Access control system and methods

US 7,409,390 B2
Filed: 09/07/2001
Issued: 08/05/2008
Est. Priority Date: 09/08/2000
Status: Expired due to Term

First Claim

Patent Images

1. An access control system, for exercising access control upon receipt of a request to access an object that is an information resource, comprising:

an access request determination unit for, in accordance with said access request, employing an access control rule defining an access right for said object to determine whether or not access to said object should be permitted;

an object storage unit for storing said access control rule for said object; and

an object manager configured to extract from the object storage unit an access control tagged object that represents the access control rule for the object;

wherein, upon receipt of a request to access an access control rule, said access request determination unit determines whether or not access to said access control rule should be permitted.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides access control methods, apparatus and systems that employ an access control rule and that does not distinguish between data and the access control rule, so that the same flexible access control that is available for the data can also be provided for the access control rule. In an example embodiment, an access control system comprises: an access controller for, in accordance with the access request, employing an access control rule defining an access right for the object to determine whether or not access to the object should be permitted; and an object storage unit for storing a set of access control rules as objects equivalent to common data objects, wherein, upon the receipt of a request to access an access control rule, the access controller determines whether or not access to the access control rule should be permitted.

12 Citations

View as Search Results

23 Claims

1. An access control system, for exercising access control upon receipt of a request to access an object that is an information resource, comprising:
- an access request determination unit for, in accordance with said access request, employing an access control rule defining an access right for said object to determine whether or not access to said object should be permitted;
  
  an object storage unit for storing said access control rule for said object; and
  
  an object manager configured to extract from the object storage unit an access control tagged object that represents the access control rule for the object;
  
  wherein, upon receipt of a request to access an access control rule, said access request determination unit determines whether or not access to said access control rule should be permitted.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The access control system according to claim 1, wherein, upon the receipt of a request to access a predetermined object, including said access control rule, said access request determination unit extracts, from said object storage unit, said object and an access control rule for said object, and determines, based on said access control rule, whether access to said object should be permitted.
  - 3. The access control system according to claim 1, wherein a set of access control rules stored as objects in said object storage unit includes an access control rule that defines an access right for the access control rule.
  - 4. The access control system according to claim 1, further comprising:
    - an object correlation manager for managing a correlation between an object for which an access request is issued and an access control rule for said object.
  - 5. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing access control, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of the elements of claim 1.
  - 6. The access control system of claim 1, wherein the access control rule includes:
    - an access target tag configured to represent the object to be accessed;
      
      an access subject tag configured to represent a subject permitted to access the object;
      
      an access type tag configured to represent a type of process performed for the object;
      
      an access flag tag configured to determine whether an access should be permitted; and
      
      an access condition tag configured to represent a condition for applying the access control rule.

7. An access control system, for exercising access control upon the receipt of a request to access a specific information resource, comprising:
- storage means, for storing an access control rule that defines an access right for said specific information resource and a higher level control rule that defines an access right for said access control rule; and
  
  determination means, for employing said higher level control rule, in accordance with a request to access said access control rule, to determine whether access to said access control rule should be permitted,wherein a higher level control rule for controlling access to another access control rule is included as said access control rule stored in said storage means; and
  
  an object manager means configured to extract from the object storage unit an access control tagged object that represents the access control rule for the object.
- View Dependent Claims (8, 9, 10)
- - 8. The access control system according to claim 7, wherein, said access control rule stored in said storage means is written as an object that includes designation information specifying a higher level control rule that is to be used for access control.
  - 9. The access control system according to claim 7, further comprising:
    - processing means, for generating, changing or deleting, in accordance with an access request that is granted by said determination means, said access control rule and said higher level control rule therefor.
  - 10. The access control system according to claim 7, wherein said higher level control rule is a rule permitting one part of an access right for said access control rule to be provided for a specific subject.

11. An access control system, for receiving a tagged object, having a tag that represents control information for data elements, and for exercising access control for said tagged object, comprising:
- access control rule storage means, for storing a set of access control rules each for defining an access right for said tagged object; and
  
  an access request determination means, for employing one of said access control rules to determine, in accordance with said access request, whether access to said tagged object should be permitted,wherein said access control rules stored in said access control rule storage means are written as tagged objects, for which said tags each represent control information for controlling the elements of said access control rule, andwherein said access request determination means, in accordance with said access request for said access control rule, determines whether access to said access control rule, which is said tagged object, should be permitted.
- View Dependent Claims (12, 13, 14)
- - 12. The access control system according to claim 11, further comprising:
    - data object storage means, for storing a data object having a tag, a tagged object, or a data object having no tag, an un-tagged object, and said access request determination means, for determining whether access to said access control rule, which is either said tagged data object or said un-tagged data object, should be permitted.
  - 13. The access control system according to claim 12, further comprising:
    - management means, for holding information concerning an access control rule for said tagged data object when an access request for said tagged data object is issued,wherein, when an access request is issued for said un-tagged data object, which accompanies said tagged data object, said access request determination means, based on information held by said management means, obtains an access control rule for said tagged data object, and based on said access control rule, determines whether access to said un-tagged data object should be permitted.
  - 14. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing access control, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of the elements of claim 11.

15. A server for receiving an access request from a client and for, in accordance with said access request, processing an object that is a target of said access request comprising:
- an access request determination unit, for determining, based on an access control rule defining an access right for said object, whether the accessing of said object should be permitted; and
  
  an object processor, for performing corresponding processing for said object in accordance with access permission granted by said access request determination unit; and
  
  an object storage unit for storing, as an object, said access control rule for said object, andan object manager configured to extract from the object storage unit an access control tagged object that represents the access control rule for the object;
  
  wherein said access request determination unit, in accordance with an access request for said access control rule, determines whether the accessing of said access control rule should be permitted.
- View Dependent Claims (16, 17)
- - 16. The sever according to claim 15, wherein said object processor generates, changes or deletes said access control rule in accordance with an access request for said access control rule.
  - 17. The server according to claim 15, wherein said object processor generates an access control rule permitting one part of an access right for said access control rule to be provided for a specific subject.

18. An access control method, for exercising access control upon the receipt of an access request for an object that is an information resource, comprising the steps of:
- sorting general data objects into tagged objects and untagged objects;
  
  receiving an access request for an access control rule that is an object;
  
  obtaining an access control rule defining an access right for said object targeted by said access request;
  
  determining, based on said access control rule, whether the accessing of said object should be permitted; and
  
  determining, in accordance with said access request for said access control rule, whether access to said access control rule should be permitted.
- View Dependent Claims (19, 20)
- - 19. An access control method as recited in claim 18, wherein the step of obtaining a rule includes:
    - receiving a request for generating the access control rule, and determining, based on said access control rule relative to said request for generating, whether said request for generating should be granted; and
      
      generating said access control rule, when said request for generating is granted, in accordance with said request for generating, and adding information to said request for generating that designates said access control rule.
  - 20. An access control method as recited in claim 18, further comprising providing a storage medium on which is stored a computer-readable program, which permits a computer to perform the steps of:
    - receiving the access request for the access control rule that is the object;
      
      obtaining the access control rule defining the access right for said object targeted by said access request; and
      
      determining, based on said access control rule, whether the accessing of said object should be permitted.

21. An access control method, for exercising access control upon the receipt of an access request for a tagged object, which has a tag that represents information for controlling elements of data, comprising the steps of:
- holding information for an access control rule for said tagged object upon said receipt of an access request for said tagged object;
  
  obtaining, upon the receipt of an access request for an un-tagged object, which accompanies said tagged object, said access control rule for said tagged object based on said information that is held at said step of holding said information concerning said access control rule; and
  
  employing said access control rule to determine whether the accessing of said un-tagged object should be permitted; and
  
  determining, in accordance with said access request for said access control rule, whether access to said access control rule should be permitted.

22. A storage medium on which is stored on a computer-readable program, which permits said computer to perform processes comprising:
- a process for sorting general data objects into tagged objects and untagged objects;
  
  a process for receiving an access request for an access control rule that is an object;
  
  a process for obtaining an access control rule defining an access right for said object targeted by said access request;
  
  a process for determining, based on said access control rule, whether the accessing of said object should be permitted; and
  
  a process for determining, in accordance with said access request for said access control rule, whether access to said access control rule should be permitted.

23. A program transmission apparatus comprising:
- storage means for storing a computer-readable program, which permits said computer to perform processes comprising;
  
  a process for sorting general data objects into tagged objects and untagged objects;
  
  a process for receiving an access request for an access control rule that is an object,a process for obtaining an access control rule defining an access right for said object targeted by said access request,a process for determining, based on said access control rule, whether the accessing of said object should be permitted;
  
  transmission means for reading said program from said storage means and for transmitting said program; and
  
  a process for determining, in accordance with said access request for said access control rule, whether access to said access control rule should be permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Amano, Tomio, Kudoh, Michiharu
Primary Examiner(s)
ROBINSON, GRETA LEE

Application Number

US09/948,286
Publication Number

US 20020077803A1
Time in Patent Office

2,524 Days
Field of Search

707/9, 707/10, 707/1, 709/229
US Class Current

1/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Access control system and methods

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Access control system and methods

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links