NIST
Office of Technology Partnerships (OTP) Data Services
What is claimed is:

1. A method for improving access control administration in computer environments, the method comprising the steps of: associating individual users with roles or groups having identical access requirements to one or more sets of particular objects in the environment; creating an object access type (OAT) mechanism for managing a plurality of OATs, each OAT being a separate entity for associating one or more objects with one or more roles or groups and sets of object access permissions associated therewith; and employing said OATs to associate each said role or group with a specific set of permissions defining allowable accesses to a particular set of objects.

2. The method of claim 1, wherein each said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT by adding the identifications of said corresponding individuals or groups of individuals and the permissions permitted thereto to access control lists corresponding to each of the objects or groups of objects assigned to said OAT.

3. The method of claim 1, wherein said computer system comprises one or more discrete processor devices operated effectively as a single resource controlled by a single operating system, and wherein said operating system comprises means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.

4. The method of claim 1, wherein said computer system comprises an undefined number of processor devices connected by reconfigurable connections, such that objects or groups of objects within said system may be located by universal resource locator (URL) inquiries, and wherein local processors controlling access to particular objects or groups of objects comprise means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.

5. The method of claim 1, wherein said computer system comprises one or more discrete processor devices, and said objects are organized in a relational data base controlled by a server computer comprising means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.

6. In a computer system comprising a plurality of objects controlled by means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects, whereby individuals or groups of individuals are listed on said access control lists together with a set of permissions authorized to the corresponding individuals or groups of individuals with respect to each of the objects or groups of objects to which said access control list corresponds, and wherein said access control lists are treated by said computer system as attributes of the corresponding objects or groups of objects, the improvement comprising: providing a mechanism within said computer system whereby an Object Access Type (OAT) may be defined, said OATs being treated by said computer system as independent entities that may be created, edited, and/or deleted, separate from objects or groups of objects, and separately from individuals or groups of individuals; said mechanism allowing said OATs to be assigned to or removed from objects and groups of objects, and allowing individuals or groups of individuals to be assigned to said OATs; said mechanism further allowing each said OAT to contain lists of permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT; whereby each said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT.

7. The computer system of claim 6, wherein said OAT associates the permissions permitted to the corresponding individuals or groups of individuals assigned to said OAT to the objects or groups of objects assigned to said OAT by adding the identifications of said corresponding individuals or groups of individuals and the permissions permitted thereto to the access control lists of each of the objects or groups of objects assigned to said OAT.

8. The computer system of claim 6, wherein said computer system comprises one or more discrete processor devices operated effectively as a single resource controlled by a single operating system, and wherein said operating system comprises said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects.

9. The computer system of claim 6, wherein said computer system comprises an undefined number of processor devices connected by reconfigurable connections, such that objects or groups of objects within said system may be located by universal resource locator (URL) inquiries, and wherein said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects is provided by local processors controlling access to particular objects or groups of objects.

10. The computer system of claim 6, wherein said computer system comprises one or more discrete processor devices, and said means providing the capability to restrict access to objects or groups of objects by means of an access control list provided separately with respect to each said object or group of objects is a relational data base controlling access to particular objects or groups of objects.
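The OAT mechanism of claims 1, 2, 6 and 7, as an added Python model that is not part of the patent or of any NIST code: an OAT is an independent entity binding roles or groups to one permission set over a set of objects, and every change to an OAT is materialized into the ACLs of the affected objects. It goes slightly beyond the claims in that it rebuilds an object's ACL from all OATs covering it, so removing a role or deleting an OAT cannot leave a stale ACL entry; the class and method names, roles and object paths are assumptions for illustration.

```python
from collections import defaultdict

class OAT:
    """An OAT: an independently managed binding of roles/groups to a fixed
    permission set over a set of objects (constructed model, not NIST code)."""
    def __init__(self, name, permissions):
        self.name = name
        self.permissions = frozenset(permissions)
        self.roles = set()    # roles or groups assigned to this OAT
        self.objects = set()  # object identifiers assigned to this OAT

class OATManager:
    """Holds OATs as the source of truth and materializes them into per-object
    ACLs (object -> role -> permissions), as claims 2 and 7 describe."""
    def __init__(self):
        self.oats = {}                 # OAT name -> OAT
        self.acls = defaultdict(dict)  # object -> {role: frozenset(perms)}
    def create_oat(self, name, permissions):
        if name in self.oats:
            raise ValueError(f"OAT {name!r} already exists")
        self.oats[name] = OAT(name, permissions)
    def delete_oat(self, name):
        # Drop the OAT, then refresh the ACLs of every object it covered.
        self._rebuild(self.oats.pop(name).objects)
    def assign_role(self, oat_name, role):
        oat = self.oats[oat_name]
        oat.roles.add(role)
        self._rebuild(oat.objects)
    def remove_role(self, oat_name, role):
        oat = self.oats[oat_name]
        oat.roles.discard(role)
        self._rebuild(oat.objects)
    def assign_object(self, oat_name, obj):
        self.oats[oat_name].objects.add(obj)
        self._rebuild({obj})
    def _rebuild(self, objects):
        # Recompute each affected object's ACL from scratch so that removing a
        # role or an OAT never leaves stale entries (a role may reach the same
        # object through several OATs with different permissions).
        for obj in objects:
            entries = defaultdict(set)
            for oat in self.oats.values():
                if obj in oat.objects:
                    for role in oat.roles:
                        entries[role] |= oat.permissions
            self.acls[obj] = {r: frozenset(p) for r, p in entries.items()}
    def allowed(self, role, obj, permission):
        # The access decision consults only the object's materialized ACL.
        return permission in self.acls.get(obj, {}).get(role, frozenset())
```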