System and method for representing multiple security groups as a single data object
First Claim
1. A computer program product stored in a recordable-type storage medium having instructions embodied therein when executed by a data processing system for authenticating an access request in the data processing system, comprising:
- first instructions for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
second instructions for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value, wherein the mask value masks out bits in the group identifier; and
third instructions for authenticating the access request based on the group identifier, group set value and mask value, wherein the third instructions for authenticating the request based on the group identifier, group set value, and mask value include;
instructions for applying the mask value to the group identifier to generate a masked group identifier; and
instructions for comparing the masked group identifier to the group set value;
wherein the instructions for comparing the masked group identifier to the group set value include;
instructions for applying the mask value to the group set value to generate a masked group set value and instructions for comparing the masked group identifier to the masked group set value;
if the masked group identifier matches the masked group set value, then the access request is authorized;
if the masked group identifier does not match the masked group set value, then the access request is denied.
0 Assignments
0 Petitions
Accused Products
Abstract
A system and method for representing multiple security groups as a single data object are provided. With the system and method, a complex group object is created that consists of a group set value and a mask value. The complex group object represents a plurality of groups by the group set value. The mask value is used to apply to group identifiers received during an authentication process to generate a value that is compared against the group set value to determine if the group identifiers are part of the complex group. For example, in a first step of authorization processing, the group identifier received in an authorization request is bit-wise AND'"'"'d with the mask value for the complex group data object. In a second step, the masked group identifier from the received request is compared to the group set value of the complex group object. Such comparison may take the form of masking the group set value and comparing the masked group set value to the masked group identifier from the received request, for example. If the two values match, then access is granted. If the two values do not match, then access is denied.
51 Citations
8 Claims
-
1. A computer program product stored in a recordable-type storage medium having instructions embodied therein when executed by a data processing system for authenticating an access request in the data processing system, comprising:
-
first instructions for receiving the access request, wherein the access request includes a group identifier and designates a resource to which access is requested; second instructions for retrieving a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value, wherein the mask value masks out bits in the group identifier; and third instructions for authenticating the access request based on the group identifier, group set value and mask value, wherein the third instructions for authenticating the request based on the group identifier, group set value, and mask value include; instructions for applying the mask value to the group identifier to generate a masked group identifier; and instructions for comparing the masked group identifier to the group set value; wherein the instructions for comparing the masked group identifier to the group set value include; instructions for applying the mask value to the group set value to generate a masked group set value and instructions for comparing the masked group identifier to the masked group set value; if the masked group identifier matches the masked group set value, then the access request is authorized; if the masked group identifier does not match the masked group set value, then the access request is denied. - View Dependent Claims (2, 3, 4)
-
-
5. An apparatus for authenticating an access request in a data processing system, comprising:
-
a bus system; a storage device connected to the bus system, wherein the storage device includes a set of instuctions; and a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to receive the access request, wherein the access request includes a group identifier and designates a resource to which access is requested;
retrieve a complex group data object associated with the resource, wherein the complex group data object includes a group set value representing a plurality of requestor groups and a mask value, wherein the mask value masks out bits in the group identifier; and
means for authenticate the access request based on the group identifier, group set value and mask value, wherein authenticating the request based on the group identifier, group set value, and mask value includes;applying the mask value to the group identifier to generate a masked group identifier; and comparing the masked group identifier to the group set value; wherein comparing the masked group identifier to the group set value includes; applying the mask value to the group set value to generate a masked group set value and comparing the masked group identifier to the masked group set value; if the masked group identifier matches the masked group set value, then the access request is authorized; if the masked group identifier does not match the masked group set value, then the access request is denied. - View Dependent Claims (6, 7, 8)
-
Specification
-
- Resources
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsHaugh, Julianne Frances
-
Primary Examiner(s)GERGISO, TECHANE
-
Application NumberUS12/337,593Publication NumberTime in Patent Office573 DaysField of Search726/7, 726/27, 713/166US Class Current726/7CPC Class CodesG06F 21/6227 where protection concerns t...
