System and method for incremental refresh of a compiled access control table in a content management system

US 7,284,265 B2
Filed: 04/23/2002
Issued: 10/16/2007
Est. Priority Date: 04/23/2002
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for authorizing access to an entity in a content management system by a user by reference to a single table which compiles access control information from a plurality of tables including an access control list table and a table of sets of user privileges, comprising:

binding said access control list table to each said entity;

specifying for said user a set of user privileges;

intersecting said access control list and said set of user privileges in a computer generated access control list (ACL) table, columns of said table including user kind, user identifier, ACL code, a privilege set comprising a privilege set code and a privilege definition code, and a group user identifier;

incrementally refreshing said computer generated ACL table responsive to run time modification of said access control list or set of user privileges, said incrementally refreshing including, responsive to modification of said privilege set, accessing during on-line execution to affect only rows of said computer generated ACL table having a corresponding privilege set code.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for authorizing access to an entity by a user, by binding an access control list to each entity; specifying for the user a set of user privileges; intersecting the access control list and set of user privileges in a compiled ACL table; incrementally refreshing the compiled ACL table responsive to run time modification of relevant tables containing the access control list and set of user privileges; and referencing the compiled access control list to authorize a user request to access an entity.

41 Citations

View as Search Results

25 Claims

1. A computer implemented method for authorizing access to an entity in a content management system by a user by reference to a single table which compiles access control information from a plurality of tables including an access control list table and a table of sets of user privileges, comprising:
- binding said access control list table to each said entity;
  
  specifying for said user a set of user privileges;
  
  intersecting said access control list and said set of user privileges in a computer generated access control list (ACL) table, columns of said table including user kind, user identifier, ACL code, a privilege set comprising a privilege set code and a privilege definition code, and a group user identifier;
  
  incrementally refreshing said computer generated ACL table responsive to run time modification of said access control list or set of user privileges, said incrementally refreshing including, responsive to modification of said privilege set, accessing during on-line execution to affect only rows of said computer generated ACL table having a corresponding privilege set code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer implemented method of claim 1, further comprising:
    - deriving said computer generated ACL table from a set of relevant tables; and
      
      said incrementally refreshing being selectively executed to update said computer generated ACL table responsive to run time modification of said relevant tables.
  - 3. The computer implemented method of claim 2, said relevant tables comprising:
    - an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      an user groups table containing group user indicia and for each group user indicia at least one corresponding user identification indicia;
      
      an access codes table containing ACL code indicia uniquely identifying each said access control list;
      
      an access lists table containing access specifications, each said specification comprising said user identification indicia, said privilege set indicia, and said ACL code indicia;
      
      a privilege sets codes table containing privilege sets code indicia;
      
      a privilege definitions table containing privilege definition indicia; and
      
      a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica.
  - 4. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an access lists table of access specifications, said specification comprising a row including user identification indicia, privilege set indicia, and ACL code indicia;
      
      responsive to insertion of a row to said access lists table, adding row entries to said computer generated ACL table based on said ACL code indicia and said user identification indicia.
  - 5. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an access lists table of access specifications, each said specification comprising a row including user identification indicia, privilege set indicia, and ACL code indicia;
      
      responsive to updating of a row in said access lists table to change said ACL code indicia for a given user, removing and then adding entries in said computer generated ACL table for said given user.
  - 6. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an access lists table of access specifications, said specification comprising a row including user identification indicia, privilege set indicia, and ACL code indicia;
      
      responsive to removal of a given row from said access lists table, removing entries from said computer generated ACL table corresponding to said ACL code indicia and said user identification indicia of said given row.
  - 7. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an access codes table containing ACL code indicia uniquely identifying each said access control list;
      
      responsive to insertion of an ACL code indicia into said access codes table that impacts to a user who has super access capability, inserting a corresponding row to said computer generated ACL table.
  - 8. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an access codes table containing ACL code indicia uniquely identifying each said access control list;
      
      responsive to deletion of a given ACL code indicia from said access codes table, removing entries from said computer generated ACL table with said given ACL code indicia.
  - 9. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an user groups table containing group user indicia and for each group user indicia at least one corresponding user identification indicia;
      
      responsive to insertion of a group member row for a group used in any ACL rules to said users group table, adding a corresponding entry to said computer generated ACL table based on said group user indicia and said user identification indicia.
  - 10. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an user groups table containing group user indicia and for each group user indicia at least one corresponding user identification indicia;
      
      responsive to deletion of a given row from said user groups table, removing entries from said computer generated ACL table corresponding to said group user indicia and said user identification indicia for said given row.
  - 11. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      responsive to insertion of a row to said users table for a new individual user who has super access capability, adding a corresponding entry to said computer generated ACL table.
  - 12. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      responsive to updating of a row in said users table for an individual user whose general privilege set has changed, removing and then adding corresponding entries in said computer generated ACL table.
  - 13. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      responsive to deletion of a row for a given individual user from said users table, removing entries in said computer generated ACL table corresponding to said given individual user.
  - 14. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      removing from said computer generated ACL table entries for groups removed from said users table.
  - 15. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica;
      
      responsive to insertion of a row to said privilege sets table, for a user who does not have super access capability and for privilege sets used in any ACL rules, adding entries to said computer generated ACL table for an existing privilege set with a new inserted privilege set member privilege definition indicia; and
      
      for a user who has super access capability, removing and then adding corresponding entries to said computer generated ACL table.
  - 16. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica; and
      
      responsive to deletion of a given row from said privilege sets table, for a user without super access capability, removing from said computer generated ACL table entries corresponding to said given row; and
      
      for a user for which super access capability has changed, removing and then adding entries corresponding to said given row.
  - 17. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables a privilege sets codes table containing privilege sets code indicia;
      
      responsive to deletion of a row from said privilege sets codes table, removing entries from said computer generated ACL table for deleted privilege sets code indicia.
  - 18. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables a privilege definitions table containing privilege definition indicia;
      
      maintaining as one of said set of relevant tables a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica;
      
      providing a system pre-defined all privilege set privilege indicia in said privilege sets table; and
      
      responsive to insertion into a row of said privilege sets table of newly defined privilege code indicia included in said all privilege set privilege indicia, adding a corresponding entry to said computer generated ACL table.
  - 19. The computer implemented method of claim 2, further comprising:
    - maintaining as one of said set of relevant tables a privilege definitions table containing privilege definition indicia;
      
      maintaining as one of said set of relevant tables a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica;
      
      providing a system pre-defined all privilege set privilege indicia in said privilege sets table; and
      
      responsive to removal of given privilege sets code indicia from said all privilege set privilege indicia, deleting entries from said computer generated ACL table corresponding to said given privilege sets code indicia.

20. A computer system for authorizing access to an entity in content management system by a user by reference to a single table which compiles access control information from a plurality of tables including an access control list table and a table of sets of user privileges, comprising:
- an access control list bound to said entity;
  
  a set of user privileges;
  
  a computer generated access control list (ACL) table, columns of said ACL table including user kind, user identifier, ACL code, a privilege set comprising a privilege set code and privilege definition code, and a group user identifier;
  
  a content manager for intersecting said access control list and said set of user privileges in said computer generated ACL table, and for incrementally refreshing said computer generated ACL table responsive to run time modification of said access control list or said set of user privileges, said incrementally refreshing including, responsive to modification of said privilege set, accessing during on-line execution and affecting only rows of said computer generated ACL table having a corresponding privilege set code.
- View Dependent Claims (21, 22)
- - 21. The computer system of claim 20, further comprising:
    - a set of relevant tables referenced by said content manager for deriving said computer generated ACL table; and
      
      said content manager incrementally refreshing said computer generated ACL table responsive to run time modification of said relevant tables.
  - 22. The computer system of claim 21, said relevant tables comprising:
    - an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      an user groups table containing group user indicia and for each group user indicia at least one corresponding user identification indicia;
      
      an access codes table containing ACL code indicia uniquely identifying each said access control list;
      
      an access lists table containing access specifications, each said specification comprising said user identification indicia, said privilege set indicia, and said ACL code indicia;
      
      a privilege sets codes table containing privilege sets code indicia;
      
      a privilege definitions table containing privilege definition indicia; and
      
      a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica.

23. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform a method for authorizing access to an entity in a content management system by a user by reference to a single table which compiles access control information from a plurality of tables including an access control list table and a table of sets of user privileges, comprising:
- binding an access control list to each said entity;
  
  specifying for said user a set of user privileges;
  
  intersecting said access control list and said set of user privileges in a computer generated ACL table, columns of said table including user kind, user identifier, ACL code, a privilege set comprising a privilege set code and privilege definition code, and a group user identifier;
  
  incrementally refreshing said computer generated ACL table responsive to run time modification of said access control list or set of user privileges, said incrementally refreshing including, responsive to modification of said privilege set, accessing during on-line execution and affecting only rows of said computer generated ACL table having a corresponding privilege set code.
- View Dependent Claims (24, 25)
- - 24. The program storage device of claim 23, said method further comprising:
    - deriving said computer generated ACL table from a set of relevant tables; and
      
      said incrementally refreshing being selectively executed to update said computer generated ACL table responsive to run time modification said relevant tables.
  - 25. The program storage device of claim 24, said relevant tables comprising:
    - an users table containing user identification indicia and corresponding user privilege set indicia for at least one said user;
      
      an user groups table containing group user indicia and for each group user indicia at least one corresponding user identification indicia;
      
      an access codes table containing ACL code indicia uniquely identifying each said access control list;
      
      an access lists table containing access specifications, each said specification comprising said user identification indicia, said privilege set indicia, and said ACL code indicia;
      
      a privilege sets codes table containing privilege sets code indicia;
      
      a privilege definitions table containing privilege definition indicia; and
      
      a privilege sets table containing privilege indicia, each said privilege indicia including corresponding said privilege sets code indicia and said privilege definition indica.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Wang, Yuping, Yaung, Alan Tsu-I, Hu, Tawei, Choy, David Mun-Hien, Lin, Jy-Jine James
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
SZYMANSKI, THOMAS M

Application Number

US10/131,659
Publication Number

US 20030200467A1
Time in Patent Office

2,002 Days
Field of Search

726/18, 726/6
US Class Current

726/6
CPC Class Codes

G06F 21/6218 to a system of files or obj...

System and method for incremental refresh of a compiled access control table in a content management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for incremental refresh of a compiled access control table in a content management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links