
US007392383B2

United States Patent

Basibes et al.

(10) Patent No.: US 7,392,383 B2
(45) Date of Patent: Jun. 24, 2008

METHOD AND APPARATUS FOR
PROVIDING PROCESS-BASED ACCESS
CONTROLS ON COMPUTER RESOURCES

Inventors: Mounir Emil Basibes, Austin, TX (US);
Julianne Frances Haugh, Austin, TX
(US)

Assignee: International Business Machines
Corporation, Armonk, NY (US)

Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 660 days.

Appl.No.: 10/672,261

Filed: Sep. 25, 2003

Prior Publication Data

US 2005/0071641 A1 Mar. 31, 2005

Int. Cl.

H04L 9/00 (2006.01)
H04K 1/00 (2006.01)
H04L 9/32 (2006.01)

U.S. Cl. 713/167; 713/185; 726/5; 726/19

Field of Classification Search None

See application file for complete search history.

References Cited

U.S. PATENT DOCUMENTS


A method, apparatus, and computer instructions for providing process-based access controls on computer resources to processes. An access mechanism is provided in which a specific invoker obtains an object access identity (ACI). Another mechanism is provided in which a specific object, such as a file system resource, requires a specific object access identity in order to obtain one of the forms of access denoted by an access control list. A process may "grant" an identifier that is later "required" for access to a system resource. Objects may specify their own access requirements and permitted access modes. The granted identifier, the ACI, is stored in the process's credentials once those credentials match a specific "grant" entry in the access control list. This identifier has no meaning beyond its use in making an access decision for a specific resource. When a process tries to access the object, the object's access control list is scanned for "required" entries. If the "required" entry's identifier matches the stored ACI, access to the object is granted with the access rights specified in the "require" entries.
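As an added illustration, not code from the patent, the following Python models the two-stage decision the abstract describes: invoking an object whose ACL carries a matching "grant" entry stores an identity in the process credentials, and a later resource access is decided only by "require" entries that name that stored identity. The entry syntax (modelled on the FIG. 4 listing), the Process type and all principal names are assumptions.

```python
"""Model of grant/require access-control-list evaluation (illustrative, assumed syntax).

Assumed entry forms, shaped like the FIG. 4 drawing:
  "<user|group>:<name>:grant_oai:<identity>"  on an object a process invokes
  "require_oai:<identity>:<mode>[,<mode>...]" on a resource a process later opens
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    user: str
    groups: frozenset
    oais: set = field(default_factory=set)  # granted identities held in the credentials


def principal_matches(kind: str, name: str, proc: Process) -> bool:
    """A grant entry's principal matches the process by user name or group membership."""
    return (kind == "user" and name == proc.user) or (kind == "group" and name in proc.groups)


def invoke(proc: Process, acl: list) -> set:
    """Scan the invoked object's ACL for grant entries matching the credentials;
    every matching entry's identity is stored in the process credentials."""
    granted = set()
    for entry in acl:
        parts = entry.split(":")
        if len(parts) == 4 and parts[2] == "grant_oai" and principal_matches(parts[0], parts[1], proc):
            granted.add(parts[3])
    proc.oais |= granted
    return granted


def permitted_modes(proc: Process, acl: list) -> set:
    """Scan the resource's ACL for require entries whose identity the process holds;
    the union of their listed modes is what the process may do. User or group names
    play no part here: only the stored identity is consulted."""
    modes = set()
    for entry in acl:
        parts = entry.split(":")
        if len(parts) == 3 and parts[0] == "require_oai" and parts[1] in proc.oais:
            modes |= set(parts[2].split(","))
    return modes


def check_access(proc: Process, acl: list, mode: str) -> bool:
    return mode in permitted_modes(proc, acl)


# Constructed ACLs following the FIG. 4 listing.
CREATE_NEW_USER_ACL = ["group:administrators:grant_oai:create_new_user", "user:root:grant_oai:create_new_user"]
USER_LIST_FILE_ACL = ["require_oai:create_new_user:read,write"]


def demo() -> tuple:
    admin = Process("alice", frozenset({"administrators"}))   # matches the group grant entry
    staff = Process("bob", frozenset({"staff"}))              # matches no grant entry
    invoke(admin, CREATE_NEW_USER_ACL)
    invoke(staff, CREATE_NEW_USER_ACL)
    # admin may write the list file; staff may not; no entry grants "execute" to anyone
    return (check_access(admin, USER_LIST_FILE_ACL, "write"),
            check_access(staff, USER_LIST_FILE_ACL, "write"),
            check_access(admin, USER_LIST_FILE_ACL, "execute"))
```

The staff process is refused even though it could name the same file, because the require entry is satisfied only by the identity stored at grant time, never by user or group identity directly.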

9 Claims, 5 Drawing Sheets


FIG. 4 (access control list entries recovered from the drawing; reference numerals omitted):

create_new_user:
  group:administrators:grant_oai:create_new_user
  user:root:grant_oai:create_new_user

admin_change_password:
  group:administrators:grant_oai:admin_change_password
  user:root:grant_oai:admin_change_password
  user:security_admin:grant_oai:admin_change_password

user_list_file:
  require_oai:create_new_user:read,write
