Filter-based attribute value access control
First Claim
1. A computer-implemented method, comprising:
- storing an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
- in response to a request for an operation on the target entity from a requester, determining whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
- in response to determining that the operation does not violate the acceptability criteria, performing the operation; and
- in response to determining that the operation violates the acceptability criteria, indicating that the request is denied.
2 Assignments
0 Petitions
Abstract
Various embodiments of systems and methods for implementing filter-based attribute value access control are disclosed. In one embodiment, a method involves designating a location in the directory server, providing attribute related data that includes a filter expression, and selectively controlling access to an entry situated at the designated location using the filter expression in the attribute related data. For example, access to an attribute of the entry may be denied if a criterion defined by the filter expression associated with the attribute is not met by a first value of the attribute.
39 Citations
31 Claims
1. A computer-implemented method, comprising:
- storing an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
- in response to a request for an operation on the target entity from a requester, determining whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
- in response to determining that the operation does not violate the acceptability criteria, performing the operation; and
- in response to determining that the operation violates the acceptability criteria, indicating that the request is denied.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system, comprising:
- a processor; and
- memory coupled to the processor, wherein the memory stores program instructions executable by the processor to:
  - store an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
  - in response to a request for an operation on the target entity from a requester, determine whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
  - in response to determining that the operation does not violate the acceptability criteria, perform the operation; and
  - in response to determining that the operation violates the acceptability criteria, indicate that the request is denied.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20

21. A tangible, computer-readable medium, comprising program instructions, wherein the instructions are computer-executable to:
- store an access control specification identifying a target entity to which access is to be controlled at a directory server, wherein the access control specification includes an acceptability criterion for operations on the target entity, wherein the acceptability criterion specifies a set of one or more acceptable values for an attribute of the target entity;
- in response to a request for an operation on the target entity from a requester, determine whether the operation violates the acceptability criterion, wherein said determining comprises determining whether the operation modifies the attribute value to a value outside the set;
- in response to determining that the operation does not violate the acceptability criteria, perform the operation; and
- in response to determining that the operation violates the acceptability criteria, indicate that the request is denied.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30

31. A directory server, comprising:
- a database storing directory entries representing a plurality of entities managed using the directory server;
- an access control instruction builder configured to receive as input from an operator an acceptability criterion for an access control instruction indicating, based on specified acceptable values of an attribute of a particular entity of the plurality of entities, whether a directory server operation is permissible on the particular entity;
- an access control processor configured to:
  - in response to a request for the operation on the particular entity from a requester, determine whether the operation violates the acceptability criterion by setting the attribute to an unacceptable value;
  - in response to determining that the operation does not violate the acceptability criteria, permit the operation to be performed; and
  - in response to determining that the operation violates the acceptability criteria, disallow the operation.
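The acceptability check that the claims and the abstract describe, as an added Python model; this is illustrative code written for this page, not the patent holder's implementation or any real directory server's code. It generalizes claim 1's "set of acceptable values" to the abstract's filter expression: the criterion is a small LDAP-style filter subset (`(attr=value)`, `&`, `|`, `!`), and a set {v1, v2} is written as `(|(attr=v1)(attr=v2))`. The class names `AccessControlSpec` and `DirectoryServer`, the example DN and the `status` values are all constructed for the illustration.

```python
"""Filter-based attribute value access control (illustrative model, not the patent's code).

A directory server holds entries (dn -> {attribute: set(values)}). An access
control specification names a target entry, a controlled attribute and an
acceptability criterion written as an LDAP-style filter. A modify that would
move the attribute to a value the filter rejects is denied before anything is
written; a read of the attribute is denied when its current value fails the
filter (the abstract's "first value" case).
"""
from dataclasses import dataclass, field


# --- minimal LDAP-style filter evaluator: (attr=value), (&...), (|...), (!...) ---

def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    j = s.index(")", i)                      # values with ')' or escapes are out of scope here
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip(), value.strip()), j + 1


def parse_filter(expr: str):
    node, end = _parse(expr, 0)
    if end != len(expr):
        raise ValueError("trailing characters in filter")
    return node


def matches(node, attrs: dict) -> bool:
    """Evaluate a parsed filter against an entry's attributes {name: set(values)}."""
    if node[0] == "=":
        _, attr, value = node
        return value in attrs.get(attr, set())
    op, children = node
    if op == "&":
        return all(matches(c, attrs) for c in children)
    if op == "|":
        return any(matches(c, attrs) for c in children)
    return not matches(children[0], attrs)   # op == "!"


# --- access control specification and the server-side check -------------------

@dataclass
class AccessControlSpec:
    target_dn: str      # entry whose attribute is controlled (constructed field names)
    attribute: str      # controlled attribute
    filter_expr: str    # acceptability criterion, e.g. "(|(status=active)(status=probation))"


@dataclass
class DirectoryServer:
    entries: dict = field(default_factory=dict)   # dn -> {attribute: set(values)}
    specs: list = field(default_factory=list)

    def _specs_for(self, dn: str, attribute: str):
        return [s for s in self.specs if s.target_dn == dn and s.attribute == attribute]

    def modify(self, dn: str, attribute: str, new_value: str):
        """Replace the attribute's value, unless a spec's filter rejects the resulting entry."""
        entry = self.entries[dn]
        proposed = dict(entry)                 # evaluate the post-modification state, not the current one
        proposed[attribute] = {new_value}
        for spec in self._specs_for(dn, attribute):
            if not matches(parse_filter(spec.filter_expr), proposed):
                return False, f"denied: {attribute}={new_value!r} violates {spec.filter_expr}"
        entry[attribute] = {new_value}         # only reached when every criterion is satisfied
        return True, "ok"

    def read(self, dn: str, attribute: str):
        """Return the attribute's values, or None when its current value fails a spec's filter."""
        entry = self.entries[dn]
        for spec in self._specs_for(dn, attribute):
            if not matches(parse_filter(spec.filter_expr), entry):
                return None
        return set(entry.get(attribute, set()))


def demo():
    """Constructed scenario: 'status' may only be set to 'active' or 'probation'."""
    dn = "uid=alice,ou=people,dc=example,dc=com"   # constructed DN
    server = DirectoryServer()
    server.entries[dn] = {"uid": {"alice"}, "status": {"active"}}
    server.specs.append(AccessControlSpec(dn, "status", "(|(status=active)(status=probation))"))
    return [
        server.modify(dn, "status", "probation")[0],   # inside the acceptable set -> True
        server.modify(dn, "status", "admin")[0],       # outside the set -> False, entry unchanged
        server.read(dn, "status"),                     # current value still passes -> {"probation"}
    ]


if __name__ == "__main__":
    print(demo())
```

The decision in `modify` is taken on the proposed entry before any write, which is the claim's "determining whether the operation modifies the attribute value to a value outside the set"; `read` applies the same filter to the stored value. The toy parser does not handle escaped characters or parentheses inside values, so a production filter evaluator (as in any real directory server) would need a full filter grammar rather than this subset.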