1. Field of the Invention
The present invention relates to regulating access to data objects contained in a database. More particularly, the invention concerns integer interval based access control enforcement.
2. Description of the Related Art
As the Internet has become a social infrastructure for data sharing and information management, the need to process and classify a large amount of diverse information resources within an enterprise, and make them available to a large set of "diverse" users has increased. Potential problems and the diversity of the applications make it necessary to re-examine some kernel problems, such as access control, data retrieval, and resource management. These problems have been central to traditional operating systems and large scale databases, and more efficient and scalable solutions need to be discovered.
The Internet is a complex environment where information is distributed across the Internet's infrastructure. Some information such as technology secrets and personal records is sensitive and should only be accessible to a select group of users depending on their right for information access. Access control determines which users are allowed to access certain information.
In many information management systems, such as the IBM Grand Central Station (GCS), an expedient "group" based access control model is used to specify which user can access which object. In such a model, each user belongs to one or more access groups and each information object is accessible only to certain set of groups. For example, sensitive personnel information is only accessible to members of the Personnel Managers group. In general, there is a hierarchial structure defined over the access groups. For example, Personnel Managers may be a subgroup of Group Manager, which means that it is a more restrictive group. The access control problem, in this setting, is to determine whether the group membership will allow a user to access a protected information object according to this group based access control model.
Group based access models have been used in the Andrew File System (AFS, developed at Carnegie Mellon University, see J. H. Morris et al., "Andrew: a Distributed Personal Computing Environment," Communications of the ACM, 29 (3), March 1986 for accessing in a shared file system, and in various operating systems and database systems. These models work well for databases having a smaller number of objects, groups, and users, and generally provide solid real-time response for information requests.
However, what is needed in an "interval" access method that can be applied to the enormous database comprising information available over the Internet. The method should be capable of handling very large numbers of objects, groups, and users, larger than could reasonably be handled by current group based access models. The method should also provide superior real-time response to an information request as compared to current methods.