System and method for managing access rights and privileges in a data processing system
Abstract
An improved system and method is provided for managing system-level privileges and for granting access rights to system resources within a data processing system. System-level privileges are assigned directly to individual users. In contrast, access rights are assigned to individual users and/or to groups of users using data constructs known as Access Control Records (ACRs). Each ACR associates one or more user groups and/or one or more individual users with a set of access rights. A system resource is then associated with an ACR. The users identified within the associated ACR are thereby granted access to the object using the access rights specified by the ACR. An ACR may define multiple sets of access rights, with each set of access rights being associated with one or more user groups and/or one or more individual users.
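The access model the abstract describes can be sketched in a few lines. This is an added illustration, not code from the patent or from any product: the class names, the principal tagging, the deny-by-default result and the union of matching rights sets are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AccessControlRecord:
    """An ACR: entries pairing a set of principals with a set of rights."""
    entries: list = field(default_factory=list)

    def grant(self, principals, rights):
        # A principal is ("group", name) or ("user", name).
        self.entries.append((frozenset(principals), frozenset(rights)))


class ObjectStore:
    def __init__(self):
        self.groups = {}      # group name -> set of user names; holds no rights
        self.acrs = {}        # ACR id -> AccessControlRecord
        self.object_acr = {}  # object name -> exactly one ACR id

    def rights_for(self, user, obj):
        """Rights the user holds on obj through the object's single ACR."""
        acr = self.acrs.get(self.object_acr.get(obj))
        if acr is None:
            return frozenset()  # assumption: no resolvable ACR means no access
        identities = {("user", user)} | {
            ("group", name) for name, members in self.groups.items() if user in members
        }
        granted = set()
        for principals, rights in acr.entries:
            if identities & principals:
                granted |= rights  # assumption: matching entries combine by union
        return frozenset(granted)


def build_demo():
    """Constructed sample data: two objects sharing one ACR."""
    store = ObjectStore()
    store.groups["payroll"] = {"alice", "bob"}
    store.groups["auditors"] = {"carol"}
    acr = AccessControlRecord()
    acr.grant({("group", "payroll")}, {"read", "write"})
    acr.grant({("group", "auditors"), ("user", "dave")}, {"read"})
    store.acrs["ACR-1"] = acr
    store.object_acr["ledger.db"] = "ACR-1"
    store.object_acr["salaries.db"] = "ACR-1"
    return store


if __name__ == "__main__":
    store = build_demo()
    store.groups["payroll"].discard("bob")  # one membership edit, no ACR/object change
    for obj in ("ledger.db", "salaries.db"):
        print(obj, sorted(store.rights_for("bob", obj)), sorted(store.rights_for("alice", obj)))
```

Because groups carry no rights and each object points at one ACR, a single membership edit changes a user's access to every object that shares the ACR, which is the review point for anyone auditing such a scheme.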
40 Claims
1. For use in a data processing system that stores objects, wherein users of the data processing system are allowed access to the objects based on assigned access rights, a method for controlling access to the objects, comprising:
a.) creating at least one group stored on the data processing system, each identifying one or more of the users of the data processing system without regard to any access rights granted to the one or more users;
b.) creating at least one access control record (ACR), each identifying at least one group and that further identifies a set of one or more of the access rights for the group;
c.) for each of the objects, storing an identifier of exactly one ACR associated with the object; and
d.) for each object, allowing a user that is identified by a group that is identified by the associated ACR to access the object according to the set of access rights identified for the group.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20

21. For use within a data processing system having at least one storage device to store objects, a system for granting users of the data processor access to the objects according to assigned access rights, comprising:
first circuits included within the at least one storage device to store one or more groups, each group identifying one or more of the users without identifying any access rights;
second circuits included within the at least one storage device to store one or more access control records (ACRs), each ACR associating at least one of the groups to a set of one or more of the access rights; and
third circuits included within the at least one storage device to store, for each of the objects, an identifier that associates an object with exactly one of the ACRs, whereby the users identified by the at least one of the groups that is associated by the ACR are granted the associated set of access rights to access the object.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29

30. A system for controlling access to objects managed by a data processing system, comprising:
means for creating groups of users of the data processing system without regard to access rights used to access the objects;
means for creating ACRs, each ACR identifying at least one of the groups, and further identifying one or more of the access rights; and
means for associating each object with exactly one of the ACRs, whereby users included in the at least one of the groups identified by the associated ACR are granted the identified one or more access rights to access the object.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39, 40