GB2242295A - Access control in a data processing system - Google Patents
- Publication number
- GB2242295A
- Authority
- GB
- United Kingdom
- Prior art keywords
- class
- accessor
- classes
- access
- classification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
In a method of controlling access in a data processing system, firstly a set of attributes is defined for targets that may be accessed and for accessors that may access the targets. A set of access security classes is then defined in terms of these attributes or other classes. Each class has a set of allowable operations associated with it. Each target is assigned a classification comprising one of the classes and a set of allowed operations. Each accessor is assigned an authority consisting of one of the classes and a set of allowed operations. An accessor is allowed to access a target only if there is a common sub-class contained in both the accessor's authority and in the target's classification (21), and if the required operation is defined for that subclass and appears in both the accessor's authority and in the target's classification (22).
Description
ACCESS CONTROL MECHANISM
This invention relates to an access control mechanism for a data processing system.
According to the invention there is provided a method of controlling access in a data processing system, comprising
(a) defining a set of attributes for targets that may be accessed and for accessors that may access the targets,
(b) defining a set of security classes, each security class comprising a combination of said attributes and/or other classes,
(c) associating with each security class a set of operations applicable to that class,
(d) assigning a classification to each target, comprising one of said classes and a set of allowed operations,
(e) assigning an authority to each accessor, comprising one of said classes and a set of allowed operations,
(f) in response to a request by an accessor to perform an operation on one of the targets, permitting the operation only if there is a common subclass contained both in the accessor's authority and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's authority and in the target's classification.
One embodiment of the invention will now be described by way of example, with reference to the accompanying drawings, of which:
Figure 1 is a block diagram of a distributed data processing system embodying the invention;
Figure 2 is a flow chart showing the way in which access is controlled; and
Figure 3 is a schematic diagram showing an example of a set of security classes.
Referring to Figure 1, the distributed data processing system comprises a plurality of data processing installations 10, which communicate with each other by way of an interconnection network 12. The data processing installations may be individual workstations, or may be computers with attached workstations. The network may be a local area network, or telecommunications lines, or a combination of both.
The system includes a number of objects to which it is required to control access, these objects being referred to herein as targets. For example, the targets may include data items such as documents or files, stored in the individual data processing installations.
These targets may be accessed by various entities, referred to herein as accessors.
An accessor may be a human end user, an individual workstation or a software entity within a computer.
The access control mechanism for the system is implemented as follows.
First, a set of attributes is declared for the system. Each attribute is a unique identifier within the set for the system. The attributes are chosen as names for individual characteristics of the system components which are known to be significant to access control. Thus, for example, data items may have the attributes "confidential", "project N", "staff pay" etc., and end users may have the attributes "employee", "manager" etc.
A set of security classes is then defined, each class consisting of a logical combination of one or more of the attributes and/or of other defined classes.
Each of these classes may consist of one or more subclasses, where a subclass is defined as the result of deleting zero or more logical OR alternatives from a class, or replacing one or more of its qualifiers by a subclass of the qualifier. (See the definition of a class below).
A set of allowable operations is then assigned to each class and attribute. Typical operations might be, for example, "interrogate", "modify" or "summarise".
Each of the targets is assigned a classification consisting of one of the security classes, along with a set of allowable operations, chosen from those of its class.
Similarly, each of the accessors is assigned an authority consisting of one of the security classes, along with a set of allowable operations, chosen from those of the class. An accessor which may itself be accessed has both a classification and an authority.
The definitions of the classes, the authorities, and the classifications are all stored in a database in the system, so that they can be accessed by the access control mechanism.
Referring now to Figure 2, when a particular accessor requires to access a particular target to perform a specified operation, the operation of the access control mechanism is as follows:
First, the access control mechanism checks (21) whether there is a common subclass contained both in the accessor's authority and in the target's classification. If not, then no access is permitted.
If, however, there is a common subclass, the access control mechanism now checks (22) whether there are any operations defined for this common subclass which appear both in the accessor's authority and in the target's classification. If not, then again no access is permitted.
If there are such operations, then the accessor is allowed to perform those, but no others, on the target. The operation required is, therefore, allowed if it is one of these.
The form of a security class may be expressed as follows, using an extended Backus-Naur notation:
class-definition ::= class-name, ':', definition-list, ';';
definition-list ::= and-list | or-list;
and-list ::= qualifier, [and qualifier];
or-list ::= qualifier, [or qualifier];
qualifier ::= attribute | class-name;
An and-list allows the expression of a list of qualifiers which must always be present in an instance of the class defined. An or-list allows the expression of a list of qualifiers one or more of which must be present in an instance of the class defined. Other forms of expression could be provided such as, for example, to specify the combination "any N of", or "exclusive OR". They could then be used to allow more concise class definitions and be represented in the access control mechanism for greater efficiency. A qualifier is defined as an attribute or a class-name so that a class may be expressed in terms of other classes.
As an example, consider a system in which documents are stored electronically and in which access to the documents is to be controlled according to the trustworthiness and position of the accessors. The documents are classified using the attributes "confidential", "pay" and "plans". Some documents about pay are confidential, some are not. Some documents about plans are confidential, some are not. Some documents are confidential but are not concerned with either pay or plans.
In this example, the following security classes may be defined:
(i) all: all-conf or topic;
(ii) all-conf: other-conf or conf-topic;
(iii) other-conf: conf;
(iv) conf-topic: conf and topic;
(v) topic: pay or plans;
Figure 3 shows these classes schematically.
A set of operations is defined for each of these classes. For example, the class "all" may have the operations "interrogate" and "modify" associated with it, while the class "topic" may have the operation "summarise" associated with it.
Each document held in the system has one of these classes assigned to it as its security classification, along with a set of allowed operations. For example, one particular document may be assigned the classification "conf-topic".
Similarly, each accessor of the system is assigned one of the classes as an authority along with a set of allowed operations. For example, a particular grade of employee may have the authority "topic".
It will be seen that this employee would not be allowed to access documents with the classification "conf-topic" since conf-topic and topic do not have any common sub-class. (Topic is not a subclass of conf-topic since conf-topic consists of an AND combination, rather than an OR.) However, this employee would be allowed to access documents with classification "topic", to perform operations which appear both in the employee's authority and the document's classification.
By way of example, the following format may be used for representing the security classes, and storing them in the system. These format definitions refer to "rights" rather than operations. A right is a collection of operations to all of which the same access control rules apply. Thus "right" may be substituted for "operation" in the previous description.
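The two-stage check of Figure 2, run over the five classes of this worked example, as added example code that is not part of the patent. It assumes the operation sets for "conf-topic", "other-conf", "pay" and "plans" (the page only gives those of "all" and "topic") and takes the operations "defined for" a common subclass from whichever named class or attribute that subclass is the full form of.

```python
from itertools import combinations, product

# Constructed class database in the page's notation: name -> (list kind, qualifiers).
# A qualifier that names no class is an attribute.
CLASSES = {
    "all": ("or", ["all-conf", "topic"]),
    "all-conf": ("or", ["other-conf", "conf-topic"]),
    "other-conf": ("and", ["conf"]),
    "conf-topic": ("and", ["conf", "topic"]),
    "topic": ("or", ["pay", "plans"]),
}

# Operations per class/attribute. "all" and "topic" follow the page; the rest are assumed.
OPERATIONS = {
    "all": {"interrogate", "modify"},
    "topic": {"summarise"},
    "conf-topic": {"interrogate"},
    "other-conf": {"interrogate"},
    "pay": {"summarise"},
    "plans": {"summarise"},
}

def _and(dnfs):
    # Conjoin DNF forms: cross product of their conjunctions.
    conjs = [frozenset()]
    for dnf in dnfs:
        conjs = [c | d for c in conjs for d in dnf]
    return frozenset(conjs)

def full_form(qualifier):
    """Canonical DNF of a qualifier with no OR alternative deleted: a frozenset
    of conjunctions, each conjunction a frozenset of attribute names."""
    if qualifier not in CLASSES:
        return frozenset([frozenset([qualifier])])
    kind, quals = CLASSES[qualifier]
    parts = [full_form(q) for q in quals]
    return _and(parts) if kind == "and" else frozenset().union(*parts)

def subclasses(qualifier):
    """Every subclass per the page's definition: delete zero or more OR alternatives
    (never all) and/or replace qualifiers by their own subclasses."""
    if qualifier not in CLASSES:
        return {full_form(qualifier)}          # an attribute is its own only subclass
    kind, quals = CLASSES[qualifier]
    options = [subclasses(q) for q in quals]
    result = set()
    if kind == "and":
        for choice in product(*options):
            result.add(_and(choice))
    else:
        for r in range(1, len(options) + 1):
            for kept in combinations(options, r):
                for choice in product(*kept):
                    result.add(frozenset().union(*choice))
    return result

def allowed_operations(authority, classification):
    """Steps 21 and 22 of Figure 2. Both arguments are (class name, set of allowed
    operations). Assumption: a common subclass that is not the full form of any
    named class or attribute defines no operations."""
    auth_class, auth_ops = authority
    target_class, target_ops = classification
    common = subclasses(auth_class) & subclasses(target_class)  # step 21
    if not common:
        return set()
    defined = set()
    for name in set(CLASSES) | set(OPERATIONS):
        if full_form(name) in common:
            defined |= OPERATIONS.get(name, set())
    return defined & auth_ops & target_ops  # step 22

def check_access(authority, classification, operation):
    return operation in allowed_operations(authority, classification)
```

An authority of "all" still cannot "modify" a "conf-topic" document here: the common subclass is conf-topic, and only operations defined for that subclass count, so "all"'s own operation set is irrelevant.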
class name (12 bits): an identifier chosen to be unique for the system within which access is controlled.
class designator (4 bits): value 0000 signifies an OR list, i.e. a combination of qualifiers may appear in an instance of this class; value 0001 signifies an AND list, i.e. all qualifiers must appear in an instance of this class; other values reserved for possible use.
authority (16 bits): this is a pointer to the definition of an authority (which is a security class with rights and therefore has this same format); a value of sixteen zeros indicates that no authority is associated with the class.
number of qualifiers (8 bits): an unsigned binary number indicating the number of qualifiers which follow.
qualifier: this may occur one or more times as indicated by "number of qualifiers". Each occurrence has the following format:
    kind of qualifier (1 bit): value 0 means class, value 1 means attribute.
    qualifier value (15 bits): if "kind of qualifier" has the value 0 this is a pointer to another class; if "kind of qualifier" has the value 1 this is a binary string representing an attribute.
rights pointer (15 bits): a pointer to the list of rights which apply to the class.
A list of rights has the following format:
number of rights (8 bits): an unsigned binary number indicating the number of rights which follow.
right: this may occur one or more times as indicated by "number of rights". Each occurrence has the following format:
    right name (16 bits): a binary string representing a right of the class.
    list of operations (16 bits): a pointer to a list of operations made available to the possessor of the right.
For example, the above-mentioned "all : all-conf or topic;" would be represented as follows:
class name: all
class designator: 0, meaning 'or'
authority: 0, meaning 'none'
number of qualifiers: 2
qualifier: kind 0, meaning that the qualifier is a class; value: pointer to a definition of 'all-conf'
qualifier: kind 0, meaning that the qualifier is a class; value: pointer to a definition of 'topic'
rights pointer: pointer to a list which defines 'interrogate' and 'modify'
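A packer and unpacker for the class record layout above, added here as example code that is not from the patent. The page gives the field widths but no numeric identifiers, so the class numbers and the rights-list pointer used for the "all" record are constructed values; bits are kept as a string of '0'/'1' because the layout is defined in bits, not bytes.

```python
# (field name, width in bits) of the fixed header, in the page's order.
FIELDS = [("class_name", 12), ("designator", 4), ("authority", 16), ("n_qualifiers", 8)]
OR_LIST, AND_LIST, NO_AUTHORITY = 0b0000, 0b0001, 0
# Constructed identifiers for the example; the page names them but gives no values.
ALL, ALL_CONF, TOPIC, RIGHTS_LIST_ALL = 1, 2, 5, 7

def _field(value, width):
    # Range-check before packing so an oversized value cannot spill into a neighbour.
    if not 0 <= value < (1 << width):
        raise ValueError(f"value {value} does not fit in {width} bits")
    return format(value, f"0{width}b")

def pack_class(class_name, designator, authority, qualifiers, rights_ptr):
    """qualifiers: list of (kind, value); kind 0 = pointer to a class, 1 = attribute."""
    values = (class_name, designator, authority, len(qualifiers))
    bits = "".join(_field(v, w) for (_, w), v in zip(FIELDS, values))
    for kind, value in qualifiers:
        bits += _field(kind, 1) + _field(value, 15)
    return bits + _field(rights_ptr, 15)

def unpack_class(bits):
    """Inverse of pack_class; rejects truncated records and trailing bits."""
    pos = 0
    def take(width):
        nonlocal pos
        if pos + width > len(bits):
            raise ValueError("record truncated")
        value = int(bits[pos:pos + width], 2)
        pos += width
        return value
    rec = {name: take(width) for name, width in FIELDS}
    rec["qualifiers"] = [(take(1), take(15)) for _ in range(rec["n_qualifiers"])]
    rec["rights_ptr"] = take(15)
    if pos != len(bits):
        raise ValueError("trailing bits after record")
    return rec

def is_well_formed(bits):
    try:
        unpack_class(bits)
        return True
    except ValueError:
        return False

def example_all_record():
    """The 'all : all-conf or topic;' record exactly as the page lays it out."""
    return pack_class(ALL, OR_LIST, NO_AUTHORITY, [(0, ALL_CONF), (0, TOPIC)], RIGHTS_LIST_ALL)
```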
Claims (6)
1. A method of controlling access in a data processing system, comprising
(a) defining a set of attributes for targets that may be accessed and for accessors that may access the targets,
(b) defining a set of security classes, each security class comprising a combination of said attributes and/or other classes,
(c) associating with each security class a set of operations applicable to that class,
(d) assigning a classification to each target, comprising one of said classes and a set of allowed operations,
(e) assigning an authority to each accessor, comprising one of said classes and a set of allowed operations,
(f) in response to a request by an accessor to perform an operation on one of the targets, permitting the operation only if there is a common subclass contained both in the accessor's authority and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's authority and in the target's classification.
2. A method according to claim 1 wherein an access class is defined as either an AND list consisting of a list of qualifiers all of which must be present, or an OR-list consisting of a list of qualifiers any one of which must be present.
3. A method according to claim 2 wherein each qualifier is either an attribute or an indication of another class.
4. An access control method substantially as hereinbefore described, with reference to the accompanying drawings.
5. A data processing system, comprising
(a) means for storing a set of access classes, each access class comprising a combination of attributes for targets that may be accessed and for accessors that may access the targets, each access class having associated with it a set of operations applicable to that class,
(b) means for storing a classification for each target, the classification comprising one of said classes and a set of allowed operations,
(c) means for storing a clearance for each accessor, the clearance comprising one of said classes and a set of allowed operations, and
(d) means operable in response to a request by an accessor to perform an operation on one of the targets for permitting the operation only if there is a common subclass contained both in the accessor's clearance and in the target's classification, and if the operation is defined for that subclass and appears both in the accessor's clearance and in the target's classification.
6. A data processing system having an access control mechanism substantially as hereinbefore described with reference to the accompanying drawings.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9003112A GB9003112D0 (en) | 1990-02-12 | 1990-02-12 | Access control mechanism |
Publications (3)
Publication Number | Publication Date |
---|---|
GB9102940D0 GB9102940D0 (en) | 1991-03-27 |
GB2242295A true GB2242295A (en) | 1991-09-25 |
GB2242295B GB2242295B (en) | 1993-10-20 |
Family
ID=10670835
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB9003112A Pending GB9003112D0 (en) | 1990-02-12 | 1990-02-12 | Access control mechanism |
GB9102940A Expired - Fee Related GB2242295B (en) | 1990-02-12 | 1991-02-12 | Access control mechanism |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB9003112A Pending GB9003112D0 (en) | 1990-02-12 | 1990-02-12 | Access control mechanism |
Country Status (1)
Country | Link |
---|---|
GB (2) | GB9003112D0 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3893084A (en) * | 1973-05-01 | 1975-07-01 | Digital Equipment Corp | Memory access control system |
EP0008355A1 (en) * | 1978-08-25 | 1980-03-05 | Siemens Aktiengesellschaft | Device for the protection of data stored in computers against unauthorized access |
EP0152900A2 (en) * | 1984-02-16 | 1985-08-28 | Secure Computing Technology Corporation | Data processing system having protected system files |
EP0192243A2 (en) * | 1985-02-21 | 1986-08-27 | Secure Computing Technology Corporation | Method of protecting system files and data processing unit for implementing said method |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5586301A (en) * | 1994-11-09 | 1996-12-17 | Ybm Technologies, Inc. | Personal computer hard disk protection system |
US5657470A (en) * | 1994-11-09 | 1997-08-12 | Ybm Technologies, Inc. | Personal computer hard disk protection system |
US5819091A (en) * | 1994-12-22 | 1998-10-06 | Arendt; James Wendell | User level control of degree of client-side processing |
GB2301912A (en) * | 1995-06-09 | 1996-12-18 | Ibm | Security for computer system resources |
US8402281B2 (en) | 1996-06-20 | 2013-03-19 | Protegrity Corporation | Data security system for a database |
GB2371127A (en) * | 2001-01-16 | 2002-07-17 | Abattia Group Ltd | Protection of personal information in a database |
GB2371127B (en) * | 2001-01-16 | 2005-04-06 | Abattia Group Ltd | Consensus protected database |
US7594266B2 (en) | 2001-11-23 | 2009-09-22 | Protegrity Corporation | Data security and intrusion detection |
GB2384874B (en) * | 2002-01-31 | 2005-12-21 | Hewlett Packard Co | Apparatus for setting access requirements |
GB2384874A (en) * | 2002-01-31 | 2003-08-06 | Hewlett Packard Co | Apparatus for determining access rights to a computer |
GB2398656B (en) * | 2003-01-27 | 2006-06-14 | Hewlett Packard Development Co | Improvements in and relating to computer operating system data management |
GB2398656A (en) * | 2003-01-27 | 2004-08-25 | Hewlett Packard Development Co | Operating system data management |
EP1688856A3 (en) * | 2005-02-04 | 2006-09-06 | Microsoft Corporation | Security critical data containers |
US7600256B2 (en) | 2005-02-04 | 2009-10-06 | Microsoft Corporation | Security critical data containers |
US8935787B2 (en) | 2005-02-18 | 2015-01-13 | Protegrity Corporation | Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior |
US10552622B2 (en) | 2005-02-18 | 2020-02-04 | Protegrity Corporation | Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior |
US9705670B2 (en) | 2006-08-25 | 2017-07-11 | Protegrity Corporation | Data security in a disconnected environment |
US8443426B2 (en) | 2007-06-11 | 2013-05-14 | Protegrity Corporation | Method and system for preventing impersonation of a computer system user |
US8826449B2 (en) | 2007-09-27 | 2014-09-02 | Protegrity Corporation | Data security in a disconnected environment |
Also Published As
Publication number | Publication date |
---|---|
GB2242295B (en) | 1993-10-20 |
GB9102940D0 (en) | 1991-03-27 |
GB9003112D0 (en) | 1990-04-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PCNP | Patent ceased through non-payment of renewal fee | Effective date: 20100212 |