公开(公告)号：DE69427347T2

公开(公告)日：2001-10-31

申请号：DE69427347

申请日：1994-08-15

Applicant: IBM

Inventor： DEINHART KLAUS ,  GLIGOR VIRGIL D ,  LINGENFELDER DR ,  LORENZ DR

IPC: G06F12/14 ,  G06F1/00 ,  G06F12/00 ,  G06F21/00 ,  G06F21/20 ,  G06F21/24 ,  H04L29/08

Abstract: A method and system for registration, authorization, and control of access rights in a computer system are disclosed in the present invention. The inventive method for controlling access rights of subjects (1) on objects (4) in a computer system uses parameterized role types (2) that can be instantiated into role instances (4) equivalent to roles or groups as known from the prior art. The required parameters are provided by the subject (1) of the computer system, e.g. by a person (5), a job position (6) or an organization unit (7). Furthermore, the inventive method provides relative resource sets (8) which are instantiated into concrete resource sets (9) and individual resources (10) by using the same parameter values as for instantiating the role types. The inventive system for authorization and control of access rights as disclosed in the present invention comprises capability lists (30) providing the access rights of the subjects (1) on the objects (4) of a computer system on a per-subject basis. Furthermore, the inventive system comprises means for deriving (32) access control lists (31) from capability lists (30), wherein said access rights of the subjects (1) on the respective objects (4) are provided.

公开(公告)号：DE69427347D1

公开(公告)日：2001-07-05

申请号：DE69427347

申请日：1994-08-15

Applicant: IBM

Inventor： DEINHART KLAUS ,  GLIGOR VIRGIL D ,  LINGENFELDER DR ,  LORENZ DR

IPC: G06F12/14 ,  G06F1/00 ,  G06F12/00 ,  G06F21/00 ,  G06F21/20 ,  G06F21/24 ,  H04L29/08

Abstract: A method and system for registration, authorization, and control of access rights in a computer system are disclosed in the present invention. The inventive method for controlling access rights of subjects (1) on objects (4) in a computer system uses parameterized role types (2) that can be instantiated into role instances (4) equivalent to roles or groups as known from the prior art. The required parameters are provided by the subject (1) of the computer system, e.g. by a person (5), a job position (6) or an organization unit (7). Furthermore, the inventive method provides relative resource sets (8) which are instantiated into concrete resource sets (9) and individual resources (10) by using the same parameter values as for instantiating the role types. The inventive system for authorization and control of access rights as disclosed in the present invention comprises capability lists (30) providing the access rights of the subjects (1) on the objects (4) of a computer system on a per-subject basis. Furthermore, the inventive system comprises means for deriving (32) access control lists (31) from capability lists (30), wherein said access rights of the subjects (1) on the respective objects (4) are provided.