Rule-based access control list management
First Claim
1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, wherein the access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object, the access control list rule store contains access control rules applicable to the object and a user, and the access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
receiving a request from a requesting user to access a file system object;
in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function of the atime and mtime metadata entries for the object and the requesting user, by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object, and by determining a first-modification time period that elapses from a date and time of a first modification of the requested object by the requesting user, as indicated by a validity field within the vtime metadata entry for the requesting user and the requested object, to the date and time of the request and comparing the elapsed first-modification time period to the validity time period, and as a function of the access control list rule that is applicable to the requesting user and the requested object;
in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user, permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to a date and time of the object modification;
wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
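The decision and update steps of claim 1, worked through as an added illustration; this is not part of the patent and not the patentee's code. It assumes an in-memory Python model in which dtime is a (begin, end) pair, vtime is a validity period whose clock starts at the user's first modification, and the rule store maps each user to the operations it allows; the type names, the `authorize`/`record_modification`/`invalidate` helpers and the sample timeline are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class AclEntry:
    """Per-object, per-user ACL metadata named in claim 1 (hypothetical field layout)."""
    dtime: Tuple[datetime, datetime]        # duration constraint: begin/end of the access window
    vtime: timedelta                        # validity period counted from this user's first modification
    atime: Optional[datetime] = None        # date/time of the last grant or denial
    mtime: Optional[datetime] = None        # date/time of the last modification
    first_mod: Optional[datetime] = None    # validity field: when this user first modified the object
    nuse: int = 0                           # count of granted accesses
    valid: bool = True                      # False once the entry has been invalidated


@dataclass
class AclRule:
    """Rule from the object's rule store (assumed shape: allowed operations per user)."""
    allow_read: bool = True
    allow_modify: bool = False


@dataclass
class FsObject:
    name: str
    entries: Dict[str, AclEntry] = field(default_factory=dict)  # one entry per user
    rules: Dict[str, AclRule] = field(default_factory=dict)     # one rule per user


def authorize(obj: FsObject, user: str, now: datetime, modify: bool) -> bool:
    """Decide a request and update only the requesting user's atime/nuse."""
    entry = obj.entries.get(user)
    rule = obj.rules.get(user)
    if entry is None or rule is None or not entry.valid:
        return False  # assumption: no live entry/rule for this user means nothing to update
    begin, end = entry.dtime
    ok = begin <= now <= end  # the request must fall inside the dtime window
    if ok and entry.first_mod is not None:
        # time elapsed since the first modification must not exceed the validity period
        ok = (now - entry.first_mod) <= entry.vtime
    if ok:
        ok = rule.allow_modify if modify else rule.allow_read
    # atime records the request time on both grant and denial
    entry.atime = now
    if ok:
        entry.nuse += 1
    return ok


def record_modification(obj: FsObject, user: str, when: datetime) -> None:
    """Called once a granted access has actually changed the object: update mtime."""
    entry = obj.entries[user]
    entry.mtime = when
    if entry.first_mod is None:
        entry.first_mod = when  # starts the vtime validity clock for this user


def invalidate(obj: FsObject, user: str) -> None:
    """The third update kind in claim 1: invalidate this user's entry only."""
    obj.entries[user].valid = False


def demo() -> dict:
    """Constructed scenario: two users share one object, each with an independent entry."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed sample timeline
    obj = FsObject("report.txt")
    for user in ("alice", "bob"):
        obj.entries[user] = AclEntry(dtime=(t0, t0 + timedelta(days=7)), vtime=timedelta(hours=2))
        obj.rules[user] = AclRule(allow_modify=True)

    granted = authorize(obj, "alice", t0 + timedelta(hours=1), modify=True)
    record_modification(obj, "alice", t0 + timedelta(hours=1))
    # 3 hours after alice's first modification the 2-hour validity period has lapsed
    expired = authorize(obj, "alice", t0 + timedelta(hours=4), modify=True)
    # bob asks a day before his window opens: denied, and only bob's atime moves
    early = authorize(obj, "bob", t0 - timedelta(days=1), modify=False)
    invalidate(obj, "bob")
    after_invalidate = authorize(obj, "bob", t0 + timedelta(hours=1), modify=False)

    a, b = obj.entries["alice"], obj.entries["bob"]
    return {
        "alice_granted": granted,
        "alice_expired": expired,
        "bob_early": early,
        "bob_after_invalidate": after_invalidate,
        "alice_nuse": a.nuse,
        "bob_nuse": b.nuse,
        "alice_atime": a.atime.isoformat(),
        "alice_mtime": a.mtime.isoformat(),
        "bob_atime": b.atime.isoformat(),
        "bob_mtime": b.mtime,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping one `AclEntry` per user in a dictionary is what gives the claim's "does not overwrite" property: a denial for bob touches only bob's atime, and alice's nuse and mtime survive unchanged. The vtime check is the part worth noticing from a least-privilege standpoint: once a user has modified the object, access lapses after the validity period even though the dtime window is still open, so a time-boxed write grant closes on its own without an administrator revisiting the entry.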
2 Assignments
0 Petitions
Abstract
Access control list entries are managed as a function of access control list entry metadata for the object and the requesting user, and of an access control list rule applicable to the requesting user and the requested object. The access control list entry metadata for the object and the user is updated in response to request authorizations and denials. The access control list entry metadata for the object and the user is linked to the object and the user. Updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
20 Claims
1. (Reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
integrating computer-readable program code into a computer system comprising a processor, a computer readable memory and a computer readable tangible storage medium, wherein the computer readable program code is embodied on the computer readable tangible storage medium and comprises instructions that, when executed by the processor via the computer readable memory, cause the processor to:
providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, wherein the access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object, the access control list rule store contains access control rules applicable to the object and a user, and the access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
receiving a request from a requesting user to access a file system object;
in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function of the atime and mtime metadata entries for the object and the requesting user, by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object, and by determining a first-modification time period that elapses from a date and time of a first modification of the requested object by the requesting user, as indicated by a validity field within the vtime metadata entry for the requesting user and the requested object, to the date and time of the request and comparing the elapsed first-modification time period to the validity time period, and as a function of the access control list rule that is applicable to the requesting user and the requested object;
in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user, permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to indicate a date and time of the object modification;
wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
10. A system on hardware, comprising:
a processor in communication with a computer readable memory and a tangible computer-readable storage medium; wherein the processor, when executing program instructions stored on the tangible computer-readable storage medium via the computer readable memory:
providing to a plurality of users access to a file system, the file system including a plurality of file system objects, each object having, at a level of the file system object, an access control list metadata storage device and an access control list rule storage device, wherein the access control list metadata storage device contains access control list entries that include one each of an access control list time metadata entry (atime), an access control list modification time metadata entry (mtime), a duration constraint metadata entry (dtime), a valid time entry metadata entry (vtime) and an access control list access count metadata entry (nuse) for each of the plurality of different users and the object, the access control list rule store contains access control rules applicable to the object and a user, and the access control list metadata entries for each object and each user are linked to the corresponding objects and users within the file system;
receiving a request from a requesting user to access a file system object;
in response to the request, a processor determining whether the request by the requesting user is authorized for access to the object as a function of the atime and mtime metadata entries for the object and the requesting user, by determining that the date and time of the request falls within a begin date and time of the dtime entry for the requesting user and the requested object and an end date and time of the dtime field for the requesting user and the requested object, and by determining a first-modification time period that elapses from a date and time of a first modification of the requested object by the requesting user, as indicated by a validity field within the vtime metadata entry for the requesting user and the requested object, to the date and time of the request and comparing the elapsed first-modification time period to the validity time period, and as a function of the access control list rule that is applicable to the requesting user and the requested object;
in response to determining that the request by the requesting user is not authorized for access to the object, denying by the processor access to the object by the requesting user, and updating a date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the denying of the request;
in response to determining that the request by the requesting user is authorized for access to the object, granting by the processor access to the object by the user, permitting modification of the object, and updating the date/timestamp field of the access control list atime metadata entry for the object and the requesting user to a date and time of the granting of the request, and incrementing the nuse metadata entry that is applicable to the requesting user and the requested object; and
in response to determining that the requesting user modifies the object in response to the granted access of the object, updating by the processor the date/timestamp field of the access control list mtime metadata entry for the object and the requesting user to a date and time of the object modification;
wherein the access control list entry metadata for the object and the requesting user is linked to the object within the file system;
wherein the updating of the access control list entry metadata entry date/timestamp field for the object and the user comprises at least one of entering a date and time of the request input as a last object metadata entry, incrementing a count of access of the nuse metadata entry for the object and the user and invalidating the user access control list entry; and
wherein the updating of the access control list atime and mtime entry date/timestamp fields and the incrementing the access control list nuse metadata entry for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
Dependent claims: 11, 12, 13, 14, 15
16. An article of manufacture, comprising:
a computer readable tangible storage device having computer readable program code embodied therewith, the computer readable program code comprising instructions that, when executed by a computer processor, cause the computer processor to:
in response to an object access request input that is associated with a file system object and a user having an access control list entry within a file system at a level of the file system object, determine whether a request by the user is authorized for access to the object as a function of an access control list access time metadata entry (atime) and an access control list modification time metadata entry (mtime) for the object and the requesting user that are each stored in an access control list metadata storage device, and as a function of an access control list rule that is stored in an access control list rule storage device that is applicable to the requesting user and the requested object, wherein the stored access control list metadata entries comprise one each of a plurality of different atime and mtime entries for the object for each of a plurality of different users that includes the requesting user;
in response to a determination that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update a date/timestamp field of the access control list metadata entry for the object and the user to indicate the date and time of the request as a date and time of the denial, wherein the stored access control list metadata entries comprise one each of a plurality of different atime and mtime entries for the object for each of a plurality of different users that includes the requesting user;
in response to a determination that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the granted access, and increment an access control list access count metadata entry (nuse) that is stored in the access control list rule storage device and applicable to the requesting user and the requested object, wherein the access control list metadata comprises one each of a plurality of different nuse metadata entries for the object for each of the plurality of different users that includes the requesting user; and
in response to a determination that the user modifies the object in response to the granted access to the object, update the date/timestamp field of the access control list atime metadata entry for the object and the user to indicate the date and time of the request as a date and time of the object modification; and
wherein the access control list metadata entry for the object and the user is linked to the object and the user within the file system;
wherein the update of the access control list date/timestamp field of the metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, incrementing a count of accesses of the nuse metadata entry for the object and the user, and invalidating the user access control list metadata entry for the object and the user; and
wherein the update of the access control list date/timestamp fields of the atime and mtime metadata entries, and the increment of the access control list nuse metadata entry, for the object and the user does not overwrite any other ones of the stored plurality of different atime, mtime and nuse metadata entries that are each associated with the object and with others of the plurality of users that are each different from the user.
Dependent claims: 17, 18, 19, 20
Specification