A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawing hereto: Copyright(copyright)1998, Microsoft Corporation, All Rights Reserved.
1. Field
This invention relates generally to software access control, and more particularly to providing access control on an object type basis.
2. Background
Multi-user computer systems and systems connected to a multi-user network of computers require the ability to control and restrict access to various components and services provided within the computer system. Windows NT(copyright) is an operating system available from Microsoft Corporation, Redmond Washington, and is an example of a multi-user system implementing access control. Several reasons exist for providing access control, however primary reasons are to protect the privacy of each user""s data, and to protect system data from intentional or inadvertent corruption causing system failure or inefficient operation.
Examples of the components typically requiring an access control mechanism include file systems, electronic mail (E-mail) services, directory services, and database systems. Each of these components is generally represented by objects having a plurality of properties describing various aspects of the object. Generally, the objects can be divided into two categories, container objects and non-container objects. Non-container objects are objects that are atomic, that is, they cannot contain other objects. Container objects are objects that can contain other objects, including other container objects. An example of a container object is a folder object in a file system manager. A folder, as is known in the art, can contain files and sub-folders. Thus, a folder object is a container object, since it can contain other objects (file objects and folder objects). A file cannot contain other files or sub-folders, therefore the file object is a non-container object.
Another example is a directory service. Directory services maintain a database of objects describing various resources available on the computer system. The Active Directory(trademark) system available from Microsoft Corporation, Redmond Wash. provides such a service. Directory services typically need to maintain a wide variety of objects to represent the various types of resources available on modern computer systems. These objects include both container objects and non-container objects. Examples of entities represented by non-container objects include system users, computers, printers and the like. Examples of entities represented by container objects include organizational units, domains and groups. The object types mentioned are meant to be representative of the many types of objects maintained by a directory service, and do not necessarily include all the object types defined by a service.
It is important to provide access control for directory objects because the objects are used to define critical features of complicated systems. The intentional or accidental creation or deletion of an object can have serious effects. For example, deleting an object representing a computer hosting a mission critical database system could cause applications relying on the database to fail. Thus, an important aspect of access control systems is the ability to restrict access to objects to those users responsible for insuring that the object and object structure is correct.
Typically, there are several major concepts common to access control systems provided by prior systems. The first concept is that users of the system are assigned a user identifier (USERID). The USERID uniquely identifies a user to the system. The USERID is used to control and track access to the various components of the computer system. The USERID is generally associated with a password, which must be correctly supplied before a user is allowed access to the system.
In addition to the USERID, some operating systems, including Windows NT(copyright), also support the concept of a group identifier (GROUPID). A group identifier allows the system to treat a related group of users in a similar way. For example, there may be a group of users assigned to a backup group whose function is to provide daily backups of the data contained within the computer system. Since the members of this group would all need similar system privileges, it is easier and more convenient to include them in a user group and assign the privileges to the group, rather than to each individual within the group.
The second concept supported by access control systems is the concept of access rights associated with an object. Access rights define who is allowed to perform particular operations on an object and are typically granted or denied based on the USERID or GROUPID associated with an application making a service request. In the context of a file system, access rights associated with files include the right to create a file, read a file, write a file, update a file, and delete a file. In the context of a directory service, access rights associated with directory entries include the right to create an entry, read an entry, update an entry, and delete an entry.
Prior systems have used bit masks to represent permissions (also referred to as access rights or access control rights) associated with an object. In this scheme, each bit in the bit mask represent one of a plurality of different permissions. In one system, Windows NT(copyright) version 4.X, the bit mask is 32 bits wide.
A critical problem with using bit masks to define access control rights is that the number of rights that can be defined in the system is bound by the number of bits in the bit mask. In the above example, a maximum of 32 different rights are available. This limitation becomes more critical as the number of different types of objects increase. Associating a create and delete right for each object type defined in a system using only a bit mask will quickly exhaust the number of bits in the bit mask. Additional memory could be added to the data structure to increase the size of the bit mask, however this raises compatibility problems between applications designed for the old and new bit mask sizes.
Therefore, there is a need in the art for an access control system that provides a mechanism for defining access control rights for specific object types that allows for a large number of differing object types. The data structures used to support the access control should not need modification as the number of object types increases. In addition, the system should be implemented by a central module within the operating system in order to provide a consistent, non-redundant interface.
The above-identified problems, shortcomings and disadvantages with the prior art, as well as other problems, shortcoming and disadvantages, are solved by the present invention, which will be understood by reading and studying the specification and the drawings. In one configuration, the system includes an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry (ACE). The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.
One aspect of the invention is that access rights are interpreted with respect to a particular object type identifier. Different object types can have different access rights, allowing for a large number of possible object type and object access right combinations.
One of the data structures defined in the invention includes fields defining whether access is begin granted or denied, and the type of access to grant or deny. The data structure also defines the user or group to whom the permission is granted or denied. Finally, the data structure includes an identifier used to indicate the object type to which the permissions apply.
One of the data structures defined in the invention includes fields defining whether access is being granted or denied, and the type of access to grant or deny. The data structure also defines the user or group to whom the permission is granted or denied. Finally, the data structure includes an identifier used to indicate the object type to which the permissions apply.
A second data structure defined in the invention allows groups of related objects to be included in a set. The data structure is implemented as a graph structure, with the root of the graph identifying a container object type. Lower level nodes in the graph describe sets of related child object types that may be created, deleted or listed from the container object.
The invention includes systems, methods, computers, and computer-readable media of varying scope. Besides the embodiments, advantages and aspects of the invention described herein, the invention also includes other embodiments, advantages and aspects, as will become apparent by reading and studying the drawings and the following description.