1. WO1996042057 - SECURITY FOR COMPUTER SYSTEM RESOURCES

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

CLAIMS

1. A method of implementing resource access authorization control for computer resource security for operating systems in which a set of operating system permissions are defined for use in the authorization of subjects to perform operations in relation to specific resources, the method comprising:

creating (120) a set of files including a set of definitions of correspondence between the defined operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

storing (130) said created files for association with a resource to be protected; and

setting (140) subjects' authorizations in relation to said resource in terms of the defined operating system permissions, thereby defining the authorities which said subjects have in relation to the different resource aspects.

2. A method according to claim 1, including:

responsive to a subject requesting performance of an operation in relation to a protected resource, comparing the operating system permissions of the subject with said set of definitions of correspondence within the created files to determine whether the subject is authorised to perform the operation in relation to the protected resource; and

permitting the operation to be performed if the subject is authorised and rejecting the request if the subject is not authorised.

3. A method according to claim 1 or claim 2, for use with operating system software in which operating system files are organised in directories and for which both file permissions and directory permissions are defined, wherein operating system file permissions are mapped to resource authorities by the definitions of correspondence within said created files and operating system directory permissions are used to protect said created files.

4. A method according to claim 3, for use with operating system software in which the defined directory permissions are read, write, and execute permissions, wherein said step of setting subjects' authorizations includes the step of giving subjects execute permission to the directories which contain said created files but wherein read and write permissions to said directories are not given.

5. A method according to any one of the preceding claims, wherein a single created file is used to represent the resource authorities for each resource aspect.

6. A method according to any one of the preceding claims, wherein said step of creating files is performed automatically when a resource is created, using a predefined set of said definitions of correspondence.

7. A method according to any one of the preceding claims, wherein a subject which creates a resource has default authorisations automatically assigned to it and/or to its subject group when the resource is created.

8. A method according to any one of the preceding claims, wherein the resource aspects for which resource authorities are specified are the resource class, resource attributes, resource data and resource security.

9. A method of implementing resource access authorization control in a computer system, the method comprising:

for computer resources which are to be protected, identifying a set of resource aspects, particular instances of which are characteristic of a particular computer resource;

defining resource authorities which subjects may have for each of said resource aspects, and storing said authorities in association with said resources; and

defining subject authorizations for resource access in accordance with said defined resource authorities for said resource aspects, such that the subject authorizations are defined at the level of granularity of resource aspects.

10. A computer program product stored on a data carrier, having a resource access authorisation control facility (80) for use with operating system software (30) having security facilities including a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the control facility including:

means for creating (120) a set of files including a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

means for storing (130) said created files in association with a resource to be protected; and

means for setting (140) subjects' authorizations in relation to specific resources using said operating system permissions, thereby to set the authorities which said subjects have in relation to the different resource aspects.

11. A computer program product according to claim 10, including:

means, responsive to a subject requirement for an operation to be performed, for comparing the subject's operating system permissions with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorised to perform the operation.

12. A computer program product according to claim 10 or claim 11, wherein the set of definitions of correspondence between said operating system permissions and specified resource authorities are predefined within the control facility for a plurality of different resource types, said control facility being adapted to create said set of files for a resource automatically when said resource is created.

13. A computer program product according to any one of claims 10 to 12, which is adapted to automatically assign default authorizations in relation to a resource to a subject and/or to the subject group when the subject creates the resource.

14. A computer system having operating system software installed therein, which operating system software's security provision includes a set of definitions of operating system permissions for use in the authorization of subjects of system resources to perform operations in relation to said resources, the system including:

means for creating a set of files including a set of definitions of correspondence between said operating system permissions and specified resource authorities for each of a plurality of different aspects of a resource;

means for storing said created files in association with a resource to be protected;

means for setting subjects' authorizations in relation to specific resources using said operating system permissions, thereby to set the authorities which said subjects have in relation to the different resource aspects; and

means, responsive to a subject requiring an operation to be performed, for comparing the subject's operating system permissions with the set of definitions of correspondence within the created files, thereby to determine whether the subject is authorised to perform the operation.

15. A computer system including:

computer resource access authorisation control means defining, for computer resources for which access authorisation control is required, permissions which subjects may be given to perform operations in relation to said resources, said means for defining being adapted to define permissions for each of a plurality of different aspects of said resources, particular instances of said resource aspects being characteristic of a particular computer resource.
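
The mechanism of claims 1 to 4 and 8 can be illustrated with ordinary POSIX file modes: one file per resource aspect, each holding the definitions of correspondence, with the subject's read/write/execute bits on that file deciding which authorities it holds. The following Python code is an added example, not part of the patent text; the authority names, the 0711 directory mode and the function names `protect`, `authorities` and `authorised` are assumptions made for illustration.

```python
import os

# Assumed definitions of correspondence (authority names are illustrative):
# for each resource aspect of claim 8, what the r/w/x bit on its file grants.
CORRESPONDENCE = {
    "class":      {"r": "inquire-class",  "w": "change-class",    "x": "create-instance"},
    "attributes": {"r": "display",        "w": "alter",           "x": "delete"},
    "data":       {"r": "get",            "w": "put",             "x": "clear"},
    "security":   {"r": "view-authority", "w": "grant-authority", "x": "transfer-ownership"},
}

def protect(root, resource, modes):
    """Create (120), store (130) and set permissions (140) on one file per aspect."""
    directory = os.path.join(root, resource)
    os.mkdir(directory)
    for aspect, table in CORRESPONDENCE.items():
        path = os.path.join(directory, aspect)
        with open(path, "w") as f:
            f.writelines(f"{bit}={authority}\n" for bit, authority in table.items())
        os.chmod(path, modes[aspect])   # subjects' authorizations as OS permissions
    # Claim 4: subjects get execute (traverse) only; the owner keeps rwx (assumption).
    os.chmod(directory, 0o711)
    return directory

def authorities(directory, aspect, uid, gids):
    """Claim 2: map the subject's permission bits on the aspect file to authorities."""
    path = os.path.join(directory, aspect)
    st = os.stat(path)
    if uid == st.st_uid:
        shift = 6                       # owner triad
    elif st.st_gid in gids:
        shift = 3                       # group triad
    else:
        shift = 0                       # everyone else
    bits = (st.st_mode >> shift) & 0o7
    with open(path) as f:               # the checker must itself be able to read the file
        table = dict(line.strip().split("=", 1) for line in f if "=" in line)
    return {table[b] for b, mask in (("r", 4), ("w", 2), ("x", 1)) if bits & mask}

def authorised(directory, aspect, authority, uid, gids):
    """Permit the operation only if the requested authority is held."""
    return authority in authorities(directory, aspect, uid, gids)
```

With execute-only access to the directory, a subject can reach an aspect file whose name it already knows but cannot list, add or remove the files that define the resource's protection.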