Extending the Output Values of Storage ACLs to Control Restricted Access

IP.com Prior Art Database Disclosure
IP.com Disclosure Number: IPCOM000234924D
Publication Date: 16-Feb-2014

Publishing Venue

The IP.com Prior Art Database

Abstract

In certain situations, the standard allow/deny output of the access control module is sub-optimal (e.g., if access to a resource is not to be fully denied, but limited). We propose to extend the (allow | deny) set to (allow | deny | allow_with_limitations). The new "allow_with_limitations" may serve a correspondingly extended logic to decide (per policy) on the limited access actions that are to be performed. The proposed method provides the framework for an enhanced storage access control mechanism that is more flexible and efficient (concise) than the state of the art.

Language

English (United States)

Document File

3 pages / 34.6 KB

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 34% of the total text.


Field Topic:


The invention area is an access control module that is common in most computer systems. Typically, access to system resources is limited. Hence, prior to accessing a resource an access control module is invoked to query the access rights of the requesting process. This invention addresses the way the access control module functions.

Background:

Access control modules in computer systems carry the responsibility to permit/deny access to system resources. Typically, the module receives various inputs that describe the access request and the requestor credentials, then it uses some policies to process the request, and eventually arrives at a conclusion whether to allow or reject the access request. The parameters of the access request typically include the accessed resource (e.g., disk file), the type of the requested access (e.g., write), the user attributes (e.g., user name, user group) and additional system-specific input data. Depending on the access control methodology, these parameters are then compared to either policies or Access Control Lists (ACLs), which describe the access control rules. In file systems, ACLs are stored as part of the file i-node and contain a list of users and groups that are allowed to access the resource (e.g., POSIX ACLs). Recently, the NFSv4 standard (see RFC 3530) extended this model to ACLs containing lists of permission-granting or permission-denying entries called access control entries (ACEs). In this specification, ACEs were extended to the following 4 types: (1) ALLOW - an entry specifying a condition which allows access; (2) DENY - an entry specifying the condition which denies access; (3) AUDIT - specifies when the access should be reported to the audit log; (4) ALARM - specifies when the access should generate a system alarm. The conditions required for the access control decision are described in the ACE fields "who", "flags" and "access_mask", which detail the users/groups, conditions (e.g., inheritance flags) and operations, respectively. Note that ACEs of type ALARM and AUDIT do not affect the requester's access, and are used for triggering internal system events following an access attempt. Thus, even in the most advanced NFSv4 model of ACLs, the output of the access control decision is either allow or deny, and there is no support for restricted operations that grant the user limited or restricted access. The current disclosure addresses this issue.
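An added example (not code from the disclosure): a small NFSv4-style ACE evaluator in which AUDIT and ALARM entries only emit events and the decision stays binary, extended with a hypothetical ALLOW_LIMITED ACE type that yields the abstract's third output. The `limitation` field, the `rate_limit` value, the sample ACL and the fail-closed default for undecided bits are assumptions, since the disclosure's own mechanism is not in this excerpt.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2                      # access_mask bits (illustrative subset)
ALLOW, DENY, AUDIT, ALARM = "allow", "deny", "audit", "alarm"   # the four ACE types
ALLOW_LIMITED = "allow_with_limitations"    # hypothetical fifth type (assumption)

@dataclass
class Ace:
    type: str
    who: str                # user or group name, or "EVERYONE@"
    access_mask: int
    limitation: str = ""    # hypothetical: action the enforcement point applies

def evaluate(acl, principals, requested):
    """Walk the ACEs in order and return (decision, limitations, events)."""
    remaining, limits, events = requested, [], []
    for ace in acl:
        if ace.who != "EVERYONE@" and ace.who not in principals:
            continue
        if ace.type in (AUDIT, ALARM):
            # Side effects only: these entries never change the decision.
            if ace.access_mask & requested:
                events.append(ace.type)
            continue
        hit = ace.access_mask & remaining
        if not hit:
            continue            # nothing still undecided is covered by this ACE
        if ace.type == DENY:
            return "deny", [], events
        if ace.type == ALLOW_LIMITED:
            limits.append(ace.limitation)
        remaining &= ~hit       # these bits are now granted
    if remaining:
        return "deny", [], events   # undecided bits: fail closed
    return (ALLOW_LIMITED if limits else "allow"), limits, events

# Constructed sample ACL for one file; names and the limitation are made up.
ACL = [
    Ace(AUDIT, "EVERYONE@", WRITE),
    Ace(ALLOW, "alice", READ | WRITE),
    Ace(ALLOW_LIMITED, "contractors", READ, "rate_limit"),
    Ace(DENY, "contractors", WRITE),
    Ace(ALLOW, "EVERYONE@", READ),
]

if __name__ == "__main__":
    for who, req in [({"alice"}, READ | WRITE), ({"bob", "contractors"}, READ),
                     ({"bob", "contractors"}, WRITE)]:
        print(sorted(who), req, evaluate(ACL, who, req))
```

Entry order matters in this model: a limited grant placed after an unconditional ALLOW for the same principal and bits would never take effect, because those bits are already decided.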

Alternative access control models are Role-based access control (RBAC), or Attribute Based Access Control system (ABAC), which define policies specifying how to deal with situations that are likely to occur via priorities and access control rules for various system resources. Policy management is usually centralized and most of the existing systems comprise a policy decision point (PDP) for interpreting the policies and a policy enforcement p...
