Delegation Method in Access Control

IP.com Disclosure Number: IPCOM000106158D
Original Publication Date: 1993-Oct-01
Included in the Prior Art Database: 2005-Mar-20
Document File: 2 page(s) / 64K

Publishing Venue: IBM
Related People: Gladney, HM (AUTHOR)

Abstract

In office and other administrative environments dealing with data objects replacing paper and other information media, people require automatically administered access controls that mimic common delegation patterns, as described in [*] J. D. Moffett and M. S. Sloman, The Source of Authority for Commercial Access Control, IEEE Computer, 59-69, Feb. 1988 and similar sources.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 53% of the total text.

Delegation Method in Access Control

      In particular, what is required is not only permanent privileges
delegated down an organizational hierarchy, but also grants, across the
organization, of subsets of the grantor's privileges to a grantee who
exercises those additional grants temporarily, as a proxy or agent of
the grantor.  Such temporary privileges would be combined additively
with the permanent privileges of the agent.  Each instance of either
temporary or permanent privileges would be a subset of the privileges
of its grantor, as illustrated in FIG. 1.

      These requirements can be conveniently and efficiently met by a
data and calculation system that includes the following elements:

1.  A tree representing a hierarchy of users and departments.

2.  A delegation table in which each row represents a named proxy
    granted by some grantor user to some grantee user, with a vector
    describing which particular privileges are granted, and a tree
    subdomain designation.

3.  A means of modifying the rows of the delegation table, with the
    means being controlle...
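As an added illustration of the elements listed above (this is my own example, not code from the disclosure), the following Python model has a department tree, a delegation table of proxy rows, and the two rules from the text: temporary privileges combine additively (bitwise OR) with permanent ones, and every grant must be a subset of what its grantor holds over the named subdomain. The privilege names, class names and the sample organisation are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

# Privilege vector as bit flags; these four names are a constructed example.
READ, WRITE, APPROVE, SIGN = 1, 2, 4, 8

@dataclass
class Dept:                      # node of the organisation tree (element 1)
    name: str
    parent: "Dept | None" = None

    def within(self, sub):       # True if self lies in the subtree rooted at sub
        d = self
        while d is not None and d is not sub:
            d = d.parent
        return d is sub

# A user has permanent privileges over objects filed under its own department.
User = namedtuple("User", "name dept perm")
# One delegation-table row (element 2): grantor -> grantee, vector, subdomain.
Proxy = namedtuple("Proxy", "name grantor grantee vector subdomain")

class DelegationTable:
    def __init__(self):
        self.rows = []

    def effective(self, user, dept):
        """Privileges user holds over objects filed under dept: the permanent vector
        (when dept lies in user's subtree) OR-ed with every proxy covering dept."""
        v = user.perm if dept.within(user.dept) else 0
        for p in self.rows:
            if p.grantee is user and dept.within(p.subdomain):
                v |= p.vector
        return v

    def grant(self, name, grantor, grantee, vector, sub):
        # Subset rule: the grantor must itself hold every delegated bit over sub.
        if vector & ~self.effective(grantor, sub):
            raise PermissionError(f"{grantor.name} lacks some of {vector:#06b} over {sub.name}")
        self.rows.append(Proxy(name, grantor, grantee, vector, sub))

    def revoke(self, name):      # element 3: rows are replaced, never edited in place
        self.rows = [p for p in self.rows if p.name != name]

# Constructed sample organisation: company > sales > east.
company = Dept("company"); sales = Dept("sales", company); east = Dept("east", sales)
alice, bob = User("alice", sales, READ | WRITE | APPROVE), User("bob", east, READ)
table = DelegationTable()
table.grant("sales_approvals", alice, bob, APPROVE, sales)   # alice's temporary proxy to bob
```

Note that the subset rule is checked only when a row is added: if bob re-delegates APPROVE and alice's proxy is later revoked, bob's onward grant stays in the table, so a deployed system must re-validate rows at use time or cascade revocations.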