Grouped access control list actions

US 7,380,271 B2
Filed: 07/12/2001
Issued: 05/27/2008
Est. Priority Date: 07/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for extending and grouping actions and permissions for authorization of a requesting user to access or use a requested protected system resource in a computer system, said method comprising the steps of:

providing in a computer readable medium an access control policy associated with said requested protected system resource containing a permission list of permitted identities and at least one action group tag with associated action indicators;

reusing a finite quantity of action indicators among a plurality of action group tags to control a number of unique permissions less than or equal to the product of the quantity of allowable action indicators and a quantity of allowable action group tags;

evaluating said permission list according to a specific permission definition associated with said action group tag, said permission definition providing a correlation between permissible actions and members of a set of action indicators; and

granting to a requesting computer or program authorization to perform actions on said requested protected system resource to said requesting user if said access control policy permission list includes an appropriate action indicator correlated to an action group tag.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access Control Lists (ACLs) are used to describe the permitted actions (permissions) on protected network computer system resources or objects associated with an client or user identity. An identity may be an individual user or group of users. The actions are used to represent the different access methods available on a particular projected object or resource. A new action grouping mechanism is provided which tags each action with an action group name. The grouping of actions facilitates a larger permission set to be defined in an ACL, whereas action permission indicators can be reused for unique action definitions within various action groups. This effectively extends the finite total number of permissions available within a security system, allows a more descriptive and extensible permission mechanism in an Access Control List, as well as aiding in the simplification of management and definition of security policies.

Citations

8 Claims

1. A method for extending and grouping actions and permissions for authorization of a requesting user to access or use a requested protected system resource in a computer system, said method comprising the steps of:
- providing in a computer readable medium an access control policy associated with said requested protected system resource containing a permission list of permitted identities and at least one action group tag with associated action indicators;
  
  reusing a finite quantity of action indicators among a plurality of action group tags to control a number of unique permissions less than or equal to the product of the quantity of allowable action indicators and a quantity of allowable action group tags;
  
  evaluating said permission list according to a specific permission definition associated with said action group tag, said permission definition providing a correlation between permissible actions and members of a set of action indicators; and
  
  granting to a requesting computer or program authorization to perform actions on said requested protected system resource to said requesting user if said access control policy permission list includes an appropriate action indicator correlated to an action group tag.
- View Dependent Claims (2, 3)
- - 2. The method as set forth in claim 1 further comprising providing in an access control policy permission list a plurality of action group tags, each action group tag having one or more associated action indicators, such that resultant granting of authorization to act on said requested protected object is completed if the requested action is allowed by any of the associated action indicators of any of the action groups.
  - 3. The method as set forth in claim 1 wherein said requested protected system resource comprises a computer file sent to a local computer from a remote computer over a computer network.

4. A method for managing permission indicators for computer system protected objects comprising the steps of:
- providing in a computer readable medium a plurality of permission indicator containers in an access control list;
  
  associating a first set of permission indicators with a primary permission indicator container;
  
  associating in a computer readable medium accessible by an authorization control system one or more additional sets of permission indicators with additional permission indicator containers, wherein said permission indicators are reused among said containers such that permission indicators may be categorized and grouped logically to control a number of unique permissions less than or equal to the product of a quantity of allowable action indicators and a quantity of allowable action group tags; and
  
  granting authorization to a requesting computer or program to perform actions on said requested protected system resource according to said permission indicators in said permission indicator containers.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The method as set forth in claim 4 wherein said step of providing a first set of permission indicators comprises providing at least one other (additional) permission indicator set having equivalent permission indicators to said first set such that permission indicators may be assigned unique permissive control according to a permission indicator container with which they are associated.
  - 6. The method as set forth in claim 5 wherein said step of providing an equivalent set of permission indicators comprises providing the characters “
    - a”
      
      through “
      
      z” and
      
      “
      
      A”
      
      through “
      
      Z”
      
      as permission indicators.
  - 7. The method as set forth in claim 4 further comprising associating an action group tag with a permission indicator container.
  - 8. The method as set forth in claim 7 further comprising the step of providing an action group tag with an associated list of permission indicators in an access control list entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Turner, Brian James, Calvert, Peter Sean, Moran, Anthony Scott
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Abrishamkar; Kaveh

Application Number

US09/903,704
Publication Number

US 20030088786A1
Time in Patent Office

2,511 Days
Field of Search

713/154, 713/201, 707/9
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Grouped access control list actions

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Grouped access control list actions

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links