System and method for representing multiple security groups as a single data object
First Claim
1. A method of authenticating an access request in a data processing system, comprising:
- receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value, wherein the mask value masks out bits in the group identifier; and
authenticating the access request based on the group identifier, group set value, and mask value, wherein authenticating the request based on the group identifier, group set value, and mask value includes;
applying the mask value to the group identifier to generate a masked group identifier; and
comparing the mask group identifier to the group set value;
wherein comparing the masked group identifier to the group set value includes;
applying the mask value to the group set value to generate a masked group set value; and
comparing the masked group identifier to the masked group set value;
if the masked group identifier matches the masked group set value, then the access request is authorized;
if the masked group identifier does not match the masked group set value, then the access request is denied.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method for representing multiple security groups as a single data object are provided. With the system and method, a complex group object is created that consists of a group set value and a mask value. The complex group object represents a plurality of groups by the group set value. The mask value is used to apply to group identifiers received during an authentication process to generate a value that is compared against the group set value to determine if the group identifiers are part of the complex group. For example, in a first step of authorization processing, the group identifier received in an authorization request is bit-wise AND'"'"'d with the mask value for the complex group data object. In a second step, the masked group identifier from the received request is compared to the group set value of the complex group object. Such comparison may take the form of masking the group set value and comparing the masked group set value to the masked group identifier from the received request, for example. If the two values match, then access is granted. If the two values do not match, then access is denied.
-
Citations
4 Claims
-
1. A method of authenticating an access request in a data processing system, comprising:
-
receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested; retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value, wherein the mask value masks out bits in the group identifier; and authenticating the access request based on the group identifier, group set value, and mask value, wherein authenticating the request based on the group identifier, group set value, and mask value includes; applying the mask value to the group identifier to generate a masked group identifier; and comparing the mask group identifier to the group set value; wherein comparing the masked group identifier to the group set value includes; applying the mask value to the group set value to generate a masked group set value; and
comparing the masked group identifier to the masked group set value;if the masked group identifier matches the masked group set value, then the access request is authorized; if the masked group identifier does not match the masked group set value, then the access request is denied. - View Dependent Claims (2, 3, 4)
-
Specification
-
- Resources
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsHaugh, Julianne Frances
-
Primary Examiner(s)Moise; Emmanuel L
-
Assistant Examiner(s)GERGISO, TECHANE
-
Application NumberUS10/455,165Publication NumberTime in Patent Office2,056 DaysField of Search713/166, 726/27, 726/17, 709/9US Class Current713/166CPC Class CodesG06F 21/6227 where protection concerns t...
