1. The Field of the Invention
The present invention relates to the field of computer networks. In particular, the present invention relates to methods and systems for synchronizing security descriptors in computer networks that use multiple security descriptor specifications.
2. The Prior State of the Art
In the context of computers, security is often defined as the prevention of unauthorized use of an object. Such objects may include documents, databases, user objects, mailboxes, executables and the like.
In order to prevent unauthorized use of an object, prior to allowing a requested use of the object, computer systems typically authenticate the requesting entity to obtain a reasonable degree of assurance that the requesting entity is what it purports to be. Once the requesting entity is authenticated, the computer system refers to security information called “security descriptors” (which contain, among other information, “access control lists” or ACLs) that describe the requesting entity's rights to use the object. If the security descriptor expressly or implicitly indicates that the requested use is unauthorized for the requesting entity, then the computer system typically does not allow the requested use of the object to the requesting entity. Otherwise, if the security descriptor expressly or implicitly indicates that the requested use is authorized for the requesting entity, then the computer system typically allows the requested use of the object to the requesting entity. Thus, current security mechanisms rely heavily on security descriptors that define user rights to objects.
Different programs may define the same rights differently using different security descriptors. So long as the program controlling use of an object is able to interpret a security descriptor properly, the program should also be able to properly control the use of the object. Some programs may recognize one specification for interpreting security descriptors while others recognize an entirely different security descriptor specification. For example, the MICROSOFT® WINDOWS NT® workstation 4.0 and server 4.0 operating systems recognize a security descriptor specification called herein the “4.0 specification.” In contrast, the MICROSOFT® WINDOWS® 2000 operating system recognizes a significantly different security descriptor specification that is used by the ACTIVE DIRECTORY™ and is called herein the “Active Directory specification.” The relevant points of each of these security descriptor specifications will now be described.
Typically, security descriptors include one or more ACEs or “Access Control Entries”, each ACE including a security principal identifier (e.g., a user, group, or computer) followed by a list of rights that apply to that security principal identifier. In the 4.0 specification, the ACEs include a field of 32 bits often called an “access mask”, each bit in the access mask representing a flag that defines a certain right. If the flag is set, the corresponding right is granted (for an access-allowed ACE) or refused (for an access-denied ACE) to the associated security principal. This type of ACE is often called a “standard” ACE since the ACE is not in the form of an object. In order to avoid confusion with other elements in this application labeled “standard”, these “standard” ACEs will be referred to as “non-object” ACEs in this description and in the claims.
The Active Directory specification may also include security descriptors that have “non-object” ACEs which include a similar access mask associated with a security principal identifier. However, in the Active Directory specification, an ACE may also carry an object identifier in the form of a GUID or “Globally Unique Identifier”, each GUID identifying the individual property, property set, child object class or extended right to which the access mask applies. Since the number of GUIDs that may be used to identify rights is essentially limitless, numerous individual rights may be associated with a security principal identifier. Thus, the Active Directory specification permits fine-grained control over security permissions. The GUID ACEs are often referred to as “Object ACEs” since they are scoped to an object identified by the GUID.
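The following Python is an added worked example, not code from the patent or from Microsoft: it serializes and parses the two ACE layouts described above (a non-object ACE carrying only a 32-bit access mask and a SID, and an object ACE carrying an additional flags field and ObjectType GUID), runs a DACL walk over them, and then shows what is lost when an object ACE is flattened to the 4.0 (non-object) form. The binary layouts and constants follow winnt.h; the SID, the property GUID and the ACL contents are constructed placeholders.

```python
import struct
import uuid

# ACE types and object-ACE flags as defined in winnt.h.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02
DENY_TYPES = (ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE)
OBJECT_TYPES = (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE)
DOWNGRADE = {ACCESS_ALLOWED_OBJECT_ACE_TYPE: ACCESS_ALLOWED_ACE_TYPE,
             ACCESS_DENIED_OBJECT_ACE_TYPE: ACCESS_DENIED_ACE_TYPE}

# Three of the 32 access-mask bits (winnt.h standard rights): one bit per right.
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000


def sid_to_bytes(sid):
    """Textual SID (S-R-A-s1-s2-...) to binary: Revision(1) | SubAuthorityCount(1) |
    IdentifierAuthority(6, big-endian) | SubAuthorities(4 bytes each, little-endian)."""
    s, rev, auth, *subs = sid.split("-")
    assert s == "S"
    out = struct.pack("<BB", int(rev), len(subs)) + int(auth).to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", int(x)) for x in subs)


def bytes_to_sid(buf):
    """Inverse of sid_to_bytes; returns (sid_text, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", buf, 0)
    auth = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % x for x in subs)), 8 + 4 * count


def build_non_object_ace(ace_type, mask, sid):
    """4.0-style (non-object) ACE: ACE_HEADER(type, flags, size) | Mask(4) | SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_object_ace(ace_type, mask, sid, object_type=None):
    """Active Directory object ACE: ACE_HEADER | Mask(4) | Flags(4) | [ObjectType GUID(16)] | SID.
    With a GUID the mask is scoped to that property/class/extended right; without one the ACE
    applies to the whole object. InheritedObjectType is not emitted here (its flag stays clear)."""
    flags = ACE_OBJECT_TYPE_PRESENT if object_type else 0
    body = struct.pack("<II", mask, flags)
    if object_type:
        body += uuid.UUID(object_type).bytes_le  # GUIDs are stored in little-endian field order
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def parse_acl(buf):
    """Parse a concatenation of ACEs of either kind into dicts, advancing by AceSize."""
    aces, off = [], 0
    while off < len(buf):
        ace_type, _hdr_flags, size = struct.unpack_from("<BBH", buf, off)
        (mask,) = struct.unpack_from("<I", buf, off + 4)
        pos, obj_type = off + 8, None
        if ace_type in OBJECT_TYPES:
            (oflags,) = struct.unpack_from("<I", buf, pos)
            pos += 4
            if oflags & ACE_OBJECT_TYPE_PRESENT:
                obj_type = str(uuid.UUID(bytes_le=buf[pos:pos + 16]))
                pos += 16
            if oflags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                pos += 16
        sid, _ = bytes_to_sid(buf[pos:off + size])
        aces.append({"type": ace_type, "mask": mask, "sid": sid, "object_type": obj_type})
        off += size
    return aces


def access_check(aces, principal_sids, requested, object_type=None):
    """DACL walk in ACE order (canonical order lists denies first): a deny ACE whose mask hits a
    still-needed bit denies; allow ACEs accumulate granted bits; success once every bit is granted.
    A GUID-scoped object ACE applies only when its ObjectType equals the GUID being asked about."""
    granted = 0
    for ace in aces:
        if ace["sid"] not in principal_sids:
            continue
        if ace["object_type"] is not None and ace["object_type"] != object_type:
            continue
        if ace["type"] in DENY_TYPES:
            if ace["mask"] & requested & ~granted:
                return False
        else:
            granted |= ace["mask"] & requested
            if granted == requested:
                return True
    return granted == requested  # an empty or non-matching DACL grants nothing


def flatten_to_non_object(aces):
    """Lossy 'downgrade' to the 4.0 specification: a non-object ACE has no GUID field, so the
    ObjectType scope is dropped and the same mask now covers the whole object."""
    return [dict(a, type=DOWNGRADE.get(a["type"], a["type"]), object_type=None) for a in aces]


# Constructed sample: the SID and property GUID are placeholders, not real directory values.
USER = "S-1-5-21-1000-2000-3000-1105"
PROP = "11111111-2222-3333-4444-555555555555"


def demo():
    dacl = (build_non_object_ace(ACCESS_DENIED_ACE_TYPE, DELETE, USER)
            + build_non_object_ace(ACCESS_ALLOWED_ACE_TYPE, READ_CONTROL | DELETE, USER)
            + build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, WRITE_DAC, USER, PROP))
    aces = parse_acl(dacl)
    flat = flatten_to_non_object(aces)
    return {
        "read_control": access_check(aces, {USER}, READ_CONTROL),          # True
        "delete": access_check(aces, {USER}, DELETE),                      # False: deny ACE is first
        "write_dac_on_prop": access_check(aces, {USER}, WRITE_DAC, PROP),  # True: GUID matches
        "write_dac_on_object": access_check(aces, {USER}, WRITE_DAC),      # False: scoped to PROP
        "write_dac_after_flatten": access_check(flat, {USER}, WRITE_DAC),  # True: scope was lost
    }
```

The last two results are the point: the object ACE grants WRITE_DAC only on the one GUID-identified property, but once it is represented in the non-object form the GUID has nowhere to live and the same principal is granted WRITE_DAC on the entire object. Any scheme that keeps both representations in step has to decide, deliberately, how such a scope is carried or approximated in the 4.0 form.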
Often, different security descriptors exist in a common network. This type of network will be referred to as a “security heterogenic network”. For example, one device in the network may run the MICROSOFT® WINDOWS® 2000 operating system thus representing security rights to objects using the Active Directory specification. On the other hand, another device in the network may run either the MICROSOFT® WINDOWS NT® workstation 4.0 or server 4.0 operating system thus representing security rights to objects using the 4.0 specification. In networked computer systems, it is common for many devices to represent the security rights associated with an object even if the device does not locally contain the object. Thus, in security heterogenic networks, security rights to the same object may be represented by different security descriptors that follow different security descriptor specifications.
It is important in any security system that the rights granted on a given object be accurately and consistently represented across each device in the network at any given point in time. Otherwise, the effective security permissions may differ depending on which device accesses the object on behalf of the requester. However, such accurate and consistent representation across security heterogenic networks is difficult precisely because the network uses different security descriptor specifications. Accordingly, methods and systems are desired for accurately and consistently representing or “synchronizing” security descriptors even in security heterogenic networks such as those that use both the 4.0 specification and the Active Directory specification.