RULE-BASED ACCESS CONTROL LIST MANAGEMENT

US 20130246470A1
Filed: 03/14/2012
Published: 09/19/2013
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:

in response to an object access request input associated with a file system object and a user having an access control list entry, a processing unit determining whether a request by the user is authorized for access to the object as a function of access control list entry metadata for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;

if determined that the request by the user is not authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, denying by the processing unit access to the object by the user, and updating the access control list entry metadata for the object and the user to indicate the denying;

if determined that the request by the user is authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, granting by the processing unit access to the object by the user for modification of the object, and updating the access control list entry metadata for the object and the user to indicate the granted access; and

if the user modifies the object in response to the granted access to the object, updating by the processing unit the access control list entry metadata for the object and the user to indicate the object modification; and

wherein the access control list entry metadata for the object and the user is linked to the object and the user;

wherein the updating of the access control list entry metadata for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list entry; and

wherein the updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control list entries are managed as a function of access control list entry metadata for the object and the requesting user, and of an access control list rule applicable to the requesting user and the requested object. The access control list entry metadata for the object and the user is updated in response to request authorizations and denials. The access control list entry metadata for the object and the user is linked to the object and the user. Updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.

57 Citations

View as Search Results

20 Claims

1. A method for managing access control list entries as a function of user-specific object access data, the method comprising:
- in response to an object access request input associated with a file system object and a user having an access control list entry, a processing unit determining whether a request by the user is authorized for access to the object as a function of access control list entry metadata for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
  
  if determined that the request by the user is not authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, denying by the processing unit access to the object by the user, and updating the access control list entry metadata for the object and the user to indicate the denying;
  
  if determined that the request by the user is authorized for access to the object as a function of the access control list entry metadata for the object and the user, and of the access control list rule that is applicable to the requesting user and the requested object, granting by the processing unit access to the object by the user for modification of the object, and updating the access control list entry metadata for the object and the user to indicate the granted access; and
  
  if the user modifies the object in response to the granted access to the object, updating by the processing unit the access control list entry metadata for the object and the user to indicate the object modification; and
  
  wherein the access control list entry metadata for the object and the user is linked to the object and the user;
  
  wherein the updating of the access control list entry metadata for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list entry; and
  
  wherein the updating of the access control list entry metadata for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the object access request input associated with the specific file system object is at least one of:
    - a periodic query of the access control list entry metadata for the object and the user by an access control list administrator or owner of the file system object, and the updating of the access control list entry metadata for the object and the user comprises pruning a plurality of access control list entries by invalidating the user access control list entry; and
      
      a request by the user to access the object, and the updating of the access control list entry metadata for the object and the user comprises at least one of entering the time and date of the request input as the last object access metadata entry, and revising the count of accesses of the object by the user.
  - 3. The method of claim 2, wherein the access control list rule that is applicable to the requesting user and the requested object specifies time period duration constraints comprising begin and end date and times for which the user access control list entry is effective for access to the object by the user;
    - andthe method further comprising;
      
      determining a date and a time of the request by the user to access the object, or of a last modification of the object by the user that is saved to the access control list entry metadata for the object and the user;
      
      if the determined date and time falls within the begin and end date and times of the duration constraints, granting access to the object by the user for modification of the object and updating the access control list metadata for the object and the user to indicate the granted access; and
      
      if the determined date and time does not fall within the begin and end date and times of the duration constraints, denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying.
  - 4. The method of claim 2, wherein the access control list rule that is applicable to the requesting user and the requested object specifies an inactivity time period wherein a permission for access to the object by the user expires upon an elapse of the inactivity time period;
    - andthe method further comprising;
      
      determining a last-modification time period elapsed since a date and time of a last modification of the object by the user that is indicated by an access field within the object metadata entry;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user, and updating the access field within the object metadata entry to indicate an access to the object by user pursuant to the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying.
  - 5. The method of claim 2, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a validity time period that commences upon a first date and time of access of the object by the user that is indicated by a validity field within the object metadata entry;
    - andthe method further comprising;
      
      determining a first-modification time period elapsed since a date and time of a first modification of the object by the user that is indicated by a validity field within the object metadata entry;
      
      comparing the elapsed first-modification time period to the validity time period;
      
      if the elapsed first-modification time period is less than the validity time period, granting access to the object by the user for modification of the object and updating the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed first-modification time period is not less than the validity time period, denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying.
  - 6. The method of claim 2, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user;
    - andthe method further comprising;
      
      revising a total number of accesses of the object by the user indicated by an access count field within the object entry metadata in response to the request by the user to access the object, if the object access request input is the request by the user to access the object;
      
      comparing the total number of accesses of the object by the user indicated by an access count field within the object entry metadata to the specified threshold number of permitted accesses;
      
      if the total number of accesses of the object by the user indicated by the access count field within the object entry metadata is less than the specified threshold number of permitted accesses, granting access to the object by the user for modification of the object and updating the access control list entry metadata for the object and the user to indicate the granted access; and
      
      if the total number of accesses of the object by the user indicated by the access count field within the object entry metadata is not less than the specified threshold number of permitted accesses;
      
      denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying;
      
      orgranting access to the object by the user for modification of the object and updating the access control list entry metadata for the object and the user to set a threshold event date and time.
  - 7. The method of claim 6, wherein the access control list rule that is applicable to the requesting user and the requested object further specifies an inactivity time period;
    - andthe method further comprising;
      
      in response to another object access request input associated with the object and the user, determining a last-modification time period elapsed since the threshold event date and time set within the object metadata entry;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user for modification of the object and updating the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying.
  - 8. The method of claim 6, wherein the access control list rule that is applicable to the requesting user and the requested object further specifies a validity time period;
    - andthe method further comprising;
      
      in response to another object access request input associated with the object and the user, determining a last-modification time period elapsed since the threshold event date and time set within the object metadata;
      
      comparing the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, granting access to the object by the user for modification of the object and updating the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, denying access to the object by the user and updating the access control list entry metadata for the object and the user to indicate the denying.

9. A method for providing a service for managing access control list entries as a function of user-specific object access data the method comprising:
- integrating computer-readable program code into a computer system comprising a processing unit, a computer readable memory and a computer readable tangible storage medium, wherein the computer readable program code is embodied on the computer readable tangible storage medium and comprises instructions that, when executed by the processing unit via the computer readable memory, cause the processing unit to;
  
  in response to an object access request input associated with a file system object and a user having an access control list entry, determine whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
  
  if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update the access control list metadata entry for the object and the user to indicate the denial;
  
  if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the access control list metadata entry for the object and the user to indicate the granted access; and
  
  if the user modifies the object in response to the granted access to the object, update the access control list metadata entry for the object and the user to indicate the object modification; and
  
  wherein the access control list metadata entry for the object and the user is linked to the object and the user;
  
  wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
  
  wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.

10. A system, comprising:
- a processing unit in communication with a computer readable memory and a tangible computer-readable storage medium;
  
  wherein the processing unit, when executing program instructions stored on the tangible computer-readable storage medium via the computer readable memory;
  
  in response to an object access request input associated with a file system object and a user having an access control list entry, determines whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
  
  if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, denies access to the object by the user, and updates the access control list metadata entry for the object and the user to indicate the denial;
  
  if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grants access to the object by the user for modification of the object, and updates the access control list metadata entry for the object and the user to indicate the granted access; and
  
  if the user modifies the object in response to the granted access to the object, updates the access control list metadata entry for the object and the user to indicate the object modification; and
  
  wherein the access control list metadata entry for the object and the user is linked to the object and the user;
  
  wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
  
  wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the object access request input associated with the specific file system object is at least one of:
    - a periodic query of the access control list entry metadata for the object and the user by an access control list administrator or owner of the file system object, and the update of the access control list entry metadata for the object and the user comprises pruning a plurality of access control list entries by invalidating the user access control list entry; and
      
      a request by the user to access the object, and the update of the access control list entry metadata for the object and the user comprises at least one of entering the time and date of the request input as the last object access metadata entry, and revising the count of accesses of the object by the user.
  - 12. The system of claim 11, wherein the access control list rule that is applicable to the requesting user and the requested object specifies time period duration constraints comprising begin and end date and times for which the user access control list entry is effective for access to the object by the user, and wherein the processing unit, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - determines a date and a time of the request by the user to access the object, or of a last modification of the object by the user that is saved to the access control list entry metadata for the object and the user;
      
      if the determined date and time falls within the begin and end date and times of the duration constraints, grants access to the object by the user for modification of the object and update the access control list metadata for the object and the user to indicate the granted access; and
      
      if the determined date and time does not fall within the begin and end date and times of the duration constraints, denies access to the object by the user and updates the access control list entry metadata for the object and the user to indicate the denial.
  - 13. The system of claim 11, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user, and wherein the processing unit, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - revises a total number of accesses of the object by the user indicated by an access count field within the object entry metadata in response to the request by the user to access the object, if the object access request input is the request by the user to access the object;
      
      compares the total number of accesses of the object by the user indicated by an access count field within the object metadata entry to the specified threshold number of permitted accesses;
      
      if the total number of accesses of the object by the user indicated by the access count field within the object metadata entry is less than the specified threshold number of permitted accesses, grants access to the object by the user for modification of the object and updates the access control list metadata for the object and the user to indicate the granted access; and
      
      if the total number of accesses of the object by the user indicated by the access count field within the object metadata is not less than the specified threshold number of permitted accesses;
      
      denies access to the object by the user and updates the access control list entry metadata for the object and the user to indicate the denial;
      
      orgrants access to the object by the user for modification of the object and updates the access control list entry metadata for the object and the user to set a threshold event date and time.
  - 14. The system of claim 13, wherein the access control list rule that is applicable to the requesting user and the requested object further specifies an inactivity time period, and wherein the processing unit, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - in response to another object access request input associated with the object and the user, determines a last-modification time period elapsed since the threshold event date and time set within the object metadata entry;
      
      compares the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, grants access to the object by the user for modification of the object and updates the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, denies access to the object by the user and updates the access control list entry metadata for the object and the user to indicate the denial.
  - 15. The system of claim 13, wherein the access control list rule that is applicable to the requesting user and the requested object further specifies a validity time period, and wherein the processing unit, when executing the program instructions stored on the computer-readable storage medium via the computer readable memory, further:
    - in response to another object access request input associated with the object and the user, determines a last-modification time period elapsed since the threshold event date and time set within the object metadata;
      
      compares the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, grants access to the object by the user for modification of the object and updates the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, denies access to the object by the user and updates the access control list entry metadata for the object and the user to indicate the denial.

16. An article of manufacture, comprising:
- a computer readable tangible storage device having computer readable program code embodied therewith, the computer readable program code comprising instructions that, when executed by a computer processing unit, cause the computer processing unit to;
  
  in response to an object access request input associated with a file system object and a user having an access control list entry, determine whether a request by the user is authorized for access to the object as a function of access control list entry metadata entry for the object and the requesting user that is stored in an access control list metadata store, and as a function of an access control list rule that is stored in an access control list rule store that is applicable to the requesting user and the requested object;
  
  if determined that the request by the user is not authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, deny access to the object by the user, and update the access control list metadata entry for the object and the user to indicate the denial;
  
  if determined that the request by the user is authorized for access to the object as a function of the access control list metadata entry for the object and user, and of the access control list rule that is applicable to the requesting user and the requested object, grant access to the object by the user for modification of the object, and update the access control list metadata entry for the object and the user to indicate the granted access; and
  
  if the user modifies the object in response to the granted access to the object, update the access control list metadata entry for the object and the user to indicate the object modification; and
  
  wherein the access control list metadata entry for the object and the user is linked to the object and the user;
  
  wherein the update of the access control list metadata entry for the object and the user comprises at least one of entering a time and date of the request input as a last object access metadata entry, revising a count of accesses of the object by the user, and invalidating the user access control list metadata entry for the object and the user; and
  
  wherein the update of the access control list metadata entry for the object and the user does not overwrite metadata for another access control list entry that is associated with the object and with another user that is different from the user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of manufacture of claim 16, wherein the access control list rule that is applicable to the requesting user and the requested object specifies an inactivity time period wherein a permission for access to the object by the user expires upon an elapse of the inactivity time period, and wherein the computer readable program code instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - determine a last-modification time period elapsed since a date and time of a last modification of the object by the user that is indicated by an access field within the object metadata entry;
      
      compare the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, grant access to the object by the user, and update the access field within the object metadata entry to indicate an access to the object by user pursuant to the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, deny access to the object by the user and update the access control list entry metadata for the object and the user to indicate the denial.
  - 18. The article of manufacture of claim 17, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a validity time period that commences upon a first date and time of access of the object by the user that is indicated by a validity field within the object metadata entry, and wherein the computer readable program code instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - determine a first-modification time period elapsed since a date and time of a first modification of the object by the user that is indicated by a validity field within the object metadata entry;
      
      compare the elapsed first-modification time period to the validity time period;
      
      if the elapsed first-modification time period is less than the validity time period, grant access to the object by the user for modification of the object and update the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed first-modification time period is not less than the validity time period, deny access to the object by the user and update the access control list entry metadata for the object and the user to indicate the denial.
  - 19. The article of manufacture of claim 18, wherein the access control list rule that is applicable to the requesting user and the requested object specifies a threshold number of accesses permitted for the user, and wherein the computer readable program code instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - revise a total number of accesses of the object by the user indicated by an access count field within the object entry metadata in response to the request by the user to access the object, if the object access request input is the request by the user to access the object;
      
      compare the total number of accesses of the object by the user indicated by an access count field within the object metadata entry to the specified threshold number of permitted accesses;
      
      if the total number of accesses of the object by the user indicated by the access count field within the object metadata entry is less than the specified threshold number of permitted accesses, grant access to the object by the user for modification of the object and update the access control list metadata for the object and the user to indicate the granted access; and
      
      if the total number of accesses of the object by the user indicated by the access count field within the object metadata is not less than the specified threshold number of permitted accesses;
      
      deny access to the object by the user and update the access control list entry metadata for the object and the user to indicate the denial;
      
      orgrant access to the object by the user for modification of the object and update the access control list entry metadata for the object and the user to set a threshold event date and time.
  - 20. The article of manufacture of claim 19, wherein the access control list rule that is applicable to the requesting user and the requested object further specifies an inactivity time period, and wherein the computer readable program code instructions, when executed by the computer processing unit, further cause the computer processing unit to:
    - in response to another object access request input associated with the object and the user, determine a last-modification time period elapsed since the threshold event date and time set within the object metadata entry;
      
      compare the elapsed last-modification time period to the inactivity time period;
      
      if the elapsed last-modification time period is less than the inactivity time period, grant access to the object by the user for modification of the object and update the access control list metadata entry for the object and the user to indicate the granted access; and
      
      if the elapsed last-modification time period is not less than the inactivity time period, deny access to the object by the user and update the access control list entry metadata for the object and the user to indicate the denial.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
PRICE, Jeffrey K., SUR, Prabhat, WENTWORTH, Robert R., WOOD, Stanley C.

Granted Patent

US 9,002,890 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/783
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/604   Tools and structures for ma...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

RULE-BASED ACCESS CONTROL LIST MANAGEMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

RULE-BASED ACCESS CONTROL LIST MANAGEMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links