Access control method using token having security attributes in computer system
Abstract
Disclosed is an access control method that uses a token having security attributes in a computer system when a user accesses a specific file. The computer system uses a token with encryption, modification, execution, and provision attributes to determine whether access between a user and a file is permitted or denied, so that file access requests are controlled. The method enciphers a file and stores the enciphered file in a storage unit, so that the file remains secure even if the storage unit is stolen. It lets a system manager read only the enciphered contents of a file when performing a data backup operation, thereby removing limitations on normal system operation while maintaining file security. It also enables programs that execute operations on behalf of a user to obtain a corresponding token automatically, confirms authority to execute the file, and prevents that authority from being stolen or drained due to a program error.
10 Claims
1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:
a) assigning a first token having security attributes to a user process and the second token having security attributes to a file;
b) checking a request by the user process to access an arbitrary file;
c) determining whether the arbitrary file contains a third token having security attributes; and
d) if the arbitrary file contains no token, and permitting access to the arbitrary file, and if the arbitrary file contains the third token, and permitting access according to a determination based on the first token and the third token, and if the third token has a provision attribute, then removing all automatically provisioned tokens from the user process before providing the user process with a token for executing arbitrary file, then executing the arbitrary file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-readable recording medium for storing a program therein, the program comprising:
a first function for providing a token having security attributes, such as an encryption attribute, a modification attribute, an execution attribute, and a provision attribute, to a user permitted to access an arbitrary file and a corresponding file;
a second function for decoding a corresponding file on condition that the user has the same token as the file and providing the user with the decoded file in the case where a user attempts to read a file having an encryption attribute, or providing a user process with an enciphered file state without decoding the file in the case where a user does not have the same token as the file;
a third function for, in case of a write request of a user on a file having a modification attribute, determining an access denial on condition that a user does not have the same token as the file, determining access permission on condition that a user has the same token as the file, enciphering and storing the file on condition that a corresponding file has an encryption attribute, and directly storing the file as it is on condition that a corresponding file has no encryption attribute;
a fourth function for, in case of an execution request of a file having an execution attribute, determining an access denial of a user who does not have the same token as the file, and executing a corresponding file for a user who has the same token as the file; and
a fifth function for, in case of an execution request of a file having a provision attribute, removing all tokens assigned to a user by the provision attribute before providing the user with a corresponding token, and executing a corresponding file.
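The decision logic of the second through fifth functions of claim 10 can be modelled as follows. This is an added illustration, not code from the patent: all names are hypothetical, `toy_cipher` is an insecure stand-in for the unspecified cipher, and granting the file's own token on a provision request is an assumption about what "a corresponding token" means.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Flag

Attr = Flag("Attr", "ENCRYPT MODIFY EXECUTE PROVISION")  # the four security attributes

@dataclass(frozen=True)
class Token:
    ident: str
    attrs: Attr

@dataclass
class File:
    data: bytes            # bytes as stored in the storage unit
    token: Token = None    # None means the file carries no token

@dataclass
class Process:
    tokens: set = field(default_factory=set)       # tokens assigned to the user
    provisioned: set = field(default_factory=set)  # tokens granted by provision files

def toy_cipher(token, data):
    # Placeholder XOR keystream so the example runs offline; NOT a secure cipher.
    stream = hashlib.shake_256(token.ident.encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def holds(proc, file):
    return file.token in (proc.tokens | proc.provisioned)

def read(proc, file):
    t = file.token
    if t and Attr.ENCRYPT in t.attrs and holds(proc, file):
        return toy_cipher(t, file.data)  # token holder receives decoded contents
    return file.data                     # everyone else receives the stored state

def write(proc, file, data):
    t = file.token
    if t and Attr.MODIFY in t.attrs and not holds(proc, file):
        raise PermissionError("write denied: process lacks the file's token")
    # Stored enciphered when the file has the encryption attribute, else as is.
    file.data = toy_cipher(t, data) if t and Attr.ENCRYPT in t.attrs else data

def execute(proc, file):
    t = file.token
    if t and Attr.EXECUTE in t.attrs and not holds(proc, file):
        raise PermissionError("execute denied: process lacks the file's token")
    if t and Attr.PROVISION in t.attrs:
        proc.provisioned.clear()  # remove every previously provisioned token
        proc.provisioned.add(t)   # assumption: the file's own token is granted
    return True                   # stands in for running the file
```

A process without the file's token, such as a backup job, gets the enciphered bytes back from `read` rather than an error, which is the behaviour the abstract describes for the system manager.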
Specification