Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-09-21
2001-09-11
Trammell, James P. (Department: 2161)
active
06289458
ABSTRACT:
FIELD
This invention relates generally to software access control, and more particularly to providing access control on a per property basis.
BACKGROUND
Multi-user computer systems and systems connected to a multi-user network of computers require the ability to control and restrict access to various components and services provided within the computer system. Windows NT® is an operating system available from Microsoft Corporation, Redmond, Washington, and is an example of a multi-user system implementing access control. Several reasons exist for providing access control; the primary reasons are to protect the privacy of each user's data, and to protect system data from intentional or inadvertent corruption causing system failure or inefficient operation.
Examples of the components typically requiring an access control mechanism include file systems, electronic mail (E-mail) services, directory services, and database systems. Each of these services is typically managed by a separate program within the operating system, and each typically provides its own access control mechanism.
Each of these components is generally represented by objects having a plurality of properties describing various aspects of the object. For example, a file system, as is known in the art, is typically comprised of a set of folders organized in a tree structure. The folders contain files. Objects representing folders and files typically have properties such as the creation date and time, the last modification date and time, the last access date and time, the file size, an indicator of who owns the file or folder and multiple data streams associated with the file.
Another example is a directory service. Directory services maintain a database of objects describing various resources available on the computer system. The Active Directory™ system available from Microsoft Corporation, Redmond, Washington provides such a service. Directory services typically need to maintain a variety of objects to represent the various types of resources available on modern computer systems. One example of such an object represents a system user. A user object in the directory service will typically be defined by properties comprising the user's name, E-mail address, company postal address, physical office location, telephone number, and the user's password in encrypted form. The list provided is meant to be representative of the types of properties, and does not necessarily include all the properties of a directory entry.
Typically, there are several major concepts common to access control systems provided by prior systems. The first concept is that users of the system are assigned a user identifier (USERID). The USERID uniquely identifies a user to the system. The USERID is used to control and track access to the various components of the computer system. The USERID is generally associated with a password, which must be correctly supplied before a user is allowed access to the system.
In addition to the USERID, some operating systems, including Windows NT®, also support the concept of a group identifier (GROUPID). A group identifier allows the system to treat a related group of users in a similar way. For example, there may be a group of users assigned to a backup group whose function is to provide daily backups of the data contained within the computer system. Since the members of this group would all need similar system permissions, it is easier and more convenient to include them in a user group and assign the permissions to the group, rather than to each individual within the group.
The second concept supported by access control systems is the concept of access rights associated with an object. Access rights define who is allowed to manipulate an object. In the context of a file system, access rights associated with files include the right to create a file, read a file, write a file, update a file, and delete a file. In the context of a directory service, access rights associated with directory entries include the right to create an entry, read an entry, update an entry, and delete an entry. Access rights are also referred to as access control rights, or permissions.
Access rights are typically granted or denied based on the USERID or GROUPID associated with an application making a service request.
A primary problem with the above-described mechanism is that the rights are associated with the whole object. In other words, the same permission applies to each and every property defined in the object. For example, a user having write attribute permission for a file can also update the creation, modification and access times associated with the file.
The problem is more acute with a directory service. Directory entries typically contain a number of properties with varying purposes. As a result, many different sets of users need to read and write the properties. For example, a building receptionist may be interested in updating the telephone number and office address properties of an employee's directory entry, while a system administrator may be interested in maintaining the E-mail and password properties within the same employee's directory entry. In prior systems, both the receptionist and the system administrator would need to be granted write access to the object's entire set of properties in order to perform their respective functions. This leads to the potentially undesirable result of the receptionist having the ability to update the user's password and the system administrator inadvertently updating the user's telephone number.
A secondary problem with the access control mechanisms of prior systems is the fact that each service provides its own access control mechanism. For example, the file system service, directory service, E-mail service, and database service each provide its own access control methods and procedures. This leads to inconsistencies between the services, and also to redundant code.
Therefore, there is a need in the art for an access control system that provides a mechanism for defining access control rights for a service at a finer granularity. The system should also support the previous mechanism in which access rights apply to the entire object. In addition, the system should provide a consistent, non-redundant interface.
SUMMARY
The above-identified problems, shortcomings and disadvantages with the prior art, as well as other problems, shortcomings and disadvantages, are solved by the present invention, which will be understood by reading and studying the specification and the drawings. In one configuration, a computer system comprises an operating system operative to control applications and services running on the system. A service running on the system maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.
One aspect of the invention is that service modules providing object management functions for varying types of objects can define separate access control rights for each individual property within an object using the data structures defined by the invention. The data structures and methods of the invention allow a user to both grant and deny multiple types of access permissions to both individual users and groups of users. In addition, sets of related properties can be assigned similar access permissions.
One of the data structures defined in the invention includes fields defining whether access is being granted or denied, and the type of access to grant or deny. The data structure also defines the user or group to whom the permission is granted or denied. Finally, the data structure includes an identifier used to indicate a specific object, property or set of properties to which the permissions apply.
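The following is an added illustration, not code from the patent or from Microsoft: it models the access control entry just described (grant/deny flag, access type, trustee USERID or GROUPID, and a target that is the whole object, a named property set, or a single property) and evaluates it against the receptionist/administrator scenario from the background section. The target encoding, the flat mapping from property-set name to member properties, the ordered NT-style evaluation (a matching deny on any still-needed right refuses; allows are accumulated until every requested right is satisfied; running off the end denies), and all names and sample values are assumptions of this example, since the patent text here does not specify them.

```python
"""Per-property access control check (added example, not the patent's own code)."""
from dataclasses import dataclass
from enum import IntFlag
from typing import Dict, FrozenSet, Sequence


class Access(IntFlag):
    """Access types named in the background section, as a bit mask so they combine."""
    READ = 1
    WRITE = 2
    CREATE = 4
    DELETE = 8


@dataclass(frozen=True)
class AccessControlEntry:
    """The first data structure of the summary: grant/deny flag, access type,
    trustee (USERID or GROUPID), and the target the permission applies to.
    Target encoding is an assumption of this example:
      "*"          -> the whole object (every property)
      "set:<name>" -> a named set of related properties
      "<property>" -> one individual property
    """
    allow: bool
    access: Access
    trustee: str
    target: str


@dataclass(frozen=True)
class Principal:
    """A requester: its USERID plus the GROUPIDs it belongs to."""
    userid: str
    groups: FrozenSet[str]


# Constructed directory-entry layout. The patent models property sets as a graph;
# a flat name -> members mapping is enough to show the access check.
USER_PROPERTIES: Sequence[str] = ("name", "email", "postal_address", "office", "telephone", "password")
PROPERTY_SETS: Dict[str, FrozenSet[str]] = {
    "contact": frozenset({"telephone", "office", "postal_address"}),
    "account": frozenset({"email", "password"}),
}


def ace_applies(ace: AccessControlEntry, principal: Principal, prop: str,
                property_sets: Dict[str, FrozenSet[str]]) -> bool:
    """True when the ACE names this requester and covers this property."""
    if ace.trustee != principal.userid and ace.trustee not in principal.groups:
        return False
    if ace.target == "*":
        return True
    if ace.target.startswith("set:"):
        return prop in property_sets.get(ace.target[len("set:"):], frozenset())
    return ace.target == prop


def check_access(acl: Sequence[AccessControlEntry], principal: Principal, prop: str,
                 requested: Access, property_sets: Dict[str, FrozenSet[str]] = PROPERTY_SETS) -> bool:
    """Ordered evaluation (assumed): a matching deny covering any still-needed right
    refuses the request; matching allows satisfy rights until none remain; reaching
    the end of the list with rights outstanding denies."""
    if not requested:
        raise ValueError("requested access must name at least one right")
    remaining = Access(requested)
    for ace in acl:
        if not ace_applies(ace, principal, prop, property_sets):
            continue
        if not ace.allow:
            if ace.access & remaining:
                return False
        else:
            remaining = Access(int(remaining) & ~int(ace.access))
            if not remaining:
                return True
    return False


def writable_properties(acl: Sequence[AccessControlEntry], principal: Principal,
                        properties: Sequence[str] = USER_PROPERTIES) -> FrozenSet[str]:
    """Which properties of the user object this principal may WRITE."""
    return frozenset(p for p in properties if check_access(acl, principal, p, Access.WRITE))


# Constructed ACL for the scenario in the background section (sample values).
SAMPLE_ACL = [
    AccessControlEntry(True, Access.READ | Access.WRITE, "G_ADMINS", "set:account"),
    AccessControlEntry(False, Access.READ | Access.WRITE, "G_EVERYONE", "password"),
    AccessControlEntry(True, Access.WRITE, "G_RECEPTION", "set:contact"),
    AccessControlEntry(True, Access.READ, "G_EVERYONE", "*"),
]
RECEPTIONIST = Principal("rita", frozenset({"G_RECEPTION", "G_EVERYONE"}))
ADMIN = Principal("adam", frozenset({"G_ADMINS", "G_EVERYONE"}))

if __name__ == "__main__":
    print("receptionist may write:", sorted(writable_properties(SAMPLE_ACL, RECEPTIONIST)))
    print("administrator may write:", sorted(writable_properties(SAMPLE_ACL, ADMIN)))
    print("receptionist may read password:", check_access(SAMPLE_ACL, RECEPTIONIST, "password", Access.READ))
```

With this ACL the receptionist can update the contact properties but neither read nor write the password, and the administrator can maintain the E-mail and password properties without being able to alter the telephone number, which is exactly the separation the whole-object model of prior systems could not express.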
A second data structure defined in the invention allows groups of related properties to be included in a set. The data structure is implemented as a graph structure, with the ro
Brundrett Peter T.
Garg Praerit
Swift Michael M.
Van Dyke Clifford P.
Ward Richard B.
Elisca Pierre E.
Lee & Hayes PLLC
Microsoft Corporation
Trammell James P.