Management interface having fine-grain access control using regular expressions
First Claim
1. A method for controlling access to a resource of a device, the method comprising:
storing, within a device, authorization data that defines at least one class of clients that access the device, wherein the authorization data defines for each class of clients:
(i) an access control attribute that specifies coarse-grain access control rights for members of the class to configuration data for a resource provided by the device, and (ii) an associated regular expression specifying a textual pattern that specifies fine-grain access control rights for the members of the class to only a portion of the configuration data for the resource provided by the device;
receiving, with the device, a command from a client, wherein the command requests access to the portion of the configuration data for the resource of the device;
identifying the class of which the client is a member;
retrieving, from the authorization data, both the access control attribute and the regular expression for the identified class of which the client is a member;
evaluating the command using the retrieved regular expression to determine whether the command matches the textual pattern specified by the retrieved regular expression; and
controlling access to the portion of the configuration data requested by the client based on both:
(i) the coarse-grain access control rights to the configuration data of the resource specified by the access control attribute for the identified class of which the client is a member and (ii) the evaluation of the regular expression for that class, wherein controlling access comprises allowing access to the configuration data when the access control attribute denies access to the resource and the textual pattern of the regular expression matches the command, and wherein controlling access comprises denying access to the configuration data when the access control attribute grants access to the resource and the textual pattern of the regular expression matches the command.
Abstract
Techniques for controlling access to resources within a device are described. A device is described, for example, that includes a computer-readable medium and a management interface. The computer-readable medium stores configuration data and authorization data. The authorization data defines an access control attribute and an associated regular expression specifying a textual pattern. The management interface receives a text-based command to access the configuration data of the device, evaluates the command using the regular expression, and controls access to the configuration data based on the evaluation.
24 Claims
6. A method comprising:
storing, within a device, configuration data for one or more resources provided by the device, wherein the configuration data is arranged in the form of a multi-level configuration hierarchy having a plurality of higher-level objects and a plurality of lower-level objects, and each of the higher-level objects represents a portion of the configuration data that relates to a respective one of the resources of the device;
storing, within the device, authorization data that defines at least one class of clients that access the device, wherein the authorization data defines for each class of clients:
(i) an access control attribute that specifies coarse-grain access control rights for members of the class to the configuration data for the resource, and (ii) an associated regular expression specifying a textual pattern that specifies fine-grain access control rights for the members of the class to only a portion of the configuration data for the resource;
receiving, with the device, a command from a client, wherein the command requests access to one or more of the lower-level objects of the configuration data for a particular one of the resources of the device;
identifying the class of which the client is a member;
retrieving, from the authorization data, both the access control attribute and the regular expression for the identified class of which the client is a member;
evaluating the command using the retrieved regular expression to determine whether the command matches the textual pattern specified by the retrieved regular expression; and
controlling access to the one or more lower-level objects of the configuration data requested by the client based on both:
(i) the coarse-grain access control rights for the higher-level object of the configuration data for the requested resource as specified by the access control attribute for the identified class of which the client is a member, and (ii) the evaluation of the regular expression for that class with respect to the requested one or more lower-level objects of the resource, wherein controlling access comprises allowing access to the configuration data when the access control attribute denies access to the resource and the textual pattern of the regular expression matches the command, and wherein controlling access comprises denying access to the configuration data when the access control attribute grants access to the resource and the textual pattern of the regular expression matches the command.
(Dependent claims: 7, 8, 9, 10, 11)
13. A computer-readable medium comprising instructions for causing a programmable processor to:
store, within a device, authorization data that defines at least one class of clients that access the device, wherein the authorization data defines for each class of clients an access control attribute and an associated regular expression defining a textual pattern, and further wherein the access control attribute is a coarse-grain access control attribute defining access control rights to a resource provided by the device and the regular expression defines fine-grain access control rights for members of the class to a portion of the resource provided by the device;
receive, with the device, a command from a client, wherein the command requests access to configuration data of the device;
identify the class of which the client is a member;
retrieve, from the authorization data, the access control attribute and the regular expression for the identified class of which the client is a member;
evaluate the command using the retrieved regular expression to determine whether the command matches the textual pattern specified by the retrieved regular expression; and
control access to the configuration data by the client based on the coarse-grain access control attribute for the identified class of which the client is a member and the evaluation of the regular expression for that class, wherein the instructions cause the processor to allow access to the configuration data when the textual pattern of the regular expression matches the command, and wherein the instructions cause the programmable processor to deny access to the configuration data when the textual pattern of the regular expression matches the command.
(Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
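The decision rule shared by claims 1 and 6 (coarse-grain attribute per class, with the class's regular expression acting as an exception that inverts it when the command matches), written out as an added Python example; this is not code from the patent. Assumptions: the resource (higher-level object) is the second token of a text command, the pattern is applied with `re.search` against the whole command text, a non-matching command falls back to the coarse-grain attribute, and unknown clients or resources are denied; the client names, class names and commands are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClassPolicy:
    """Authorization data for one class of clients and one resource.

    permit:  coarse-grain access control attribute (True = grant, False = deny)
    pattern: regular expression naming the portion of the resource's
             configuration data whose access rights are the opposite of `permit`
    """
    permit: bool
    pattern: str


# Constructed authorization data: class -> resource -> policy.
# Patterns are anchored with ^ so a match cannot be obtained by prefixing text.
AUTHORIZATION = {
    "operator": {
        # No access to 'system' overall, except the host-name portion.
        "system": ClassPolicy(False, r"^(set|show) system host-name( |$)"),
        # Full access to 'interfaces', except the management port.
        "interfaces": ClassPolicy(True, r"^\S+ interfaces mgmt0\b"),
    },
}

CLIENT_CLASS = {"alice": "operator"}  # constructed client -> class mapping


def resource_of(command: str) -> str:
    """Higher-level configuration object named by a command (token after the verb)."""
    parts = command.split()
    if len(parts) < 2:
        raise ValueError("command must name a resource: %r" % command)
    return parts[1]


def authorize(client: str, command: str) -> bool:
    """Coarse-grain attribute first, then the regex evaluated on the command text."""
    cls = CLIENT_CLASS.get(client)
    if cls is None:
        return False  # unknown client: default deny (assumption, not in the claims)
    policy = AUTHORIZATION.get(cls, {}).get(resource_of(command))
    if policy is None:
        return False  # no authorization data for this resource: default deny (assumption)
    matched = re.search(policy.pattern, command) is not None
    # attribute denies + match -> allow; attribute grants + match -> deny;
    # no match -> the coarse-grain attribute alone decides (assumption)
    return (not policy.permit) if matched else policy.permit
```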
Specification