Scoped access control metadata element
First Claim
1. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:
- receiving, from a first user, a request to access a first resource;
determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes;
a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource;
a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and
a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies;
determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes;
a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource;
a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and
a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies;
determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element;
determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element;
determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element;
in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and
in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, systems, and data structures for communicating object metadata are provided. A generic metadata container is presented that allows object metadata to be described in an extensible manner using protocol-neutral and platform-independent methodologies. A metadata scope refers to a dynamic universe of targets to which the included metadata statements correspond. Metadata properties provide a mechanism to describe the metadata itself, and metadata security can be used to ensure authentic metadata is sent and received. Mechanisms are also provided to allow refinement and replacement of metadata statements. The generic metadata container can be adapted to dynamically define access control rights to a range of objects by a range of users, including granted and denied access rights.
-
Citations
17 Claims
-
1. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:
-
receiving, from a first user, a request to access a first resource; determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes; a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource; a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies; determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes; a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource; a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies; determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element; determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element; determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element; in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A computer comprising a processor controlling operation of the computer according to computer readable instructions stored in a memory, wherein, upon execution of the computer readable instructions by the processor, the computer performs a method for determining access rights to a range of objects by a range of users through scope information, comprising:
-
receiving, from a first user, request to access a first resource; determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes; a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource; a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies; determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes; a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource; and a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies; determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element; determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element; determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element; in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:
-
receiving, from a first user, a request to access a first resource; determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes; a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource; a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies; determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes; a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource; and a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies; determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element; determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element; determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element; in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user; wherein the scope of the first access control metadata element comprises a subdirectory; and wherein the scope of the second access control metadata element comprises a directory in which the subdirectory is located.
-
Specification