Grouped access control list actions
First Claim
1. A method for extending and grouping actions and permissions for authorization of a requesting user to access or use a requested protected system resource in a computer system, said method comprising the steps of:
- providing in a computer readable medium an access control policy associated with said requested protected system resource containing a permission list of permitted identities and at least one action group tag with associated action indicators;
reusing a finite quantity of action indicators among a plurality of action group tags to control a number of unique permissions less than or equal to the product of the quantity of allowable action indicators and a quantity of allowable action group tags;
evaluating said permission list according to a specific permission definition associated with said action group tag, said permission definition providing a correlation between permissible actions and members of a set of action indicators; and
granting to a requesting computer or program authorization to perform actions on said requested protected system resource to said requesting user if said access control policy permission list includes an appropriate action indicator correlated to an action group tag.
5 Assignments
0 Petitions
Accused Products
Abstract
Access Control Lists (ACLs) are used to describe the permitted actions (permissions) on protected network computer system resources or objects associated with an client or user identity. An identity may be an individual user or group of users. The actions are used to represent the different access methods available on a particular projected object or resource. A new action grouping mechanism is provided which tags each action with an action group name. The grouping of actions facilitates a larger permission set to be defined in an ACL, whereas action permission indicators can be reused for unique action definitions within various action groups. This effectively extends the finite total number of permissions available within a security system, allows a more descriptive and extensible permission mechanism in an Access Control List, as well as aiding in the simplification of management and definition of security policies.
-
Citations
8 Claims
-
1. A method for extending and grouping actions and permissions for authorization of a requesting user to access or use a requested protected system resource in a computer system, said method comprising the steps of:
-
providing in a computer readable medium an access control policy associated with said requested protected system resource containing a permission list of permitted identities and at least one action group tag with associated action indicators; reusing a finite quantity of action indicators among a plurality of action group tags to control a number of unique permissions less than or equal to the product of the quantity of allowable action indicators and a quantity of allowable action group tags; evaluating said permission list according to a specific permission definition associated with said action group tag, said permission definition providing a correlation between permissible actions and members of a set of action indicators; and granting to a requesting computer or program authorization to perform actions on said requested protected system resource to said requesting user if said access control policy permission list includes an appropriate action indicator correlated to an action group tag. - View Dependent Claims (2, 3)
-
-
4. A method for managing permission indicators for computer system protected objects comprising the steps of:
-
providing in a computer readable medium a plurality of permission indicator containers in an access control list; associating a first set of permission indicators with a primary permission indicator container; associating in a computer readable medium accessible by an authorization control system one or more additional sets of permission indicators with additional permission indicator containers, wherein said permission indicators are reused among said containers such that permission indicators may be categorized and grouped logically to control a number of unique permissions less than or equal to the product of a quantity of allowable action indicators and a quantity of allowable action group tags; and granting authorization to a requesting computer or program to perform actions on said requested protected system resource according to said permission indicators in said permission indicator containers. - View Dependent Claims (5, 6, 7, 8)
-
Specification