Distributed system and method for controlling access control to network resources

US 6,064,656 A
Filed: 10/31/1997
Issued: 05/16/2000
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. An access control system for controlling access to management objects in a distributed network, comprising:

an access control database, including access control objects, the access control objects including;

group objects, each defining a group and a set of users who are members of the group; and

rule objects, a subset of the rule objects each specifying;

a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and

a plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;

wherein at least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing;

a subset of the access requests specifying operations to be performed on specified sets of the management objects;

wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;

the access control servers responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control database defines access rights through the use of access control objects. The access control objects include group objects, each defining a group and a set of users who are members of the group, and rule objects. Some of the rule objects each specify a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects. A plurality of access control servers are used to process access requests. Each access control server controls access to a distinct subset of the management objects in accordance with the access rights specified in the access control database. At least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing. A subset of the access requests specify operations to be performed on specified sets of the management objects. Each of these access requests is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested. The access control servers responding to the access requests from the users by granting, denying and partially granting and denying the access requested in each access request in accordance with the access rights specified in the access control database.

298 Citations

15 Claims

1. An access control system for controlling access to management objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects including;
  
  group objects, each defining a group and a set of users who are members of the group; and
  
  rule objects, a subset of the rule objects each specifying;
  
  a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
  
  a plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
  
  wherein at least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing;
  
  a subset of the access requests specifying operations to be performed on specified sets of the management objects;
  
  wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
  
  the access control servers responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The access control system of claim 1, whereinone of the access control servers is a management information server that receives the access requests submitted by users to the access control system;
    - the management information server includes means for partitioning an access request into two or more access sub-requests when the access to the set of management objects specified by the access request is controlled by two or more of the access control servers and sending the access sub-requests to those two or more access control servers for processing; and
      
      the management information server includes means for combining responses to the two or more access sub-requests generated by the two or more of the access control servers after processing the access sub-requests and returning a combined response to the user who submitted the access request that was partitioned.
  - 3. The access control system of claim 1, whereina second subset of the rule objects in the access control database specify:
    - a set of the group objects, a set of the access control objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of access control objects; and
      
      the access control system includes an access control database server that stores the access control database in persistent storage, receives access requests to the access control objects, grants and denies the access requests to the access control object in accordance with the access rights specified in the access control database.
  - 4. The access control system of claim 1, whereina second subset of the rule objects in the access control database each specify:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to event notifications generated by the specified set of management objects; and
      
      the access control system includes an event router that receives event notifications generated by the management objects and sends corresponding event notification messages only to users in groups who have access rights to those event notifications in accordance with the access rights specified in the access control database.
  - 5. The access control system of claim 4, whereinthe access control system includes an event registry for registering event notification requests by users, each event notification request specifying event notifications from specified sets of the management objects that are being requested;
    - the event router including means for sending, in response to each received event notification, corresponding event notification messages to users who have registered a corresponding event notification request with the event registry and also have access rights to the received event notification in accordance with the access rights specified in the access control database.

6. A method of controlling access to management objects in a distributed network, comprising the steps of:
- storing a set of access control objects, the access control objects including;
  
  group objects, each defining a group and a set of users who are members of the group; and
  
  rule objects, a subset of the rule objects each specifying;
  
  a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
  
  receiving access requests from the users and distributing the received access requests among a plurality of access control servers for processing;
  
  a subset of the access requests specifying operations to be performed on specified sets of the management objects;
  
  each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
  
  wherein at least one of the access control servers;
  
  wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
  
  at the access control servers, responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The access control method of claim 6, whereinreceiving at one of the access control servers all the access requests submitted by users;
    - at the one access control server, partitioning an access request into two or more access sub-requests when the access to the set of management objects specified by the access request is controlled by two or more of the access control servers and sending the access sub-requests to those two or more access control servers for processing; and
      
      at the one access control server, combining responses to the two or more access sub-requests generated by the two or more of the access control servers after processing the access sub-requests and returning a combined response to the user who submitted the access request that was partitioned.
  - 8. The access control method of claim 6, whereina second subset of the rule objects in the access control database specify:
    - a set of the group objects, a set of the access control objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of access control objects; and
      
      at an access control database server, storing the access control database in persistent storage, receiving access requests to the access control objects, granting and denying the access requests to the access control object in accordance with the access rights specified in the access control database.
  - 9. The access control method of claim 6, whereina second subset of the rule objects in the access control database each specify:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to event notifications generated by the specified set of management objects; and
      
      at an event router, receiving event notifications generated by the management objects and sending corresponding event notification messages only to users in groups who have access rights to those event notifications in accordance with the access rights specified in the access control database.
  - 10. The access control method of claim 9, whereinat an event registry, registering event notification requests by users, each event notification request specifying event notifications from specified sets of the management objects that are being requested;
    - at the event router, sending, in response to each received event notification, corresponding event notification messages to users who have registered a corresponding event notification request with the event registry and also have access rights to the received event notification in accordance with the access rights specified in the access control database.

11. A computer program product for use in conjunction with a plurality of access control servers in a distributed network, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- an access control database, including access control objects, the access control objects including;
  
  group objects, each defining a group and a set of users who are members of the group; and
  
  rule objects, a subset of the rule objects each specifying;
  
  a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
  
  access control procedures, to be executed by the plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
  
  the access control procedures including a routing procedure, to be executed by at least one of the access control servers, for receiving access requests from the users and distributing the received access requests among the access control servers for processing;
  
  a subset of the access requests specifying operations to be performed on specified sets of the management objects;
  
  wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
  
  the access control procedures including instructions for responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product of claim 11, whereinthe routing procedure includes instructions for partitioning an access request into two or more access sub-requests when the access to the set of management objects specified by the access request is controlled by two or more of the access control servers and for sending the access sub-requests to those two or more access control servers for processing;
    - andthe access control procedures include a request response combining procedure that combines responses to the two or more access sub-requests generated by the two or more of the access control servers after processing the access sub-requests and returns a combined response to the user who submitted the access request that was partitioned.
  - 13. The computer program product of claim 11, whereina second subset of the rule objects in the access control database specify:
    - a set of the group objects, a set of the access control objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of access control objects; and
      
      the access control procedures includes instructions for receiving receives access requests to the access control objects, and grants and denies the access requests to the access control object in accordance with the access rights specified in the access control database.
  - 14. The computer program product of claim 11, whereina second subset of the rule objects in the access control database each specify:
    - a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to event notifications generated by the specified set of management objects; and
      
      the access control procedures includes an event router that receives event notifications generated by the management objects and sends corresponding event notification messages only to users in groups who have access rights to those event notifications in accordance with the access rights specified in the access control database.
  - 15. The computer program product of claim 14, further including an event registry for registering event notification requests by users, each event notification request specifying event notifications from specified sets of the management objects that are being requested;
    - wherein the event router includes instructions for sending, in response to each received event notification, corresponding event notification messages to users who have registered a corresponding event notification request with the event registry and also have access rights to the received event notification in accordance with the access rights specified in the access control database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Bhat, Shivaram, Angal, Rajeev, Luo, Ping, Allavarpu, Sai V. S., Fisher, Bart Lee
Primary Examiner(s)
Kizou, Hassan
Assistant Examiner(s)
HO, DUC CHI

Application Number

US08/962,089
Time in Patent Office

928 Days
Field of Search

370/254, 370/410, 370/431, 370/432, 370/438, 370/439, 370/466, 370/469, 340/825.31, 707/1, 707/9, 707/10, 707/100, 707/103, 707/104, 709/201, 709/213, 709/224, 709/228, 709/230, 709/300, 709/303, 709/304
US Class Current

370/254
CPC Class Codes

G06F 12/1483   using an access-table, e.g....

G06F 21/6218   to a system of files or obj...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 9/40   Network security protocols

Distributed system and method for controlling access control to network resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

298 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed system and method for controlling access control to network resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links