Inheritance of controls within a hierarchy of data processing system resources

US 20030188198A1
Filed: 12/13/2002
Published: 10/02/2003
Est. Priority Date: 03/28/2002
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus including means for applying access controls to hierarchically organized data processing system resources, the means for applying access controls including:

means for associating a scope of applicability with an access control for a first resource; and

means for controlling the performance of an operation in accordance with the access control, wherein the means for controlling is responsive to a first scope of applicability associated with an access control to limit access control inheritability to less than all descendants of the first resource in the hierarchy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods, apparatus and computer programs for applying access controls to control operations on hierarchically organized data processing system resources. A number of different scopes of applicability can be set in association with an access control, such as an ACL, and this will determine the inheritability, non-inheritability or limited inheritability of the access control for resources in the hierarchy. When a request is received to perform an operation, the access controls for the relevant branch of the hierarchy are processed to determine an applicable access control—taking account of inheritance attributes which have been set for individual access controls. The invention is useful for controlling the application of ACLs to topics in a topic tree within a publish/subscribe message broker.

121 Citations

View as Search Results

20 Claims

1. A data processing apparatus including means for applying access controls to hierarchically organized data processing system resources, the means for applying access controls including:
- means for associating a scope of applicability with an access control for a first resource; and
  
  means for controlling the performance of an operation in accordance with the access control, wherein the means for controlling is responsive to a first scope of applicability associated with an access control to limit access control inheritability to less than all descendants of the first resource in the hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A data processing apparatus according to claim 1, wherein the means for controlling is also responsive to an alternative scope of applicability for an access control to enable access control inheritability by all resources which are descendants of the first resource in the hierarchy.
  - 3. A data processing apparatus according to claim 1, wherein said means for controlling is responsive to said first scope of applicability to prevent access control inheritance.
  - 4. A data processing apparatus according to claim 1, wherein said means for controlling is responsive to a particular scope of applicability to limit access control inheritability to a subset of one or more of said descendants which is less than all descendants.
  - 5. A data processing apparatus according to claim 1, wherein said means for controlling is responsive to a particular scope of applicability to limit the applicability of an access control to one or more descendants such that the first resource is excluded from said scope of applicability.
  - 6. A data processing apparatus according to claim 1, wherein said access controls are implemented using ACLs.
  - 7. A data processing apparatus according to claim 3, wherein said access controls are implemented using ACLs and wherein said means for associating said first scope of applicability with an access control comprises means for setting a non-inheritability attribute on an ACL.
  - 8. A data processing apparatus according to claim 1, wherein said first resource is located on a branch of the hierarchy which has a set of access controls associated therewith, and wherein said means for controlling includes means for evaluating the set of access controls in accordance with their respective associated scopes of applicability to determine an applicable access control for a resource.
  - 9. A data processing apparatus according to claim 8, wherein said means for evaluating is adapted to determine the applicability of inheritable access controls to resources on said branch of the hierarchy and subsequently to evaluate the effect of non-inheritable access controls on said resources on said branch, thereby to determine an applicable access control for the resource.
  - 10. A data processing apparatus according to claim 1, wherein said hierarchically organized data processing system resources comprise an hierarchy of message topics within a message broker.

11. A message broker for distributing messages to subscriber application programs in accordance with topic-based subscriptions, the broker including means for applying access controls to hierarchically organized message topics, the means for applying access controls including:
- means for associating a scope of applicability with an access control for a first message topic; and
  
  means for controlling the performance of an operation in accordance with the access control, wherein the means for controlling is responsive to a first scope of applicability for an access control to limit access control inheritability to less than all descendants of the first message topic in the hierarchy.
- View Dependent Claims (12, 13)
- - 12. A message broker according to claim 11, wherein the means for controlling is also responsive to an alternative scope of applicability for an access control to enable access control inheritability by all topics which are descendants of the first topic in the hierarchy.
  - 13. A message broker according to claim 11, wherein the means for controlling is responsive to said first scope of applicability to prevent access control inheritance.

14. A method for applying access controls to hierarchically organized data processing system resources, the method including:
- associating a scope of applicability with an access control for a first resource; and
  
  controlling the performance of an operation in accordance with the access control, wherein the step of controlling is responsive to a first scope of applicability for an access control to limit access control inheritability to less than all descendants of the first resource in the hierarchy.
- View Dependent Claims (15, 16)
- - 15. A method according to claim 14, wherein the step of controlling is also responsive to an alternative scope of applicability for an access control to provide inheritability of said access control by all resources which are descendants of the first resource in the hierarchy.
  - 16. A method according to claim 14, wherein said first resource is located on a branch of the hierarchy which has a set of access controls associated therewith, and wherein said step of controlling includes evaluating the set of access controls in accordance with their respective associated scopes of applicability to determine an applicable access control for a resource.

17. A method for evaluating access controls associated with an hierarchically organized set of data processing system resources, for use in a system in which a scope of applicability can be selected for an access control, wherein the method comprises:
- responsive to an operation request, traversing a branch of the hierarchy corresponding to the resources of the hierarchy which are relevant to a requested operation, to identify access controls associated with the resources of the branch;
  
  determining which of the identified access controls is applicable to the requested operation; and
  
  controlling the requested operation in accordance with the determined applicable access controls;
  
  wherein the step of determining the applicable access controls comprises evaluating a scope of applicability attribute associated with at least one of the identified access controls to determine which data processing system resources inherit access controls from which other resources within the hierarchy.
- View Dependent Claims (18)
- - 18. A method according to claim 17, wherein evaluating a scope of applicability attribute comprises checking whether a flag has been set to indicate non-inheritability of an access control, and determining that an access control is non-inheritable by descendants of the resource within the hierarchy if the flag has been set or, alternatively, determining that an access control is inheritable by all descendant resources if the flag has not been set.

19. A computer program comprising program code for controlling the performance of operations on a data processing apparatus on which the program code executes, to implement a method for applying access controls to hierarchically organized data processing system resources, wherein the method includes:
- associating a scope of applicability with an access control for a first resource; and
  
  controlling the performance of an operation in accordance with the access control, wherein the step of controlling is responsive to a first scope of applicability for an access control to limit access control inheritability to less than all descendants of the first resource in the hierarchy.
- View Dependent Claims (20)
- - 20. A computer program according to claim 19, wherein the step of controlling is also responsive to an alternative scope of applicability for an access control to provide inheritability of said access control by all resources which are descendants of the first resource in the hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Young, Neil G S, Holdsworth, Simon A J

Granted Patent

US 7,917,940 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Inheritance of controls within a hierarchy of data processing system resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Inheritance of controls within a hierarchy of data processing system resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links