of those attributes. The combination of the read or write attribute and the ACL determines whether the user has permission to perform the read or write access to the attribute being accessed.
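The two-level check the abstract describes, modelled in Python as an added example (not the patent's own code): the administrator's ACL bounds which attributes an owner may delegate at all, the owner's separate read and write attributes name the subset actually delegated together with an RFC 2254 filter saying who receives it, and the server evaluates both against the requester's entry at access time. The attribute names (`telephoneNumber`, `roomNumber`, ...), the `AdminAcl` and `OwnerGrant` data shapes, the supported filter subset and the sample entries are all assumptions constructed for this example.

```python
"""Toy model of the two-level attribute access check described in the abstract.
Added example, not the patent's code; attribute names, filter subset and sample entries
are constructed. An administrator ACL names what a user MAY delegate, the owner's separate
read and write grants name what IS delegated and to whom (an RFC 2254 filter), and the
server applies both to the requester's entry at access time."""
from dataclasses import dataclass

Entry = dict[str, list[str]]  # attribute type (lower-cased) -> values; LDAP attributes are multi-valued


def attrs(*names: str) -> frozenset[str]:
    return frozenset(n.lower() for n in names)


# Minimal RFC 2254 parser: (a=v), (a=*), (&..), (|..), (!..). Substring and extensible
# matches and backslash escapes are left out, so a ')' inside a value is not supported.
def parse_filter(text: str):
    s = text.strip()
    try:
        i, node = _parse(s, 0)
    except IndexError:
        raise ValueError(f"truncated filter: {text!r}") from None
    if i != len(s):
        raise ValueError(f"trailing characters in filter: {text!r}")
    return node


def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, i, items = {"&": "and", "|": "or", "!": "not"}[s[i]], i + 1, []
        while s[i] == "(":
            i, node = _parse(s, i)
            items.append(node)
        if s[i] != ")" or (op == "not" and len(items) != 1):
            raise ValueError(f"malformed '{op}' at offset {i} in {s!r}")
        return i + 1, (op, items[0] if op == "not" else items)
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not (sep and attr):
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return end + 1, (("present", attr.lower()) if value == "*" else ("eq", attr.lower(), value))


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against an entry (case-insensitive equality)."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == "present" else node[2].lower() in values


@dataclass
class AdminAcl:
    delegable: dict[str, frozenset[str]]  # "read"/"write" -> attributes the owner may give out


@dataclass
class OwnerGrant:  # the owner's read (or write) attribute: chosen subset plus who gets it
    attributes: frozenset[str]
    filter: str


def check_access(op: str, attribute: str, acl: AdminAcl, grant: OwnerGrant,
                 requester: Entry) -> tuple[bool, str]:
    """Server-side decision: admin ACL first, then the owner's subset, then the owner's filter."""
    attr = attribute.lower()
    if attr not in acl.delegable.get(op, frozenset()):
        return False, f"administrator ACL does not allow {op} delegation of {attribute}"
    if attr not in grant.attributes:
        return False, f"owner did not grant {op} access to {attribute}"
    if not matches(parse_filter(grant.filter), requester):
        return False, f"requester does not match the owner's {op} filter {grant.filter}"
    return True, f"{op} access to {attribute} allowed by the owner's filter"


# Constructed sample data; Alice's read and write lists differ, as the abstract allows.
ADMIN_ACL = AdminAcl({"read": attrs("telephoneNumber", "mail", "roomNumber", "homePhone"),
                      "write": attrs("telephoneNumber", "roomNumber")})
ALICE_READ = OwnerGrant(attrs("telephoneNumber", "mail", "userPassword"),
                        "(|(ou=engineering)(cn=Bob Builder))")
ALICE_WRITE = OwnerGrant(attrs("roomNumber"), "(&(ou=facilities)(!(employeeType=contractor)))")
BOB = {"cn": ["Bob Builder"], "ou": ["sales"]}  # entry keys are stored lower-cased
CAROL = {"cn": ["Carol"], "ou": ["facilities"], "employeetype": ["staff"]}
DAVE = {"cn": ["Dave"], "ou": ["facilities"], "employeetype": ["contractor"]}


def demo() -> list[tuple[bool, str]]:
    cases = [
        ("read", "telephoneNumber", ALICE_READ, BOB),  # cn matches one branch of the OR
        ("read", "homePhone", ALICE_READ, BOB),        # admin allows it, owner never listed it
        ("read", "userPassword", ALICE_READ, BOB),     # owner listed it, admin ACL forbids it
        ("write", "roomNumber", ALICE_WRITE, CAROL),   # facilities staff: filter matches
        ("write", "roomNumber", ALICE_WRITE, DAVE),    # excluded by (!(employeeType=contractor))
        ("write", "mail", ALICE_WRITE, CAROL),         # readable per ACL, but not writable
    ]
    return [check_access(op, a, ADMIN_ACL, g, r) for op, a, g, r in cases]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of the three checks matters: the administrator's ACL is consulted first, so an owner who lists an attribute the administrator never released (here `userPassword`) gains nothing, which is the "full control of what information the user can give out" property the abstract claims. The owner's filter is evaluated against the requester's entry at request time, so a department or role change in the directory changes the outcome without the owner rewriting the grant. A production server would use its own filter engine rather than the reduced parser here, which omits substring and extensible matches and escape sequences.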
27 Claims

1. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command for a user, wherein said read access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
- storing said read access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
(Dependent claims: 2, 3, 4.)

5. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, said user selecting a subset of said LDAP user attributes from said list for read access to one or more other users;
- a system administrator creating a write access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
- providing a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
- providing a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
- storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
- wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
- wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

6. A process for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a write access control list (ACL) command for a user, wherein said write access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have write access to said subset of said system administrator defined LDAP user attributes;
- storing said write access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
(Dependent claims: 7, 8, 9.)

10. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a read access control list (ACL) command for a user, wherein said read access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- means for said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
- means for storing said read access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, means for said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
(Dependent claims: 11, 12, 13.)

14. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a read access control list (ACL) command for a user that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, said user selecting a subset of said LDAP user attributes from said list for read access to one or more other users;
- means for a system administrator creating a write access control list (ACL) command for a user that lists LDAP user attributes that said administrator has created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
- a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
- a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
- storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
- wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
- wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

15. An apparatus for a simplified access control language that controls access to directory entries in a computer environment, comprising:
- means for a system administrator creating a write access control list (ACL) command for a user, wherein said write access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- means for said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have write access to said subset of said system administrator defined LDAP user attributes;
- means for storing said write access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, means for said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
(Dependent claims: 16, 17, 18.)

19. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command for a user, wherein said read access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- said user applying said read access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing read access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have read access to said subset of said system administrator defined LDAP user attributes;
- storing said read access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, said read access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users read access to said system administrator defined LDAP user attributes.
(Dependent claims: 20, 21, 22.)

23. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a read access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined read access, said user selecting a subset of said LDAP user attributes from said list for read access to one or more other users;
- a system administrator creating a write access control list (ACL) command that lists Lightweight Directory Access Protocol (LDAP) user attributes that said administrator has created for user defined write access, said user selecting a subset of said LDAP user attributes from said list for write access to one or more other users;
- providing a plurality of user defined access control list command attribute read lists containing user identifications of said one or more other users that are allowed to read said user defined subset from said LDAP user attributes that said administrator has created for user defined read access;
- providing a plurality of user defined access control list command attribute write lists containing user identifications of said one or more other users that are allowed to write said user defined subset from said LDAP user attributes that said administrator has created for user defined write access; and
- storing said read access control list command and said write access control list command reside in a directory containing said LDAP user attributes;
- wherein responsive to one or more other users requesting read access to one of the LDAP user attributes, applying said read access control list command and the read list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said read access; and
- wherein responsive to one or more other users requesting write access to one of the LDAP user attributes, applying said write access control list command and the write list of the owner of the attribute being accessed to determine if said one or more other users has permission to execute said write access.

24. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a simplified access control language that controls access to directory entries in a computer environment, comprising the steps of:
- a system administrator creating a write access control list command for a user, wherein said write access control list command lists a set of Lightweight Directory Access Protocol (LDAP) user attributes that are created and controlled by said administrator;
- said user applying said write access control list command by listing a subset from said system administrator defined LDAP user attributes for authorizing write access to said subset of user attributes to one or more other users, and by listing user identifications of said one or more other users such that said one or more other users are authorized to have write access to said subset of said system administrator defined LDAP user attributes;
- storing said write access control list command in a directory, said directory containing said user attributes; and
- responsive to one or more other users accessing any of said user attributes in said directory, said write access control list command referring to said list of user identifications at runtime thereby allowing said one or more other users write access to said system administrator defined LDAP user attributes.
(Dependent claims: 25, 26, 27.)