1. Field of the Invention
The present invention generally relates to file access control systems and, more particularly to a front end system for controlling a file access control system.
2. Description of the Prior Art
In computer systems, control of access to data and program files is often of critical importance in order to maintain file integrity and to obtain security for the information in the files. Control of access to files is particularly important in multi-user systems where a plurality of user terminals are connected to shared or distributed resources, such as memory, and where each terminal is capable of performing as a virtual machine with the entirety of the shared resource resident therein.
Any system for file access control will typically have the capability of regulating access when there is the possibility that a file may be altered so that alterations by one user will not be written over by another user when the file is again stored and to provide each user with only the most recent form of the file. File access systems also will typically have the facility to limit access on a "need to know" basis to limit the files to which a given user may have access or the type of access which can be granted to a user. For example, a user may be denied access to files for which that user has no particular need or, although a particular user may have need for access to information in the file, that user might not have a need to be able to alter the data in that file. As can be readily understood, the reduction of the number of users having the capability of writing to a file can greatly reduce the likelihood that the file may be inadvertently corrupted or that erroneous information will be introduced into the system.
Efficient satisfaction of the above basic requirements of a file access control system necessarily implies some sort of hierarchical division of the shared resource. Such division of the shared resource might be by subject matter, level of sensitivity (e.g. confidentiality) or both at a plurality of levels. Alternatively, the division could be on the basis of individual files. Whatever the hierarchical division might be, it is necessary that each accessible portion of the shared resource include a list of authorized users and the type of access that each may be granted.
For example, in the Resource Access Control Facility (RACF) system, an IBM corporate product program, the shared resource, although possibly physically distributed, can be conceptualized as a master disk and will be so denominated hereinafter. Groups of files therein are divided by subject matter such as individual products, planning, processes, etc. These groups of files form virtual disks, sometimes referred to as mini-disks, which, for purposes of this description are identified by a number. A list of authorized users must exist for each mini-disk.
It should be understood that while the present invention will be described in terms of the RACF system, it is applicable to any system for controlling file access since the basic requirement for any such system is the maintenance of lists of authorized users corresponding to files in the shared resource.
Division of the shared resource in some manner provides a substantial simplification of the access system requirements. For example, it can be readily understood that each list of authorized users of a portion of the resource may potentially contain an entry for each possible user of the system and which can number in the thousands. Therefore, it is not practical to maintain such a list for each file in the system since the size of the list of authorized users might greatly exceed the size of a substantial number of the files. By the same token, each time there is a change in the data concerning any authorized user, each list of authorized users might potentially require updating. On the other hand, the number of lists cannot necessarily be kept small since the division must be made in such a way as to provide the desired degree of selectivity of access since all files in any division corresponding to a single list of authorized users will be accessible to all users contained in that list. Therefore, the number of divisions (e.g. mini-disks) of the shared resource might well number in the hundreds, presenting a major burden when the user lists must be altered.
This burden is compounded by the fact that, for security, passwords or user ID's and other information for validating access must be changed from time to time. Also, the statistical likelihood of a change being required will increase with the number of users. Moreover, the requirement for alteration of multiple lists increases the likelihood of erroneous or obsolete information remaining in a list of authorized users of the mini-disk. In any event, all of these operations must be performed by personnel responsible for management of the database or shared resource, requiring substantial amounts of time and numbers of personnel as well as detailed specialized knowledge of the file access control system. Further, updating the lists of authorized users requires access to the system which may limit use by other users of the system.
It should be noted that granting access to a mini-disk typically requires either logging on to the owning user ID or another user ID that has an "alter capability" to the mini-disk. "Alter capability" can only exist for an administrator user ID if the user ID is located on the same node as the owning user ID or if the administrator's user ID node has a "single system image" with the owning user ID. "Single system image" can be thought of as a network of nodes, each having access to all of the disk space in the network. This arrangement can only be put in place for nodes having a close proximity to one another. After logging onto the appropriate user ID, the administrator is required to input specific (e.g. RACF) commands to grant or remove access for each user whose access must be changed.
The RACF commands can be either against a single user for a mini-disk or against a group of users for a mini-disk. In the event a RACF command is issued against a list of users, the administrator must keep track of the user ID's to be added or deleted. RACF will take the entire list and either add all the user ID's on the list or delete all the user ID's on the list. If an administrator wants to obtain access or delete access for a user ID for several mini-disks, the administrator must issue the appropriate RACF command for each user ID per mini-disk or group of user ID's per mini-disk.