Object Access Authorization Mechanism

IP.com Disclosure Number: IPCOM000084433D
Original Publication Date: 1975-Nov-01
Included in the Prior Art Database: 2005-Mar-02
Document File: 3 page(s) / 39K

Publishing Venue

IBM

Related People

Bennett, RB: AUTHOR [+4]

Abstract

In data processing systems it is desirable to have standardized mechanisms in the operating system for restricting access to certain stored objects, according to an authority schedule established by the object creator. Examples of such objects are: 1) sensitive user data such as customer accounts in a bank or payroll records; 2) security routines and data such as audit trails and journals; and 3) system constructs and routines.

This is the abbreviated version, containing approximately 53% of the total text.

Access constraints may be associated with the object during initial entry of the object into the program storage hierarchy of the data processing system, and may be changed at any time thereafter by the creating party or program. Constraints may vary dynamically according to user authorizations and object and/or system status for which access is authorized. The constraints may be syntactically encapsulated in an authorization unit of fixed structure described below.

As shown in Fig. 1, the authorization unit may comprise an indirect pointer area and an access criteria area. The pointer provides indirect addressing (B) of the associated object in response to reference inquiries (A), subject to the authorization defined by the criteria area entries.

The authorization unit may be further resolved into separately stored requestor authorization and object authorization units which are successively referenced, as indicated in Fig. 2. The requestor authorization unit, created by the system when a requestor (user) initially references the object, contains a pointer field which provides a control point for indirect addressing of the object authorization unit. Access to the latter is conditioned upon satisfaction of access arguments specified by the operating system. The requestor authorization unit is preserved...
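The two-stage lookup described above, modeled in Python as an added example (not code from the disclosure). The class names, the `Monitor` component, the three-argument criteria signature and the payroll schedule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Criterion(requestor, operation, system_status) -> bool. The signature is an
# assumption; the page only says constraints may depend on these inputs.
Criterion = Callable[[str, str, str], bool]

@dataclass
class ObjectAuthorizationUnit:
    creator: str
    criteria: Criterion   # access criteria area
    pointer: Any          # indirect pointer to the stored object

@dataclass
class RequestorAuthorizationUnit:
    requestor: str
    target: ObjectAuthorizationUnit  # pointer field: control point for the object unit

class Monitor:
    """Hypothetical operating-system component that mediates every reference."""
    def __init__(self):
        self.system_status = "normal"
        self.objects = {}     # object name -> ObjectAuthorizationUnit
        self.requestors = {}  # (requestor, object name) -> RequestorAuthorizationUnit

    def enter(self, creator, name, obj, criteria):
        # Constraints are attached when the object first enters storage.
        self.objects[name] = ObjectAuthorizationUnit(creator, criteria, obj)

    def set_criteria(self, who, name, criteria):
        # Only the creating party may change the constraints afterwards.
        if who != self.objects[name].creator:
            raise PermissionError(f"{who} did not create {name}")
        self.objects[name].criteria = criteria

    def reference(self, requestor, name, operation):
        # The requestor unit is created on the requestor's first reference.
        key = (requestor, name)
        if key not in self.requestors:
            self.requestors[key] = RequestorAuthorizationUnit(requestor, self.objects[name])
        unit = self.requestors[key].target
        if not unit.criteria(requestor, operation, self.system_status):
            raise PermissionError(f"{requestor} may not {operation} {name}")
        return unit.pointer  # the object is reachable only through the unit

def payroll_criteria(requestor, operation, status):
    # Constructed sample schedule: the clerk may only read, and only in normal status.
    if requestor == "payroll_admin":
        return True
    return requestor == "clerk" and operation == "read" and status == "normal"
```

Because the criteria are evaluated on every reference, a change of system status or a new schedule set by the creator takes effect on the next access, even for a requestor whose unit already exists.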