The present invention relates to the field of computer security and more particularly to techniques for controlling access to resources in a multi-domain distributed computing environment.
Advances in communication network technologies coupled with the explosive growth in the usage of computer systems have significantly increased the number of resources available to users via communication networks. Due to the rising popularity of such communication networks, an increasing number of enterprises are replacing their legacy centralized information processing models with distributed systems comprising a plurality of computer systems interconnected via a communication network, such as the Internet. The use of such distributed systems has allowed enterprises to transcend geographical boundaries and share resources between a multitude of users irrespective of the physical location of the users. For example, an enterprise having offices in Seattle, Denver, and San Francisco may have a distributed computer network which allows users in any of the three offices to access resources deployed at the other office locations. Distributed computer networks allow efficient sharing of resources among users of the distributed system in a seamless manner. Examples of resources that may be shared include information resources such as databases, files, etc., or operational resources such as devices or processes.
The increased deployment of resources via distributed networks has led to a heightened awareness of security concerns regarding the need to protect the resources from unauthorized access. Several security models have been developed to control access to resources. These models typically include a xe2x80x9cprincipalxe2x80x9d who requests an operation to be performed on a particular resource, and an xe2x80x9caccess controllerxe2x80x9d who receives the request from the principal and based on the request determines if the requesting principal is authorized to perform the requested operation on the resource. Access rights for a resource are generally defined by access rules associated with the resource. The access rules indicate the principals and the operations which may be performed on the resource. The requesting principal is allowed to perform the requested operation on the requested resource if authorized by the access rule.
Several access control systems have been developed based on the security model described above which use mechanisms such as user groups, access lists, capability lists, and lock-key mechanisms to regulate access rights to resources. With the ever-increasing use of distributed systems , the success or failure of such systems in a distributed environment is typically measured by the system""s ease of use, the access control granularity offered by the system, and the scalability of the system with respect to the number of users, resources, operations to be performed on the resources, and the number of requests. While many of the conventional systems listed above are well suited for centralized processing models, they do not always fare as well when used in a distributed environment. In particular, these conventional access control systems do not provide the desired ease of use, access control granularity, and scalability in a distributed environment. As a result, many of these systems are difficult to use and administer and do not scale well as the number of resources, requests, and users increases.
Thus, there is a need for an access control system which can efficiently control access to resources in a distributed environment. It is desired that the system be easy to use and administer, provide fine grained access control granularity, and be easily scalable as the number of principals and resources increases.
The present invention provides techniques for controlling access to resources in a distributed environment. According to one embodiment of the present invention, an access controller executing on a server is responsible for controlling access to one or more resources coupled with the server. The access controller is configured to receive a request from a particular user requesting performance of one or more operations on a particular resource. The access controller attempts to resolve permissions for the operations in the request based on access list information for the particular resource and user hierarchy information for the requesting user. An operation is considered resolved if permissions have been specifically asserted for the operation.
According to one embodiment of the present invention, the access controller determines if permissions have been asserted for the requested operations in the access list information of the particular resource for the particular user. If the permissions are not resolved for all the requested operations, the access controller attempts to resolve permissions for the unresolved operations by tracing up the user hierarchy information for the user to determine if permissions have been asserted for the unresolved operations for any of the user""s ancestors in the access list information of the particular resource. If permissions have been asserted for the user""s ancestors, those permissions are attributed to the user and the particular operations for which the permissions have been asserted are considered resolved.
According to another embodiment of the present invention, if all operations cannot be resolved based the user hierarchy information and the access list information for the particular resource, the access controller attempts to resolve the unresolved operations based on the particular user""s user hierarchy information in combination with resource hierarchy information and access list information for the resources in the resource hierarchy information.
According to one embodiment, if all the operations in the user""s request cannot be resolved based on the user hierarchy information and the access list information for the particular resource, the access controller attempts to resolve the unresolved operations by tracing up the resource hierarchy information to determine ancestor resources of the particular resource, and then determining if permissions have been ,asserted for the unresolved operations in the access list information for any one of the ancestor resources for principals in the particular user""s user hierarchy information. If permissions have been asserted, those permissions are attributed to the particular user for the resolved operations on the particular resource.
According to another embodiment of the present invention, the access controller attempts to resolve the requested operations based on the resource hierarchy information and access list information for the resources in the resource hierarchy information. If all the operations in the user""s request cannot be resolved based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information, the access controller then attempts to resolve the unresolved operations based on the resource hierarchy information in combination with the particular user""s user hierarchy information, and the access list information for the resources in the resource hierarchy information.
According to one embodiment of the present invention, positive or negative permissions may be asserted for an operation in the access list information of a resource for a user. A positive permission may indicate that the user is specifically authorized to perform the operation on the resource. A negative permission may indicate that the user is specifically prohibited from performing the operation on the resource.
The invention will be better understood by reference to the following detailed description and the accompanying figures.