Inheritance of controls within a hierarchy of data processing system resources
First Claim
1. A method for managing access to data nodes in a hierarchically organized data tree, the method comprising:
- applying an override Access Control List (ACL) to a child node in a hierarchically organized data tree, wherein the override ACL overrides, in the child node, an access control of an ancestor node, wherein the hierarchically organized data tree describes files in a distributed computing environment (DCE) file system, wherein the override ACL contains a publish option that specifies whether a principal can publish messages on a topic, a subscribe option that specifies whether a principal can subscribe to messages on the topic, and a persistent option that specifies whether a principal can receive messages persistently, and wherein the override ACL passes the access control to a descendent of the child node; and
- assigning priority to and utilizing a user override ACL over a group override ACL, wherein the group override ACL is based on a group to which a user belongs, and wherein the user override ACL is based on an identity of the user, and wherein the child node contains both the group override ACL and the user override ACL for a same user;
- graphically displaying on a user interface device an operations button in a node of a graphically displayed hierarchically organized data tree;
- in response to the operations button being activated, presenting a dialog box that includes three buttons and a box for entering a user's name, wherein the three buttons are respectively associated with functions for the publish option, the subscribe option, and the persistent option;
- receiving a name of the user that has been inputted into the box; and
- in response to one of the three buttons being activated, visually displaying a description of an operation, for a chosen option, that is authorized for the user.
Abstract
Provided are methods, apparatus and computer programs for applying access controls to control operations on hierarchically organized data processing system resources. A number of different scopes of applicability can be set in association with an access control, such as an ACL, and this will determine the inheritability, non-inheritability or limited inheritability of the access control for resources in the hierarchy. When a request is received to perform an operation, the access controls for the relevant branch of the hierarchy are processed to determine an applicable access control—taking account of inheritance attributes which have been set for individual access controls. The invention is useful for controlling the application of ACLs to topics in a topic tree within a publish/subscribe message broker.
9 Claims
1. (Independent claim 1, reproduced in full under First Claim above; dependent claims 2, 3, 4 and 5 are not shown on this page.)
6. A computer-readable storage device on which is stored a set of program instructions for controlling a computer, the program instructions being configured for:
- applying an override Access Control List (ACL) to a child node in a hierarchically organized data tree, wherein the override ACL applies a parent ACL, which is inherited by the child node from an ancestor node, to the child node and down to a user-defined nth level of descendents of the child node, wherein the hierarchically organized data tree describes messages used by a message broker for distributing messages to subscriber application programs in accordance with topic-based subscriptions, and wherein the override ACL contains a publish option that specifies whether a principal can publish messages on a topic, a subscribe option that specifies whether a principal can subscribe to messages on the topic, and a persistent option that specifies whether a principal can receive messages persistently;
- assigning priority to and utilizing a user override ACL over a group override ACL, wherein the group override ACL is based on a group to which a user belongs, and wherein the user override ACL is based on an identity of the user, and wherein the child node contains both the group override ACL and the user override ACL for a same user;
- graphically displaying an operations button in a node of a graphically displayed hierarchically organized data tree;
- in response to the operations button being activated, presenting a dialog box that includes three buttons and a box for entering a user's name, wherein the three buttons are respectively associated with functions for the publish option, the subscribe option, and the persistent option;
- receiving a name of the user that has been inputted into the box; and
- in response to one of the three buttons being activated, visually displaying a description of an operation, for a chosen option, that is authorized for the user.
(Dependent claims 7, 8 and 9 are not shown on this page.)
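The abstract and the two independent claims describe three rules that decide which ACL governs a request on a topic: an ACL carries an inheritance scope (none, unlimited, or limited to an nth level of descendants), an override ACL on a nearer node takes precedence over one inherited from an ancestor, and where a node holds both a user ACL and a group ACL for the same user, the user ACL wins. The following Python is an added worked example of that resolution over a small topic tree; it is illustrative code written for this page, not the patent holder's implementation. The class and function names (`Acl`, `TopicTree`, `resolve`, `permissions`, `describe`, `demo_tree`), the integer scope encoding (`INHERIT_NONE`, `INHERIT_ALL`, positive n), the slash-separated topic syntax, and the sample hierarchy are all assumptions; only the publish, subscribe and persistent options come from the claims. Group membership is passed in explicitly rather than looked up in a directory.

```python
# Added illustrative example for this page; not the patent's own implementation.
# Assumed names: Acl, TopicTree, INHERIT_*. The publish/subscribe/persistent
# options come from the claims; scope encoding and topic syntax are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

INHERIT_NONE = 0   # ACL applies to its own node only (non-inheritable)
INHERIT_ALL = -1   # ACL applies to its node and every descendant
# Any positive value n: applies to its node and descendants up to n levels
# below it (the "user-defined nth level" limited inheritability of claim 6).


@dataclass(frozen=True)
class Acl:
    principal: str      # user name, or group name when is_group is True
    is_group: bool
    publish: bool       # may publish messages on the topic
    subscribe: bool     # may subscribe to messages on the topic
    persistent: bool    # may receive messages persistently
    scope: int = INHERIT_ALL


class TopicTree:
    """Topic hierarchy with ACLs attached to nodes, e.g. 'sports/football'."""

    def __init__(self) -> None:
        self._acls: Dict[str, List[Acl]] = {}

    @staticmethod
    def _parts(topic: str) -> List[str]:
        return [p for p in topic.split("/") if p]

    def attach(self, topic: str, acl: Acl) -> None:
        self._acls.setdefault("/".join(self._parts(topic)), []).append(acl)

    def _chain(self, topic: str) -> List[str]:
        # Root first: 'a/b' -> ['', 'a', 'a/b']
        parts = self._parts(topic)
        return ["/".join(parts[:i]) for i in range(len(parts) + 1)]

    def resolve(self, topic: str, user: str, groups: Iterable[str]) -> Optional[Acl]:
        """Pick the single ACL governing `user` on `topic`, or None (deny).

        Walk from the root down to the topic. An ACL is a candidate if it names
        the user or one of the user's groups and its scope reaches the topic.
        The candidate attached nearest the topic wins (an override ACL on a
        child beats an inherited ancestor ACL); on a tie, the user ACL beats
        the group ACL, as claim 1 requires. No candidate means default deny.
        """
        groups = set(groups)
        chain = self._chain(topic)
        target_depth = len(chain) - 1
        best: Optional[tuple] = None
        for depth, node in enumerate(chain):
            distance = target_depth - depth   # 0 on the topic itself
            for acl in self._acls.get(node, []):
                if acl.is_group and acl.principal not in groups:
                    continue
                if not acl.is_group and acl.principal != user:
                    continue
                if distance > 0 and acl.scope != INHERIT_ALL and distance > acl.scope:
                    continue   # topic lies outside this ACL's inheritance scope
                key = (distance, acl.is_group)   # smaller tuple = stronger claim
                if best is None or key < best[0]:
                    best = (key, acl)
        return best[1] if best else None

    def permissions(self, topic: str, user: str, groups: Iterable[str]) -> Dict[str, bool]:
        acl = self.resolve(topic, user, groups)
        if acl is None:
            return {"publish": False, "subscribe": False, "persistent": False}
        return {"publish": acl.publish, "subscribe": acl.subscribe, "persistent": acl.persistent}

    def describe(self, topic: str, user: str, groups: Iterable[str]) -> str:
        """Text a dialog such as the one in the claims could show for a user."""
        allowed = [op for op, ok in self.permissions(topic, user, groups).items() if ok]
        return f"{user} on {topic or '/'}: " + (", ".join(allowed) if allowed else "no operations")


def demo_tree() -> TopicTree:
    """Constructed sample hierarchy (not taken from the patent)."""
    t = TopicTree()
    # Everyone may subscribe anywhere; inherited down the whole tree.
    t.attach("", Acl("everyone", True, False, True, False))
    # Editors may publish and subscribe under 'sports'.
    t.attach("sports", Acl("editors", True, True, True, False))
    # Under 'sports/football' editors also get persistent delivery ...
    t.attach("sports/football", Acl("editors", True, True, True, True))
    # ... but alice (an editor) is held to subscribe-only there and one level
    # below (scope=1); deeper nodes fall back to the group ACL.
    t.attach("sports/football", Acl("alice", False, False, True, False, scope=1))
    return t


if __name__ == "__main__":
    tree = demo_tree()
    for topic in ("sports", "sports/football", "sports/football/scores",
                  "sports/football/scores/live"):
        print(tree.describe(topic, "alice", {"editors"}))
    print(tree.describe("news", "carol", set()))
```

Running the module prints one line per topic for alice and one for carol. The point to notice is the transition at `sports/football/scores/live`: alice's restrictive user ACL is limited to one level below `sports/football`, so two levels down the broader editors group ACL applies again. That is exactly the kind of scope boundary an operator should review when a child override is meant to tighten access, since a limited scope silently re-opens the inherited permission further down the tree.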
Specification