Generating Negative Access Rights using Positive Rights

IP.com Disclosure Number: IPCOM000115000D
Original Publication Date: 1995-Feb-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 4 page(s) / 115K

Publishing Venue

IBM

Related People

Heyman, JM: AUTHOR [+2]

Abstract

A program is disclosed that allows the administrator of a USENET News system to create machine access based on positive access rights. USENET News bases its access to newsgroup hierarchies on access rights explicitly disallowed to a particular machine (based on its hostname and domain). This invention allows the administrator to concentrate on which newsgroups the machine is allowed access and generates the negative rights automatically.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

      Currently, reading and accessing USENET News can be
accomplished using two different software protocols, Network News
Transfer Program (NNTP) and InterNet News (INN).  This invention
deals specifically with the NNTP protocol, and how it restricts
access for reading/posting articles to newsgroups.

      NNTP authentication works via an ASCII file (referred to as
nntp_access) that contains entries that define what newsgroups a
machine (or domain) CANNOT access.  Since the file is ASCII, there are
no built-in checks for duplicate entries or conflicting entries - the
software uses the last entry for a machine (or domain) as the
definitive access authority.  No validation (or verification) occurs
when a new restricted newsgroup is created.  Without some form of
checking, there is no guarantee that machines/domains that are not
allowed access are actually denied it.  As more and more newsgroups
are added, the restriction line gets worse and worse.

The format of such an entry is:
  machine (or domain) read/write post/xfer list of negative rights
   (with a ! leading each group disallowed)

An example of such a line is:
  machine.subdomain.domain  read  post  !ibm.pslob.taligent,
   !ibm.yaos, !ibm.starbase, hidden.group, !ibm.dlsprj, !ibm.swarch,
   !ibm.swarch.mpp.d, !ibm.support6k.x25.alpha, !ibm.starfleet,
   !ibm.starship, !ibm.cde
  (correct syntax does not allow for spaces or newlines between the
negative rights, but for readability they have been put here.)

      Maintaining this file is a manual process, and authorization to
read/post to newsgroups is fluid, so ensuring that everything is
completely correct is extremely time consuming and tedious.  This
disclosure describes a way to automate the creation of this ASCII
file, and how to generate the negative access rights based on storing
positive rights in an object-oriented database.

      The root of the object inheritance hierarchy is the 'restricted'
object.  This object defines an attribute, 'restricted_groups', that
lists all the restricted newsgroups, along with the methods necessary
to create the ASCII line used in the nntp_access file.  Each machine
in the nntp_access file is represented by an object that inherits from
the restricted object, and also contains an attribute,
'allowed_groups', that defines which...
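
The approach described above, as an added Python example (not the disclosed program or IBM's code): it derives each host's negative rights from its positive rights, refuses duplicate host entries, and audits an existing file under the last-entry-wins rule. It assumes negative rights are the restricted groups minus a host's allowed_groups, matched by exact name; the Machine class, build_access_file, audit, and all host and group data are hypothetical and constructed for illustration.

```python
# Added example (not the disclosed program). Assumption: a host's negative
# rights are every restricted group minus that host's allowed groups, matched
# by exact name. Hosts and group lists used with it are constructed sample data.

class Restricted:
    """Base object holding the site-wide list of restricted newsgroups."""
    restricted_groups = ["ibm.cde", "ibm.starbase", "ibm.swarch", "ibm.yaos"]

    def negative_rights(self, allowed_groups):
        unknown = set(allowed_groups) - set(self.restricted_groups)
        if unknown:  # a grant for a non-restricted group is probably a typo
            raise ValueError(f"not restricted: {sorted(unknown)}")
        return [g for g in self.restricted_groups if g not in allowed_groups]


class Machine(Restricted):
    """One nntp_access entry, described only by its positive rights."""
    def __init__(self, host, allowed_groups, read="read", post="post"):
        self.host, self.read, self.post = host, read, post
        self.allowed_groups = set(allowed_groups)

    def access_line(self):
        # No spaces between the negative rights, as the file syntax requires.
        denied = ",".join("!" + g for g in self.negative_rights(self.allowed_groups))
        return " ".join(f for f in (self.host, self.read, self.post, denied) if f)


def build_access_file(machines):
    """Emit one line per host; duplicates are rejected, not left to last-entry-wins."""
    seen, lines = set(), []
    for m in machines:
        if m.host in seen:
            raise ValueError(f"duplicate entry for {m.host}")
        seen.add(m.host)
        lines.append(m.access_line())
    return "\n".join(lines) + "\n"


def audit(text, machines):
    """Return (host, group) pairs where an existing file fails to deny a restricted group."""
    effective = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:  # a later entry overwrites an earlier one for the same host
            effective[fields[0]] = set("".join(fields[3:]).split(","))
    return [(m.host, g) for m in machines if m.host in effective
            for g in m.negative_rights(m.allowed_groups)
            if "!" + g not in effective[m.host]]
```

Running audit over a hand-maintained file reports every restricted group that the effective (last) entry for a host neither denies nor has been granted, including a group listed without its leading "!".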