User access to objects in group based access control based...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate

Details

C709S225000

active

06189036

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to access control in computer systems and, in particular, to the use of prime numbers to facilitate group based access control to information resources in the computer system.
2. Description of the Related Art
Group based access control is an access control model in which a user's authorization to access an object is based on group information associated with the user and/or the object. This model is commonly employed in popular operating systems, database managers, special-purpose applications, and cross-platform computing infrastructures (e.g., The Open Group Distributed Computing Environment or DCE), due to its close fit with human organizational structures. Implementation of this model, however, often results in a large amount of overhead in storage, operation, and administration.
The known group based access control paradigm involves users, groups, and information resource objects. A user is the entity who can access an object with some operations. Each user typically belongs to a number of groups. A group is the entity solely defined for the purpose of access control. Each group typically contains as its members a number of users. An object is the entity that can be accessed by a user. Each object can be accessed with a number of operations, depending upon the object's type. Access control on each operation of an object is group based, i.e. whether a user can access an object with an operation depends upon the groups to which the user belongs. Therefore, each object needs to be associated with some access control information that indicates what group of users are allowed to access the object and in what ways (operations).
The traditional and most commonly used mechanism to implement this model is by an Access Control List (ACL). In this known scheme, each object is associated with an ACL that either lists, for each defined access operation, all the groups that are allowed to access the object (a so-called per-operation based ACL) or lists, for each group that is allowed to access the object, all the operations the group can perform (a so-called per-group based ACL). Each group is also associated with a member list that lists all the users belonging to the group. For ease of user administration, each user can also be associated with a group list that lists all the groups to which the user belongs.
In an enterprise environment whose computing systems and applications employ an ACL group based access control mechanism, each operation request from a user to access an object is potentially expensive. This is because the access control modules of these systems and applications need to traverse the whole ACL associated with the object for that access operation and then check if the user belongs to any one of the groups. Such checking may require traversal of the whole member list of each group or the whole group list of the user. The object authorization is costly at run time (especially the I/O operation to load the ACL from persistent storage to volatile memory), and this mechanism also requires a significant amount of space to store ACLs off-line.
Moreover, multiple groups may require access to multiple resources, creating a compound and complex access list problem. For each user, a list must be stored listing each group to which the user belongs. Also, for each resource, a list must be stored listing each group which has access to that resource. It is known in the art to assign a prime number to each group, so that the access list for a resource and the group list for a user may each be stored as the product of the corresponding group primes. This approach provides an easy storage method, but prior art techniques require computationally intensive methods for decomposing the products into their prime factors to determine whether a prime number is present on both the user's group list and the resource's group access list. This technique is illustrated, for example, by Hwang et al. in an article titled “A New Access Control Method Using Prime Factorisation,” the Computer Law Journal, Volume 35, No. 1, 1992.
Another known access control technique is to use a prime number assigned to each information resource object. The user is then assigned a number that is a multiple of all of those prime numbers encompassing all access authorities for that user. The determination of whether that particular user has access to a particular resource object is then determined by dividing the prime number assigned to the resource into the access product for the user. If the result is an integer, then access is granted because the prime number for that resource group must be one of the prime numbers used for the access product. This approach, however, is computationally inefficient and also creates a significant administrative burden. In particular, determining every single resource to which a user is entitled access in a system with a large number of resources requires system administrators to tag all of these resources to create the resource access multiplier. In a large system, this technique is simply not feasible.
There remains a need to provide new and efficient techniques for group based access control to information resource objects that do not require ACLs, computationally intensive parsing of prime multiplication factors, or other inefficient or expensive schemes. The present invention solves this important problem.
BRIEF SUMMARY OF THE INVENTION
It is a primary object of the present invention to provide an improved group based access control mechanism.
It is another primary object of this invention to facilitate group based access to information resource objects within a computer system using a simple numerical computation based on prime numbers.
It is still another object of this invention to supplant or supplement the Access Control Lists (ACLs) used to implement a group based access control mechanism.
Yet another object of this invention is to reduce the administration costs associated with known group based access control methods.
It is still another important object of this invention to expedite group based access control to information resource objects in an enterprise environment whose computing systems and applications typically employ an ACL based access control mechanism.
Still another object of the present invention is to enhance the performance and reduce the cost of group based access control in a computer enterprise environment.
These and other objects of the present invention are achieved using an efficient group based access control mechanism based on prime numbers. The efficiency of this inventive scheme results from a unique property of prime numbers. The scheme may be used to completely replace the traditional ACL based access control mechanism, or the technique may be integrated with the existing ACL based mechanism to expedite the authorization process.
The described embodiment of the present invention provides an access control system using a grouping scheme whereby each group is assigned a prime number greater than one. Each resource to be accessed is assigned a product that is determined by multiplying the prime numbers of all the groups which have access to that resource. Also, each user is assigned to one or more groups, and each user has an access number that is the product of the prime numbers assigned to each of those groups. When a particular user desires access to a particular information resource object, the greatest common divisor of the resource product and the user product is determined. If the resulting greatest common divisor is greater than one, then the user is allowed access. If the greatest common divisor is one (the lowest prime), the user is denied access.
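The GCD check described above, together with the prior-art divisibility check from the related-art section, as an added worked example; this is not code from the patent, and the group names, prime assignment, users and resources are constructed for illustration. It shows why no factoring is needed at authorization time: a single gcd() call answers whether the two products share any group prime, and a product of 1 (no groups) can never match.

```python
from math import gcd
from functools import reduce

# Constructed group-to-prime assignment (assumed, not from the patent text).
# Each group must receive a distinct prime strictly greater than one.
GROUP_PRIMES = {
    "engineering": 2,
    "finance": 3,
    "hr": 5,
    "executives": 7,
}


def product_of_groups(groups):
    """Encode a set of group names as the product of their primes.

    The empty set encodes to 1, which shares no prime factor with any
    other product, so a user or resource with no groups never matches.
    """
    return reduce(lambda acc, g: acc * GROUP_PRIMES[g], groups, 1)


def user_may_access(user_product, resource_product):
    """Patent scheme: grant access iff the user product and the resource
    product share at least one group prime, i.e. gcd(...) > 1.
    No factoring or list traversal is performed."""
    return gcd(user_product, resource_product) > 1


def prior_art_divisibility_check(user_product, resource_prime):
    """Prior-art scheme from the related art: each *resource* gets a prime,
    the user holds the product of the primes of every resource she may
    access, and access is granted iff that prime divides the user product."""
    return user_product % resource_prime == 0


def groups_with_access(resource_product):
    """Administrative helper: recover the group names encoded in a product by
    trial division over the known group primes. This decoding is only needed
    for administration or auditing, never on the authorization path."""
    return sorted(g for g, p in GROUP_PRIMES.items() if resource_product % p == 0)


# Constructed sample principals and resources.
ALICE = product_of_groups(["engineering", "hr"])   # 2 * 5 = 10
BOB = product_of_groups(["finance"])               # 3
NOBODY = product_of_groups([])                     # 1: member of no group
PAYROLL_DB = product_of_groups(["finance", "hr"])  # 3 * 5 = 15
SOURCE_REPO = product_of_groups(["engineering"])   # 2

if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB), ("nobody", NOBODY)):
        for res_name, res in (("payroll_db", PAYROLL_DB), ("source_repo", SOURCE_REPO)):
            print(f"{name:7s} -> {res_name:11s}: {user_may_access(user, res)}")
    print("payroll_db groups:", groups_with_access(PAYROLL_DB))
```

Because gcd(10, 15) = 5 and gcd(3, 15) = 3, both alice and bob reach the payroll database through different shared groups, while gcd(3, 2) = 1 keeps bob out of the source repository. The decoding helper is deliberately separate from the check: the point of the scheme is that the hot path needs only one GCD, and trial division over the group table is reserved for administrators who need to see which groups a product grants.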
Generalizing, the present invention is implemented in a group based access control mechanism wherein each of a plurality of access control groups has an associated group number and a set of one or more users assigned thereto. In particular, a method for controlling access to objects begins by associating each group'