Patent application number | Description | Published |
20080271139 | DETERMINATION OF ACCESS CHECKS IN A MIXED ROLE BASED ACCESS CONTROL AND DISCRETIONARY ACCESS CONTROL ENVIRONMENT - A computer implemented method, apparatus, and computer program product for access control in a mixed discretionary access control and role based access control environment. In one embodiment, an execution access for a command is determined using a set of role based authorizations for a user invoking the command. In response to a determination that the user invoking the command is authorized based on the set of role based authorizations, a privilege in a set of privileges associated with the command is raised. Raising the privilege in the set of privileges bypasses discretionary access control checks. In response to a determination that the user invoking the command is unauthorized based on the set of role based authorizations, an execution access for the command is determined using a set of discretionary access mode bits associated with the command. | 10-30-2008 |
20080294592 | FRAMEWORK FOR MANAGING ATTRIBUTES OF OBJECTS - A computer implemented method, computer program product, and system for managing objects. Responsive to receiving a find-rule method, and a path-rule table, wherein the path-rule table contains a set of paths, wherein each path references an object, wherein a file system locates the object using the path, and wherein the object has at least one attribute not known to the file system, a path-rule table identifier is created. The path-rule table is associated with the path-rule table identifier to form an associated path-rule table. The find-rule method is associated with the path-rule table identifier to form an associated find-rule method. The path-rule table identifier, the associated path-rule table, and the associated find-rule method are stored. The path-rule table identifier is returned. | 11-27-2008 |
20090217371 | SYSTEM AND METHOD FOR DYNAMIC CREATION OF PRIVILEGES TO SECURE SYSTEM SERVICES - A system, method, and program product is provided that allows new privileges to be dynamically added to an operating system. Entities are assigned roles and these roles are associated with various authorizations. Authorizations are associated with privileges, including the new privilege. A request is received to dynamically add the new privilege to the operating system. The operating system then dynamically adds the new privilege to the system. A software service is installed that requires the new privilege. A request to execute the installed software service is received from an entity that is running on the operating system. The operating system allows the entity to execute the installed software service in response to determining that the entity has been granted the privilege. However, if the entity has not been granted the new privilege, then the operating system inhibits execution of the software service by the entity. | 08-27-2009 |
20090328129 | Customizing Policies for Process Privilege Inheritance - An approach is provided that uses policies to determine which parental privileges are inherited by the parent's child processes. A parent software process initializes a child software process, such as by executing the child process. The parent process is associated with a first set of privileges. The inheritance policies are retrieved that correspond to the parent process. A second set of privileges is identified based on the retrieved inheritance policies, and this second set of privileges is applied to the child software process. | 12-31-2009 |
20100043069 | Authorized Authorization Set in RBAC Model - The Authorized Authorization Set System comprising a modified operating system, a command table containing authorized authorization sets, and a modified RBAC security system, eliminates the need for inherited privileges that must be passed to subcommands in order for the command to run. The modified operating system accesses a table containing authorized authorization sets which identify the privileges for all subcommands within a command. When a user is assigned an accessauth for a command, and a sub-command is a privileged sub-command, the privileged sub-command is only run when the accessauth of the sub-command is included in the authorized authorization set of the command. | 02-18-2010 |
20120066760 | ACCESS CONTROL IN A VIRTUAL SYSTEM - A method comprises determining a set of one or more authorizations associated with a role of a user responsive to the user entering a command with a parameter, wherein the command with the parameter is to be implemented via a first virtual partition that is configured to control access to a plurality of virtual input/output (I/O) devices by a plurality of other virtual partitions. The first virtual partition and the plurality of other virtual partitions are instantiated on a same system. The method includes determining that the role is authorized to execute the command based on the set of one or more authorizations. The method also includes determining that the role is authorized to execute the command with the parameter responsive to determining that the role is authorized to perform the command. The method includes executing the command with the parameter via the virtual partition. | 03-15-2012 |
20120185510 | DOMAIN BASED ISOLATION OF OBJECTS - Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed. | 07-19-2012 |
20120185581 | DOMAIN BASED ISOLATION OF NETWORK PORTS - When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed. | 07-19-2012 |
20120185661 | DOMAIN BASED ACCESS CONTROL OF PHYSICAL MEMORY SPACE - Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated. | 07-19-2012 |
20120185930 | DOMAINS BASED SECURITY FOR CLUSTERS - Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied. | 07-19-2012 |
20140109189 | MANAGING ACCESS TO CLASS OBJECTS IN A SYSTEM UTILIZING A ROLE-BASED ACCESS CONTROL FRAMEWORK - According to one aspect of the present disclosure a system and technique for managing access to application-based objects in a system utilizing a role-based access control framework is disclosed. The system includes a memory and a processor coupled to the memory, wherein the processor is configured to: determine, for each object class of an application, a privilege needed for invoking a privileged operation associated with the object class; create a privilege shell for a user running the application; set the determined privilege on the privilege shell; associate an authorization to the privilege shell; and invoke the privilege shell to run the application by the user. | 04-17-2014 |
20140109193 | MANAGING ACCESS TO CLASS OBJECTS IN A SYSTEM UTILIZING A ROLE-BASED ACCESS CONTROL FRAMEWORK - According to one aspect of the present disclosure, a method and technique for managing access to application-based objects in a system utilizing a role-based access control framework is disclosed. The method includes: determining, for each object class of an application, a privilege needed for invoking a privileged operation associated with the object class; creating a privilege shell for a user running the application; setting the determined privilege on the privilege shell; associating an authorization to the privilege shell; and invoking the privilege shell to run the application by the user. | 04-17-2014 |