Network device management interface having fine-grain access control using regular expressions
First Claim
1. A method comprising:
storing configuration data for a device, wherein the configuration data is arranged in the form of a multi-level configuration hierarchy having a plurality of objects, each of the objects having a textual label and representing a portion of the configuration data;
storing authorization data defining a coarse-grain access control attribute defining access control rights to a first set of one or more objects at and below a level of the hierarchy, and a fine-grain access control attribute and an associated regular expression defining a textual pattern that identifies a second set of one or more of the objects within the configuration hierarchy;
applying the regular expression to a command to determine whether the command requests access to any of the objects within the second set; and
controlling access to configuration data of the device based on the determination by:
allowing access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern; and
denying access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
Abstract
Techniques for controlling access to resources within a device are described. A device is described, for example, that includes a computer-readable medium and a management interface. The computer-readable medium stores configuration data and authorization data. The authorization data defines an access control attribute and an associated regular expression specifying a textual pattern. The management interface receives a text-based command to access the configuration data of the device, evaluates the command using the regular expression, and controls access to the configuration data based on the evaluation.
14 Claims
2. A device comprising:
a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines a fine-grain access control attribute and an associated regular expression specifying a textual pattern, and wherein the authorization data further includes a coarse-grain access control attribute defining access control rights for respective groups of resources provided by the device; and
a management interface that receives a text-based command to access the configuration data, wherein the management interface evaluates the command using the regular expression and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the regular expression,
wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern, and
wherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
(Dependent claims 3 to 10 are not reproduced here.)
11. A device comprising:
a computer-readable medium comprising:
configuration data arranged in the form of a multi-level configuration hierarchy having a plurality of objects, each of the objects having a textual label and representing a portion of the configuration data, and
authorization data that defines a coarse-grain access control attribute defining access control rights to a first set of one or more objects at and below a level of the hierarchy, the authorization data further defining a fine-grain access control attribute and an associated regular expression specifying a textual pattern, wherein the textual pattern identifies a second set of one or more of the objects within the configuration hierarchy; and
a management interface that applies the regular expression to a command to determine whether the command requests access to any of the objects within the set, and controls access to the configuration data based on the determination,
wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern, and
wherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
12. A device comprising:
a computer-readable medium that stores configuration data, wherein the configuration data defines a coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device;
a command line interface to receive a command from a client; and
a management interface that receives input defining a fine-grain access control attribute and an associated regular expression that specifies a textual pattern, wherein the management interface pre-processes the regular expression to automatically insert one or more meta-characters into the regular expression, and stores the access control attribute and the pre-processed regular expression as authorization data to control access to the configuration data,
wherein the management interface evaluates the command in real-time using the pre-processed regular expression as the client enters the command, and
wherein, before the command has been fully received, the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between a portion of the command that has been processed in real time and the textual pattern.
13. A device comprising:
a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines:
a fine-grain access control attribute and an associated regular expression specifying a textual pattern, and
a coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device; and
a management interface that evaluates a command received from a client using the regular expression of the fine-grain access control attribute, and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the command,
wherein the management interface allows access to the configuration data when the coarse-grain access control attribute does not allow access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
14. A device comprising:
a computer-readable medium storing configuration data and authorization data, wherein the authorization data defines:
a fine-grain access control attribute and an associated regular expression specifying a textual pattern, and
a coarse-grain access control attribute that defines access control rights for respective groups of resources provided by the device; and
a management interface that evaluates a command received from a client using the regular expression of the fine-grain access control attribute, and controls access to the configuration data based on the coarse-grain access control attribute and the evaluation of the command,
wherein the management interface denies access to the configuration data when the coarse-grain access control attribute allows access to a requested portion of the configuration data and the regular expression of the fine-grain access control attribute identifies a match between the command and the textual pattern.
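The two overrides recited in claims 1, 2, 11, 13 and 14 (a fine-grain match granting access the coarse-grain attribute withholds, or revoking access it grants), together with the regex pre-processing and real-time prefix evaluation of claim 12, as an added Python illustration that is not part of the patent or of any product implementing it. The hierarchy labels, the command grammar (a verb followed by the top-level object label), the anchoring meta-character chosen for pre-processing, and the sample policy are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: coarse-grain rights keyed by the top-level object label;
# a right covers that object and everything below it in the hierarchy.
COARSE_RIGHTS = {"system": False, "interfaces": True, "protocols": True}

def preprocess(pattern: str) -> re.Pattern:
    """Assumed pre-processing (the claims do not name the meta-characters inserted):
    anchor the pattern so it must match from the start of the command."""
    return re.compile(pattern if pattern.startswith("^") else "^" + pattern)

@dataclass
class Policy:
    allow: list  # fine-grain rules granting access despite a coarse-grain denial
    deny: list   # fine-grain rules revoking access despite a coarse-grain grant

def build_policy(allow_patterns, deny_patterns) -> Policy:
    return Policy([preprocess(p) for p in allow_patterns],
                  [preprocess(p) for p in deny_patterns])

def coarse_allows(tokens) -> bool:
    # Token 1 is the object label ("set interfaces ..."); unknown labels are denied.
    return len(tokens) > 1 and COARSE_RIGHTS.get(tokens[1], False)

def evaluate(policy: Policy, command: str) -> str:
    """Decision on a complete command, applying the two overrides in the claims."""
    if coarse_allows(command.split()):
        return "deny" if any(p.search(command) for p in policy.deny) else "allow"
    return "allow" if any(p.search(command) for p in policy.allow) else "deny"

def real_time_reject(policy: Policy, command: str):
    """Claim-12 style check: test each prefix as it is typed and return the shortest
    prefix at which a deny rule already matches a coarse-allowed object, else None."""
    for n in range(1, len(command) + 1):
        prefix = command[:n]
        tokens = prefix.split()
        label_complete = len(tokens) > 2 or (len(tokens) == 2 and prefix.endswith(" "))
        if label_complete and coarse_allows(tokens) and any(p.search(prefix) for p in policy.deny):
            return prefix
    return None

# Constructed sample policy: read system uptime despite having no "system" rights;
# edit interfaces freely except for deleting the loopback.
POLICY = build_policy([r"show system uptime"], [r"delete interfaces lo0"])
```

With this policy, "delete interfaces lo0 unit 0" is rejected as soon as the prefix "delete interfaces lo0" has been typed, while "show system uptime" is allowed even though the coarse-grain attribute withholds "system".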