Client based resource isolation with domains

US 9,189,643 B2
Filed: 11/26/2012
Issued: 11/17/2015
Est. Priority Date: 11/26/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by a computer system, comprising:

determining, in an operating system instance executed by the computer system, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;

determining a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;

determining a first client identifier associated with the first client, wherein the first client identifier uniquely identifies the first client from a plurality of clients;

accessing any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;

accessing any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;

evaluating one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;

evaluating one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;

returning a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and

returning a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may comprise determining, in an operating system instance, that an access control is being attempted to control an object by a user from a first client of a plurality of clients. Domain and client identifiers associated with the user may be determined. Any domain identifiers from a set and any client identifiers from a set may be accessed that may be associated with the object, where the domain identifiers may uniquely identify one or more domains and the client identifiers may uniquely identify one or more clients. One or more domain and client isolation rules may be evaluated to determine whether access control is permitted on the object based on whether a domain identifier is associated with both the object and the user and whether a client identifier is associated with both the object and the client. A permit or deny indication may be returned based on whether or not access control is permitted on the object.

44 Citations

20 Claims

1. A method performed by a computer system, comprising:
- determining, in an operating system instance executed by the computer system, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
  
  determining a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
  
  determining a first client identifier associated with the first client, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
  
  accessing any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  
  accessing any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
  
  evaluating one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
  
  evaluating one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
  
  returning a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
  
  returning a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising returning a permit indication that the first access control is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object and if the object is associated with a client identifier from the first client making the access request.
  - 3. The method of claim 1, wherein the first client represents at least one of an internet protocol address, a range of internet protocol addresses, and a host name.
  - 4. The method of claim 3, wherein the object comprises one of a file, a file system, a volume group, a file set, a device, and any system resource.
  - 5. The method of claim 4, further comprising evaluating the first client identifier and a second client identifier that are both associated with the object, which are stored in a centralized lightweight directory access protocol (LDAP) server.
  - 6. The method of claim 1, further comprising evaluating the one or more domain and client isolation rules stored in a kernel of an operating system.
  - 7. The method of claim 6, wherein the evaluating one or more client isolation rules to determine whether the first access control is permitted on the object comprises:
    - determining that a plurality of client identifiers are indicated as having permission for the object; and
      
      determining whether the plurality of client identifiers includes the first client identifier associated with the first client.
  - 8. The method of claim 1, further comprising:
    - receiving a request for an indication regarding which of a plurality of objects the first user is permitted to access;
      
      accessing any domain identifiers and any client identifiers associated with each of the plurality of objects;
      
      evaluating the one or more domain isolation rules and the one or more client isolation rules to determine whether access by the first user is permitted on each of the plurality of objects; and
      
      returning an indication regarding which of the plurality of objects the first user is permitted to access based on evaluating;
      
      if both the domain isolation rules indicate that the first domain identifier associated with the first user represents a domain that is permitted for a particular object being evaluated of the plurality of objects and the client isolation rules indicate that the first client identifier associated with the first client represents a client permitted for the particular object; and
      
      if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the particular object and if the particular object is unassociated with all client identifiers.
  - 9. The method of claim 1, wherein the first user is a computing system.
  - 10. The method of claim 4, further comprising evaluating the first client identifier, which is fetched from or stored in a kernel of the first client'"'"'s operating system alone.
  - 11. The method of claim 4, further comprising evaluating the second client identifier, which is fetched from or stored in a kernel of the second client'"'"'s operating system alone.

12. A system for determining access control, comprising:
- a processor;
  
  a memory; and
  
  a records display program including a plurality of instructions stored in the memory that, in response to selection of an attribute, are executed by the processor to;
  
  determine, in an operating system instance, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
  
  determine a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
  
  determine a first client identifier associated with the first client, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
  
  access any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  
  access any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
  
  evaluate one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
  
  evaluate one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
  
  return a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
  
  return a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the plurality of instructions stored in the memory that, in response to selection of an attribute, are also executed by the processor to return a permit indication that the first access control is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object and if the object is associated with any client identifiers from the first client making the access request.
  - 14. The system of claim 13, wherein the object comprises a system resource.
  - 15. The system of claim 14, wherein the plurality of instructions stored in the memory that, in response to selection of an attribute, are also executed by the processor to evaluate the first client identifier and a second client identifier that are both associated with the object, the first and second client identifiers being stored in a centralized lightweight directory access protocol (LDAP) server.
  - 16. The system of claim 15, wherein the plurality of instructions stored in the memory that, in response to selection of an attribute, are also executed by the processor to:
    - receive a request for an indication regarding which of a plurality of objects the first user is permitted to access;
      
      access any domain identifiers and any client identifiers associated with each of the plurality of objects;
      
      evaluate the one or more domain isolation rules and the one or more client isolation rules to determine whether access by the first user is permitted on each of the plurality of objects; and
      
      return an indication regarding which of the plurality of objects the first user is permitted to access based on evaluating;
      
      if both the domain isolation rules indicate that the first domain identifier associated with the first user represents a domain that is permitted for a particular object being evaluated of the plurality of objects and the client isolation rules indicate that the first client identifier associated with the first client represents a client permitted for the particular object; and
      
      if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the particular object and if the particular object is unassociated with all client identifiers.

17. A computer program product for determining access control, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising;
  
  computer readable program code configured to;
  
  determine, in an operating system instance, that a first access control is being attempted to control an object by a first user from a first client of a plurality of clients;
  
  determine a first domain identifier associated with the first user, wherein the first domain identifier uniquely identifies a first domain representing a first organizational entity from a plurality of domains representing a plurality of organizational entities;
  
  determine a first client identifier associated with the first user, wherein the first client identifier uniquely identifies the first client from a plurality of clients;
  
  access any domain identifiers stored in the operating system instance associated with the object, wherein any of the domain identifiers are from a set of domain identifiers that uniquely identify one or more domains of the plurality of domains representing one or more organizational entities of the plurality of organizational entities;
  
  access any client identifiers stored in the operating system instance associated with the object, wherein any of the client identifiers are from a set of client identifiers that uniquely identify one or more clients of the plurality of clients;
  
  evaluate one or more domain isolation rules to determine whether the first access control is permitted on the object based on whether the first domain identifier is associated with both the object and the first user;
  
  evaluate one or more client isolation rules to determine whether the first access control is permitted on the object based on whether the first client identifier is associated with both the object and the first client;
  
  return a permit indication that the first access control is permitted on the object if both (1) the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object based on whether the first domain identifier is associated with both the object and the first user and (2) the client isolation rules indicate that the first client identifier represents a client permitted for the object based on whether the first client identifier is associated with both the object and the first client; and
  
  return a deny indication that the first access control is not permitted on the object if either or both of the domain isolation rules indicate that the first domain identifier represents a domain that is not permitted for the object and the client isolation rules indicate that the first client identifier represents a client that is not permitted for the object.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the computer readable program code is further configured to return a permit indication that the first access control is permitted on the object if the domain isolation rules indicate that the first domain identifier represents a domain that is permitted for the object and if the object is associated with client identifiers from the client making the access request.
  - 19. The computer program product of claim 18, wherein the first client represents at least one of an internet protocol address, a range of internet protocol addresses, and a host name.
  - 20. The computer program product of claim 19, wherein the computer readable program code is further configured to evaluate the one or more domain and client isolation rules stored in a kernel of an operating system and a centralized lightweight directory access protocol (LDAP) server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Vidya, Ranganathan, Chandolu, Uma M
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/685,546
Publication Number

US 20140150066A1
Time in Patent Office

1,086 Days
Field of Search

726/1, 726/2, 726/4, 713/164, 713/167, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 61/4523   using lightweight directory...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

Client based resource isolation with domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Client based resource isolation with domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links