Rule-based access control list management

US 9,002,890 B2
Filed: 03/14/2012
Issued: 04/07/2015
Est. Priority Date: 03/14/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:

providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, whereinthe access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object,the access control list rule store contains access control rules applicable to the object and a user, andthe access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;

receiving a request from a requesting user to access a file system object;

in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function the atime and mtime metadata entries for the object and the requesting user by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object and by determining a first-modification time period that is elapse from a date and time of a first modification of the requested object by the requesting user that is indicated by a validity field within the vtime metadata entry for the requesting user and the requested object to the date and time of the request and comparing the elapsed first-modification time period to the validity time period and as a function of the access control list rule that is applicable to the requesting user and the requested object;

in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;

in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and

in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to a date and time of the object modification;

wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;

wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and

wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control list entries are managed as a function of access control list entry metadata for the object and the requesting user, and of an access control list rule applicable to the requesting user and the requested object. The access control list entry metadata for the object and the user is updated in response to request authorizations and denials. The access control list entry metadata for the object and the user is linked to the object and the user. Updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.

20 Citations

View as Search Results

20 Claims

1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
- providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, whereinthe access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object,the access control list rule store contains access control rules applicable to the object and a user, andthe access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
  
  receiving a request from a requesting user to access a file system object;
  
  in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function the atime and mtime metadata entries for the object and the requesting user by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object and by determining a first-modification time period that is elapse from a date and time of a first modification of the requested object by the requesting user that is indicated by a validity field within the vtime metadata entry for the requesting user and the requested object to the date and time of the request and comparing the elapsed first-modification time period to the validity time period and as a function of the access control list rule that is applicable to the requesting user and the requested object;
  
  in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
  
  in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
  
  in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to a date and time of the object modification;
  
  wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
  
  wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
  
  wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the object access request input associated with the specific file system object is at least one of:
    - a periodic query of the access control list entry metadata for the object and the user by an access control list administrator or owner of the file system object, and the updating of the access control list entry metadata for the object and the user comprises pruning a plurality of access control list entries by invalidating the user access control list entry; and
      
      a request by the user to access the object, and the updating of the access control list entry metadata for the object and the user comprises at least one of entering the time and date of the request input in the date/timestamp field of the access control list atime and the mtime metadata entries as the last object access metadata entry, and incrementing the count of accesses of the access control list nuse metadata entry for the object and the user.
  - 3. The method of claim 1,the method further comprising:
    - in response to determining that the date and time of the request falls within a begin date and time of a Begin Date/Time field of the access control list dtime entry for the user and the object, and an end date and time of an End Date/Time field of user access control list dtime entry for the user and the object, granting access to the object by the user for modification of the object and updating the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as the date and time of the granted access; and
      
      in response to determining that the date and time of the request does not fall within the dates and times of the Begin Date/Time field and the End Date/Time field of the access control list dtime entry for the user and the object, denying access to the object by the user and updating the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as the date and time of the denied access.
  - 4. The method of claim 2, wherein the access control list metadata that is applicable to the requesting user and the requested object comprises an inactivity time period metadata entry (itime) for the requesting user that specifies an inactivity time period wherein a permission for access to the object by the requesting user expires upon an elapse of the inactivity time period, wherein the stored access control list metadata entries comprise one each of a plurality of different itime entries for the object for each of the plurality of different users that includes the requesting user;
    - andthe method further comprising;
      
      determining a last-modification time period elapsed since a date and time of a last modification of the object by the user that is indicated by the mtime metadata entry for the user and the object;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      in response to determining that the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user, and updating the access control list atime and mtime metadata entries for the user and the object to indicate the date and time of the request as a date and time of an access to the object by the user pursuant to the granted access; and
      
      in response to determining that the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list atime entry metadata for the object and the user to indicate the date and time of the request as a date and time of the denying the access to the object by the user.
  - 5. The method of claim 1,the method further comprising:
    - in response to determining that the elapsed first-modification time period is less than the validity time period, granting access to the object by the user for modification of the object and updating the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to determining that the elapsed first-modification time period is not less than the validity time period, denying access to the object by the user and updating the access control list atime entry metadata for the object and the user to indicate the date and time of the request as a date and time of the denying the access to the object by the user.
  - 6. The method of claim 2, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user;
    - andthe method further comprising;
      
      comparing the incremented total number of accesses of the object by the user indicated by an access count field within the nuse metadata entry for the object and the requesting user to the specified threshold number of permitted accesses;
      
      in response to determining that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the requesting user and the object is less than the specified threshold number of permitted accesses, granting access to the object by the user for modification of the object and updating the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to determining that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the requesting user and the object is not less than the specified threshold number of permitted accesses;
      
      denying access to the object by the user and updating the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denying the access to the object by the user;
      
      orgranting access to the object by the user for modification of the object and updating the date/timestamp field of the access control list mtime metadata entry for the object and the user with the date and time of the request as a threshold event date and time.
  - 7. The method of claim 6, wherein the access control list metadata that is applicable to the requesting user and the requested object further comprises an inactivity time period metadata entry (itime) for the requesting user that specifies an inactivity time period wherein a permission for access to the object by the requesting user expires upon an elapse of the inactivity time period, wherein the stored access control list metadata entries comprise one each of a plurality of different itime entries for the object for each of the plurality of different users that includes the requesting user;
    - andthe method further comprising;
      
      in response to the step of determining that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the requesting user and the object is not less than the specified threshold number of permitted accesses, updating the access control list itime metadata entry for the object and the user with the threshold date and time of the request as an initial inactivity time period event date and time;
      
      in response to another object access request input associated with the object and the user, determining a last-modification time period elapsed since the threshold event date and time set within the access control list itime metadata entry;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      in response to determining that the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user for modification of the object and updating the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to determining that the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list atime entry metadata for the object and the user to indicate the date and time of the request as a date and time of the denying the access to the object by the user.
  - 8. The method of claim 6, wherein the access control list metadata that is applicable to the requesting user and the requested object further comprises a valid time metadata entry (vtime) for the requesting user that specifies a validity time period that commences upon a first date and time of access of the object by the requesting user that is indicated by a validity field within the vtime metadata entry, wherein the stored access control list metadata entries comprise one each of a plurality of different vtime entries for the object for each of the plurality of different users that includes the requesting user;
    - andthe method further comprising;
      
      in response to the step of determining that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the requesting user and the object is not less than the specified threshold number of permitted accesses, updating the access control list vtime metadata entry for the object and the user with the threshold date and time of the request as the first date and time of access of the object by the requesting user that is indicated by the validity field within the vtime metadata entry;
      
      in response to another object access request input associated with the object and the user, determining a last-modification time period elapsed since the threshold event date and time set within the access control list vtime metadata;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      in response to determining that the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user for modification of the object and updating the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to determining that the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list entry atime metadata for the object and the user to indicate the date and time of the request as a date and time of the denying the access to the object by the user.

9. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
- integrating computer-readable program code into a computer system comprising a processor, a computer readable memory and a computer readable tangible storage medium, wherein the computer readable program code is embodied on the computer readable tangible storage medium and comprises instructions that, when executed by the processor via the computer readable memory, cause the processor to;
  
  providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, whereinthe access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object,the access control list rule store contains access control rules applicable to the object and a user, andthe access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
  
  receiving a request from a requesting user to access a file system object;
  
  in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function the atime and mtime metadata entries for the object and the requesting user by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object and by determining a first-modification time period that is elapse from a date and time of a first modification of the requested object by the requesting user that is indicated by a validity field within the vtime metadata entry for the requesting user and the requested object to the date and time of the request and comparing the elapsed first-modification time period to the validity time period and as a function of the access control list rule that is applicable to the requesting user and the requested object;
  
  in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
  
  in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
  
  in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to indicate a date and time of the object modification;
  
  wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
  
  wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
  
  wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.

10. A system on hardware, comprising:
- a processor in communication with a computer readable memory and a tangible computer-readable storage medium;
  
  wherein the processor, when executing program instructions stored on the tangible computer-readable storage medium via the computer readable memory;
  
  providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, whereinthe access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object,the access control list rule store contains access control rules applicable to the object and a user, andthe access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
  
  receiving a request from a requesting user to access a file system object;
  
  in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function the atime and mtime metadata entries for the object and the requesting user by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object and by determining a first-modification time period that is elapse from a date and time of a first modification of the requested object by the requesting user that is indicated by a validity field within the vtime metadata entry for the requesting user and the requested object to the date and time of the request and comparing the elapsed first-modification time period to the validity time period and as a function of the access control list rule that is applicable to the requesting user and the requested object;
  
  in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
  
  in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
  
  in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to a date and time of the object modification;
  
  wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
  
  wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
  
  wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the object access request input associated with the specific file system object is at least one of:
    - a periodic query of the access control list entry metadata for the object and the user by an access control list administrator or owner of the file system object, and the update of the access control list entry metadata for the object and the user comprises pruning a plurality of access control list entries by invalidating the user access control list entry; and
      
      a request by the user to access the object, and the update of the access control list entry metadata for the object and the user comprises at least one of entering the time and date of the request input in the date/timestamp field of the access control list atime and the mtime metadata entries as the last object access metadata entry, and incrementing the count of accesses of the access control list nuse metadata entry for the object and the user.
  - 12. The system of claim 10, further comprising:
    - in response to a determination that the date and time of the request falls within a begin date and time of a Begin Date/Time field of the access control list dtime entry for the requesting user and the object, and an end date and time of an End Date/Time field of the access control list dtime entry for the requesting user and the object, grants access to the object by the user for modification of the object and updates the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as the date and time of the granted access; and
      
      in response to a determination that the date and time of the request does not fall within the dates and times of the Begin Date/Time field and the End Date/Time field of the access control list dtime entry for the user and the object, denies access to the object by the user and updates the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as the date and time of the denial of the request.
  - 13. The system of claim 11, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user, and wherein the processor, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - compares the incremented total number of accesses of the object by the user indicated by an access count field within the nuse metadata entry for the object and the user to the specified threshold number of permitted accesses;
      
      in response to a determination that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the object and the user is less than the specified threshold number of permitted accesses, grants access to the object by the user for modification of the object and updates the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the user and the object is not less than the specified threshold number of permitted accesses;
      
      denies access to the object by the user and updates the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial the access to the object by the user;
      
      orgrants access to the object by the user for modification of the object and updates the date/timestamp field of the access control list mtime metadata entry for the object and the user with the date and time of the request as a threshold event date and time.
  - 14. The system of claim 13, wherein the access control list metadata that is applicable to the requesting user and the requested object further comprises an inactivity time period metadata entry (itime) for the requesting user that specifies an inactivity time period, wherein the stored access control list metadata entries comprise one each of a plurality of different itime entries for the object for each of the plurality of different users that includes the requesting user, and wherein the processor, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - in response to another object access request input associated with the object and the user, determines a last-modification time period elapsed since the threshold event date and time set within the mtime metadata entry for the user and the object;
      
      compares the elapsed last-modification time period to the inactivity time period;
      
      in response to a determination that the elapsed last-modification time period is less than the inactivity time period, grants access to the object by the user for modification of the object and updates the date/timestamp field of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the elapsed last-modification time period is not less than the inactivity time period, denies access to the object by the user and updates the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial.
  - 15. The system of claim 10, further comprising:
    - in response to another object access request input associated with the object and the user, determines a last-modification time period elapsed since the threshold event date and time setwithin the vtime metadata entry for the user and the object to the date and time of the request;
      
      compares the elapsed last-modification time period to the inactivity time period;
      
      in response to a determination that the elapsed last-modification time period is less than the inactivity time period, grants access to the object by the user for modification of the object and updates the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the elapsed last-modification time period is not less than the inactivity time period, denies access to the object by the user and updates the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial of the access to the object by the user.

16. An article of manufacture, comprising:
- a computer readable tangible storage device having computer readable program code embodied therewith, the computer readable program code comprising instructions that, when executed by a computer processor, cause the computer processor to;
  
  in response to an object access request input that is associated with a file system object and a user having an access control list entry within a file system at a level of the file system object, determine whether a request by the user is authorized for access to the object as a function of an access control list access time metadata entry (atime) and an access control list modification time metadata entry (mtime) for the object and the requesting user that are each stored in an access control list metadata storage device, and as a function of an access control list rule that is stored in an access control list rule storage device that is applicable to the requesting user and the requested object, wherein the stored access control list metadata entries comprise one each of a plurality of different atime and mtime entries for the object for each of a plurality of different users that includes the requesting user;
  
  in response to a determination that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update a date/timestamp field of the access control list metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial, wherein the stored access control list metadata entries comprise one each of a plurality of different atime and mtime entries for the object for each of a plurality of different users that includes the requesting user;
  
  in response to a determination that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the granted access, and increments an access control list access count metadata entry (nuse) that is stored in the access control list rule storage device and applicable to the requesting user and the requested object, wherein the access control list metadata comprises one each of a plurality of different nuse metadata entries for the object for each of the plurality of different users that includes the requesting user; and
  
  in response to a determination that the user modifies the object in response to the granted access to the object, update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the object modification; and
  
  wherein the access control list metadata entry for the object and the user is linked to the object and the user within the file system;
  
  wherein the update of the access control list date/timestamp field of the metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, incrementing a count of accesses of the nuse metadata entry for the object and the user, and invalidating the user access control list metadata entry for the object and the user; and
  
  wherein the update of the access control list date/timestamp fields of the atime and mtime metadata entries, and the increment of the access control list nuse metadata entry, for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of manufacture of claim 16, wherein the access control list metadata that is applicable to the requesting user and the requested object comprises an inactivity time period metadata entry (itime) for the requesting user that specifies an inactivity time period wherein a permission for access to the object by the requesting user expires upon an elapse of the inactivity time period, wherein the stored access control list metadata entries comprise one each of a plurality of different itime entries for the object for each of the plurality of different users that includes the requesting user, and wherein the computer readable program code instructions, when executed by the computer processor, further cause the computer processor to:
    - determine a last-modification time period elapsed since a date and time of a last modification of the object by the user that is indicated by an access field within the mtime metadata entry for the user and the object;
      
      compare the elapsed last-modification time period to the inactivity time period;
      
      in response to a determination that the elapsed last-modification time period is less than the inactivity time period, grant access to the object by the user, and update the date/timestamp field of the access control list atime and mtime metadata entries to indicate the date and time of the request as a date and time of an access to the object by user pursuant to the granted access; and
      
      in response to a determination that the elapsed last-modification time period is not less than the inactivity time period, deny access to the object by the user and update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial.
  - 18. The article of manufacture of claim 17, wherein the access control list metadata that is applicable to the requesting user and the requested object comprises a valid time metadata entry (vtime) for the requesting user that specifies a validity time period that commences upon a first date and time of access of the object by the user that is indicated by a validity field within the vtime metadata entry for the requesting user and the object to the date and time of the request, wherein the stored access control list metadata entries comprise one each of a plurality of different vtime entries for the object for each of the plurality of different users that includes the requesting user, and wherein the computer readable program code instructions, when executed by the computer processor, further cause the computer processor to:
    - determine a first-modification time period elapsed since a date and time of a first modification of the object by the user that is indicated by a validity field within the vtime metadata entry;
      
      compare the elapsed first-modification time period to the validity time period;
      
      in response to a determination that the elapsed first-modification time period is less than the validity time period, grant access to the object by the user for modification of the object and update the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the elapsed first-modification time period is not less than the validity time period, deny access to the object by the user and update the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial.
  - 19. The article of manufacture of claim 18, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user, and wherein the computer readable program code instructions, when executed by the computer processor, further cause the computer processor to:
    - compare the incremented total number of accesses of the object by the user indicated by an access count field within the nuse metadata entry for the user and the object to the specified threshold number of permitted accesses;
      
      in response to a determination that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the user and the object is less than the specified threshold number of permitted accesses, grant access to the object by the user for modification of the object and update the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the incremented total number of accesses of the object by the user indicated by the access count field within the nuse metadata entry for the user and the object is not less than the specified threshold number of permitted accesses;
      
      deny access to the object by the user and update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial;
      
      orgrant access to the object by the user for modification of the object and update the date/timestamp field of the access control list mtime metadata entry for the object and the user with the date and time of the request as a threshold event date and time.
  - 20. The article of manufacture of claim 19, wherein the access control list metadata that is applicable to the requesting user and the requested object further comprises an inactivity time period metadata entry (itime) for the requesting user that specifies an inactivity time period, wherein the stored access control list metadata entries comprise one each of a plurality of different itime entries for the object for each of the plurality of different users that includes the requesting user, and wherein the computer readable program code instructions, when executed by the computer processor, further cause the computer processor to:
    - in response to another object access request input associated with the object and the user, determine a last-modification time period elapsed since the threshold event date and time set within the mtime metadata entry for the user and the object;
      
      compare the elapsed last-modification time period to the inactivity time period;
      
      in response to a determination that the elapsed last-modification time period is less than the inactivity time period, grant access to the object by the user for modification of the object and update the date/timestamp fields of the access control list atime and mtime metadata entries for the object and the user to indicate the date and time of the request as a date and time of the granted access; and
      
      in response to a determination that the elapsed last-modification time period is not less than the inactivity time period, deny access to the object by the user and update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Price, Jeffrey K., Wentworth, Robert R., Wood, Stanley C., Sur, Prabhat
Primary Examiner(s)
Jalil, Neveen Abel
Assistant Examiner(s)
ELLIS, MATTHEW J

Application Number

US13/419,517
Publication Number

US 20130246470A1
Time in Patent Office

1,119 Days
Field of Search

707/783, 707/782, 707/790
US Class Current

707/783
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/604   Tools and structures for ma...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Rule-based access control list management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based access control list management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links