Community access control in a multi-community node

US 7,447,782 B2
Filed: 10/16/2001
Issued: 11/04/2008
Est. Priority Date: 12/18/2000
Status: Active Grant

First Claim

Patent Images

1. A method of community access control in a Multi-Community Node (MCN), said method comprising:

receiving a request for access to an object;

consulting a community information base (CIB) responsive to said request, wherein said CIB includes;

a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;

an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and

an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;

permitting access to said object in response to detecting;

said request is from a first user; and

a UCS of the first user is a superset of an OCS of said object;

denying access to said object in response to detecting;

said request is from the first user; and

a UCS of the first user is not a superset of an OCS of said object;

permitting access to said object in response to detecting;

said request is from a process; and

an ACS of said process is a superset of an OCS of said object; and

denying access to said object in response to detecting;

said request is from said process; and

an ACS of said process is not a superset of an OCS of said object;

wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and mechanism of enforcing community access control in a computer network, wherein access to objects by users and processes is controlled. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce a community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to users, processes, and system objects. Upon receiving a request for access to an object by a user, the MCN permits access if a user community set (UCS) of the user is a superset of an object community set (OCS) of the object; otherwise, access is denied. Upon receiving a request for access to an object by a process, the MCN permits access if an application process community set (ACS) of the process is a superset the OCS of the object; otherwise, access is denied.

39 Citations

View as Search Results

28 Claims

1. A method of community access control in a Multi-Community Node (MCN), said method comprising:
- receiving a request for access to an object;
  
  consulting a community information base (CIB) responsive to said request, wherein said CIB includes;
  
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
  
  permitting access to said object in response to detecting;
  
  said request is from a first user; and
  
  a UCS of the first user is a superset of an OCS of said object;
  
  denying access to said object in response to detecting;
  
  said request is from the first user; and
  
  a UCS of the first user is not a superset of an OCS of said object;
  
  permitting access to said object in response to detecting;
  
  said request is from a process; and
  
  an ACS of said process is a superset of an OCS of said object; and
  
  denying access to said object in response to detecting;
  
  said request is from said process; and
  
  an ACS of said process is not a superset of an OCS of said object;
  
  wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said object is an operating system controlled resource.
  - 3. The method of claim 2, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 4. The method of claim 1, wherein an initial owner of said object is a creator of said object.
  - 5. The method of claim 1, further comprising permitting an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 6. The method of claim 1, further comprising allowing a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 7. The method of claim 1, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

8. A Multi-Community Node (MCN) comprising:
- a community information base (CIB), wherein said CIB includes;
  
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
  
  a processing unit configured to;
  
  receive a request for access to an object;
  
  consult said CIB responsive to said request;
  
  permit access to said object in response to detecting;
  
  said request is from a first user; and
  
  a UCS of the first user is a superset of an object community set (OCS) of said object;
  
  deny access to said object in response to detecting;
  
  said request is from the first user; and
  
  a UCS of the first user is not a superset of an OCS of said object;
  
  permit access to said object in response to detecting;
  
  said request is from a process; and
  
  an ACS of said process is a superset of said OCS; and
  
  deny access to said object in response to detecting;
  
  said request is from said process; and
  
  an ACS of said process is not a superset of an OCS of said object;
  
  wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The MCN of claim 8, wherein said object is an operating system controlled resource.
  - 10. The MCN of claim 9, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 11. The MCN of claim 8, wherein an initial owner of said object is a creator of said object.
  - 12. The MCN of claim 8, wherein said processing unit is further configured to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 13. The MCN of claim 8, wherein said processing unit is further configured to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 14. The MCN of claim 8, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

15. A computer system comprising:
- a computer network; and
  
  a multi-community node (MCN) coupled to said computer network, wherein said MCN comprises;
  
  a community information base (CIB), wherein said CIB includes;
  
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
  
  a processing unit configured to;
  
  receive a request for access to an object;
  
  consult said CIB responsive to said request;
  
  permit access to said object in response to detecting;
  
  said request is from a first user; and
  
  a UCS of the first user is a superset of an object community set (OCS) of said object;
  
  deny access to said object in response to detecting;
  
  said request is from the first user; and
  
  a UCS of the first user is not a superset of an OCS of said object;
  
  permit access to said object in response to detecting;
  
  said request is from a process; and
  
  an ACS of said process is a superset of said OCS; and
  
  deny access to said object in response to detecting;
  
  said request is from said process; and
  
  an ACS of said process is not a superset of an OCS of said object;
  
  wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15, wherein said object is an operating system controlled resource.
  - 17. The computer system of claim 16, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 18. The computer system of claim 15, wherein an initial owner of said object is a creator of said object.
  - 19. The computer system of claim 15, wherein said processing unit is further configured to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 20. The computer system of claim 15, wherein said processing unit is further configured to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 21. The computer system of claim 15, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

22. A storage media comprising program instructions, wherein said program instructions are executable to:
- receive a request for access to an object;
  
  consult a community information base (CIB) responsive to said request, wherein said CIB includes;
  
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
  
  permit access to said object in response to detecting;
  
  said request is from a first user; and
  
  a UCS of the first user is a superset of an OCS of said object; and
  
  deny access to said object in response to detecting;
  
  said request is from the first user; and
  
  a UCS of the first user is not a superset of an OCS of said object;
  
  permit access to said object in response to detecting;
  
  said request is from a process; and
  
  an ACS of said process is a superset of an OCS of said object; and
  
  deny access to said object in response to detecting;
  
  said request is from said process; and
  
  an ACS of said process is not a superset of an OCS of said object;
  
  wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The storage media of claim 22, wherein said object is an operating system controlled resource.
  - 24. The storage media of claim 23, wherein said object is selected from the group consisting of a file system, a storage volume, a directory, a file, a record, a memory region, a queue, a pipe, a socket, a port, or an input/output device.
  - 25. The storage media of claim 22, wherein an initial owner of said object is a creator of said object.
  - 26. The storage media of claim 22, wherein said program instructions are further executable to permit an owner of said object to designate a first user as a new owner of said object, in response to detecting a UCS of said first user is a superset of said OCS.
  - 27. The storage media of claim 22, wherein said program instructions are further executable to allow a first process to change said OCS of said object to a subset of said ACS of said first process, in response to detecting an owner of said first process is an owner of said object and said ACS is a superset of said OCS.
  - 28. The storage media of claim 22, wherein said CIB further includes a creator and a current owner for each object residing within said MCN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Tahan, Thomas E.
Primary Examiner(s)
Flynn; Nathan J.
Assistant Examiner(s)
BILGRAMI, ASGHAR H

Application Number

US09/981,608
Publication Number

US 20020078215A1
Time in Patent Office

2,576 Days
Field of Search

709/229, 709/225, 709/228, 713/201, 713165-167, 707/9, 711/163
US Class Current

709/229
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

Community access control in a multi-community node

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Community access control in a multi-community node

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links