Distributed system and method for controlling access control to network resources
First Claim
1. An access control system for controlling access to management objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects including:
group objects, each defining a group and a set of users who are members of the group; and
rule objects, a subset of the rule objects each specifying:
a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
- a plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
wherein at least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing;
a subset of the access requests specifying operations to be performed on specified sets of the management objects;
wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
the access control servers responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
Abstract
An access control database defines access rights through the use of access control objects. The access control objects include group objects, each defining a group and a set of users who are members of the group, and rule objects. Some of the rule objects each specify a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects. A plurality of access control servers are used to process access requests. Each access control server controls access to a distinct subset of the management objects in accordance with the access rights specified in the access control database. At least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing. A subset of the access requests specifies operations to be performed on specified sets of the management objects. Each of these access requests is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested. The access control servers respond to the access requests from the users by granting, denying and partially granting and denying the access requested in each access request in accordance with the access rights specified in the access control database.
Claims (15)
1. An access control system for controlling access to management objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects including:
group objects, each defining a group and a set of users who are members of the group; and
rule objects, a subset of the rule objects each specifying:
a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
- a plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
wherein at least one of the access control servers receives access requests from the users and distributes the received access requests among the access control servers for processing;
a subset of the access requests specifying operations to be performed on specified sets of the management objects;
wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
the access control servers responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
Dependent claims: 2, 3, 4, 5
6. A method of controlling access to management objects in a distributed network, comprising the steps of:
- storing a set of access control objects, the access control objects including:
group objects, each defining a group and a set of users who are members of the group; and
rule objects, a subset of the rule objects each specifying:
a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
- receiving access requests from the users and distributing the received access requests among a plurality of access control servers for processing;
a subset of the access requests specifying operations to be performed on specified sets of the management objects;
each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
wherein at least one of the access control servers;
wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
- at the access control servers, responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
Dependent claims: 7, 8, 9, 10
11. A computer program product for use in conjunction with a plurality of access control servers in a distributed network, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- an access control database, including access control objects, the access control objects including:
group objects, each defining a group and a set of users who are members of the group; and
rule objects, a subset of the rule objects each specifying:
a set of the group objects, a set of the management objects, and access rights by the users who are members of the groups defined by the specified set of the group objects to the specified set of management objects; and
- access control procedures, to be executed by the plurality of access control servers, each access control server controlling access to a distinct subset of the management objects in accordance with the access rights specified in the access control database;
the access control procedures including a routing procedure, to be executed by at least one of the access control servers, for receiving access requests from the users and distributing the received access requests among the access control servers for processing;
a subset of the access requests specifying operations to be performed on specified sets of the management objects;
wherein each access request in the subset is sent for processing to one or more of the access control servers in accordance with the management objects to which access is being requested by the access request;
the access control procedures including instructions for responding to the access requests from the users by granting, denying and partially granting and partially denying the access requested in each access request in accordance with the access rights specified in the access control database.
Dependent claims: 12, 13, 14, 15
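The architecture the three independent claims describe, as an added illustration written for this page (not code from the patent or its assignee): group objects, rule objects tying groups to management objects with rights, access control servers that each own a distinct subset of the objects, and a routing server that splits a multi-object request by ownership, fans it out, and merges the per-object decisions into granted, denied or partially granted. All class names, user names and device names are constructed; an object owned by no server is denied by default, a choice the claims do not specify.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupObject:   # a group and the set of users who are its members
    name: str
    members: frozenset

@dataclass(frozen=True)
class RuleObject:    # (group objects, management objects, rights) as in the claims
    groups: frozenset
    objects: frozenset
    rights: frozenset

class AccessControlDatabase:
    def __init__(self, groups, rules):
        self.groups, self.rules = {g.name: g for g in groups}, list(rules)

    def rights_for(self, user, obj):
        # Union of the rights every applicable rule grants `user` on `obj`.
        mine = {n for n, g in self.groups.items() if user in g.members}
        return set().union(*(r.rights for r in self.rules
                             if obj in r.objects and mine & r.groups))

class AccessControlServer:   # enforces rights for a distinct subset of objects
    def __init__(self, owned_objects, db):
        self.owned, self.db = frozenset(owned_objects), db

    def decide(self, user, operation, objects):
        if not objects <= self.owned:   # router must only forward owned objects
            raise ValueError("request contains an object this server does not own")
        return {o: operation in self.db.rights_for(user, o) for o in objects}

class RoutingServer:   # splits by object ownership, fans out, merges decisions
    def __init__(self, servers):
        self.servers = servers

    def handle(self, user, operation, objects):
        objects = frozenset(objects)
        decisions = {o: False for o in objects}   # owned by no server: deny
        for srv in self.servers:
            if part := objects & srv.owned:
                decisions.update(srv.decide(user, operation, part))
        n = sum(decisions.values())
        return ("granted" if n == len(objects) else "denied" if n == 0
                else "partially granted"), decisions

# Constructed sample database; user, group and device names are illustrative.
DB = AccessControlDatabase(
    [GroupObject("netops", frozenset({"alice", "bob"})), GroupObject("auditors", frozenset({"carol"}))],
    [RuleObject(frozenset({"netops"}), frozenset({"router1", "router2"}), frozenset({"read", "write"})),
     RuleObject(frozenset({"auditors"}), frozenset({"router1", "switch1"}), frozenset({"read"}))])
ROUTER = RoutingServer([AccessControlServer({"router1", "switch1"}, DB), AccessControlServer({"router2"}, DB)])
```

A request by carol to read router1 and router2 comes back "partially granted": the server owning router1 allows it under the auditors rule, while the server owning router2 finds no rule covering her groups.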