Optimizing a compiled access control table in a content management system

US 9,767,268 B2
Filed: 04/20/2011
Issued: 09/19/2017
Est. Priority Date: 04/20/2011
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

generating, by a processor, a compiled access control list from a plurality of access control lists, one or more sets of group privileges, a set of user information, and one or more sets of user privileges, wherein the compiled access control list includes for each entry a privilege flag indicating a presence of a read privilege in a set of privileges associated with that entry, and wherein the compiled access control list lacks entries for individual group members and includes at least one user group and at least one individual user lacking membership in a group;

responsive to a modification of a number of members within the at least one user group, making no change to the compiled access control list; and

processing, by the processor, a request to permit access to a data object based on one or more entries in the compiled access control list each associated with an access control list for the data object and including the privilege flag indicating the presence of the read privilege.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product, and system for improving the operation and management of a content management system, by managing data security and incremental refreshes of a compiled access control table. A user may be authorized to access an entity such as a data item by reference to a single table that compiles ACL information from a plurality of tables, without repetitive access to several system tables.

101 Citations

View as Search Results

22 Claims

1. A computer implemented method comprising:
- generating, by a processor, a compiled access control list from a plurality of access control lists, one or more sets of group privileges, a set of user information, and one or more sets of user privileges, wherein the compiled access control list includes for each entry a privilege flag indicating a presence of a read privilege in a set of privileges associated with that entry, and wherein the compiled access control list lacks entries for individual group members and includes at least one user group and at least one individual user lacking membership in a group;
  
  responsive to a modification of a number of members within the at least one user group, making no change to the compiled access control list; and
  
  processing, by the processor, a request to permit access to a data object based on one or more entries in the compiled access control list each associated with an access control list for the data object and including the privilege flag indicating the presence of the read privilege.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer implemented method of claim 1, further comprising:
    - deriving the compiled access control list from a set of relevant tables stored in memory; and
      
      selectively updating the compiled access control list responsive to run time modification of the set of relevant tables.
  - 3. The computer implemented method of claim 2, further comprising:
    - maintaining as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to insertion of a row in the user groups table, making no change to the compiled access control list.
  - 4. The computer implemented method of claim 2, further comprising:
    - maintaining as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to deletion of a row from the user groups table, making no change to the compiled access control list.
  - 5. The computer implemented method of claim 2, further comprising:
    - maintaining as one of the set of relevant tables an access codes table, the access codes table comprising code indicia uniquely identifying each of the plurality of access control lists; and
      
      responsive to insertion of a code indicia into the access codes table that impacts an individual user who has super access capability and that is a member of zero user groups, inserting a corresponding entry into the compiled access control list.
  - 6. The computer implemented method of claim 2, further comprising:
    - maintaining as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user; and
      
      maintaining as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group.
  - 7. The computer implemented method of claim 2, further comprising:
    - maintaining as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user;
      
      maintaining as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to updating of a row in the users table for an individual user who is a member of zero user groups and whose corresponding user privilege set indicia includes indicia of super access capability, updating corresponding entries in the compiled access control list for the individual user.
  - 8. The computer implemented method of claim 1, further comprising:
    - identifying one or more user groups within the compiled access control list associated with an access control list for the request to permit access, wherein the request is received from a user; and
      
      determining membership of the user within at least one of the identified one or more user groups with privileges to permit the access of the request.

9. A computer program product comprising:
- a computer readable storage device having computer readable program code stored thereon, the computer readable program code comprising computer readable program code configured to;
  
  generate a compiled access control list from a plurality of access control lists, one or more sets of group privileges, a set of user information, and one or more sets of user privileges, wherein the compiled access control list includes for each entry a privilege flag indicating a presence of a read privilege in a set of privileges associated with that entry, and wherein the compiled access control list lacks entries for individual group members and includes at least one user group and at least one individual user lacking membership in a group;
  
  responsive to a modification of a number of members within the at least one user group, making no change to the compiled access control list; and
  
  process a request to permit access to a data object based on one or more entries in the compiled access control list each associated with an access control list for the data object and including the privilege flag indicating the presence of the read privilege.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer program product of claim 9, wherein the computer readable program code is further configured to:
    - derive the compiled access control list from a set of relevant tables stored in memory; and
      
      selectively update the compiled access control list responsive to run time modification of the set of relevant tables.
  - 11. The computer program product of claim 10, wherein the computer readable program code is further configured to:
    - maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to insertion of a row in the user groups table, make no change to the compiled access control list.
  - 12. The computer program product of claim 10, wherein the computer readable program code is further configured to:
    - maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to deletion of a row from the user groups table, make no change to the compiled access control list.
  - 13. The computer program product of claim 10, wherein the computer readable program code is further configured to:
    - maintain as one of the set of relevant tables an access codes table, the access codes table comprising code indicia uniquely identifying each of the plurality of access control lists; and
      
      responsive to insertion of a code indicia into the access codes table that impacts an individual user who has super access capability and that is a member of zero user groups, insert a corresponding entry into the compiled access control list.
  - 14. The computer program product of claim 10, wherein the computer readable program code is further configured to:
    - maintain as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user; and
      
      maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group.
  - 15. The computer program product of claim 10, wherein the computer readable program code is further configured to:
    - maintain as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user;
      
      maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to updating of a row in the users table for an individual user who is a member of zero user groups and whose corresponding user privilege set indicia includes indicia of super access capability, update corresponding entries in the compiled access control list for the individual user.

16. A system comprising:
- a hardware processor configured with logic to;
  
  generate a compiled access control list from a plurality of access control lists, one or more sets of group privileges, a set of user information, and one or more sets of user privileges, wherein the compiled access control list includes for each entry a privilege flag indicating a presence of a read privilege in a set of privileges associated with that entry, and wherein the compiled access control list lacks entries for individual group members and includes at least one user group and at least one individual user lacking membership in a group;
  
  responsive to a modification of a number of members within the at least one user group, making no change to the compiled access control list; and
  
  process a request to permit access to a data object based on one or more entries in the compiled access control list each associated with an access control list for the data object and including the privilege flag indicating the presence of the read privilege.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system of claim 16, wherein the hardware processor is further configured with logic to:
    - derive the compiled access control list from a set of relevant tables stored in memory; and
      
      selectively update the compiled access control list responsive to run time modification of the set of relevant tables.
  - 18. The system of claim 17, wherein the hardware processor is further configured with logic to:
    - maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to insertion of a row in the user groups table, make no change to the compiled access control list.
  - 19. The system of claim 17, wherein the hardware processor is further configured with logic to:
    - maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to deletion of a row from the user groups table, make no change to the compiled access control list.
  - 20. The system of claim 17, wherein the hardware processor is further configured with logic to:
    - maintain as one of the set of relevant tables an access codes table, the access codes table comprising code indicia uniquely identifying each of the plurality of access control lists; and
      
      responsive to insertion of a code indicia into the access codes table that impacts an individual user who has super access capability and that is a member of zero user groups, insert a corresponding entry into the compiled access control list.
  - 21. The system of claim 17, wherein the hardware processor is further configured with logic to:
    - maintain as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user; and
      
      maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group.
  - 22. The system of claim 17, wherein the hardware processor is further configured with logic to:
    - maintain as one of the set of relevant tables a users table, columns of the users table comprising individual user identification indicia from the set of user information and corresponding user privilege set indicia for at least one individual user;
      
      maintain as one of the set of relevant tables a user groups table, columns of the user groups table comprising group user indicia and individual user identification indicia from the set of user information, and rows of the user groups table corresponding to an individual user that is a member of the at least one user group; and
      
      responsive to updating of a row in the users table for an individual user who is a member of zero user groups and whose corresponding user privilege set indicia includes indicia of super access capability, update corresponding entries in the compiled access control list for the individual user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Truong, Phong Kim, Wang, Eileen HongLian
Primary Examiner(s)
Cao, Phuong Thao

Application Number

US13/090,422
Publication Number

US 20120271854A1
Time in Patent Office

2,344 Days
Field of Search

707785
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 21/6227   where protection concerns t...

Optimizing a compiled access control table in a content management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Optimizing a compiled access control table in a content management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links