Community access control in a multi-community node
First Claim
1. A method of community access control in a Multi-Community Node (MCN), said method comprising:
receiving a request for access to an object;
consulting a community information base (CIB) responsive to said request, wherein said CIB includes:
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
permitting access to said object in response to detecting:
  said request is from a first user; and
  a UCS of the first user is a superset of an OCS of said object;
denying access to said object in response to detecting:
  said request is from the first user; and
  a UCS of the first user is not a superset of an OCS of said object;
permitting access to said object in response to detecting:
  said request is from a process; and
  an ACS of said process is a superset of an OCS of said object; and
denying access to said object in response to detecting:
  said request is from said process; and
  an ACS of said process is not a superset of an OCS of said object;
wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
Abstract
A method and mechanism of enforcing community access control in a computer network, wherein access to objects by users and processes is controlled. A Multi-Community Node (MCN) processes information for users in multiple communities and must enforce a community separation policy. The enforcement method and mechanism use a database of associations of sets of communities corresponding to users, processes, and system objects. Upon receiving a request for access to an object by a user, the MCN permits access if a user community set (UCS) of the user is a superset of an object community set (OCS) of the object; otherwise, access is denied. Upon receiving a request for access to an object by a process, the MCN permits access if an application process community set (ACS) of the process is a superset of the OCS of the object; otherwise, access is denied.
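As an added illustration (not code from the patent), the following Python model implements the CIB and the superset decision described in the abstract, together with the claimed constraint that an object's OCS lies within the ACS of the process that created it. The class and method names, the sample users and communities, the denial of unknown subjects and objects, and the rule that a process's ACS stays within its user's UCS are assumptions made for this example.

```python
class CommunityInformationBase:
    """In-memory CIB (constructed for illustration): one community set per entity."""

    def __init__(self):
        self.ucs, self.acs, self.ocs = {}, {}, {}  # user / process / object -> frozenset

    def add_user(self, user, communities):
        self.ucs[user] = frozenset(communities)

    def start_process(self, proc, user, communities):
        acs = frozenset(communities)
        # Assumption: a process runs only in communities its user belongs to.
        if not acs <= self.ucs[user]:
            raise PermissionError(f"{proc}: ACS exceeds UCS of {user}")
        self.acs[proc] = acs

    def create_object(self, obj, creator, communities):
        ocs = frozenset(communities)
        # From the claims: each OCS is included in the ACS of the creating process.
        if not ocs <= self.acs[creator]:
            raise PermissionError(f"{obj}: OCS not within ACS of {creator}")
        self.ocs[obj] = ocs

    def _permit(self, subject_set, obj):
        ocs = self.ocs.get(obj)
        # Assumption: unknown subjects and unlabeled objects are denied.
        if subject_set is None or ocs is None:
            return False
        return subject_set >= ocs  # permit only if UCS/ACS is a superset of OCS

    def user_may_access(self, user, obj):
        return self._permit(self.ucs.get(user), obj)

    def process_may_access(self, proc, obj):
        return self._permit(self.acs.get(proc), obj)


def build_sample_cib():
    """Constructed sample data: two communities, two users, two processes."""
    cib = CommunityInformationBase()
    cib.add_user("alice", {"red", "blue"})
    cib.add_user("bob", {"red"})
    cib.start_process("p_joint", "alice", {"red", "blue"})
    cib.start_process("p_red", "bob", {"red"})
    cib.create_object("joint_report", "p_joint", {"red", "blue"})
    cib.create_object("red_memo", "p_red", {"red"})
    cib.create_object("scratch", "p_red", set())  # empty OCS: every known subject passes
    return cib
```

Because the empty set is a subset of every set, an object labeled with an empty OCS is readable by every registered user and process, so a deployment of this model has to decide whether an empty OCS is a valid label at all.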
28 Claims
1. A method of community access control in a Multi-Community Node (MCN), said method comprising:
receiving a request for access to an object;
consulting a community information base (CIB) responsive to said request, wherein said CIB includes:
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
permitting access to said object in response to detecting:
  said request is from a first user; and
  a UCS of the first user is a superset of an OCS of said object;
denying access to said object in response to detecting:
  said request is from the first user; and
  a UCS of the first user is not a superset of an OCS of said object;
permitting access to said object in response to detecting:
  said request is from a process; and
  an ACS of said process is a superset of an OCS of said object; and
denying access to said object in response to detecting:
  said request is from said process; and
  an ACS of said process is not a superset of an OCS of said object;
wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A Multi-Community Node (MCN) comprising:
a community information base (CIB), wherein said CIB includes:
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
a processing unit configured to:
  receive a request for access to an object;
  consult said CIB responsive to said request;
  permit access to said object in response to detecting:
    said request is from a first user; and
    a UCS of the first user is a superset of an object community set (OCS) of said object;
  deny access to said object in response to detecting:
    said request is from the first user; and
    a UCS of the first user is not a superset of an OCS of said object;
  permit access to said object in response to detecting:
    said request is from a process; and
    an ACS of said process is a superset of said OCS; and
  deny access to said object in response to detecting:
    said request is from said process; and
    an ACS of said process is not a superset of an OCS of said object;
wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer system comprising:
a computer network; and
a multi-community node (MCN) coupled to said computer network, wherein said MCN comprises:
  a community information base (CIB), wherein said CIB includes:
    a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
    an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
    an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
  a processing unit configured to:
    receive a request for access to an object;
    consult said CIB responsive to said request;
    permit access to said object in response to detecting:
      said request is from a first user; and
      a UCS of the first user is a superset of an object community set (OCS) of said object;
    deny access to said object in response to detecting:
      said request is from the first user; and
      a UCS of the first user is not a superset of an OCS of said object;
    permit access to said object in response to detecting:
      said request is from a process; and
      an ACS of said process is a superset of said OCS; and
    deny access to said object in response to detecting:
      said request is from said process; and
      an ACS of said process is not a superset of an OCS of said object;
wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A storage media comprising program instructions, wherein said program instructions are executable to:
receive a request for access to an object;
consult a community information base (CIB) responsive to said request, wherein said CIB includes:
  a user community set (UCS) for each user of said MCN, wherein for a given user and associated UCS, a given community is a member of the UCS if the given user is a member of the given community;
  an application community set (ACS) for each application on said MCN, wherein for a given application and associated ACS, a given community is a member of the ACS if the given application runs on behalf of a user in the given community; and
  an object community set (OCS) for each object residing within said MCN, wherein each OCS is included in an ACS of a process which created it;
permit access to said object in response to detecting:
  said request is from a first user; and
  a UCS of the first user is a superset of an OCS of said object; and
deny access to said object in response to detecting:
  said request is from the first user; and
  a UCS of the first user is not a superset of an OCS of said object;
permit access to said object in response to detecting:
  said request is from a process; and
  an ACS of said process is a superset of an OCS of said object; and
deny access to said object in response to detecting:
  said request is from said process; and
  an ACS of said process is not a superset of an OCS of said object;
wherein a given OCS comprises a first set of communities, a given UCS is a superset of the given OCS if at least all of the first set of communities are also included in the given UCS, and a given ACS is a superset of the given OCS if at least all of the first set of communities are also included in the given ACS.
Dependent claims: 23, 24, 25, 26, 27, 28
Specification