Authorization model for administration

US 6,910,041 B2
Filed: 08/23/2001
Issued: 06/21/2005
Est. Priority Date: 08/23/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for administering managed resources, comprising:

defining a set of privileges for a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;

attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and

wherein the access control list controls access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy, without directly associating a copy of the access control list with the at least one second managed resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An administration model is provided that uses access control lists to define permissions for users and groups of users. The model identifies a number of objects to be administered. Associated with each of these objects is a set of administrative operations that can be performed on the object. For each of these operations a permission in an access control list entry is defined. The protected resources are arranged in a hierarchical fashion and an access control list can be associated with any point in the hierarchy. The access control list provides fine-grained control over the protected resources. At the time an administrator requests to perform an operation, the administrator'"'"'s identification is used to look up the prevailing access control list to determine whether the operation is permitted.

68 Citations

View as Search Results

33 Claims

1. A computer implemented method for administering managed resources, comprising:
- defining a set of privileges for a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
  
  wherein the access control list controls access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy, without directly associating a copy of the access control list with the at least one second managed resource.
- View Dependent Claims (2, 3, 4, 14)
- - 2. The method of claim 1, wherein the entity is an individual user.
  - 3. The method of claim 1, wherein the entity is a group of users.
  - 4. The method of claim 1, wherein the set of privileges comprises a set of operations that may be performed for the managed resource and at least one second managed resource of the plurality of managed resources at the level below the first managed resource in the hierarchy.
  - 14. The method of claim 2, wherein the first permission identifies a first set of operations from the set of operations permitted for the user and the second permission identifies a second set of operations from the set of operations permitted for the user, andwherein the step of determining whether the operation is permitted for the user comprises performing an OR operation on the first set of operations and the second set of operations.

5. A computer implemented method for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
- defining a first set of permissions for the at least one first level resource; and
  
  attaching a first access control list to a first object that represents a first managed resource;
  
  wherein the first managed resource is a first level resource and the first access control list controls access, by a first entity, to the first managed resource and the at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource, without directly associating a copy of the first access control list with the at least one second level resource.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, wherein the first entity is an individual user.
  - 7. The method of claim 5, wherein the first entity is a group of users.
  - 8. The method of claim 5, wherein the first set of permissions comprises a set of operations that may be performed for the at least one first level resource.
  - 9. The method of claim 5, further comprising:
    - defining a second set of permissions for a second managed resource; and
      
      attaching a second access control list to a second object that represents the second managed resource, wherein the second access control list controls access to the second managed resource and at least one subresource of the second managed resource based on the second set of permissions, and wherein the second access control list controls access to the second managed resource and the at least one subresource without directly associating a copy of the second access control list with the at least one subresource.

10. A computer implemented method for administering managed resources, comprising:
- receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  finding an access control list corresponding to the first managed resource; and
  
  determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource of the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.
- View Dependent Claims (11, 12, 13, 15)
- - 11. The method of claim 10, wherein the step of finding an access control list comprises searching the hierarchy for an access control list which is attached closest to the first managed resource.
  - 12. The method of claim 10, wherein the step of finding an access control list comprises finding a first access control list that assigns a first permission from the set of permissions for the user and a second access control list that assigns a second permission from the set of permissions for the user.
  - 13. The method of claim 12, wherein the step of determining whether the operation is permitted for the user comprises selecting the access control list, from the first access control list and the second access control list, with a permission that least specifically matches the user.
  - 15. The method of claim 10, wherein the method is performed by an authorization server.

16. A computer apparatus for administering managed resources, comprising:
- definition means for defining a set of privileges for a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  attachment means for attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
  
  controlling means for controlling access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy based on the access control list, without directly associating a copy of the access control list with the at least one second managed resource.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus of claim 16, wherein the entity is an individual user.
  - 18. The apparatus of claim 16, wherein the entity is a group of users.
  - 19. The apparatus of claim 16, wherein the set of privileges comprises a set of operations that may be performed for the first managed resource and at one least one second managed resource of the plurality of managed resources at the level below the first managed resource in the hierarchy.

20. A computer apparatus for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
- definition means for defining a first set of permissions for the at least one first level resource; and
  
  attachment means for attaching a first access control list to a first object that represents a first managed resource;
  
  wherein the first managed resource is a first level resources and the first access control list controls access, by a first entity, to the first managed resource and the at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource without directly associating a copy of the first access control list with the at least one second level resource.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The apparatus of claim 20, wherein the first entity is an individual user.
  - 22. The apparatus of claim 20, wherein the first entity is a group of users.
  - 23. The apparatus of claim 20, wherein the first set of permissions comprises a set of operations that may be performed for the at least one first level resource.
  - 24. The apparatus of claim 20, further comprising:
    - means for defining a second set of permissions for a second managed resource; and
      
      means for attaching a second access control list to a second object that represents the second managed resource, where the second access control list controls access to the second managed resource and at least one subresource of the second managed resource based on the second set of permissions, and wherein the second access control list controls access to the second managed resource and the at least one subresource without directly associating a copy of the second access control list with the at least one subresource.

25. A computer apparatus for administering managed resources, comprising:
- receipt means for receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  search means for finding an access control list corresponding to the first managed resource; and
  
  determination means for determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource in the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The apparatus of claim 25, wherein wherein the search means comprises means for searching the hierarchy for an access control list which is attached closest to the first managed resource.
  - 27. The apparatus of claim 25, wherein the search means comprises means for finding a first access control list that assigns a first permission from the set of permissions for the user and a second access control list that assigns a second permission from the set of permissions for the user.
  - 28. The apparatus of claim 27, wherein the determination means comprises means for selecting the access control list, from the first access control list and the second access control list, with a permission that least specifically matches the user.
  - 29. The apparatus of claim 27, wherein the first permission identifies a first set of operations from the set of operations permitted for the user and the second permission identifies a second set of operations from the set of operations permitted for the user, andwherein the determination means comprises means for performing an OR operation on the first set of operations and the second set of operations.
  - 30. The apparatus of claim 27, wherein the apparatus comprises an authorization server.

31. A computer program product, in a computer readable medium, for administering managed resources, comprising:
- instructions for defining a set of privileges for the at least a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  instructions for attaching an access control list to an object that represents the first managed resource, wherein the access control list assigns at least one privilege from the set of privileges to an entity; and
  
  instructions for controlling access to the first managed resource and at least one second managed resource of the plurality of managed resources at a level below the first managed resource in the hierarchy based on the access control list, without directly associating a copy of the access control list with the at least one second managed resource.

32. A computer program product, in a computer readable medium, for administering a plurality of managed resources including at least one first level resource and at least one second level resource, wherein each of the at least one second level resource is a subresource of a first level resource, comprising:
- instructions for defining a first set of permissions for the at least one first level resource;
  
  instructions for attaching a first access control list to a first object that represents a first managed resource, wherein the first managed resource is a first level resource and the first access control list controls access to the first managed resource and at least one second level resource based on the first set of permissions, and wherein the first access control list controls access to the first managed resource and the at least one second level resource without directly associating a copy of the first access control list with the at least one second level resource.

33. A computer program product, in a computer readable medium, for administering managed resources, comprising:
- instructions for receiving a request from a user to perform an operation on a first managed resource, wherein the first managed resource is one of a plurality of managed resources arranged in a hierarchy;
  
  instructions for finding an access control list corresponding to the first managed resource; and
  
  instructions for determining whether the operation is permitted for the user based on the access control list, wherein the access control list includes a set of permissions for performing a set of operations on the first managed resource and at least one second managed resource in the plurality of managed resources at a level above the first managed resource in the hierarchy, and wherein the access control list is not directly associated with the first managed resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Exton, Scott Anthony, Powell, Michael, Turner, Brian James
Primary Examiner(s)
Coby, Frantz
Assistant Examiner(s)
NGUYEN, MERILYN P

Application Number

US09/935,394
Publication Number

US 20030041198A1
Time in Patent Office

1,398 Days
Field of Search

707/9, 707/103.R, 709/200, 709/225, 709/229
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/99939   Privileged access

Y10S 707/99944   Object-oriented database st...

Authorization model for administration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization model for administration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links