Reference Monitor - Application-ID Operand

IP.com Disclosure Number: IPCOM000100044D
Original Publication Date: 1990-Mar-01
Included in the Prior Art Database: 2005-Mar-15
Document File: 2 page(s) / 114K

Publishing Venue

IBM

Related People

Janis, FL: AUTHOR

Abstract

This article describes a feature that relates to Reference Monitor Services. The Reference Monitor Service concept is designed to provide access control for applications and objects within the application. Access control is where users or subjects are limited in the actions they may perform upon resources or objects. A Reference Monitor is defined as the program or service where access control decisions are made and access control information is kept. This concept allows the decision-making process and information to be kept in one location for a host which can be used by all applications or services within the host. As we move from a single host environment to distributed processing, where a service may be performed in several different hosts, the ability to interchange access control information becomes a requirement.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 51% of the total text.

Reference Monitor - Application-ID Operand

       This article describes a feature that relates to
Reference Monitor Services. The Reference Monitor Service concept is
designed to provide access control for applications and objects
within the application.  Access control is where users or subjects
are limited in the actions they may perform upon resources or
objects. A Reference Monitor is defined as the program or service
where access control decisions are made and access control
information is kept. This concept allows the decision-making process
and information to be kept in one location for a host which can be
used by all applications or services within the host.  As we move
from a single host environment to distributed processing, where a
service may be performed in several different hosts, the ability to
interchange access control information becomes a requirement. The
interchange is designed to be as simple as possible and meet today's
requirements for office products and yet provide a growth path for
enhanced security and access control requirements for customers.

      The Reference Monitor Service concept is limited to how
information is interchanged between two different services or an
application and service. The architecture is oriented toward how the
information is passed from a requester to a service. The requester
may be a service or application itself or may be a user of the
application or service.  The goal is for the information to be passed
locally or remotely in the same fashion.  The information may flow
between two versions of the same product or two different products or
two different products on different systems.  If the information
flows between two different systems, then it must be carried on a
transmission line.

      The functionality of the Reference Monitor Services is built in
three ways. First, there are the basic blocks of access control
information, called profiles. Second, there is the basic form of
interchange, commands and their operands. Third, there are the
functions that can be accomplished as the different types of profiles
interact, and the commands to be used to create and destroy
relationships between profiles.

      The Reference Monitor Services is built to deal with the access
control interaction of subjects and objects. Subjects are users who
carry out actions upon objects. They act on their own, can be
organized into groups, or collected with other users in lists.
Objects are the resources requiring protection. Resources can be
grouped into sets. Subjects can function, at times, as objects
requiring protection. The goal is to make these interactions as easy
to use as possible and as close to the way people function in the
office or other data processing environments.
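
The subject/object model described above, as a minimal sketch added here (not code from the IBM disclosure): one monitor keeps every profile and answers every access request with default deny. The class, its method names, and all user, group and object ids are assumptions for illustration; the disclosure's actual commands and operands are not shown in this abbreviated text.

```python
from dataclasses import dataclass, field

@dataclass
class ReferenceMonitor:
    """One decision point per host: keeps the profiles, makes every decision."""
    groups: dict = field(default_factory=dict)         # group -> set of users
    resource_sets: dict = field(default_factory=dict)  # set name -> set of objects
    grants: set = field(default_factory=set)           # (subject, object, action)

    def _subject_names(self, user):
        # A user acts alone and through every group that contains them.
        return {user} | {g for g, m in self.groups.items() if user in m}

    def _object_names(self, obj):
        # An object is protected directly and through every set holding it.
        return {obj} | {s for s, m in self.resource_sets.items() if obj in m}

    def grant(self, subject, obj, action):
        # Create a relationship between a subject profile and an object profile.
        self.grants.add((subject, obj, action))

    def revoke(self, subject, obj, action):
        # Destroy that relationship; later checks fall back to deny.
        self.grants.discard((subject, obj, action))

    def check(self, user, obj, action):
        # Default deny: allowed only if some grant covers the request.
        return any((s, o, action) in self.grants
                   for s in self._subject_names(user)
                   for o in self._object_names(obj))


def build_demo():
    # Constructed sample data; every name below is made up for illustration.
    rm = ReferenceMonitor()
    rm.groups["payroll"] = {"alice", "bob"}
    rm.resource_sets["salary-docs"] = {"doc-17", "doc-18"}
    rm.grant("payroll", "salary-docs", "read")  # group -> resource set
    rm.grant("alice", "doc-17", "update")       # single user -> single object
    rm.grant("carol", "bob", "update")          # subject "bob" acting as an object
    return rm


if __name__ == "__main__":
    rm = build_demo()
    print(rm.check("bob", "doc-18", "read"))    # via group and resource set
    print(rm.check("bob", "doc-17", "update"))  # no grant covers this
    print(rm.check("bob", "bob", "update"))     # own profile is still protected
```

Because every application on the host calls the same `check`, revoking one grant takes effect for all of them at once.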

      The Reference Monitor Services consists of commands and
operands.  With this set of comman...