Inheritance of controls within a hierarchy of data processing system resources

US 7,917,940 B2
Filed: 12/13/2002
Issued: 03/29/2011
Est. Priority Date: 03/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing access to data nodes in a hierarchically organized data tree, the method comprising:

applying an override Access Control List (ACL) to a child node in a hierarchically organized data tree, wherein the override ACL overrides, in the child node, an access control of an ancestor node, wherein the hierarchically organized data tree describes files in a distributed computing environment (DCE) file system, wherein the override ACL contains a publish option that specifies whether a principal can publish messages on a topic, a subscribe option that specifies whether a principal can subscribe to messages on the topic, and a persistent option that specifies whether a principal can receive messages persistently, and wherein the override ACL passes the access control to a descendent of the child node; and

assigning priority to and utilizing a user override ACL over a group override ACL, wherein the group override ACL is based on a group to which a user belongs, and wherein the user override ACL is based on an identity of the user, and wherein the child node contains both the group override ACL and the user override ACL for a same user;

graphically displaying on a user interface device an operations button in a node of a graphically displayed hierarchically organized data tree;

in response to the operations button being activated, presenting a dialog box that includes three buttons and a box for entering a user'"'"'s name, wherein the three buttons are respectively associated with functions for the publish option, the subscribe option, and the persistent option;

receiving a name of the user that has been inputted into the box; and

in response to one of the three buttons being activated, visually displaying a description of an operation, for a chosen option, that is authorized for the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods, apparatus and computer programs for applying access controls to control operations on hierarchically organized data processing system resources. A number of different scopes of applicability can be set in association with an access control, such as an ACL, and this will determine the inheritability, non-inheritability or limited inheritability of the access control for resources in the hierarchy. When a request is received to perform an operation, the access controls for the relevant branch of the hierarchy are processed to determine an applicable access control—taking account of inheritance attributes which have been set for individual access controls. The invention is useful for controlling the application of ACLs to topics in a topic tree within a publish/subscribe message broker.

42 Citations

View as Search Results

9 Claims

1. A method for managing access to data nodes in a hierarchically organized data tree, the method comprising:
- applying an override Access Control List (ACL) to a child node in a hierarchically organized data tree, wherein the override ACL overrides, in the child node, an access control of an ancestor node, wherein the hierarchically organized data tree describes files in a distributed computing environment (DCE) file system, wherein the override ACL contains a publish option that specifies whether a principal can publish messages on a topic, a subscribe option that specifies whether a principal can subscribe to messages on the topic, and a persistent option that specifies whether a principal can receive messages persistently, and wherein the override ACL passes the access control to a descendent of the child node; and
  
  assigning priority to and utilizing a user override ACL over a group override ACL, wherein the group override ACL is based on a group to which a user belongs, and wherein the user override ACL is based on an identity of the user, and wherein the child node contains both the group override ACL and the user override ACL for a same user;
  
  graphically displaying on a user interface device an operations button in a node of a graphically displayed hierarchically organized data tree;
  
  in response to the operations button being activated, presenting a dialog box that includes three buttons and a box for entering a user'"'"'s name, wherein the three buttons are respectively associated with functions for the publish option, the subscribe option, and the persistent option;
  
  receiving a name of the user that has been inputted into the box; and
  
  in response to one of the three buttons being activated, visually displaying a description of an operation, for a chosen option, that is authorized for the user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the hierarchically organized data tree describes entries in a lightweight directory access protocol (LDAP).
  - 3. The method of claim 1, wherein the hierarchically organized data tree describes messages used by a message broker for distributing messages to subscriber application programs in accordance with topic-based subscriptions.
  - 4. The method of claim 1, wherein the publish option, the subscribe option and the persistent option are displayed, for a named principal at a node in the hierarchically organized data tree, as same-shaped symbols that are color-coded, wherein a first-colored symbol indicates that an operation is authorized for the named principal, a second-colored symbol indicates that the operation is not authorized for the named principal, and a grayed-out-symbol indicates that an ACL does not specify whether the named principal has permission for the operation.
  - 5. The method of claim 1, wherein the hierarchically organized data tree is visually represented as a displayed tree, and wherein the method further comprises:
    - highlighting, in the displayed tree, all ACL'"'"'s whose policies are used to determine a principal'"'"'s access to a specific node in the displayed tree; and
      
      lowlighting, in the displayed tree, all other ACL'"'"'s that are not used to determine the principal'"'"'s access to the specific node in the displayed tree.

6. A computer-readable storage device on which is stored a set of program instructions for controlling a computer, the program instructions being configured for:
- applying an override Access Control List (ACL) to a child node in a hierarchically organized data tree, wherein the override ACL applies a parent ACL, which is inherited by the child node from an ancestor node, to the child node and down to a user-defined nth level of descendents of the child node, wherein the hierarchically organized data tree describes messages used by a message broker for distributing messages to subscriber application programs in accordance with topic-based subscriptions, and wherein the override ACL contains a publish option that specifies whether a principal can publish messages on a topic, a subscribe option that specifies whether a principal can subscribe to messages on the topic, and a persistent option that specifics whether a principal can receive messages persistently;
  
  assigning priority to and utilizing a user override ACL, over a group override ACL, wherein the group override ACL is based on a group to which a user belongs, and wherein the user override ACL is based on an identity of the user, and wherein the child node contains both the group override ACL and the user override ACL for a same user;
  
  graphically displaying an operations button in a node of a graphically displayed hierarchically organized data tree;
  
  in response to the operations button being activated, presenting a dialog box that includes three buttons and a box for entering a user'"'"'s name, wherein the three buttons are respectively associated with functions for the publish option, the subscribe option, and the persistent option;
  
  receiving a name of the user that has been inputted into the box; and
  
  in response to one of the three buttons being activated, visually displaying a description of an operation, for a chosen option, that is authorized for the user.
- View Dependent Claims (7, 8, 9)
- - 7. The computer-readable storage device of claim 6, wherein the hierarchically organized data tree describes entries in a lightweight directory access protocol (LDAP).
  - 8. The computer-readable storage device of claim 6, wherein the hierarchically organized data tree describes files in a distributed computing environment (DCE) file system.
  - 9. The computer-readable storage device of claim 6, wherein the publish option, the subscribe option and the persistent option are displayed, for a named principal at a node in the hierarchically organized data tree, as same-shaped symbols that are color-coded, wherein a first-colored symbol indicates that an operation is authorized for the named principal, a second-colored symbol indicates that the operation is not authorized for the named principal, and a grayed-out-symbol indicates that an ACL does not specify whether the named principal has permission for the operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Young, Neil G S, Holdsworth, Simon A J
Primary Examiner(s)
GERGISO, TECHANE

Application Number

US10/319,199
Publication Number

US 20030188198A1
Time in Patent Office

3,028 Days
Field of Search

713/182, 713/170, 726/2, 726/16, 726/26
US Class Current

726/2
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Inheritance of controls within a hierarchy of data processing system resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Inheritance of controls within a hierarchy of data processing system resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others