Authorization model for administration
Abstract
An administration model is provided that uses access control lists to define permissions for users and groups of users. The model identifies a number of objects to be administered. Associated with each of these objects is a set of administrative operations that can be performed on the object. For each of these operations a permission in an access control list entry is defined. The protected resources are arranged in a hierarchical fashion and an access control list can be associated with any point in the hierarchy. The access control list provides fine-grained control over the protected resources. At the time an administrator requests to perform an operation, the administrator's identification is used to look up the prevailing access control list to determine whether the operation is permitted.
33 Claims
1. A computer implemented method for administering managed resources, comprising:
   defining a set of privileges for a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
   wherein the access control list controls access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy, without directly associating a copy of the access control list with the at least one second managed resource.
   (Dependent claims: 2, 3, 4, 14)

5. A computer implemented method for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
   defining a first set of permissions for the at least one first level resource; and
   attaching a first access control list to a first object that represents a first managed resource;
   wherein the first managed resource is a first level resource and the first access control list controls access, by a first entity, to the first managed resource and the at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource, without directly associating a copy of the first access control list with the at least one second level resource.
   (Dependent claims: 6, 7, 8, 9)

10. A computer implemented method for administering managed resources, comprising:
   receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   finding an access control list corresponding to the first managed resource; and
   determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource of the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.
   (Dependent claims: 11, 12, 13, 15)

16. A computer apparatus for administering managed resources, comprising:
   definition means for defining a set of privileges for a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   attachment means for attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
   controlling means for controlling access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy based on the access control list, without directly associating a copy of the access control list with the at least one second managed resource.
   (Dependent claims: 17, 18, 19)

20. A computer apparatus for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
   definition means for defining a first set of permissions for the at least one first level resource; and
   attachment means for attaching a first access control list to a first object that represents a first managed resource;
   wherein the first managed resource is a first level resource and the first access control list controls access, by a first entity, to the first managed resource and the at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource without directly associating a copy of the first access control list with the at least one second level resource.
   (Dependent claims: 21, 22, 23, 24)

25. A computer apparatus for administering managed resources, comprising:
   receipt means for receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   search means for finding an access control list corresponding to the first managed resource; and
   determination means for determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource in the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.
   (Dependent claims: 26, 27, 28, 29, 30)

31. A computer program product, in a computer readable medium, for administering managed resources, comprising:
   instructions for defining a set of privileges for at least a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   instructions for attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
   instructions for controlling access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy based on the access control list, without directly associating a copy of the access control list with the at least one second managed resource.

32. A computer program product, in a computer readable medium, for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
   instructions for defining a first set of permissions for the at least one first level resource;
   instructions for attaching a first access control list to a first object that represents a first managed resource, wherein the first managed resource is a first level resource and the first access control list controls access to the first managed resource and at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource without directly associating a copy of the first access control list with the at least one second level resource.

33. A computer program product, in a computer readable medium, for administering managed resources, comprising:
   instructions for receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
   instructions for finding an access control list corresponding to the first managed resource; and
   instructions for determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource in the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.
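The mechanism the abstract and claims 1 and 10 describe, as an added illustration that is not code from the patent: an ACL is attached at one point in a resource hierarchy, descendants carry no copy of it, and a request on a lower resource is decided by walking up to the nearest attached ("prevailing") ACL. The resource names, operations, users and groups are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# An ACL maps an entity (user or group name) to the operations it is granted.
Acl = dict[str, frozenset[str]]


@dataclass
class Resource:
    name: str
    operations: frozenset[str]          # set of privileges defined for this object
    parent: Resource | None = None
    acl: Acl | None = None              # attached only at chosen points in the hierarchy


def prevailing_acl(resource: Resource) -> tuple[Resource, Acl] | None:
    """Return the nearest resource at or above `resource` that carries an ACL.
    Lower resources are covered without holding their own copy of the ACL."""
    node = resource
    while node is not None:
        if node.acl is not None:
            return node, node.acl
        node = node.parent
    return None                          # nothing attached anywhere on the path


def is_permitted(resource: Resource, user: str, groups: set[str], operation: str) -> bool:
    """Decide a request by `user` (plus the groups the user belongs to)."""
    if operation not in resource.operations:   # operation is not defined for this object
        return False
    found = prevailing_acl(resource)
    if found is None:                          # no ACL at all: default deny
        return False
    _, acl = found
    return any(operation in acl.get(entity, frozenset()) for entity in {user} | groups)


# Constructed sample hierarchy: cell -> node -> server (names are hypothetical).
SERVER_OPS = frozenset({"start", "stop", "configure"})
cell = Resource("cell1", SERVER_OPS | {"create_node"},
                acl={"admins": SERVER_OPS | {"create_node"},
                     "operators": frozenset({"start", "stop"})})
node1 = Resource("node1", SERVER_OPS | {"create_server"}, parent=cell,
                 acl={"operators": SERVER_OPS})          # node-level ACL overrides the cell's
server1 = Resource("server1", SERVER_OPS, parent=node1)  # no ACL: node1's ACL prevails
node2 = Resource("node2", SERVER_OPS | {"create_server"}, parent=cell)
server2 = Resource("server2", SERVER_OPS, parent=node2)  # no ACL on node2: cell's ACL prevails

if __name__ == "__main__":
    print(is_permitted(server1, "alice", {"operators"}, "configure"))  # True
    print(is_permitted(server2, "alice", {"operators"}, "configure"))  # False
```

The lookup is a pure ancestor walk, so changing one attached ACL immediately changes the decision for every resource beneath it, which is the point of not copying ACLs downward.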