1. Field of the Invention
The present invention relates to systems and methods for managing data processing systems, and especially to a system and method for controlling user authorities to access one or more databases in a data processing system.
2. Background of Related Art
In data access management, it has often been found desirable to limit various authorizations or permissions granted to users. For example, it may be desirable to limit access by certain users or groups of users to certain directories only, or to certain files only within a database of a data processing system. This helps prevent unauthorized use of sensitive data, and helps prevent damage to the data processing system through inadvertent alteration or deletion of data or other files. Examples of different permissions are authority to read, write or execute files, data or directories, and authority to modify other users' permissions and authorities.
One system used to manage access to data in a data processing system is a file system employing Access Control Lists (ACLs). ACLs identify which users may access an object such as a file or directory, and identify the type of access that a user has for a particular object. A network manager or system operator may alter such ACLs to change what a user may have access to, the type of access available, and the operations that the user is authorized to perform on the accessed data.
U.S. Pat. No. 5,701,458 entitled “System and Method for Managing Arbitrary Subsets of Access Control Lists in a Computer Network” and issued on Dec. 23, 1997 discloses a system and method for managing access to objects organized in a hierarchical structure in a data processing system. The system permits manipulation of an arbitrary set of ACLs and individual entries within an ACL. A set of actions covering all possible entry updates provides flexibility in manipulating ACLs and removing latent ambiguity. By permitting operation on the arbitrary set of ACLs rather than a resource tree, heterogeneous trees remain after an apply function. A mechanism is provided for identifying specific failures of ACL updates by resource name and error, and thereby permitting correction without necessitating re-running of the entire apply function.
However, the above-described system and method does not provide for operations such as reading, writing and modifying permissions and authorities to be assigned to a single authority. Furthermore, administrators of the system cannot set authorities of different users according to particular contents of various different databases. This can cause inconvenience for the administrators, who may sometimes be required to temporarily alter a user's authority to allow access for the user to a specific database on a particular occasion only. Accordingly, it is desired to provide a system and method which overcomes the above-mentioned problems and difficulties.