Method and system for variable authority level user access control in a distributed data processing system having multiple resource manager
First Claim
1. A computer implemented method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
- storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user;
querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager;
transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;
utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and
denying access to said particular resource object by said selected user in response to a failure to retrieve said selected access control profile.
1 Assignment
0 Petitions
Accused Products
Abstract
Variable authority level user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein, each including an identification of a selected user and a specified level of authority associated with that selected user. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile to determine the extent access is permitted by means of the specified level of authority contained therein. In a preferred embodiment of the present invention, the access intent of a selected user is determined in conjunction with an attempted access of a particular resource object and stored. Thereafter, a comparison of the stated access intent with the specified level of authority contained within the access control profile may be utilized to grant or deny access.
355 Citations
4 Claims
-
1. A computer implemented method of providing variable authority level user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:
-
storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user; querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager; transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service;
if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and denying access to said particular resource object by said selected user in response to a failure to retrieve said selected access control profile. - View Dependent Claims (2)
-
-
3. A data processing system for providing variable authority level user access control for a plurality of resource objects with a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said source managers associated with a reference monitor service, said data processing system comprising:
-
means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include an identification of a selected user and a specified level of authority associated with said selected user; means for querying an associated reference monitor service by a selected one of said source managers in response to an attempted access of a particular resource object by a selected user, wherein access to said particular resource object is controlled by said selected resource manager; means for transmitting a selected access control profile associated with said selected user from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; and
if not, for attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and means for denying access to said particular resource object by said selected user in response to a failure to retrieve said selected access control profile. - View Dependent Claims (4)
-
Specification
-
- Resources
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsJanis, Frederick L.
-
Primary Examiner(s)Lee, Thomas C.
-
Assistant Examiner(s)Lim, Krisna
-
Application NumberUS07/480,440Time in Patent Office1,370 DaysField of Search395/425, 395/600, 380/4, 380/23, 340/825.31, 340/825.34US Class Current1/1CPC Class CodesG06F 21/6218 to a system of files or obj...G06F 9/468 Specific access rights for ...Y10S 707/99931 Database or file accessing
