TWI309775B - Method for getting user's access authority by traveling around access control list - Google Patents


Info

Publication number
TWI309775B
Authority
TW
Taiwan
Prior art keywords
permission
user
setting value
cache memory
value
Prior art date
Application number
TW92129260A
Other languages
Chinese (zh)
Other versions
TW200515149A (en)
Inventor
Cheng Meng Wu
Original Assignee
Hon Hai Prec Ind Co Ltd
Priority date
2003-10-22
Filing date
2003-10-22
Publication date
2009-05-11
Application filed by Hon Hai Prec Ind Co Ltd
Priority to TW92129260A
Publication of TW200515149A
Application granted
Publication of TWI309775B

Landscapes

  • Storage Device Security (AREA)

Description

[Technical Field of the Invention]
The present invention relates to the field of file system security, and in particular to a method for traversing permissions in an access control list.

[Prior Art]
In a document storage system built on a NAS (Network Attached Storage) architecture, the permission settings of user documents are critically important. There are currently many methods concerning the setting of user document permissions, but few concerning the caching of user document permission setting values. One example is Chinese patent application CN1395178A, published by the State Intellectual Property Office of China on 5 February 2002 and titled "File Usage Authority Setting System and Method". That application sets at least part of the permission setting data of a file according to the user identification data and user permission data contained in a permission setting data packet, and implements this with a permission checking module and a permission setting module in a file usage authority setting system, so as to improve the efficiency of the user document management process and the security of document protection. The shortcoming of that application is that, although it solves the problem of setting permissions on user documents, it does not solve how to quickly obtain the permission setting value a user needs from the access control list.

For example, a user's access to a document usually triggers the following actions: first, check whether the user has permission to operate on the document; if the required permission is present, the user is allowed to operate on it. The permission setting value check proceeds as follows: starting from the upper-level directory above the user document, the permission setting values of the lower-level directories are queried one by one downward until the directory containing the document is reached. One shortcoming of this approach is that the cache memory can only hold the intermediate result of the most recent query.

When a similar query occurs, the intermediate results of the previous query cannot be reused; the query can only be repeated, duplicating the process above. A second shortcoming is that querying the permission setting value a user needs takes considerable time, so query efficiency is low.

[Summary of the Invention]
In view of the shortcomings of the above method, the main object of the present invention is to provide a method for traversing permissions in an access control list which can quickly obtain the permission setting value requested by a user from the permission setting value information held in a first cache memory and a second cache memory. When the required permission setting value is found in neither the first nor the second cache memory, the query starts from the lower-level directory containing the document the user wants to access and proceeds upward level by level through its upper-level directories until the required permission setting value is obtained. When a similar permission setting value query occurs later, the required value can be quickly looked up and obtained from the caches, speeding up the query.

The present invention provides a method for traversing permissions in an access control list which includes: a first cache memory, being the memory accessed first when the network attached storage audits a user permission setting value, used to store a plurality of first information blocks that record the most recently accessed user permission setting values; a second cache memory, being the cache queried when the lookup of a user permission setting value in the first cache memory misses, used to store a plurality of second information blocks that record the intermediate calculation results of accessed user permission setting values together with the parent-child relationships of the document directories; a permission query module, used to query the user permission setting value in the first cache memory and the second cache memory;


a permission integration module, used to integrate the current permission setting value with the inherited permission setting value according to the permission setting value information; and an information block generation module, used to generate the first information blocks and the second information blocks and to store them in the first cache memory and the second cache memory respectively.

The present invention also provides a method for traversing permissions in an access control list comprising the following steps: establishing a dummy node in the root directory of the document system, the dummy node being the identifier of a virtual access control list; adding a first information block to the first cache memory, the first information block recording the most recently accessed user permission setting value; querying the second cache memory, according to the user identifier and the current permission identifier, for an accumulated permission identifier and a current permission setting value; determining whether the required accumulated permission identifier and current permission setting value were found; if so, generating a first information block, and if not, performing the following steps: replacing the inherited permission setting value with the result of integrating the current permission setting value with the inherited permission setting value, replacing the permission identifier of the previous query with the current permission identifier, and re-executing the above steps; and determining, according to the accumulated permission setting value, whether the operation requested by the user is allowed.

[Embodiments]
Please refer to the first figure, which shows the implementation environment of the method for traversing permissions in an access control list of the present invention. The environment includes a network attached storage 1, a first cache memory 2, a second cache memory 3, a network 4 and a plurality of user terminal devices 5.

The network 4 may be an enterprise intranet or a wide-area network, and connects the network attached storage 1 with the user terminal devices 5. The network attached storage 1 has the first cache memory 2 and the second cache memory 3 built in. The plurality of user terminal devices 5 are used to operate on user documents; the operations include reading, writing, deleting and modifying. The network attached storage 1 stores a plurality of user documents.

Please refer to the second figure, which is the functional module diagram of the method. It includes a network attached storage 1, a first cache memory 2 and a second cache memory 3, where the network attached storage 1 is linked separately to the first cache memory 2 and to the second cache memory 3. The network attached storage 1 includes a directory management module 10, a permission calculation module 11, a permission query module 12, a permission integration module 13 and an information block generation module 14. The directory management module 10 performs operations such as reading, writing, deleting and modifying directories. The permission calculation module 11 calculates the current permission setting value Pc. The permission query module 12 queries the first cache memory 2 and the second cache memory 3 for the permission setting value of the object the current user is accessing. The permission integration module 13 quickly integrates the inherited permission setting value PI of the object the current user is accessing from the first information block 20 and the second information block 30. The information block generation module 14 generates the first information block 20 stored in the first cache memory 2 and the second information block 30 stored in the second cache memory 3. The first cache memory 2 stores the intermediate results of the query process, which are stored in the form of first information blocks 20; the first information block is

permission integration calculation rule table of the method for traversing permissions in an access control list of the present invention (third figure). The table lists the rules for merging the current permission setting value Pc with the inherited permission setting value PI. The specific rules are: NA (no access) takes precedence over RO (readable), WO (writable), RW (readable and writable) and FC (full control); merging RO (readable) with WO (writable) yields RW (readable and writable); and FC (full control) contains RW (readable and writable). In addition, the directory management module 10 presets the directory permission priority so that a lower-level directory takes precedence over an upper-level directory, that is, the current permission setting value Pc takes precedence over the inherited permission setting value PI. When the permission integration module 13 integrates permission setting values, as soon as the integrated result is NA (no access) or FC (full control), the permission query module 12 stops querying the upper levels, since that result already determines whether the operation requested by the user is allowed.

Please refer to the fourth figure, the main flowchart of the method. First, the flow begins the permission audit of a directory (step S400). The permission query module 12 queries, in the form of an information block <IL, Ic, U, PL>, the current permission identifier Ic (step S401) and checks whether the inherited permission setting value PI of the current user exists in the first cache memory 2 (step S402). If it exists, the flow makes the following determination: if the accumulated permission identifier IL of the current user exists in the first cache memory 2, the permission integration module 13 integrates the user's inherited permission setting value PI with the accumulated permission setting value PL and replaces the accumulated permission setting value PL with the result, the integration being performed according to the permission integration calculation rule table of the third figure; if the accumulated permission identifier of the current user does not exist in the first cache memory 2, the accumulated permission setting value PL is replaced directly by the inherited permission setting value (step S403). Next, the flow determines whether the current permission setting value Pc for the current permission identifier Ic exists in the second cache memory 3 (step S404).

Then the flow determines whether the user's accumulated permission setting value PL satisfies the permission setting value requested by the user (step S405); if not, the operation requested by the user is refused (step S406), otherwise the requested operation is allowed (step S407). If at step S402 the permission query module 12 does not find the inherited permission setting value PI of the current user, it further queries the second cache memory 3, in the form of a second information block <U, IL, Ic, Pc>, for the user's current permission setting value Pc (step S408). If it is found, the following steps are performed: if the accumulated permission identifier IL of the current user is found, the permission integration module 13 integrates the user's current permission setting value Pc with the accumulated permission setting value PL according to the permission integration calculation rule table of the third figure and replaces PL with the result; otherwise the accumulated permission setting value PL is replaced directly by the current permission setting value Pc (step S410). If the current permission setting value Pc is not found at step S408, it is calculated (step S409); the permission calculation module 11 then asks whether the inherited permission setting value PI is needed (step S411). If it is not needed, the information block generation module 14 generates a first information block <IL, Ic, U, PL> and adds it to the first cache memory 2 (step S412), and the flow returns to step S404 to continue the loop. If it is determined that inherited permission data is still needed, the information block generation module 14 generates a second information block <U, IL, Ic, Pc> and adds it to the second cache memory 3 (step S413), and the accumulated permission identifier IL is replaced by the current permission identifier Ic (step S414). Thereafter, the permission query module 12 asks

whether the current permission identifier Ic has an upper-level controlling directory (step S415). If so, the current permission identifier Ic is replaced by the control list information code of the upper level (step S416), that code being the permission setting value information code the directory management module 10 presets for each directory level; otherwise the current permission identifier Ic is replaced by the control list information code of the dummy node (step S417), that code being a preset permission setting value code. The dummy node presets two types of user and their corresponding permission setting values: administrators have full control of user documents, and general users may read and write.

Please refer to the fifth figure, the flowchart for querying the second cache memory in the method. The flow starts at the entry point of the main flow (step S51) and adds the information block <Ic, PI> to a stack S (step S52). It then checks whether the stack S is empty (step S53); if so, it enters the loop and restarts from the entry point of the main flow (step S54). If the stack S is not empty, a pair <IL, Pc> is taken from the stack S (step S55). Then, using <IL, U>, the flow tries to find a second information block <U, IL, Ic, Pc> in the second cache memory 3 and removes that block from the second cache memory (step S56). If no such second information block <U, IL, Ic, Pc> is found, the flow goes directly to step S53 to continue the loop. If the second information block <U, IL, Ic, Pc> is found, the information block <Ic, U, Merge(PI, Pc)> is added to the first cache memory 2 (step S57), where Merge(PI, Pc) integrates the inherited permission setting value PI with the current permission setting value Pc according to the permission integration calculation rule table of the third figure, the result replacing the inherited permission setting value PI.


Next, the flow asks whether the current user's accumulated permission identifier IL is a valid control permission information code (step S58); if so, <IL, Merge(PI, Pc)> is added to the stack S (step S59) and the flow returns to step S56 to continue the loop. If IL is determined to be an invalid control permission information code, the flow goes directly to step S56 to continue the loop.

The above is merely a preferred embodiment of the present invention and has achieved wide practical effect; all other equivalent changes or modifications made without departing from the spirit disclosed by the present invention shall be included within the scope of the following claims.
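The merge rule table of the third figure and the bottom-up, two-cache lookup of the fourth and fifth figures, as an added Python example that is not the patent's own code. It assumes a constructed bit encoding of the setting values, caches keyed by (user, directory), a constructed sample tree, and models the lower-directory precedence by stopping the upward walk as soon as the merged value is NA or FC.

```python
"""Bottom-up ACL traversal with a first cache (final results of recent audits)
and a second cache (per-directory intermediate values), following the flow
described above.  Added example, not the patent's code; the bit encoding and
the sample tree are constructed here."""
from dataclasses import dataclass, field
from typing import Optional

# Permission setting values named in the description.
NA, RO, WO, RW, FC = "NA", "RO", "WO", "RW", "FC"
# Constructed encoding: R=1, W=2, C=4 (C only in FC).  A bitwise union gives
# RO+WO=RW and FC|anything=FC ("FC contains RW"); NA is an absorbing value.
_BITS = {RO: 1, WO: 2, RW: 3, FC: 7}
_NAMES = {bits: name for name, bits in _BITS.items()}


def merge(inherited: str, current: str) -> str:
    """Merge(PI, Pc) per the rule table: NA beats everything, RO+WO=RW, FC contains RW."""
    if NA in (inherited, current):
        return NA
    return _NAMES[_BITS[inherited] | _BITS[current]]


@dataclass
class Directory:
    """A directory node; acl maps user -> explicit setting value at this level."""
    name: str
    parent: Optional["Directory"] = None
    acl: dict = field(default_factory=dict)


# Dummy node above the real root: administrators get FC, other users default to RW.
DUMMY_ROOT = Directory("<dummy>", None, {"admin": FC})
GENERAL_USER_DEFAULT = RW


class AclTraverser:
    def __init__(self) -> None:
        self.first_cache = {}   # (user, directory) -> PL, final value of a recent audit
        self.second_cache = {}  # (user, directory) -> Pc, explicit value at that directory
        self.acl_reads = 0      # how often a directory ACL had to be read (second-cache misses)

    def _current_value(self, user: str, d: Directory) -> Optional[str]:
        """Pc for (user, d): from the second cache, else computed from the directory ACL."""
        key = (user, d.name)  # directory names are unique in the sample tree
        if key not in self.second_cache:
            self.acl_reads += 1
            if d is DUMMY_ROOT:
                pc = d.acl.get(user, GENERAL_USER_DEFAULT)
            else:
                pc = d.acl.get(user)  # None: no explicit entry at this level
            self.second_cache[key] = pc
        return self.second_cache[key]

    def accumulated_permission(self, user: str, d: Directory) -> str:
        """PL for (user, d): first-cache hit, else walk upward from d to the dummy node."""
        key = (user, d.name)
        if key in self.first_cache:
            return self.first_cache[key]
        pl = None
        node = d
        while node is not None:
            pc = self._current_value(user, node)
            if pc is not None:
                # Values found lower in the tree are merged first, so a lower
                # directory's NA or FC takes effect before upper levels are consulted.
                pl = pc if pl is None else merge(pc, pl)
                if pl in (NA, FC):  # decisive result: stop the upward query
                    break
            node = node.parent
        self.first_cache[key] = pl
        return pl

    def is_allowed(self, user: str, d: Directory, requested: str) -> bool:
        """Allow the request iff every bit it needs is present in PL (NA allows nothing)."""
        pl = self.accumulated_permission(user, d)
        return pl != NA and (_BITS[requested] & ~_BITS[pl]) == 0


def build_sample_tree() -> dict:
    """Constructed sample tree (not from the patent): home/projects/secret/build."""
    home = Directory("home", DUMMY_ROOT)
    projects = Directory("projects", home, {"alice": RO})
    secret = Directory("secret", projects, {"bob": NA})
    build = Directory("build", secret, {"alice": WO})
    return {"home": home, "projects": projects, "secret": secret, "build": build}


if __name__ == "__main__":
    tree, t = build_sample_tree(), AclTraverser()
    print(t.accumulated_permission("alice", tree["build"]), t.acl_reads)  # RW 5
    print(t.accumulated_permission("bob", tree["build"]), t.acl_reads)    # NA 7
    print(t.is_allowed("alice", tree["build"], FC), t.acl_reads)         # False 7
```

The third call is served from the first cache, and a later audit of a sibling directory reuses the second-cache entries of the shared ancestors, which is the reuse of intermediate results the patent aims at.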

[Brief Description of the Drawings]
The first figure is the implementation environment of the method for traversing permissions in an access control list of the present invention.
The second figure is the functional module diagram of the method.
The third figure is the permission integration calculation rule table of the method.
The fourth figure is the main flowchart of the method.
The fifth figure is the flowchart for querying the second cache memory in the method.

[Reference Numerals]
Network attached storage 1
First cache memory 2
Second cache memory 3
Network 4
User terminal device 5
Directory management module 10
Permission calculation module 11
Permission query module 12
Permission integration module 13
Information block generation module 14
First information block 20
Second information block 30

Claims (1)

1. A method for traversing permissions in an access control list, used to store the user permission setting values audited by a network attached storage and to cache a user permission setting value so that the same permission setting value can be reused, the user permission setting value being the permission of a user terminal device to operate on a document, the operations including reading, writing, deleting and modifying, the method comprising the following steps:
establishing a dummy node in the root directory of the document system, the dummy node being a virtual permission identifier;
querying the first cache memory with a first information block for whether an inherited permission setting value exists and, if it exists, further performing the following determinations:
if an accumulated permission identifier exists in the first cache memory, integrating the accumulated permission setting value with the inherited permission setting value and replacing the accumulated permission setting value with the result;
if no accumulated permission identifier exists in the first cache memory, replacing the accumulated permission setting value directly with the inherited permission setting value;
determining whether a current permission setting value exists in the second cache memory, and further determining whether the accumulated permission setting value satisfies the permission setting value requested by the user;
if no inherited permission setting value exists in the first cache memory, further querying the second cache memory with a second information block for the current permission setting value and performing the following steps:
if the current permission setting value exists in the second cache memory, further querying whether the accumulated permission identifier exists and, if so, merging the current permission setting value with the accumulated permission setting value and replacing the accumulated permission setting value with the result;
if no accumulated permission identifier exists in the second cache memory, replacing the accumulated permission setting value directly with the current permission setting value;
if no current permission setting value exists in the second cache memory, calculating the user's current permission setting value and re-executing the above steps;
determining whether an inherited permission setting value is needed;
if an inherited permission setting value is needed, adding the second information block to the second cache memory and replacing the accumulated permission identifier with the current permission identifier;
if no inherited permission setting value is needed, adding the first information block to the first cache memory.

2. The method for traversing permissions in an access control list of claim 1, further comprising the step of storing a plurality of second information blocks in the second cache memory.

3. The method of claim 1, wherein the first information block comprises a user identifier, a current permission identifier and an inherited permission setting value.

4. The method of claim 2, wherein the second information block comprises a user identifier, an accumulated permission identifier, a current permission identifier and a current permission setting value.

5. The method of claim 1, wherein the second cache memory typically has a capacity of 4KB.

6. The method of claim 1, wherein the second cache memory can store up to 16 intermediate query results at a time.

7. The method of claim 1, wherein the integration is performed according to a preset permission integration calculation rule table.

8. The method of claim 1, wherein the dummy node is used to simplify program flow in the data structure.

9. The method of claim 1, wherein the dummy node presets two types of user and their corresponding permission settings: administrators have full control of user documents, and general users may read and write.

Abstract (translated from the Chinese abstract; title: Method for Getting User's Access Authority by Traveling Around Access Control List)

A method for traversing permissions in an access control list is disclosed. When a user operates on a user document, the method first looks, following a preset flow, in a configured first cache memory for the permission setting value the user needs; if it is not found there, the query turns to the second cache memory. If the requested permission setting value is found in neither memory, the flow starts from the lower-level directory containing the user document and queries the user's permission setting value upward level by level until the required permission setting value is obtained. At the same time, the intermediate results of the query process are organized into first information blocks and second information blocks and stored in the first cache memory and the second cache memory respectively.

Representative drawing: the fourth figure. Reference symbols of the representative drawing: none.

English abstract as filed: A method for getting user's access authority by traveling around access control list is disclosed. When a user operates one of the files, the present invention will look for the user's authority value in a first cache memory according to a pre-set flowchart. Then the inquiry flowchart will look in the second cache memory if it can't find the user's permission
TW92129260A 2003-10-22 2003-10-22 Method for getting user's access authority by traveling around access control list TWI309775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW92129260A TWI309775B (en) 2003-10-22 2003-10-22 Method for getting user's access authority by traveling around access control list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW92129260A TWI309775B (en) 2003-10-22 2003-10-22 Method for getting user's access authority by traveling around access control list

Publications (2)

Publication Number Publication Date
TW200515149A TW200515149A (en) 2005-05-01
TWI309775B true TWI309775B (en) 2009-05-11

Family

ID=45072100

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92129260A TWI309775B (en) 2003-10-22 2003-10-22 Method for getting user's access authority by traveling around access control list

Country Status (1)

Country Link
TW (1) TWI309775B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI587149B (en) * 2012-04-28 2017-06-11 瑞昱半導體股份有限公司 Apparatus, executing device, and method for managing access control list

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111767525B (en) * 2020-06-29 2024-03-22 北京明略昭辉科技有限公司 Data authority adjustment method and device based on data storage system


Also Published As

Publication number Publication date
TW200515149A (en) 2005-05-01

Similar Documents

Publication Publication Date Title
US11436163B2 (en) System and method for logical deletion of stored data objects
JP4876734B2 (en) Document use management system and method, document management server and program thereof
US6381602B1 (en) Enforcing access control on resources at a location other than the source location
US20050125411A1 (en) Method and apparatus for data retention in a storage system
US6718386B1 (en) Methods, system, and article for displaying privilege state data
CN100456311C (en) System and method for actualizing content-based file system security
TWI722592B (en) Method, device and electronic equipment for reading and updating data structure
US8150820B1 (en) Mechanism for visible users and groups
CN103559231B (en) A kind of file system quota management method, apparatus and system
US20090049047A1 (en) Storing custom metadata using custom access control entries
JP2006040277A5 (en)
TW200919253A (en) Method for data protection
CN106682186A (en) File access control list (ACL) management method and related device and system
JP2008003847A (en) Document use management system, document management server, and its program
CN106104514A (en) Acceleration to the object in the object repository utilizing document storage system to implement accesses
CN107688753A (en) A kind of method and apparatus of ACL controls of authority
TW201245960A (en) Flash memory system and managing and collection methods for flash memory with invalid page information thereof
CN110287691A (en) Application program login method, device, equipment and storage medium
US7761432B2 (en) Inheritable file system properties
TWI309775B (en) Method for getting user's access authority by traveling around access control list
CA2501848C (en) Identity system for use in a computing environment
US7246201B2 (en) System and method for quickly accessing user permissions in an access control list
CN100370441C (en) Method for traversing licensing rights in access control list
CN112000971B (en) File permission recording method, system and related device
CN115268797B (en) Method for realizing system and object storage communication through WebDav

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees