Authorization Check Function

IP.com Disclosure Number: IPCOM000045521D
Original Publication Date: 1983-Apr-01
Included in the Prior Art Database: 2005-Feb-07
Document File: 3 page(s) / 34K

Publishing Venue

IBM

Related People

Jennings, SM: AUTHOR [+2]

Abstract

This article describes a method for operating a computing apparatus to use a set of production rules to define the steps necessary to determine if a user is authorized to access a particular set of data in a given manner.

At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

The purpose of the authorization check function is to determine whether or not a particular user may perform a requested operation on a particular named resource. For example, if user SMITH attempts to insert data into a table called PAYROLL, the check function is invoked to determine if a user whose name is SMITH is authorized to perform the operation INSERT on a resource type of TABLE with a resource name of PAYROLL. If user JONES attempts to drop a data base called PARTS, the check function is invoked to determine if a user whose name is JONES is authorized to perform the operation DROP on a resource type of DATABASE with a resource name of PARTS.

In one prior-art facility, the code in the check algorithm determines whether or not a user is authorized to perform a particular function. For example, there is one section of code for checking access to tables, another set of code for checking access to programs, and yet another set of code for checking special authorizations.

In this improvement, the code in the check algorithm does not "know" what type of resource is being accessed nor does it "know" what operation on that resource is being requested. Instead, the check algorithm uses values passed to it to determine the address of a list of one or more data base requests that must be performed in order to perform the check function. The code sequentially performs every data base request in the list until it either reaches the end of the list or receives a return code of zero from the data base manager. If it receives a zero return code from the data base manager, the user is authorized to perform the function in question. If it reaches the end of the list without receiving a zero return code from the data base manager, the user is not authorized to perform the function.

The appropriate lists of data base manager calls are generated from definitions that describe the authorization required to perform a particular function. The definitions may be written as a series of macro calls.
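
The list-driven check described above, as an added sketch that is not code from the original disclosure. SQLite stands in for the data base manager; the table names, the three request types, the rule table and the nonzero `NOT_FOUND` code are assumptions, and the sample rows are constructed.

```python
import sqlite3

NOT_FOUND = 100  # assumed nonzero "no row" code; the page only says zero authorizes

# Constructed sample authorization catalog (table and column names are assumptions).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE grants (userid TEXT, rtype TEXT, rname TEXT, op TEXT);
CREATE TABLE owners (userid TEXT, rtype TEXT, rname TEXT);
CREATE TABLE special (userid TEXT, authority TEXT);
INSERT INTO grants VALUES ('SMITH', 'TABLE', 'PAYROLL', 'INSERT');
INSERT INTO owners VALUES ('JONES', 'TABLE', 'PAYROLL');
INSERT INTO special VALUES ('ADMIN', 'DBA');
""")

# Reusable data base requests; each is evaluated with named parameters.
HAS_GRANT = ("SELECT 1 FROM grants WHERE userid=:user AND rtype=:rtype "
             "AND rname=:rname AND op=:op")
IS_OWNER = "SELECT 1 FROM owners WHERE userid=:user AND rtype=:rtype AND rname=:rname"
IS_DBA = "SELECT 1 FROM special WHERE userid=:user AND authority='DBA'"

# The "definitions": (resource type, operation) -> ordered list of requests.
# Changing what authorizes an operation means editing this table, not check().
RULES = {
    ("TABLE", "INSERT"): [HAS_GRANT, IS_OWNER, IS_DBA],
    ("TABLE", "DROP"): [IS_OWNER, IS_DBA],
    ("DATABASE", "DROP"): [IS_DBA],
}

def db_request(sql, params):
    """Stand-in for the data base manager: 0 if a row satisfies the request."""
    return 0 if db.execute(sql, params).fetchone() else NOT_FOUND

def check(user, op, rtype, rname):
    """Generic check: knows nothing about resource types or operations."""
    params = {"user": user, "op": op, "rtype": rtype, "rname": rname}
    # An undefined (type, operation) pair yields an empty list, so it denies.
    for sql in RULES.get((rtype, op), []):
        if db_request(sql, params) == 0:
            return True   # first zero return code authorizes
    return False          # end of list reached without a zero: not authorized
```

Because an operation with no definition yields an empty request list, the check denies it for every user, including one holding the assumed DBA authority.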

The main reason for taking this approach was that the definitions of the authorization required to perform all of the different operations within a subsystem under development were constantly...