Patent application number | Description | Published |
20080256606 | Method and Apparatus for Privilege Management - A computer implemented method, apparatus, and computer program product for managing privileges on a data processing system. The process initiates a privilege monitor. All other entities in the data processing system are prevented from assigning privileges. The privilege monitor is the only entity authorized to assign privileges. The process monitors for requests for privileges. In response to detecting a request from a user for a privilege, the process selectively assigns the privilege to the user through the privilege monitor. | 10-16-2008 |
20080289036 | TIME-BASED CONTROL OF USER ACCESS IN A DATA PROCESSING SYSTEM INCORPORATING A ROLE-BASED ACCESS CONTROL MODEL - Computer implemented method, system and computer usable program code for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model. A computer implemented method for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model includes providing at least one timing attribute for a role, wherein each at least one timing attribute specifies a timing condition by which a user is enabled to use the role. The user is enabled to use the role pursuant to satisfying the at least one timing attribute. | 11-20-2008 |
20100106926 | SECOND FAILURE DATA CAPTURE PROBLEM DETERMINATION USING USER SELECTIVE MEMORY PROTECTION TO TRACE APPLICATION FAILURES - The present invention discloses a solution for second failure data capture problem determination using user selective memory protection to trace application failures. In the solution, one or more data structures can be selected by a user to be allocated a unique address space from a debug heap. The address space called a region can be assigned permissions for which executable code can access the contents. Permissions can include full access (e.g., read/write), read, and no access which can “lock” the region against specific types of access. The user can permit known trusted executable code to access allocated regions. Untrusted executable code attempting to access “locked” regions will result in an application failure event (e.g., segmentation fault). The failure can be used to determine the point of memory corruption through inspection of the stack trace. | 04-29-2010 |
20110125799 | Extensible Access Control List Framework - Methods, systems, and products for governing access to objects on a filesystem. In one general embodiment, the method includes providing a framework in an operating system environment for support of a plurality of access control list (ACL) types, thereby enabling governing of access to objects on a filesystem according to an associated definition of an ACL type; and accepting definitions of ACL types. The associated definition may comprise a kernel extension. | 05-26-2011 |
20110125812 | Managing Memory - Methods, systems, and products for managing memory. In one general embodiment, the method includes assigning an isolated virtual heap in a global kernel heap of a global operating system environment to each of a plurality of isolated virtual operating system environments operating in a global operating system environment; and in response to an invocation of kernel heap memory allocation from one of the isolated virtual operating system environments, dynamically allocating memory to the invoking isolated virtual operating system environment from the virtual kernel heap assigned to the invoking isolated virtual operating system environment. The method may also include running the plurality of isolated virtual operating system environments in the global operating system environment. The plurality of isolated virtual operating system environments may share a single common kernel. The isolated virtual operating system environments may run under the same operating system image. | 05-26-2011 |
20110126176 | Providing Programming Support to Debuggers - Method, system, and computer program product for providing programming support to a debugger are disclosed. The method includes defining at least one debugger programming statement, and instructing the debugger to execute the at least one debugger programming statement which modifies at least a portion of the computer program during execution of the computer program without recompiling the computer program. The debugger may be instructed to execute the at least one debugger programming statement at a specified position of the computer program. The at least one debugger programming statement may include a delete instruction that instructs the debugger to prevent one or more programming statements at a specified position in the computer program from being executed. The debugger may be instructed to execute the at least one debugger programming statement instead of one or more programming statements at a specified position in the computer program without recompiling the computer program. | 05-26-2011 |
20120144138 | Locking Access To Data Storage Shared By A Plurality Of Compute Nodes - Methods, apparatuses, and computer program products are provided for locking access to data storage shared by a plurality of compute nodes. Embodiments include maintaining, by a compute node, a queue of requests from requesting compute nodes of the plurality of compute nodes for access to the data storage, wherein possession of the queue represents possession of a mutual-exclusion lock on the data storage, the mutual-exclusion lock indicating exclusive permission for access to the data storage; and conveying, based on the order of requests in the queue, possession of the queue from the compute node to a next requesting compute node when the compute node no longer requires exclusive access to the data storage. | 06-07-2012 |
20120144235 | Reducing Application Downtime During Failover - Reducing application downtime during failover including identifying a critical line in the startup of an application, the critical line comprising the point in the startup of the application in which the application begins to use dependent resources; checkpointing the application at the critical line of startup; identifying a failure in the application; and restarting the application from the checkpointed application at the critical line. | 06-07-2012 |
20120185510 | DOMAIN BASED ISOLATION OF OBJECTS - Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed. | 07-19-2012 |
20120185581 | DOMAIN BASED ISOLATION OF NETWORK PORTS - When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed. | 07-19-2012 |
20120185661 | DOMAIN BASED ACCESS CONTROL OF PHYSICAL MEMORY SPACE - Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated. | 07-19-2012 |
20120185930 | DOMAINS BASED SECURITY FOR CLUSTERS - Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied. | 07-19-2012 |
20120198424 | Providing Programming Support to Debuggers - A method for providing programming support to a debugger is disclosed. The method includes defining at least one debugger programming statement, and instructing the debugger to execute the at least one debugger programming statement which modifies at least a portion of the computer program during execution of the computer program without recompiling the computer program. The debugger may be instructed to execute the at least one debugger programming statement at a specified position of the computer program. The at least one debugger programming statement may include a delete instruction that instructs the debugger to prevent one or more programming statements at a specified position in the computer program from being executed. The debugger may be instructed to execute the at least one debugger programming statement instead of one or more programming statements at a specified position in the computer program without recompiling the computer program. | 08-02-2012 |
20130046720 | DOMAIN BASED USER MAPPING OF OBJECTS - According to one aspect of the present disclosure, a method and technique for domain based user mapping of objects is disclosed. The method includes: responsive to determining that an operation is being attempted on an object identified with an object identifier, determining a domain identifier associated with a user attempting the operation; determining whether the operation can proceed on the object based on domain isolation rules, the domain isolation rules indicating rules for allowing or disallowing operations to proceed on objects based on object identifiers and domain identifiers; responsive to determining that the operation on the object can proceed based on the domain isolation rules, accessing user mapping rules that map specified users allowed to perform a specified operation to a specified object; and determining whether the operation can proceed on the object by the user based on the user mapping rules. | 02-21-2013 |
20130151704 | DOMAIN BASED MANAGEMENT OF PARTITIONS AND RESOURCE GROUPS - According to one aspect of the present disclosure, a method and technique for domain based partition and resource group management is disclosed. The method includes: responsive to determining that an operation is being attempted on an object, determining a partition identifier associated with the object; determining a domain identifier associated with a user attempting the operation; determining whether the operation can proceed on the partition based on domain isolation rules, the domain isolation rules indicating rules for allowing or disallowing operations to proceed on the partition based on partition identifiers and domain identifiers; and responsive to determining that the operation on the partition can proceed based on the domain isolation rules, permitting the operation. | 06-13-2013 |
20140109189 | MANAGING ACCESS TO CLASS OBJECTS IN A SYSTEM UTILIZING A ROLE-BASED ACCESS CONTROL FRAMEWORK - According to one aspect of the present disclosure, a system and technique for managing access to application-based objects in a system utilizing a role-based access control framework is disclosed. The system includes a memory and a processor coupled to the memory, wherein the processor is configured to: determine, for each object class of an application, a privilege needed for invoking a privileged operation associated with the object class; create a privilege shell for a user running the application; set the determined privilege on the privilege shell; associate an authorization to the privilege shell; and invoke the privilege shell to run the application by the user. | 04-17-2014 |
20140109193 | MANAGING ACCESS TO CLASS OBJECTS IN A SYSTEM UTILIZING A ROLE-BASED ACCESS CONTROL FRAMEWORK - According to one aspect of the present disclosure, a method and technique for managing access to application-based objects in a system utilizing a role-based access control framework is disclosed. The method includes: determining, for each object class of an application, a privilege needed for invoking a privileged operation associated with the object class; creating a privilege shell for a user running the application; setting the determined privilege on the privilege shell; associating an authorization to the privilege shell; and invoking the privilege shell to run the application by the user. | 04-17-2014 |