Filter-based attribute value access control

US 7,024,693 B2
Filed: 11/13/2001
Issued: 04/04/2006
Est. Priority Date: 11/13/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

storing an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;

in response to a request for an operation on the target entity from a requester, determining whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;

in response to determining that the operation does not violate the acceptability criteria, performing the operation; and

in response to determining that the operation violates the acceptability criteria, indicating that the request is denied.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of systems and methods for implementing filter-based attribute value access control are disclosed. In one embodiment, a method involves designating a location in the directory server, providing attribute related data that includes a filter expression, and selectively controlling access to an entry situated at the designated location using the filter expression in the attribute related data. For example, access to an attribute of the entry may be denied if a criterion defined by the filter expression associated with the attribute is not met by a first value of the attribute.

39 Citations

View as Search Results

31 Claims

1. A computer-implemented method, comprising:
- storing an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
  
  in response to a request for an operation on the target entity from a requester, determining whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
  
  in response to determining that the operation does not violate the acceptability criteria, performing the operation; and
  
  in response to determining that the operation violates the acceptability criteria, indicating that the request is denied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the acceptability criterion includes a respective acceptable set for each attribute of a plurality of attributes, and an indication of whether it is necessary to determine the acceptability of each attribute in order to determine that the operation does not violate the acceptability criteria, or whether the acceptability of any one of the attributes is sufficient to determine that the operation does not violate the acceptability criterion.
  - 3. The method as recited in claim 1, wherein said determining whether the operation violates the acceptability criterion comprises:
    - determining whether a value of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if a value of the attribute prior to the request is outside the acceptable set.
  - 4. The method as recited in claim 1, wherein the attribute is a multi-valued attribute, and wherein, prior to the request, the attribute has a plurality of values, wherein said determining whether the operation violates the acceptability criterion further comprises:
    - determining whether each of the plurality of values of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if at least one of the plurality of values prior to the request is outside the acceptable set.
  - 5. The method as recited in claim 1, wherein the access control specification specifies a category of directory server operations to which the acceptability criterion is to be applied.
  - 6. The method as recited in claim 1, wherein the acceptability criterion is comprised within an access control instruction stored at the directory server.
  - 7. The method as recited in claim 1, further comprising:
    - receiving input from an operator indicating the acceptability criterion; and
      
      validating the acceptability criterion, wherein said validating comprises;
      
      checking syntax of the input in accordance with a predefined syntax for specifying acceptability criteria; and
      
      validating the set of acceptable values specified in the input.
  - 8. The method as recited in claim 5, wherein the category of directory server operations comprises at least one of:
    - operations that create attribute values, operations that delete attribute values, operations that modify existing attribute values, and operations that search for attribute values.
  - 9. The method as recited in claim 5, wherein the access control specification specifies a plurality of categories of directory server operations and a respective acceptability criterion for each category of the plurality of categories.
  - 10. The method as recited in claim 6, wherein the location of the acceptability criterion within the access control instruction is indicated by a keyword.

11. A system, comprising:
- a processor; and
  
  memory coupled to the processor, wherein the memory stores program instructions executable by the processor to;
  
  store an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
  
  in response to a request for an operation on the target entity from a requester, determine whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
  
  in response to determining that the operation does not violate the acceptability criteria, perform the operation; and
  
  in response to determining that the operation violates the acceptability criteria, indicate that the request is denied.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system as recited in claim 11, wherein the acceptability criterion includes a respective acceptable set for each attribute of a plurality of attributes, and an indication of whether it is necessary to determine the acceptability of each attribute in order to determine that the operation does not violate the acceptability criteria, or whether the acceptability of any one of the attributes is sufficient to determine that the operation does not violate the acceptability criterion.
  - 13. The system as recited in claim 11, wherein said determining whether the operation violates the acceptability criterion comprises:
    - determining whether a value of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if a value of the attribute prior to the request is outside the acceptable set.
  - 14. The system as recited in claim 11, wherein the attribute is a multi-valued attribute, and wherein, prior to the request, the attribute has a plurality of values, wherein said determining whether the operation violates the acceptability criterion further comprises:
    - determining whether each of the plurality of values of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if at least one of the plurality of values prior to the request is outside the acceptable set.
  - 15. The system as recited in claim 11, wherein the access control specification specifies a category of directory server operations to which the acceptability criterion is to be applied.
  - 16. The system as recited in claim 11, wherein the acceptability criterion is comprised within an access control instruction stored at the directory server.
  - 17. The system as recited in claim 11, wherein the instructions are further executable to:
    - receive input from an operator indicating the acceptability criterion; and
      
      validate the acceptability criterion specified in the input, wherein said validating comprises;
      
      checking syntax of the input in accordance with a predefined syntax for specifying acceptability criteria; and
      
      validating the set of acceptable values specified in the input.
  - 18. The method as recited in claim 15, wherein the category of directory server operations comprises at least one of:
    - operations that create attribute values, operations that delete attribute values, operations that modify existing attribute values, and operations that search for attribute values.
  - 19. The system as recited in claim 15, wherein the access control specification specifies a plurality of categories of directory server operations and a respective acceptability criterion for each category of the plurality of categories.
  - 20. The system as recited in claim 16, wherein the location of the acceptability criterion within the access control instruction is indicated by a keyword.

21. A tangible, computer-readable medium, comprising program instructions, wherein the instructions are computer-executable to:
- store an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
  
  in response to a request for an operation on the target entity from a requester, determine whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
  
  in response to determining that the operation does not violate the acceptability criteria, perform the operation; and
  
  in response to determining that the operation violates the acceptability criteria, indicate that the request is denied.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer-readable medium as recited in claim 21, wherein the acceptability criterion includes a respective acceptable set for each attribute of a plurality of attributes, and an indication of whether it is necessary to determine the acceptability of each attribute in order to determine that the operation does not violate the acceptability criteria, or whether the acceptability of any one of the attributes is sufficient to determine that the operation does not violate the acceptability criterion.
  - 23. The computer readable medium as recited in claim 21, wherein said determining whether the operation violates the acceptability criterion comprises:
    - determining whether a value of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if a value of the attribute prior to the request is outside the acceptable set.
  - 24. The computer readable medium as recited in claim 21, wherein the attribute is a multi-valued attribute, and wherein, prior to the request, the attribute has a plurality of values, wherein said determining whether the operation violates the acceptability criterion further comprises:
    - determining whether each of the plurality of values of the attribute prior to the request is within the acceptable set; and
      
      determining that the operation violates the acceptability criterion if at least one of the plurality of values prior to the request is outside the acceptable set.
  - 25. The computer readable medium as recited in claim 21, wherein the access control specification specifies a category of directory server operations to which the acceptability criterion is to be applied.
  - 26. The computer-readable medium as recited in claim 21, wherein the acceptability criterion is comprised within an access control instruction stored at the directory server.
  - 27. The computer-readable medium as recited in claim 21, wherein the instructions are further executable to:
    - receive input from an operator indicating the acceptability criterion; and
      
      validate the acceptability criterion specified in the input, wherein said validating comprises;
      
      checking syntax of the input in accordance with a predefined syntax for specifying acceptability criteria; and
      
      validating the set of acceptable values specified in the input.
  - 28. The computer-readable medium as recited in claim 25, wherein the category of directory server operations comprises at least one of:
    - operations that create attribute values, operations that delete attribute values, operations that modify existing attribute values, and operations that search for attribute values.
  - 29. The computer-readable medium as recited in claim 25, wherein the access control specification specifies a plurality of categories of directory server operations and a respective acceptability criterion for each category of the plurality of categories.
  - 30. The computer-readable medium as recited in claim 26, wherein the location of the acceptability criterion within the access control instruction is indicated by a keyword.

31. A directory server, comprising:
- a database storing directory entnes representing a plurality of entities managed using the directory server;
  
  an access control instruction builder configured to receive as input from an operator an acceptability criterion for an access control instruction indicating, based on specified acceptable values of an attribute of a particular entity of the plurality of entities, whether a directory server operation is permissible on the particular entity;
  
  an access control processor configured to;
  
  in response to a request for the operation on the particular entity from a requester, determine whether the operation violates the acceptability criterion by setting the attribute to an unacceptable value;
  
  in response to determining that the operation does not violate the acceptability criteria, permit the operation to be performed; and
  
  in response to determining that the operation violates the acceptability criteria, disallow the operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Byrne, Robert
Primary Examiner(s)
Barrón, Jr., Gilberto
Assistant Examiner(s)
Khomassi, Nima

Application Number

US10/010,748
Publication Number

US 20030105978A1
Time in Patent Office

1,603 Days
Field of Search

726/21, 726/26
US Class Current

726/21
CPC Class Codes

G06F 16/10   File systems; File servers

H04L 61/4523   using lightweight directory...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

Filter-based attribute value access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Filter-based attribute value access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links