Method and system for controlling access to data resources...

Data processing: database and file management or data structures – Database design – Data structure types

Reexamination Certificate

Details

C707S793000, C707S793000, C709S201000, C709S205000, C709S217000, C709S225000, C709S229000, C713S152000

active

06292798

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to security systems for protecting computer system resources from unauthorized access and, more particularly, to a method and apparatus for reducing the amount of required memory to implement the security system.
BACKGROUND OF THE INVENTION
Many methods of computing system security exist. Examples include: access control lists, public/group/private access, User ID, password, etc. Basically all such security methods answer the same question: “May this Function happen, yes or no?”
The problem with many of the security systems is that their memory requirements increase at an exponential rate, dependent upon the number of securable objects which can be accessed by a number of users to carry out a variety of functions. In this regard, a User is identified by an identifier, an Object by a name and a Function by a brief descriptor of its operation. For example a Function may be a read, a write or a delete function (or any combination thereof) with respect to a database entry. Further, the function may evidence a constraint, e.g. access allowed only during set business hours; access allowed at all hours; etc.
In the prior art some systems have required that all permutations of (Objects, Users, Functions) be maintained. In such a case when User-Y wants to perform Function-Z with respect to Object-X, the security check examines the security state for (Object-X, User-Y, Function-Z).
The problem with this solution is that X*Y*Z security states need to be maintained (where X=number of Objects, Y=number of Users, and Z=number of Functions). The storage required is of the order of N^3 for a large value of N.
Different security systems may require more than Object, User, and Function. Examples might be when the Object is acted upon or the location of the User attempting to access the Object. For systems of this type, the storage costs grow at the rate of N^4, N^5, or more. In such cases, the value of N has a more profound effect. Hereafter, the discussion will focus on N^3 storage costs.
The prior art includes a variety of teachings regarding security systems for protecting data. For instance, U.S. Pat. No. 5,539,906 to Abraham et al. (assigned to the same Assignee as this application) describes a security system which protects data pertaining to an industrial process (or a series of industrial process steps). Abraham et al. enable access to data that derives from a process step which is currently active, but only to a select group. Thus, access to the process data is prevented, based on the status of the data, in addition to the category or type of data. For instance, users may have access to data elements at some steps in the process, but are denied access to those data elements at other steps in the process. Abraham et al. further suggest that their method for controlling security based on the data status and location may be used with password control, security level control and other classifications based on groups of users or type of data.
U.S. Pat. No. 5,504,814 to Miyahara describes a computer security mechanism that includes an access control table that specifies predetermined access rights of each of a plurality of predetermined security subjects relative to predetermined security objects. The access control table further includes a collection of mutually exclusive execution domains for each of the security subjects so that the executing processes of the security subject can only directly access code and data contained within the collection of domains of such security subject.
Howell et al. in U.S. Pat. No. 5,450,590, assigned to the same assignee as this Application, describe a security system wherein data access is controlled in accord with a time-based schedule.
Fabbio et al. in U.S. Pat. No. 5,335,346, assigned to the same Assignee as this Application, describe a security system wherein entries in an access control list include permissions for read, write and execute. Those entries can be assigned to each of a number of identifiers that represent users or groups of users. Upon receiving a list of user IDs and group IDs, the access control routine performs a logical AND operation across the set of credentials represented by the different IDs and returns the least amount of privilege.
Notwithstanding the many and varied teachings in the prior art regarding security systems, there is still a need for a security system which evidences reduced memory requirements, even in the event of multiple security interrelationships.
SUMMARY OF THE INVENTION
The invention controls access to data resources by performing the steps of: providing (i) a first directory which relates data objects to object groups, each object group including all data objects having a common assigned security attribute; (ii) a second directory which relates functions to function groups, each function group including functions having a common execution attribute; (iii) a third directory which relates users to user groups, each user group including users having a common user attribute; and a permission directory which lists allowed combinations of (user group, function group, object group). In response to a request from a user to perform a function with respect to an object, the permission directory is examined to determine if the access request is to be allowed or not allowed.
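The sketch below is an added example, not code from the patent: it models the three directories and the permission directory described in the summary and compares the number of stored entries with the X*Y*Z states of the per-triple table from the background. The class and method names, the sample data, the one-group-per-member mapping and the deny-on-unknown behaviour are assumptions made for illustration.

```python
# Added illustration: names and sample data below are constructed, not from the patent.
class GroupedAccessControl:
    def __init__(self, object_groups, function_groups, user_groups, permissions):
        self.object_groups = dict(object_groups)      # first directory: object -> object group
        self.function_groups = dict(function_groups)  # second directory: function -> function group
        self.user_groups = dict(user_groups)          # third directory: user -> user group
        self.permissions = set(permissions)           # allowed (user group, function group, object group)

    def is_allowed(self, user, function, obj):
        """Resolve each element to its group, then look up the group triple."""
        try:
            triple = (self.user_groups[user],
                      self.function_groups[function],
                      self.object_groups[obj])
        except KeyError:
            return False  # assumption: anything missing from a directory is denied
        return triple in self.permissions

    def stored_entries(self):
        """Entries held by the grouped scheme: three directories plus the permission list."""
        return (len(self.object_groups) + len(self.function_groups)
                + len(self.user_groups) + len(self.permissions))

    def flat_states(self):
        """X*Y*Z states a per-(Object, User, Function) table would have to hold."""
        return len(self.object_groups) * len(self.user_groups) * len(self.function_groups)


def build_sample():
    """Constructed sample: 6 objects, 3 functions, 4 users, 4 permitted group triples."""
    objects = {"payroll.db": "confidential", "hr.db": "confidential",
               "salaries.csv": "confidential", "menu.txt": "public",
               "news.txt": "public", "map.txt": "public"}
    functions = {"read": "view", "write": "modify", "delete": "modify"}
    users = {"alice": "finance", "bob": "finance",
             "carol": "staff", "dave": "staff"}
    permissions = [("finance", "view", "confidential"),
                   ("finance", "modify", "confidential"),
                   ("finance", "view", "public"),
                   ("staff", "view", "public")]
    return GroupedAccessControl(objects, functions, users, permissions)


if __name__ == "__main__":
    acl = build_sample()
    print("carol may read payroll.db:", acl.is_allowed("carol", "read", "payroll.db"))
    print("grouped entries:", acl.stored_entries(), "vs flat states:", acl.flat_states())
```

Adding a user, object or function to an existing group costs one directory entry and leaves the permission directory unchanged, which is where the memory saving over the per-triple table comes from.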


REFERENCES:
patent: 4956769 (1990-09-01), Smith
patent: 5265221 (1993-11-01), Miller
patent: 5276901 (1994-01-01), Howell et al.
patent: 5335346 (1994-08-01), Fabbio
patent: 5446903 (1995-08-01), Abraham et al.
patent: 5450593 (1995-09-01), Howell et al.
patent: 5504814 (1996-04-01), Miyahara
patent: 5539906 (1996-07-01), Abraham et al.
patent: 5572673 (1996-11-01), Shurtz
patent: 5613099 (1997-03-01), Erickson et al.
patent: 5627967 (1997-05-01), Dauerer et al.
patent: 5727145 (1998-03-01), Nesett et al.
patent: 5742759 (1998-04-01), Nesett et al.
patent: 5941947 (1999-08-01), Brown et al.
patent: 6029246 (2000-02-01), Bahr
patent: 6052688 (2000-04-01), Thorsen
patent: 6064656 (2000-05-01), Angal et al.
patent: 7-271693 (1995-10-01), None
patent: WO95/14266 (1994-10-01), None
IBM Technical Disclosure Bulletin, vol. 40, No. 05, May 1997, pp. 115-116, “Tagging Objects to Form an Arbitrary Group”.
