Client based resource isolation with domains
Abstract
A method may comprise determining, in an operating system instance, that an access control is being attempted to control an object by a user from a first client of a plurality of clients. Domain and client identifiers associated with the user may be determined. Any domain identifiers from a set and any client identifiers from a set may be accessed that may be associated with the object, where the domain identifiers may uniquely identify one or more domains and the client identifiers may uniquely identify one or more clients. One or more domain and client isolation rules may be evaluated to determine whether access control is permitted on the object based on whether a domain identifier is associated with both the object and the user and whether a client identifier is associated with both the object and the client. A permit or deny indication may be returned based on whether or not access control is permitted on the object.
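The decision described in the abstract can be sketched as follows. This is an added example, not code from the patent; the names `ObjectLabel`, `Request` and `evaluate`, the identifier strings, and the sample objects are all hypothetical. It assumes an object with no stored identifiers fails both rules, since no identifier can then be associated with both the object and the requester.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class ObjectLabel:
    """Identifiers stored with the object in the OS instance (hypothetical layout)."""
    domain_ids: frozenset = field(default_factory=frozenset)
    client_ids: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Request:
    user: str
    user_domain_id: str  # domain identifier determined for the user
    client_id: str       # client identifier determined for the originating client
    operation: str       # the access control being attempted, e.g. "chmod"


def evaluate(req, label):
    """Return (Decision, failed_rules); permit only if BOTH isolation rules pass."""
    failed = []
    # Domain isolation rule: the user's domain must also be tagged on the object.
    if req.user_domain_id not in label.domain_ids:
        failed.append("domain")
    # Client isolation rule: the client's identifier must also be tagged on the object.
    # Evaluated even after a domain failure so an audit record lists every failed rule.
    if req.client_id not in label.client_ids:
        failed.append("client")
    return (Decision.DENY if failed else Decision.PERMIT), failed


# Constructed sample data: an object shared by two domains, reachable from one client.
PAYROLL_DB = ObjectLabel(frozenset({"dom-hr", "dom-finance"}), frozenset({"client-a"}))
UNLABELLED = ObjectLabel()  # no identifiers stored: every request is denied

if __name__ == "__main__":
    for req, label in [
        (Request("alice", "dom-hr", "client-a", "chmod"), PAYROLL_DB),
        (Request("alice", "dom-hr", "client-b", "chmod"), PAYROLL_DB),
        (Request("bob", "dom-eng", "client-a", "chmod"), PAYROLL_DB),
        (Request("bob", "dom-eng", "client-b", "chown"), UNLABELLED),
    ]:
        decision, failed = evaluate(req, label)
        print(req.user, req.client_id, req.operation, decision.value, failed)
```
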
44 Citations
20 Claims
1. A method performed by a computer system, comprising:
- determining, in an operating system instance executed by the computer system, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
- determining a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
- determining a first client identifier associated with the first client, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
- accessing any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
- accessing any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
- evaluating one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
- evaluating one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
- returning a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
- returning a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system for determining access control, comprising:
- a processor;
- a memory; and
- a records display program including a plurality of instructions stored in the memory that, in response to selection of an attribute, are executed by the processor to:
  - determine, in an operating system instance, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
  - determine a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
  - determine a first client identifier associated with the first client, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
  - access any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  - access any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
  - evaluate one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
  - evaluate one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
  - return a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
  - return a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.

Dependent claims: 13, 14, 15, 16
17. A computer program product for determining access control, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising:
- computer readable program code configured to:
  - determine, in an operating system instance, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
  - determine a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
  - determine a first client identifier associated with the first user, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
  - access any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  - access any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
  - evaluate one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
  - evaluate one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
  - return a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
  - return a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.

Dependent claims: 18, 19, 20
Specification