A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
The present invention generally relates to the field of managing access control in computing systems and more particularly to an object-oriented software method for controlling access to objects and to features of those objects.
Access Control refers to a method for restricting access to a system. Such a system could be hardware or software or any other system, such as a repository functioning as a persistent store for object oriented models. Access control methods typically take the form of a policy that has two major functions. First, it defines the nature of control itself, meaning the features and functions that can be accessed. Second, such an access control policy administers control by defining the type of users who would have access to the features and functions defined previously.
An access control policy can be implemented in many ways. An example from the prior art where such an access control policy has been implemented is disclosed in U.S. Pat. No. 5,903,720, which issued May 11, 1999, entitled “Object System Capable of Using Different Object Authorization Systems”. This patent discloses an access control, which is implemented for accessing “a plurality of different object authorization systems” from an “object system”. The disclosed system requires an authorization system table to be maintained by the object system; and each of the plurality of authorization systems is to be registered as an entry in this authorization table. A problem with this approach is that it makes access control rigid with the need for changing the authorization table each time a user defined authorization system needs to be added.
Further, the system disclosed in the above-cited patent requires that at the time of registering in the authorization table, an “authorization system” is provided to the object system, with pointers to the functions provided by the authorization system. The authorization systems are associated with structures that are not strictly object-oriented in the sense that they are not encapsulated as objects to take advantage of object polymorphism. Thus, this prior art access control system does not provide a framework for defining extensible access control policies.
Another disadvantage of the prior art is that every time access to an object is required, the whole authorization functionality will need to be executed, even for recursive calls on the same object to which access has already been granted. This is a serious overhead burden where an object needs to be accessed repeatedly because there will be repeated executions of the authorization functionality each time access is requested.
Another disadvantage with the prior art, as disclosed in the above-cited patent, is that it does not support access control of the authorization systems themselves, because the authorization systems and system tables are not modeled as objects which can be controlled by the authorization systems. Such control may be necessary to preserve the security of the authorization system.
Still another disadvantage with prior art is that while being suited to large grained objects such as files and storage systems, it is not efficient for use with great numbers of fine grained objects such as model elements, each element being tied to its own access control policy.
It is apparent from the above that an access control system implementing an access control policy as an operation of an access control object (which can be invoked every time an access request is received) can solve many of the problems encountered with the prior art.
It is an object of this invention to provide a method for controlling access to a multiplicity of different objects using a customizable object-oriented access control hook.
It is another object of this invention to encapsulate access control policies in objects so that a variety of access control policies are accomplished through object polymorphism.
Another object of this invention is to provide for an access control object associated with each object in an object system, so that access control is managed from within each object. This reduces the overhead of maintaining authorization structures and tables separate from the objects being controlled.
Yet another object of this invention is to provide a method whereby, having determined that access is granted to an object for a first time, access is automatically granted to recursive requests on the same object.
Still another object of this invention is to provide a method for controlling access to access control.
An advantage of this invention is that it provides a method for controlling access to great numbers of objects in an object-oriented store. This access control is customizable so that different access control policies can be defined for each individual object. Thus the method of this invention efficiently scales up to handle a multiplicity of objects and a multiplicity of access control policies.
A feature of this invention is that it recognizes system administrators as having special access rights, which bypass the access control policies of individual objects.
Another feature of the present invention is that an access control policy on a class object can control construction of new objects and can put new objects under access control before construction is complete.
These and other objects, which will become apparent as the invention is described in detail below, are provided by a computer-implemented object-oriented method for controlling access to a multiplicity of objects. The method includes creating specific access control object types, each including a pre-check method for implementing a pre-defined access control policy. Each one of the multiplicity of objects to be controlled is then associated with one of the access control objects. Next, upon an attempt to invoke a feature of any one of the multiplicity of objects, a determination is made whether that object is linked to an access control object, and if so, the pre-check method for the access control object associated with that object is performed to determine whether to grant access.
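The hook summarized above, sketched as an added Python example (not code from the patent): each object links to a polymorphic access control object whose pre-check runs when a feature is invoked, with the administrator bypass and the automatic grant for recursive requests described earlier. All class, method and user names are hypothetical, and the grant is tracked per user on the assumption of a single-threaded caller.

```python
# Added illustration; every class, method and user name here is hypothetical.
from collections import namedtuple

User = namedtuple("User", "name is_admin", defaults=(False,))

class AccessControl:
    """Base access control object; each subclass encapsulates one policy."""
    def __init__(self):
        self.checks = 0                       # how often the policy actually ran
    def pre_check(self, user, feature):
        self.checks += 1
        return self.allows(user, feature)

class OwnerOnly(AccessControl):
    def __init__(self, owner):
        super().__init__()
        self.owner = owner
    def allows(self, user, feature):
        return user.name == self.owner

class ReadOnly(AccessControl):
    def allows(self, user, feature):
        return feature.startswith("get_")

class ModelElement:
    FEATURES = ("get_label", "set_label")     # only these are reachable via the hook
    def __init__(self, access_control=None):
        self.access_control = access_control  # linked policy object, or None
        self._granted = set()                 # users with a call in progress
        self.label = ""

    def invoke(self, user, feature, *args):
        if feature not in self.FEATURES:
            raise PermissionError(f"unknown feature {feature!r}")
        # Pre-check is skipped for unlinked objects, administrators, recursive requests.
        if self.access_control is None or user.is_admin or user.name in self._granted:
            return getattr(self, feature)(user, *args)
        if not self.access_control.pre_check(user, feature):
            raise PermissionError(f"{user.name} denied {feature}")
        self._granted.add(user.name)
        try:
            return getattr(self, feature)(user, *args)
        finally:
            self._granted.discard(user.name)  # grant ends with the outermost call
    def set_label(self, user, text):
        self.label = text
        return self.invoke(user, "get_label") # recursive request on the same object
    def get_label(self, user):
        return self.label
```

In this sketch the recursive grant covers any feature of the same object until the outermost call returns, so a policy that distinguishes between features is consulted only for the first one invoked.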
Still other objects, features and advantages of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein is shown and described only the preferred embodiment of the invention, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive, and what is intended to be protected by Letters Patent is set forth in the appended claims. The present invention will become apparent when taken in conjunction with the following description and attached drawings, wherein like characters indicate like parts, and which drawings form a part of this application.