1. Technical Field
The present invention relates generally to access control in computer systems and, in particular, to the use of prime numbers to facilitate group based access control to information resources in the computer system.
2. Description of the Related Art
Group based access control is an access control model in which the authorization to access an object from a user is based on some group information associated with the user and/or the object. This model is commonly employed in popular operating systems, database managers, special-purpose applications, and cross-platform computing infrastructures (e.g., The Open Group Distributed Computing Environment or DCE), due to its close fit human organizational structures. Implementation of this model, however, often results in a large amount of overhead in storage, operation, and administration.
The known group based access control paradigm involves users, groups, and information resource objects. A user is the entity who can access an object with some operations. Each user typically belongs to a number of groups. A group is the entity solely defined for the purpose of access control. Each group typically contains as its members a number of users. An object is the entity that can be accessed by a user. Each object can be accessed with a number of operations, depending upon the object's type. Access control on each operation of an object is group based, i.e. whether a user can access an object with an operation depends upon the groups to which the user belongs. Therefore, each object needs to be associated with some access control information that indicates what group of users are allowed to access the object and in what ways (operations).
The traditional and most commonly used mechanism to implement this model is by an Access Control List (ACL). In this known scheme, each object is associated with an ACL that either lists, for each defined access operation, all the groups that are allowed to access the object (a so-called per-operation based ACL) or lists, for each group that is allowed to access the object, all the operations the group can perform (a so-called per-group based ACL). Each group is also associated with a member list that lists all the users belonging to the group. For ease of user administration, each user can also be associated with a group list that lists all the groups to which the user belongs.
In an enterprise environment whose computing systems and applications employ an ACL group based access control mechanism, each operation request from a user to access an object is potentially expensive. This is because the access control modules of these systems and applications need to traverse the whole ACL associated with the object for that access operation and then check if the user belongs to any one of the groups. Such checking may require traversal of the whole member list of each group or the whole group list of the user. The object authorization is costly at run time (especially the I/O operation to load the ACL from persistent storage to volatile memory), and this mechanism also requires a significant amount of space to store ACLs off-line.
Moreover, multiple groups may require access to multiple resources creating a compound and complex access list problem. For each user, a list must be stored listing each group to which the user belongs. Also, for each resource, a list must be stored listing each group which has access to that resource. It is known in the art to assign a prime number to each group, and the access list for resources and the group list for users may be stored as multipliers of these groups of primes. This approach provides an easy storage method, but prior art techniques require computationally intensive methods for decomposing the multipliers to their primes to determine whether a prime number is present on both the users group list and the resources group access list. This technique is illustrated, for example, by Hwang et al. in an article titled "A New Access Control Method Using Prime Factorisation," the Computer Law Journal, Volume 35, No. 1, 1992.
Another known access control technique is to use a prime number assigned to each information resource object. The user is then assigned a number that is a multiple of all of those prime numbers encompassing all access authorities for that user. The determination of whether that particular user has access to a particular resource object is then determined by dividing the prime number assigned to the resource into the access product for the user. If the result is an integer, then access is granted because the prime number for that resource group must be one of the prime numbers used for the access product. This approach, however, is computationally inefficient and also creates a significant administrative burden. In particular, determining every single resource to which a user is entitled access in a system with a large number of resources requires system administrators to tag all of these resources to create the resource access multiplier. In a large system, this technique is simply not feasible.
There remains a need to provide new and efficient techniques for group based access control to information resource objects that do not require ACLs, computationally intensive parsing of prime multiplication factors, or other inefficient or expensive schemes. The present invention solves this important problem.