Cleanup Mechanism for Access Control Lists

IP.com Disclosure Number: IPCOM000114178D
Original Publication Date: 1994-Nov-01
Included in the Prior Art Database: 2005-Mar-27
Document File: 4 page(s) / 124K

Publishing Venue

IBM

Related People

Kramer, PH: AUTHOR

Abstract

Disclosed is an efficient automated mechanism for cleaning up access control lists when a user is removed from a loosely-coupled multi-system security realm.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Cleanup Mechanism for Access Control Lists

      On computer systems today, there is a relationship between a
real individual that utilizes resources on a system and a set of
identification information stored internally.  Users are typically
enrolled into a system and can then be authorized to use objects
(e.g., files) or can be the owners of objects (usually as a result of
object creation).

      User ownership or authorization permissions to objects (e.g.,
files) in a system are logically stored in list structures referred
to as Access Control Lists (ACLs).  Each list can be associated with
a set of objects, but is more commonly associated with a single
object.  Entries in an ACL identify users and permissions that the
users have to the object(s) associated with the ACL.  Ownership may
also be stored in ACLs, either as a permission or a special entry
type.

      Enrollment information for users is typically stored in some
form of user registry.  In distributed systems, there is often a
single system designated as the registry manager, although multiple
replicated copies of the registry data may exist.  User enrollment
and deletion are accomplished through this user registry manager for a
set of systems referred to as a security realm.  When a user is
deleted from the realm, access control list entries that associate
the user with various objects in the realm need to be cleaned up and
deleted.  Techniques today range from occasionally running a scanning
program over all the objects in a system and removing entries for
which there is no associated user enrolled, to systems that
automatically delete all associated entries.  The problem is that
none of these techniques scale well to a distributed security scheme.
The scanning program which is typical of UNIX* systems does not even
scale well for a large single system.

      The solution is based on the concept of an
Authorization/Ownership object (A/O).  One A/O object is associated
with each user.  An A/O object contains a list of objects a user is
either authorized to or owns.

      Whenever a user is given ownership or is initially authorized
to an object (call it X) on a particular system, a check is made to
determine if there is an A/O object for the user on that system.  If
there is, the A/O object is updated by adding an entry for the ACL of
object X.  If an A/O object does not exist, one is created for the
user and the entry is added.  Also, when an A/O object is created, a
notification is sent to the user registry.  This notification
identifies that an A/O object was created for the user and the system
on which it was created.  This information is added to the registry.
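
As an added illustration, not part of the disclosure or of any IBM code, the following Python model implements the A/O-object bookkeeping described above together with the deletion path that the abbreviated text cuts off, assumed here to be the natural inverse: the registry contacts only the systems it recorded for the user, and each of those walks the user's A/O object instead of scanning every ACL on the system. All class, method, user and object names are constructed.

```python
from collections import defaultdict

class Registry:
    """Realm user registry; records which systems hold an A/O object per user."""
    def __init__(self):
        self.users = set()
        self.ao_locations = defaultdict(set)  # user -> set of system names

    def enroll(self, user):
        self.users.add(user)

    def notify_ao_created(self, user, system_name):
        self.ao_locations[user].add(system_name)  # the notification in the text

    def delete_user(self, user, systems):
        """Assumed deletion path: contact only the systems recorded for the user."""
        self.users.discard(user)
        return {name: systems[name].cleanup_user(user)
                for name in sorted(self.ao_locations.pop(user, set()))}

class System:
    def __init__(self, name, registry):
        self.name, self.registry = name, registry
        self.acls = defaultdict(dict)  # object -> {user: permission}
        self.ao = {}                   # user -> A/O object: set of object names

    def grant(self, user, obj, perm):
        """Initial authorization/ownership: update the ACL and the user's A/O object."""
        self.acls[obj][user] = perm
        if user not in self.ao:          # first grant on this system
            self.ao[user] = set()
            self.registry.notify_ao_created(user, self.name)
        self.ao[user].add(obj)

    def cleanup_user(self, user):
        """Walk the user's A/O object rather than scanning every ACL on the system."""
        return sum(self.acls[obj].pop(user, None) is not None
                   for obj in self.ao.pop(user, set()))

def demo():
    """Constructed realm: three systems, two users; deleting alice touches only A and B."""
    reg = Registry()
    systems = {n: System(n, reg) for n in ("sysA", "sysB", "sysC")}
    for u in ("alice", "bob"): reg.enroll(u)
    systems["sysA"].grant("alice", "/data/report", "owner")
    systems["sysA"].grant("alice", "/data/notes", "read")
    systems["sysB"].grant("alice", "/bin/tool", "read")
    systems["sysB"].grant("bob", "/bin/tool", "owner")
    systems["sysC"].grant("bob", "/etc/cfg", "read")
    return reg.delete_user("alice", systems), systems
```

The returned dict shows which systems were contacted and how many ACL entries each removed; a system holding no A/O object for the user (sysC here) is never visited.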

      If a user's ownership or object authorization...