GB2242295A - Access control in a data processing system - Google Patents

Access control in a data processing system

Info

Publication number
GB2242295A
Authority
GB
United Kingdom
Prior art keywords
class
accessor
classes
access
classification
Prior art date
Legal status
Granted
Application number
GB9102940A
Other versions
GB2242295B (en)
GB9102940D0 (en)
Inventor
Roy William Jones
Current Assignee
Fujitsu Services Ltd
Original Assignee
Fujitsu Services Ltd
Priority date: 1990-02-12
Filing date: 1991-02-12
Publication date: 1991-09-25
Legal events: application GB9102940A filed by Fujitsu Services Ltd; GB9102940D0 published; GB2242295A published; application granted; GB2242295B published; anticipated expiration; current status Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

In a method of controlling access in a data processing system, firstly a set of attributes is defined for targets that may be accessed and for accessors that may access the targets. A set of access security classes is then defined in terms of these attributes or other classes. Each class has a set of allowable operations associated with it. Each target is assigned a classification comprising one of the classes and a set of allowed operations. Each accessor is assigned an authority consisting of one of the classes and a set of allowed operations. An accessor is allowed to access a target only if there is a common sub-class contained in both the accessor's authority and in the target's classification (21), and if the required operation is defined for that subclass and appears in both the accessor's authority and in the target's classification (22).

Description

ACCESS CONTROL MECHANISM
This invention relates to an access control mechanism for a data processing system.
According to the invention there is provided a method of controlling access in a data processing system, comprising (a) defining a set of attributes for targets that may be accessed and for accessors that may access the targets, (b) defining a set of security classes, each security class comprising a combination of said attributes and/or other classes, (c) associating with each security class a set of operations applicable to that class, (d) assigning a classification to each target, comprising one of said classes and a set of allowed operations, (e) assigning an authority to each accessor, comprising one of said classes and a set of allowed operations, (f) in response to a request by an accessor to perform an operation on one of the targets, permitting the operation only if there is a common subclass contained both in the accessor's authority and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's authority and in the target's classification.
One embodiment of the invention will now be described by way of example, with reference to the accompanying drawings, of which: Figure 1 is a block diagram of a distributed data processing system embodying the invention; Figure 2 is a flow chart showing the way in which access is controlled; and Figure 3 is a schematic diagram showing an example of a set of security classes.
Referring to Figure 1, the distributed data processing system comprises a plurality of data processing installations 10, which communicate with each other by way of an interconnection network 12. The data processing installations may be individual workstations, or may be computers with attached workstations. The network may be a local area network, or telecommunications lines, or a combination of both.
The system includes a number of objects to which it is required to control access, these objects being referred to herein as targets. For example, the targets may include data items such as documents or files, stored in the individual data processing installations.
These targets may be accessed by various entities, referred to herein as accessors.
An accessor may be a human end user, an individual workstation, or a software entity within a computer.
The access control mechanism for the system is implemented as follows.
First, a set of attributes is declared for the system. Each attribute is a unique identifier within the set for the system. The attributes are chosen as names for individual characteristics of the system components which are known to be significant to access control. Thus, for example, data items may have the attributes "confidential", "project N", "staff pay", etc., and end users may have the attributes "employee", "manager", etc.
A set of security classes is then defined, each class consisting of a logical combination of one or more of the attributes and/or of other defined classes.
Each of these classes may consist of one or more subclasses, where a subclass is defined as the result of deleting zero or more logical OR alternatives from a class, or replacing one or more of its qualifiers by a subclass of the qualifier. (See the definition of a class below).
A set of allowable operations is then assigned to each class and attribute. Typical operations might be, for example, "interrogate", "modify" or "summarise".
Each of the targets is assigned a classification consisting of one of the security classes, along with a set of allowable operations, chosen from those of its class.
Similarly, each of the accessors is assigned an authority consisting of one of the security classes, along with a set of allowable operations, chosen from those of the class. An accessor which may itself be accessed has both a classification and an authority.
The definitions of the classes, the authorities, and the classifications are all stored in a database in the system, so that they can be accessed by the access control mechanism.
Referring now to Figure 2, when a particular accessor requires to access a particular target to perform a specified operation, the operation of the access control mechanism is as follows: First, the access control mechanism checks (21) whether there is a common subclass contained both in the accessor's authority and in the target's classification. If not, then no access is permitted.
If, however, there is a common subclass, the access control mechanism now checks (22) whether there are any operations defined for this common subclass which appear both in the accessor's authority and in the target's classification. If not, then again no access is permitted.
If there are such operations, then the accessor is allowed to perform those, but no others, on the target. The requested operation is, therefore, allowed if it is one of these.
The form of a security class may be expressed as follows, using an extended Backus-Naur notation:
class-definition ::= class-name, ':', definition-list, ';' ;
definition-list ::= and-list | or-list ;
and-list ::= qualifier, [and qualifier] ;
or-list ::= qualifier, [or qualifier] ;
qualifier ::= attribute | class-name ;
An and-list allows the expression of a list of qualifiers which must always be present in an instance of the class defined. An or-list allows the expression of a list of qualifiers one or more of which must be present in an instance of the class defined. Other forms of expression could be provided such as, for example, to specify the combination "any N of", or "exclusive OR". They could then be used to allow more concise class definitions and be represented in the access control mechanism for greater efficiency. A qualifier is defined as an attribute or a class-name so that a class may be expressed in terms of other classes.
As an example, consider a system in which documents are stored electronically and in which access to the documents is to be controlled according to the trustworthiness and position of the accessors. The documents are classified using the attributes "confidential" (abbreviated "conf" in the class definitions below), "pay" and "plans". Some documents about pay are confidential, some are not. Some documents about plans are confidential, some are not. Some documents are confidential but are not concerned with either pay or plans.
In this example, the following security classes may be defined:
(i) all: all-conf or topic;
(ii) all-conf: other-conf or conf-topic;
(iii) other-conf: conf;
(iv) conf-topic: conf and topic;
(v) topic: pay or plans;
Figure 3 shows these classes schematically.
A set of operations is defined for each of these classes. For example, the class "all" may have the operations "interrogate" and "modify" associated with it, while the class "topic" may have the operation "summarise" associated with it.
Each document held in the system has one of these classes assigned to it as its security classification, along with a set of allowed operations. For example, one particular document may be assigned the classification "conf-topic".
Similarly, each accessor of the system is assigned one of the classes as an authority along with a set of allowed operations. For example, a particular grade of employee may have the authority "topic".
It will be seen that this employee would not be allowed to access documents with the classification "conf-topic", since conf-topic and topic do not have any common subclass. (Topic is not a subclass of conf-topic, since conf-topic consists of an AND combination rather than an OR.) However, this employee would be allowed to access documents with the classification "topic", to perform those operations which appear both in the employee's authority and in the document's classification.
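The classes, the subclass rule and the two-step check of Figure 2, worked through in code. This is an added example and not code from the patent: it parses the class syntax given above, enumerates subclasses exactly as the description defines them (deleting OR alternatives, replacing qualifiers by their own subclasses), and applies steps 21 and 22 to the employee and document of the example. The operations attached to "all" and "topic" are the page's; the operations attached to the other classes and to the attributes, the "manager" accessor, the two documents, and the reading that a structural subclass which is not itself a named class or attribute has no operations defined for it are assumptions made for illustration.

```python
"""Class-based access check described above, plus a parser for the class syntax (added example)."""
import re
from dataclasses import dataclass
from itertools import chain, combinations, product

@dataclass(frozen=True)
class ClassDef:
    name: str
    kind: str          # "and": all qualifiers present; "or": one or more present
    qualifiers: tuple  # attribute names and/or other class names

def parse_class(text):
    """Parse 'name: q1 and q2 ...;' or 'name: q1 or q2 ...;' (never mixed)."""
    m = re.fullmatch(r"\s*([\w-]+)\s*:\s*(.+?)\s*;\s*", text)
    if not m:
        raise ValueError(f"malformed class definition: {text!r}")
    name, body = m.groups()
    and_parts, or_parts = re.split(r"\s+and\s+", body), re.split(r"\s+or\s+", body)
    if len(and_parts) > 1 and len(or_parts) > 1:
        raise ValueError(f"{name}: a definition is an AND list or an OR list, not both")
    kind, parts = ("and", and_parts) if len(and_parts) > 1 else ("or", or_parts)
    if not all(re.fullmatch(r"[\w-]+", p) for p in parts):
        raise ValueError(f"{name}: malformed qualifier list {body!r}")
    return ClassDef(name, kind, tuple(parts))

# Canonical form of a (sub)class: disjunctive normal form, a frozenset of
# conjunctions, each a frozenset of attribute names.  Equal forms = same subclass.
def _or(parts):
    return frozenset(chain.from_iterable(parts))

def _and(parts):
    return frozenset(frozenset(chain.from_iterable(c)) for c in product(*parts))

class Policy:
    def __init__(self, attributes, classes, ops):
        self.attributes = frozenset(attributes)
        self.classes = {c.name: c for c in classes}
        self.ops = {k: frozenset(v) for k, v in ops.items()}
        unknown = {q for c in classes for q in c.qualifiers} - self.attributes - set(self.classes)
        if unknown:
            raise ValueError(f"unknown qualifiers: {sorted(unknown)}")
        self.named = {}  # canonical form -> names of classes/attributes with that form
        for n in chain(self.attributes, self.classes):
            self.named.setdefault(self.canon(n), set()).add(n)

    def canon(self, name, _stack=()):
        if name in self.attributes:
            return frozenset({frozenset({name})})
        if name in _stack:
            raise ValueError(f"cyclic class definition through {name!r}")
        c = self.classes[name]
        parts = [self.canon(q, _stack + (name,)) for q in c.qualifiers]
        return _and(parts) if c.kind == "and" else _or(parts)

    def subclasses(self, name):
        """Drop OR alternatives (keeping one or more) and/or replace qualifiers by their subclasses."""
        if name in self.attributes:
            return {self.canon(name)}
        c = self.classes[name]
        per_q = [list(self.subclasses(q)) for q in c.qualifiers]
        out = set()
        if c.kind == "and":
            out.update(_and(ch) for ch in product(*per_q))
        else:
            for r in range(1, len(per_q) + 1):
                for keep in combinations(range(len(per_q)), r):
                    out.update(_or(ch) for ch in product(*(per_q[i] for i in keep)))
        return out

    def defined_ops(self, form):
        # Interpretation (assumed): a structural subclass that is not itself a named class/attribute defines none.
        return frozenset(chain.from_iterable(self.ops.get(n, ()) for n in self.named.get(form, ())))

@dataclass(frozen=True)
class Assignment:  # a target's classification or an accessor's authority
    cls: str
    allowed_ops: frozenset

def permitted_operations(policy, authority, classification):
    """Figure 2: (21) common subclass?  (22) operations defined for one and in both allowed sets."""
    for a in (authority, classification):
        if a.cls not in policy.classes or a.allowed_ops - policy.ops.get(a.cls, frozenset()):
            raise ValueError(f"{a.cls}: not a class, or allowed operations not chosen from it")
    common = policy.subclasses(authority.cls) & policy.subclasses(classification.cls)
    defined = frozenset(chain.from_iterable(policy.defined_ops(s) for s in common))
    return defined & authority.allowed_ops & classification.allowed_ops

EXAMPLE = Policy(
    attributes=["conf", "pay", "plans"],
    classes=[parse_class(s) for s in (
        "all: all-conf or topic;", "all-conf: other-conf or conf-topic;",
        "other-conf: conf;", "conf-topic: conf and topic;", "topic: pay or plans;")],
    ops={"all": {"interrogate", "modify"}, "topic": {"summarise"},        # from the page
         "conf-topic": {"interrogate"}, "other-conf": {"interrogate"},    # assumed
         "conf": {"interrogate"}, "pay": {"summarise"}, "plans": {"summarise"}})
EMPLOYEE = Assignment("topic", frozenset({"summarise"}))
MANAGER = Assignment("all", frozenset({"interrogate", "modify"}))
CONF_DOC = Assignment("conf-topic", frozenset({"interrogate"}))
PLAN_DOC = Assignment("topic", frozenset({"summarise"}))
```

`permitted_operations(EXAMPLE, EMPLOYEE, CONF_DOC)` is empty, because step 21 fails as the page says; `permitted_operations(EXAMPLE, EMPLOYEE, PLAN_DOC)` is `{"summarise"}`; and `permitted_operations(EXAMPLE, MANAGER, CONF_DOC)` is `{"interrogate"}` but not "modify", since only operations present in both allowed-operation sets survive step 22. Note that the "all" authority still cannot "summarise" a "topic" document, because that operation is absent from its own allowed set: the class match and the operation match are independent gates. Subclass enumeration is exponential in the nesting of OR lists, so an implementation against the definitions database of the description would precompute or cache the subclass sets rather than enumerate per request.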
By way of example, the following format may be used for representing the security classes and storing them in the system. These format definitions refer to "rights" rather than operations. A right is a collection of operations to all of which the same access control rules apply. Thus "right" may be substituted for "operation" in the previous description.
class name (12 bits): an identifier chosen to be unique for the system within which access is controlled.
class designator (4 bits): value 0000 signifies an OR list, i.e. a combination of one or more of the qualifiers may appear in an instance of this class; value 0001 signifies an AND list, i.e. all qualifiers must appear in an instance of this class; other values are reserved for possible use.
authority (16 bits): a pointer to the definition of an authority (which is a security class with rights and therefore has this same format); a value of sixteen zeros indicates that no authority is associated with the class.
number of qualifiers (8 bits): an unsigned binary number indicating the number of qualifiers which follow.
qualifier: this may occur one or more times, as indicated by "number of qualifiers". Each occurrence has the following format:
    kind of qualifier (1 bit): value 0 means class, value 1 means attribute.
    qualifier value (15 bits): if "kind of qualifier" has the value 0 this is a pointer to another class; if it has the value 1 this is a binary string representing an attribute.
rights pointer (15 bits): a pointer to the list of rights which apply to the class.
A list of rights has the following format:
number of rights (8 bits): an unsigned binary number indicating the number of rights which follow.
right: this may occur one or more times, as indicated by "number of rights". Each occurrence has the following format:
    right name (16 bits): a binary string representing a right of the class.
    list of operations (16 bits): a pointer to a list of operations made available to the possessor of the right.
For example, the above-mentioned "all: all-conf or topic;" would be represented as follows:
class name: all
class designator: 0, meaning 'or'
authority: 0, meaning 'none'
number of qualifiers: 2
qualifier: kind 0, meaning that the qualifier is a class; value: pointer to the definition of 'all-conf'
qualifier: kind 0, meaning that the qualifier is a class; value: pointer to the definition of 'topic'
rights pointer: pointer to a list which defines 'interrogate' and 'modify'
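The record layout above as an added bit-level encoder and decoder; this is example code, not the patent's. The fields are not byte-aligned (a class record is 55 + 16n bits for n qualifiers), so the code packs them into one integer and zero-pads the tail to a byte boundary. The page does not say how a pointer relates to a class name, nor what an attribute's "binary string" contains, so the example treats pointers as indices into tables of records and uses made-up identifiers for the "all" class (class 1, qualifier pointers 2 and 5, rights list 7, right names 1 and 2, operation-list pointers 0x0100 and 0x0101); all of those numbers are assumptions. The decoder rejects the reserved designator values, a zero qualifier count and truncated input instead of guessing.

```python
"""Encoder/decoder for the class record and rights list laid out above (added example)."""
from dataclasses import dataclass

OR_LIST, AND_LIST = 0b0000, 0b0001   # class designator values; all others reserved
KIND_CLASS, KIND_ATTRIBUTE = 0, 1    # the "kind of qualifier" bit

class BitWriter:
    def __init__(self):
        self.acc, self.nbits = 0, 0

    def put(self, value, width):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit in {width} bits")
        self.acc, self.nbits = (self.acc << width) | value, self.nbits + width

    def tobytes(self):
        pad = -self.nbits % 8  # zero-pad the tail to a byte boundary
        return (self.acc << pad).to_bytes((self.nbits + pad) // 8, "big")

class BitReader:
    def __init__(self, data):
        self.acc, self.total, self.pos = int.from_bytes(data, "big"), 8 * len(data), 0

    def get(self, width):
        if self.pos + width > self.total:
            raise ValueError("truncated record")
        self.pos += width
        return (self.acc >> (self.total - self.pos)) & ((1 << width) - 1)

@dataclass(frozen=True)
class ClassRecord:
    name: int          # 12-bit class identifier
    designator: int    # OR_LIST or AND_LIST
    authority: int     # 16-bit pointer to an authority record; 0 = none
    qualifiers: tuple  # (kind, value) pairs; value is a 15-bit pointer or attribute
    rights_ptr: int    # 15-bit pointer to the rights list

def encode_class(rec):
    if rec.designator not in (OR_LIST, AND_LIST):
        raise ValueError("reserved class designator")
    if not 1 <= len(rec.qualifiers) <= 0xFF:
        raise ValueError("number of qualifiers must be 1..255")
    w = BitWriter()
    w.put(rec.name, 12)
    w.put(rec.designator, 4)
    w.put(rec.authority, 16)
    w.put(len(rec.qualifiers), 8)
    for kind, value in rec.qualifiers:
        w.put(kind, 1)
        w.put(value, 15)
    w.put(rec.rights_ptr, 15)
    return w.tobytes()

def decode_class(data):
    r = BitReader(data)
    name, designator = r.get(12), r.get(4)
    if designator not in (OR_LIST, AND_LIST):
        raise ValueError(f"reserved class designator {designator:04b}")
    authority, count = r.get(16), r.get(8)
    if count == 0:
        raise ValueError("a class must have at least one qualifier")
    qualifiers = tuple((r.get(1), r.get(15)) for _ in range(count))
    return ClassRecord(name, designator, authority, qualifiers, r.get(15))

def encode_rights(rights):
    """rights: sequence of (right name, pointer to that right's operation list)."""
    w = BitWriter()
    w.put(len(rights), 8)
    for right_name, ops_ptr in rights:
        w.put(right_name, 16)
        w.put(ops_ptr, 16)
    return w.tobytes()

def decode_rights(data):
    r = BitReader(data)
    return tuple((r.get(16), r.get(16)) for _ in range(r.get(8)))

def is_valid_class(data):
    try:
        decode_class(data)
        return True
    except ValueError:
        return False

# The page's "all: all-conf or topic;" with assumed identifiers: class 1, pointers 2 and 5
# to the records for all-conf and topic, rights list 7 naming interrogate and modify.
ALL = ClassRecord(name=1, designator=OR_LIST, authority=0,
                  qualifiers=((KIND_CLASS, 2), (KIND_CLASS, 5)), rights_ptr=7)
ALL_RIGHTS = ((0x0001, 0x0100), (0x0002, 0x0101))  # (interrogate, modify), assumed values

if __name__ == "__main__":
    blob = encode_class(ALL)
    print(blob.hex(), decode_class(blob) == ALL, decode_rights(encode_rights(ALL_RIGHTS)))
```

`encode_class(ALL)` is the 11-byte string `001000000200020005000e`: 87 bits of record followed by one padding bit. Because the reader works from the total bit length, a record cut short fails on the first field that runs past the end rather than silently reading zeros, and a record whose designator is one of the reserved values is refused before its qualifiers are interpreted.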

Claims (6)

1. A method of controlling access in a data processing system, comprising (a) defining a set of attributes for targets that may be accessed and for accessors that may access the targets, (b) defining a set of security classes, each security class comprising a combination of said attributes and/or other classes, (c) associating with each security class a set of operations applicable to that class, (d) assigning a classification to each target, comprising one of said classes and a set of allowed operations, (e) assigning an authority to each accessor, comprising one of said classes and a set of allowed operations, (f) in response to a request by an accessor to perform an operation on one of the targets, permitting the operation only if there is a common subclass contained both in the accessor's authority and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's authority and in the target's classification.
2. A method according to claim 1 wherein an access class is defined as either an AND list consisting of a list of qualifiers all of which must be present, or an OR list consisting of a list of qualifiers any one of which must be present.
3. A method according to claim 2 wherein each qualifier is either an attribute or an indication of another class.
4. An access control method substantially as hereinbefore described, with reference to the accompanying drawings.
5. A data processing system, comprising (a) means for storing a set of access classes, each access class comprising a combination of attributes for targets that may be accessed and for accessors that may access the targets, each access class having associated with it a set of operations applicable to that class, (b) means for storing a classification for each target, the classification comprising one of said classes and a set of allowed operations, (c) means for storing a clearance for each accessor, the clearance comprising one of said classes and a set of allowed operations, and (d) means operable in response to a request by an accessor to perform an operation on one of the targets for permitting the operation only if there is a common subclass contained both in the accessor's clearance and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's clearance and in the target's classification.
6. A data processing system having an access control mechanism substantially as hereinbefore described with reference to the accompanying drawings.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9003112A GB9003112D0 (en) 1990-02-12 1990-02-12 Access control mechanism

Publications (3)

Publication Number Publication Date
GB9102940D0 GB9102940D0 (en) 1991-03-27
GB2242295A true GB2242295A (en) 1991-09-25
GB2242295B GB2242295B (en) 1993-10-20

Family

ID=10670835

Family Applications (2)

Application Number Title Priority Date Filing Date
GB9003112A Pending GB9003112D0 (en) 1990-02-12 1990-02-12 Access control mechanism
GB9102940A Expired - Fee Related GB2242295B (en) 1990-02-12 1991-02-12 Access control mechanism

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB9003112A Pending GB9003112D0 (en) 1990-02-12 1990-02-12 Access control mechanism

Country Status (1)

Country Link
GB (2) GB9003112D0 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3893084A (en) * 1973-05-01 1975-07-01 Digital Equipment Corp Memory access control system
EP0008355A1 (en) * 1978-08-25 1980-03-05 Siemens Aktiengesellschaft Device for the protection of data stored in computers against unauthorized access
EP0152900A2 (en) * 1984-02-16 1985-08-28 Secure Computing Technology Corporation Data processing system having protected system files
EP0192243A2 (en) * 1985-02-21 1986-08-27 Secure Computing Technology Corporation Method of protecting system files and data processing unit for implementing said method

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5586301A (en) * 1994-11-09 1996-12-17 Ybm Technologies, Inc. Personal computer hard disk protection system
US5657470A (en) * 1994-11-09 1997-08-12 Ybm Technologies, Inc. Personal computer hard disk protection system
US5819091A (en) * 1994-12-22 1998-10-06 Arendt; James Wendell User level control of degree of client-side processing
GB2301912A (en) * 1995-06-09 1996-12-18 Ibm Security for computer system resources
US8402281B2 (en) 1996-06-20 2013-03-19 Protegrity Corporation Data security system for a database
GB2371127A (en) * 2001-01-16 2002-07-17 Abattia Group Ltd Protection of personal information in a database
GB2371127B (en) * 2001-01-16 2005-04-06 Abattia Group Ltd Consensus protected database
US7594266B2 (en) 2001-11-23 2009-09-22 Protegrity Corporation Data security and intrusion detection
GB2384874B (en) * 2002-01-31 2005-12-21 Hewlett Packard Co Apparatus for setting access requirements
GB2384874A (en) * 2002-01-31 2003-08-06 Hewlett Packard Co Apparatus for determining access rights to a computer
GB2398656B (en) * 2003-01-27 2006-06-14 Hewlett Packard Development Co Improvements in and relating to computer operating system data management
GB2398656A (en) * 2003-01-27 2004-08-25 Hewlett Packard Development Co Operating system data management
EP1688856A3 (en) * 2005-02-04 2006-09-06 Microsoft Corporation Security critical data containers
US7600256B2 (en) 2005-02-04 2009-10-06 Microsoft Corporation Security critical data containers
US8935787B2 (en) 2005-02-18 2015-01-13 Protegrity Corporation Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US10552622B2 (en) 2005-02-18 2020-02-04 Protegrity Corporation Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US9705670B2 (en) 2006-08-25 2017-07-11 Protegrity Corporation Data security in a disconnected environment
US8443426B2 (en) 2007-06-11 2013-05-14 Protegrity Corporation Method and system for preventing impersonation of a computer system user
US8826449B2 (en) 2007-09-27 2014-09-02 Protegrity Corporation Data security in a disconnected environment

Also Published As

Publication number Publication date
GB2242295B (en) 1993-10-20
GB9102940D0 (en) 1991-03-27
GB9003112D0 (en) 1990-04-11

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20100212