1. EP0834132 - SECURITY FOR COMPUTER SYSTEM RESOURCES

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

Claims

1. A method of implementing resource access authorization control for computer resource security for operating systems in which a set of operating system permissions are defined for use in the authorization of subjects to perform operations in relation to specific resources, the method comprising:

creating (120) a set of files containing a set of definitions of correspondence between the defined operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

storing (130) said created files for association with a resource to be protected; and

setting (140) subjects' authorizations in relation to said different aspects of said resource in terms of the defined operating system permissions for said created files, thereby setting via said defined correspondences within said created files the authorities which said subjects have in relation to the different resource aspects.


  2. A method according to claim 1, including:

responsive to a subject requesting performance of an operation in relation to a protected resource, comparing the operating system permissions of the subject for said created files with said set of definitions of correspondence within the created files to determine whether the subject is authorised to perform the operation in relation to the protected resource; and

permitting the operation to be performed if the subject is authorised and rejecting the request if the subject is not authorised.


  3. A method according to claim 1 or claim 2, for use with operating system software in which operating system files are organised in directories and for which both file permissions and directory permissions are defined, wherein operating system file permissions are mapped to resource authorities by the definitions of correspondence within said created files and operating system directory permissions are used to protect said created files.
  4. A method according to claim 3, for use with operating system software in which the defined directory permissions are read, write, and execute permissions, wherein said step of setting subjects' authorizations includes the step of giving subjects execute permission to the directories which contain said created files but wherein read and write permissions to said directories are not given.
  5. A method according to any one of the preceding claims, wherein a single created file is used to represent the resource authorities for each resource aspect.
  6. A method according to any one of the preceding claims, wherein said step of creating files is performed automatically when a resource is created, using a predefined set of said definitions of correspondence.
  7. A method according to any one of the preceding claims, wherein a subject which creates a resource has default authorisations automatically assigned to it and/or to its subject group when the resource is created.
  8. A method according to any one of the preceding claims, wherein the resource aspects for which resource authorities are specified are the resource class, resource attributes, resource data and resource security.
  9. A method of implementing resource access authorization control in a computer system, the method comprising:

for computer resources which are to be protected, identifying a set of resource aspects, particular instances of which are characteristic of a particular computer resource;

defining resource authorities which subjects may have for each of said resource aspects, and storing within authorisation files associated with said resources definitions of the correspondence between said defined resource authorities and available operating system permissions, for each of a plurality of said resource aspects; and

setting subject's authorizations for resource access using said available operating system permissions for said authorization files, thereby to set, via said defined correspondences between defined resource authorities and available operating system permissions, the authorities which subjects have in relation to the different resource aspects at the level of granularity of resource aspects.


  10. A computer program product stored on a data carrier, having a resource access authorisation control facility (80) for use with operating system software (30) having security facilities including a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the control facility including:

means for creating (120) a set of files containing a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

means for storing (130) said created files in association with a resource to be protected; and

means for setting (140) subjects' authorizations in relation to specific resources using said operating system permissions for said created files thereby setting via said defined correspondences within said created files the authorities which said subjects have in relation to the different resource aspects.


  11. A computer program product according to claim 10, including:

means, responsive to a subject requesting an operation to be performed in relation to said resource, for comparing the subject's operating system permissions for said created files with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorised to perform the operation.


  12. A computer program product according to claim 10 or claim 11, wherein the set of definitions of correspondence between said operating system permissions and specified resource authorities are predefined within the control facility for a plurality of different resource types, said control facility being adapted to create said set of files for a resource automatically when said resource is created.
  13. A computer program product according to any one of claims 10 to 12, which is adapted to automatically assign default authorizations in relation to a resource to a subject and/or to the subject group when the subject creates the resource.
  14. A computer system having operating system software installed therein, which operating system software's security provision includes a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the system including:

means for creating a set of files containing a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

means for storing said created files in association with a resource to be protected;

means for setting subjects' authorizations in relation to specific resources using said operating system permissions for said created files thereby setting via said defined correspondences within said created files the authorities which said subjects have in relation to the different resource aspects; and

means, responsive to a subject requiring an operation to be performed in relation to said resource, for comparing the subject's operating system permissions for said created files with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorised to perform the operation.


  15. A computer system including:

computer resource access authorisation control means for defining, for computer resources for which access authorisation control is required, authorities which subjects may be given to perform operations in relation to said resources, said means for defining being adapted to define authorities for each of a plurality of different aspects of said resources, particular instances of said resource aspects being characteristic of a particular computer resource;

means, responsive to said resource access authorisation control means, for storing within authorisation files associated with said resources definitions of correspondences between said defined resource authorities and available operating system permissions, for each of a plurality of said resource aspects; and

means for setting subject's authorizations for resource access using said available operating system permissions for said authorization files, thereby to set, via said defined correspondences between defined resource authorities and available operating system permissions, the authorities which subjects have in relation to the different resource aspects at the level of granularity of resource aspects.
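
The scheme of claims 1 to 4 and 8, sketched as an added example (not code from the patent or any product): one authorization file per resource aspect holds the permission-to-authority definitions, and a subject's authorities are read off its operating system permissions on that file. The authority names, the `.auth` suffix and the `bit=authority` line format are assumptions, and the subject is simulated by comparing a uid and group set against the file's mode bits rather than by switching users.

```python
import os
import stat
import tempfile

# Assumed definitions of correspondence, one mapping per resource aspect
# (aspects from claim 8; authority names are hypothetical).
DEFAULT_DEFS = {
    "class":      {"r": "inquire_class"},
    "attributes": {"r": "display", "w": "change"},
    "data":       {"r": "browse", "w": "put", "x": "purge"},
    "security":   {"r": "display_auth", "w": "set_auth"},
}

def protect(resource_dir, modes, defs=DEFAULT_DEFS):
    """Create and store one authorization file per aspect, then set its mode."""
    for aspect, mapping in defs.items():
        path = os.path.join(resource_dir, aspect + ".auth")
        with open(path, "w") as fh:
            fh.writelines(f"{bit}={auth}\n" for bit, auth in mapping.items())
        os.chmod(path, modes.get(aspect, 0o600))  # no authority unless granted
    os.chmod(resource_dir, 0o711)  # claim 4: non-owners get execute only

def authorities(resource_dir, aspect, uid, gids):
    """Map the subject's OS permissions on the aspect file to authorities."""
    path = os.path.join(resource_dir, aspect + ".auth")
    st = os.stat(path)
    # POSIX class selection: owner bits, else group bits, else other bits.
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    held = {c for c, m in (("r", 4), ("w", 2), ("x", 1)) if bits & m}
    with open(path) as fh:
        pairs = (line.strip().split("=", 1) for line in fh if "=" in line)
        return {auth for bit, auth in pairs if bit in held}

def authorised(resource_dir, aspect, operation, uid, gids):
    """Claim 2: permit the operation only if the mapped authority is held."""
    return operation in authorities(resource_dir, aspect, uid, gids)

def demo():
    """Protect a constructed resource; return its directory, owner uid and gid."""
    d = tempfile.mkdtemp()
    protect(d, {"class": 0o644, "attributes": 0o640,
                "data": 0o750, "security": 0o600})
    st = os.stat(os.path.join(d, "data.auth"))
    return d, st.st_uid, st.st_gid

if __name__ == "__main__":
    d, uid, gid = demo()
    print(sorted(authorities(d, "data", uid + 1, {gid})))
```

Because each aspect has its own file, a group can be given `display` on the attributes without gaining `set_auth` on the security aspect, which is the per-aspect granularity claims 9 and 15 describe.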