Data processing: database and file management or data structures – Database design – Data structure types
Reexamination Certificate
1999-03-31
2002-10-22
Jung, David (Department: 2175)
C707S793000, C713S182000, C713S155000
Reexamination Certificate
active
06470339
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of Invention
The present invention pertains to the field of software systems. More particularly, this invention relates to resource access control in a software system.
2. Art Background
Software programs executing on a computer system commonly make use of resources available through the computer system. Such resources commonly include resources such as files, databases, memory segments and application programs. Such resources also commonly include resources such as storage devices, printers, communication devices, and display devices to name only a few example devices. Such resources may be local resources of the computer system or may be remote resources accessible via a network connection to one or more other computer systems of a distributed system. A software program executing on the computer system that accesses resources is hereinafter referred to as a task.
Prior computer systems typically include an operating system that provides access control to the resources of the computer system. A task usually generates an access request that specifies a particular resource and that specifies a particular operation to be performed on the particular resource. For example, a task usually accesses a file by generating an access request that specifies a file name and a particular operation to be performed such as read file, write file, or read and write file. The operating system in a prior computer system usually provides access control by determining whether the requesting task is to be allowed to perform the particular operation on the particular resource.
Some prior operating systems maintain access control lists (ACLs) which are used in rendering access control decisions. An ACL for a resource typically includes a list of users and their associated permissions with respect to the resource. For example, an ACL for file 1 may specify that user 1 has read permission and user 2 has read and write permission for file 1. Typically, the operating system denies a request from a task associated with user 1 for a write operation on file 1 in response to the ACL for file 1. On the other hand, the operating system usually allows a request from a task associated with user 2 for a write operation on file 1 in response to the ACL for file 1.
Unfortunately, ACLs can become prohibitively large and unwieldy if a computer system is to service potentially large numbers of users. This problem may arise in networks such as large intranets or in the Internet in which the number of users that can potentially access a resource is extremely large.
Other prior operating systems allocate capability lists (CLs) to individual users. A CL for a user typically includes a list of resources and associated permissions with respect to the resource. For example, a CL allocated to user 1 may specify read permission to file 1 and read and write permission for file 2.
Typically, CLs are objects contained within the operating environment of a user and as such may be subject to modification by the user. Unfortunately, this may create security problems in a computer system by enabling a user to obtain greater access rights than were originally allocated. In addition, CLs may create problems with the proliferation of permissions among users and may complicate the ability of an operating system to revoke the permissions of individual users.
SUMMARY OF THE INVENTION
A software system is disclosed that provides access control to resources and that disassociates access rights to resources from references to resources to prevent the formation of large and unwieldy access control lists and to enable advanced decentralized security controls. The software system includes a repository that holds a resource descriptor for each resource. Each resource descriptor includes a set of lock/permission pairs for the corresponding resource. The software system includes a resource mediator that obtains a request for access to a particular resource of the resources. The request provides a set of keys. In response, the resource mediator generates a set of unlocked permissions by comparing each key to each lock of the lock/permission pairs for the particular resource so that a permission of the lock/permission pairs is unlocked if at least one of the keys matches the corresponding lock. The resource mediator forwards the unlocked permissions to a resource handler for the particular resource which interprets the unlocked permissions.
Access to particular resources or groups of resources is provided by providing users with the appropriate keys. The keys are themselves resources with resource descriptors in the repository. Access rights for users may be revoked by deleting keys from the repository. The software system also provides visibility fields for compartmentalizing access to resources. In addition, the software system provides decentralized authorizers that maintain audit trails for resources and that enable advanced security control for access to resources.
Other features and advantages of the present invention will be apparent from the detailed description that follows.
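The following sketch illustrates the lock/permission matching and key-deletion revocation described in the summary above; it is an added example, not code from the patent or its authors. The class and function names, the sample key and file names, the use of byte equality as the "match" rule, and the rule that a presented key counts only while its own descriptor exists in the repository are all assumptions made for illustration.

```python
import hmac


class Repository:
    """Holds one resource descriptor (a list of lock/permission pairs) per resource."""

    def __init__(self):
        self._descriptors = {}

    def add(self, name, pairs=()):
        self._descriptors[name] = list(pairs)

    def delete(self, name):
        self._descriptors.pop(name, None)

    def get(self, name):
        return self._descriptors.get(name)


def unlocked_permissions(repo, resource, keys):
    """Resource mediator: compare each presented key to each lock of the resource."""
    pairs = repo.get(resource)
    if pairs is None:
        return set()
    # Assumption: a key counts only while its own descriptor is still in the
    # repository, which is how deleting a key revokes the access it granted.
    live = [k.encode() for k in keys if repo.get(k) is not None]
    unlocked = set()
    for lock, permission in pairs:
        # Assumption: "matches" means byte equality, checked with compare_digest.
        if any(hmac.compare_digest(lock.encode(), k) for k in live):
            unlocked.add(permission)
    return unlocked


def file_handler(operation, unlocked):
    """Resource handler: interprets the unlocked permissions for a file."""
    return operation in unlocked


def build_sample_repo():
    """Constructed sample data: two keys and one file resource."""
    repo = Repository()
    repo.add("key-reader")  # keys are resources with their own descriptors
    repo.add("key-editor")
    repo.add("file1", [("key-reader", "read"), ("key-editor", "read"),
                       ("key-editor", "write")])
    return repo
```

The key names are readable here for clarity; the model only holds if key values cannot be guessed or forged by a requester.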
REFERENCES:
patent: 2002/0091809 (2002-07-01), Menzies et al.
patent: 2002/0095570 (2002-07-01), Eldridge et al.
patent: 2002/0095607 (2002-07-01), Lin-Hendel
Tzeng, “A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy”, Knowledge and Data Engineering, IEEE Transactions on, vol. 14, Issue 1, Jan.-Feb. 2002, pp. 182-188.*
Sloman et al., “Security and management policy separation”, IEEE Network, vol. 16, Issue 2, Mar.-Apr. 2002, pp. 10-19.*
Wen et al., “A formal-compliant configurable encryption framework for access control of video”, Circuits and Systems for Video Technology, IEEE Transaction on, vol. 12, Issue 6, Jun. 2002, pp. 545-557.*
Andrew S. Tanenbaum et al. “Experiences with the Amoeba Distributed Operating System” Dec. 1, 1990 pp. 46-63.
Li Gong “A Secure Identity-Based Capability System” May 1, 1989 pp. 56-63.
Paul A. Karger “New Methods for Immediate Revocation” May 1, 1989 pp. 48-55.
Robert Van Renesse et al. “The Performance of the Amoeba Distributed Operating System” Mar. 1, 1989 pp. 223-234.
J. J. Hwang “A New Access Control Method Using Prime Factorisation” Feb. 1, 1992 pp. 16-20.
Banerji Arindam
Chao Chia-Chiang
Gupta Rajiv
Karp Alan H.
Krishnan Venkatesh
Hewlett-Packard Company
Jung David