The present invention generally relates to the access and usage control and management of information stored in a computer environment. The invention relates more specifically to a method and apparatus for controlling access to and usage of electronic information using centrally managed rules in a computer environment.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated in this application, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Networked computer systems have evolved over the years from simple serially connected computer systems to massively networked computer systems connected via large intranets and the Internet. During this evolution, many different concepts were developed to manage how users are granted access to electronic files stored in the computer systems. How a computer system determines if a user permission to access a file has been a complex problem to solve.
Some operating systems use a simple approach to determining whether a user has permission to access a file. For example the Unix operating system gives a system administrator or file owner the ability to attach access permissions to directories and files. There are three types of access permissions that the system administrator or file owner can select from. The permissions are: read, write, and execute. These permissions can then be limited to three types of users: the owner of the file; the group that the owner belongs to; and other users. Each permission and user type has two states: allowed or denied.
Whenever a user accesses a file, the Unix operating system first checks the permissions set for a file against the user's type. The operating system checks if the user falls into any of the three user types. If the user is a member of any of the user types and the user type has been specified as allowed, then the operating system checks which of the permissions are set as allowed. The user is then allowed to perform any access that falls under an allowed permission.
This approach does not offer much flexibility to the system administrator. The system administrator cannot specify particular users other than the owner or particular groups. The permissions are limited to directories and files within the file system and do not cover nonfile system objects such as e-mails and Web pages. Further, the operating system checks permissions for file accesses based only on user and it does not restrict file accesses based on application programs.
A more advanced approach that is commonly used is called Access Control Lists (ACL). ACL uses a language that allows the system administrator or file owner to set read, write, and execute permissions for specific users and groups of users for accesses to files. In some approaches, each set of ACLs for a particular directory reside in a file stored in that directory. The ACLs apply to files that are contained within that directory. When a user attempts to access a file in a directory, the operating system loads the ACL file and reads the ACL rules that were created by the system administrator or user. The operating system determines if the user is allowed to access the file by parsing the ACL rule. In other approaches, a set of ACLs associated with a file is stored as one or more extended file system attributes of the file. In another implementation, access control and auditing ACLs are stored in a security descriptor associated with a file or a directory.
There are many drawbacks to the ACL approach. ACL only applies to files within a file system and does not apply to nonfile system objects. The ACL support is built into the operating system kernel and cannot be extended. ACL is not very portable because it is file system specific and is therefore not universal which means that not all file systems support the same ACL and not all operating systems have the same interpretation of an ACL. When a file is copied from one file system to another (or from one operating system to another), some of the control information may be lost due to compatibility issues. Further, ACL is difficult to apply to users outside of a company's file system (e.g., a customer). Finally, as with the operating system example above, ACL is capable of controlling file accesses by a user but is not capable of controlling file accesses by a particular application program or at a particular time or location.
Applications such as document management systems require a user to check a document in and out of a library system. Once the document has been checked out, it can be distributed and modified in any manner. This means that there is no control over how a document is used once the document leaves the document management system.