Method and apparatus for extensible security authorization grouping
Abstract
A method and apparatus for providing an extensible grouping mechanism for security applications in a computer system. Groups may be established and maintained by non-system administrators and used to control the actions that are taken with respect to objects, such as files and other resources. The groups and their associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization before performing requested actions on objects whose access is not controlled by a systems administrator.
Claims
1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups that does not include permission information, each group including at least one of the plurality of users; and
- an authorization service, which is separate from the group service, that determines permission for one of the plurality of users to perform a first action using a first software product with respect to a first object based on group information for the one of the plurality of users obtained from the group service and based on corresponding permission information held by the authorization service and stored separately from the store of groups of the group service, and that determines permission for one of the plurality of users to perform a second action using a second software product with respect to a second object, the permission information indicating authorization for at least one group or user to perform at least one action with respect to an object for the plurality of software products;
wherein the permission information held by the authorization service comprises:
- securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, wherein the securable object class information does not include user information or group information;
- object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
- authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, wherein each authorization entry corresponds to an object identifier in the object registration information, and wherein the authorization entries do not determine group membership.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups that does not include permission information, each group including at least one of the plurality of users; and
- an authorization service, which is separate from the group service, that determines permission for at least one user to perform an action with respect to an object based on group information for the at least one user obtained from the group service and based on permission information held by the authorization service and stored separately from the store of groups of the group service, the permission information corresponding to the obtained group information and indicating at least one action that may be performed with respect to an object by at least one group or user;
wherein the permission information held by the authorization service comprises:
- securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, wherein the securable object class information does not include user information or group information;
- object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
- authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, wherein each authorization entry corresponds to an object identifier in the object registration information, and wherein the authorization entries do not determine group membership;
and wherein at least one non-system administrator defines at least some of the permission information to assign authorization to one or more groups or users to perform a first action with respect to a first object using a first software product, and wherein at least one non-system administrator assigns authorization to one or more groups or users to perform a second action with respect to a second object using a second software product.
Dependent claims: 11, 12, 13, 14.
15. A computer-implemented method for operating a computer system, comprising:
- receiving a first request regarding a first action requested to be performed by a first user with respect to a first object using a first software product, access to the first object being unrestricted by permissions established by a systems administrator;
- obtaining first group information from a group service having a store of groups that does not include permission information, the information indicating that the first user is associated with at least one group;
- determining authorization, using a processor of the computer system, for the first user to perform the first action using the first software product based on the first group information obtained from the group service and permission information, which is stored separately from the store of groups of the group service, the permission information defining authorization for at least one group to perform at least one action with respect to at least one object;
wherein the permission information comprises:
- securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, and wherein the securable object class information does not include user information or group information;
- object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
- authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, and wherein each authorization entry corresponds to an object identifier in the object registration information;
- receiving a second request regarding a second action requested to be performed by a second user with respect to a second object using a second software product, access to the second object being unrestricted by permissions established by a systems administrator;
- obtaining second group information from the group service indicating that the second user is associated with at least one group; and
- determining authorization, using the processor of the computer system, for the second user to perform the second action using the second software product based on the obtained second group information and the permission information.
Dependent claims: 16, 17, 18.
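The separation the claims describe (a group store that holds membership only, an authorization service that holds securable object classes, object registrations and ACEs, and any software product asking that service for a decision) as an added Python model; this is example code, not the patent's own, and every class name, object id and sample value is constructed.

```python
# Added example, not the patent's own code; names and sample data are constructed.
class GroupService:
    """Store of groups (group name -> set of users); holds no permission data."""
    def __init__(self, groups):
        self.groups = groups

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}


class AuthorizationService:
    """Permission information, held separately from the group store."""
    def __init__(self, group_service):
        self.group_service = group_service
        self.object_classes = {}  # object type -> complete set of actions
        self.registry = {}        # object id -> object type (a defined class)
        self.aces = []            # (object id, group or user, allowed, denied)

    def define_class(self, obj_type, actions):
        self.object_classes[obj_type] = set(actions)

    def register(self, object_id, obj_type):
        if obj_type not in self.object_classes:
            raise ValueError(f"unknown object type {obj_type!r}")
        self.registry[object_id] = obj_type

    def add_ace(self, object_id, principal, allow=(), deny=()):
        if object_id not in self.registry:
            raise ValueError(f"unregistered object {object_id!r}")
        self.aces.append((object_id, principal, set(allow), set(deny)))

    def is_authorized(self, user, action, object_id):
        obj_type = self.registry.get(object_id)
        if obj_type is None or action not in self.object_classes[obj_type]:
            return False  # unregistered object, or action not in its class
        principals = {user} | self.group_service.groups_of(user)
        hits = [a for a in self.aces if a[0] == object_id and a[1] in principals]
        if any(action in denied for _, _, _, denied in hits):
            return False  # an explicit deny for the user or any of their groups wins
        return any(action in allowed for _, _, allowed, _ in hits)


def build_demo():
    # Constructed scenario: a non-administrator grants the "reviewers" group document rights.
    az = AuthorizationService(GroupService({"reviewers": {"alice", "bob"}}))
    az.define_class("document", {"read", "comment", "delete"})
    az.register("doc-42", "document")
    az.add_ace("doc-42", "reviewers", allow={"read", "comment"})
    az.add_ace("doc-42", "bob", deny={"comment"})  # bob's own entry overrides the group
    return az
```

Any product calls `is_authorized` with the user, the action and the object id; the service never consults the product's own access lists, and group membership is resolved only through the group service.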