System and method for managing access rights and privileges in a data processing system

US 7,219,234 B1
Filed: 07/24/2002
Issued: 05/15/2007
Est. Priority Date: 07/24/2002
Status: Active Grant

First Claim

Patent Images

1. For use in a data processing system that stores objects, wherein users of the data processing system are allowed access to the objects based on assigned access rights, a method for controlling access to the objects, comprising:

a.) creating at least one group stored on the data processing system, each identifying one or more of the users of the data processing system without regard to any access rights granted to the one or more users;

b.) creating at least one access control record (ACR), each identifying at least one group and that further identifies a set of one or more of the access rights for the group;

c.) for each of the objects, storing an identifier of exactly one ACR associated with the object; and

d.) for each object, allowing a user that is identified by a group that is identified by the associated ACR to access the object according to the set of access rights identified for the group.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved system and method is provided for managing system-level privileges and for granting access rights to system resources within a data processing system. System-level privileges are assigned directly to individual users. In contrast, access rights are assigned to individual users and/or to groups of users using data constructs known as Access Control Records (ACRs). Each ACR associates one or more user groups and/or one or more individual users with a set of access rights. A system resource is then associated with an ACR. The users identified within the associated ACR are thereby granted access to the object using the access rights specified by the ACR. An ACR may define multiple sets of access rights, with each set of access rights being associated with one or more user groups and/or one or more individual users.

128 Citations

40 Claims

1. For use in a data processing system that stores objects, wherein users of the data processing system are allowed access to the objects based on assigned access rights, a method for controlling access to the objects, comprising:
- a.) creating at least one group stored on the data processing system, each identifying one or more of the users of the data processing system without regard to any access rights granted to the one or more users;
  
  b.) creating at least one access control record (ACR), each identifying at least one group and that further identifies a set of one or more of the access rights for the group;
  
  c.) for each of the objects, storing an identifier of exactly one ACR associated with the object; and
  
  d.) for each object, allowing a user that is identified by a group that is identified by the associated ACR to access the object according to the set of access rights identified for the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein step a.) includes creating multiple groups.
  - 3. The method of claim 2, and further including creating at least one group that identifies one or more other ones of the multiple groups.
  - 4. The method of claim 2, wherein the multiple groups define a hierarchical structure.
  - 5. The method of claim 2, wherein each of the users are assigned a respective userid, and wherein step a.) includes identifying a respective userid for each of the one or more users.
  - 6. The method of claim 5, and further including identifying all of the multiple groups that identify a userid.
  - 7. The method of claim 6, and further including:
    - deleting the userid; and
      
      causing the userid to be automatically deleted from all of the multiple groups that identify the userid.
  - 8. The method of claim 2, wherein at least one of the one or more objects is one of the groups.
  - 9. The method of claim 2, wherein step b.) includes creating an ACR that identifies more than one of the multiple groups.
  - 10. The method of claim 9, wherein the ACR identifies at least one of the users by identifying a userid.
  - 11. The method of claim 1, wherein the users are allowed to perform restricted operations within the data processing system based on assigned privileges, and further including assigning privileges directly to the one or more users.
  - 12. The method of claim 11, wherein step a.) includes identifying respective userids for the one or more users, and further including associating assigned privileges with a respective userid for each of the one or more users.
  - 13. The method of claim 1, and including:
    - accepting a request from one of the one or more users, the request requiring access to one of the one or more objects; and
      
      using the ACR to control access to the one of the one or more objects based on the one or more access rights identified by the ACR.
  - 14. The method of claim 13, wherein the data processing system includes a software cache, and further including storing at least one of the groups and the ACR in the software cache.
  - 15. The method of claim 14, wherein storing at least one of the groups and the ACR in the software cache is performed only if the request is a predetermined type of request.
  - 16. The method of claim 15, and further including determining whether the one or the one or more users is assigned a privilege that allows making the predetermined type of request.
  - 17. The method of claim 1, and further including assigning to a user an ability to create a predetermined number of groups.
  - 18. The method of claim 1, and further including:
    - selecting a system default number of groups; and
      
      allowing a user to create up to the system default number of groups;
      
      over-riding the system default number by assigning a different secondnumber of groups to the user; and
      
      allowing the user to create up to the second number of groups.
  - 19. The method of claim 1, wherein the ACR identifies multiple sets of access rights, and wherein the ACR associates each of the multiple sets of access rights with respective ones of the users.
  - 20. The method of claim 1, wherein step c.) includes recording an identifier for the ACR within each of the one or more objects.

21. For use within a data processing system having at least one storage device to store objects, a system for granting users of the data processor access to the objects according to assigned access rights, comprising:
- first circuits included within the at least one storage device to store one or more groups, each group identifying one or more of the users without identifying any access rights;
  
  second circuits included within the at least one storage device to store one or more access control records (ACRs), each ACR associating at least one of the groups to a set of one or more of the access rights; and
  
  third circuits included within the at least one storage device to store, for each of the objects, an identifier that associates an object with exactly one of the ACRs, whereby the users identified by the at least one of the groups that is associated by the ACR are granted the associated set of access rights to access the object.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21, wherein the first circuits include circuits to store, for each of the one or more of the users, a respective userid.
  - 23. The system of claim 21, wherein the second circuits include circuits to store, for each of the ACRs, multiple sets of the access rights, and to associate any of the sets to one or more of the groups.
  - 24. The system of claim 23, wherein the second circuits include circuits to associate any of the sets directly to one or more users.
  - 25. The system of claim 21, wherein the data processing system includes a mass storage facility, and wherein at least ones of the first, second, and third circuits reside within the mass storage facility.
  - 26. The system of claim 21, wherein the data processing system includes a software cache, and wherein at least ones of the first, second, and third circuits reside within the software cache.
  - 27. The system of claim 21, wherein the first circuits include circuits to store, for each of the one or more groups, identifiers identifying one or more other groups.
  - 28. The system of claim 21, and further including fourth circuits included within the at least one storage device to associate ones of the users with system privileges.
  - 29. The system of claim 28, wherein the fourth circuits include circuits to associate respective userids for the ones of the users with system privileges.

30. A system for controlling access to objects managed by a data processing system, comprising:
- means for creating groups of users of the data processing system without regard to access rights used to access the objects;
  
  means for creating ACRs, each ACR identifying at least one of the groups, and further identifying one or more of the access rights; and
  
  means for associating each object with exactly one of the ACRs, whereby users included in the at least one of the groups identified by the associated ACR are granted the identified one or more access rights to access the object.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The system of claim 30, wherein the means for creating groups includes means for allowing a group of users to be defined by identifying at least one other of the groups of users.
  - 32. The system of claim 30, wherein the means for creating groups includes means for identifying a userid for each of the users included within a group.
  - 33. The system of claim 32, and further including means for storing the identified userids;
    - andmeans for storing, for each of the identified userids, a list of the groups that identify the userid.
  - 34. The system of claim 30, wherein the means for creating ACRs includes means for identifying one or more sets of access rights, each of the sets including one or more of the access rights, ones of the sets being associated with one or more groups, whereby users included within the one or more groups are granted the associated set of access rights to access an object that is associated with the ACR.
  - 35. The system of claim 34, wherein the means for creating recording includes means for associating any of the one or more sets of the access rights with one or more individual users.
  - 36. The system of claim 30, wherein the means for associating any of the objects includes means for storing a record identifier for the one of the records within the object.
  - 37. The system of claim 30, and further including means for storing system privileges, and for granting ones of the users one or more of the system privileges.
  - 38. The system of claim 37, and further including means for storing the userids for the ones of the users, and further for storing, for each of the userids, any of the system privileges granted to the user of the userid.
  - 39. The system of claim 30, and further including means for associating one or more of the groups each with a respective one of the ACRs, whereby access to the one or more of the groups is controlled using the access rights and groups of users identified by the respective one of the ACRs.
  - 40. The system of claim 30, and further including software cache means for storing ones of the groups and ones of the ACRs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Ashland, Richard E., Clouse, Roland G.
Primary Examiner(s)
CHAI, LONGBIT

Application Number

US10/202,111
Time in Patent Office

1,756 Days
Field of Search

None
US Class Current

713/182
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

System and method for managing access rights and privileges in a data processing system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

System and method for managing access rights and privileges in a data processing system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others