
Method for Integrating LAN Server Security with Distributed Computing Environment

IP.com Disclosure Number: IPCOM000117752D
Original Publication Date: 1996-May-01
Included in the Prior Art Database: 2005-Mar-31
Document File: 4 page(s) / 115K

Publishing Venue

IBM

Related People

Foltz, D: AUTHOR [+4]

Abstract

Disclosed is a method for integrating IBM* OS/2* LAN Server* security with Distributed Computing Environment (DCE**) registry.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 34% of the total text.

Method for Integrating LAN Server Security with Distributed Computing Environment

      Disclosed is a method for integrating IBM* OS/2* LAN Server*
security with Distributed Computing Environment (DCE**) registry.

      The security model in an OS/2 LAN Server legacy (LAN Server 4.0
base and below) environment is very different from the DCE security
model.  In OS/2 LAN Server Enterprise, the LAN Server user and group
information was integrated with the DCE registry.

In OS/2 LAN Server, every user account belongs to one of the
following three groups:
  1.  ADMINS: A user account belonging to this group has unlimited
      authority to perform all administrative functions.
  2.  USERS: User accounts in this group have limited administrative
      capabilities as granted by an administrator.
  3.  GUESTS: Users in this group usually have the lowest level of
      authority.

      Within the USERS group, LAN Server users can have different
levels of authority known as operator privileges.  A LAN Server user
can have one or more of the following operator privileges:
  ACCOUNTS: Users with the accounts operator privilege can manage
      users and groups in a LAN Server domain.
  PRINT: Users with this privilege can manage printer queues and
      print jobs.
  COMM: Users with this privilege can manage serial devices.
  SERVER: Users with this privilege can manage aliases and other
      shared resources and view network status.

      In LAN Server Enterprise, shared network resources or aliases
are integrated with DCE's directory service.  These LAN Server
aliases are stored as Cell Directory Service (CDS) objects.  In a DCE
environment, access to these alias objects is based on the access
control list associated with the CDS objects; the DCE code has no
concept of the LAN Server operator privileges.  In LAN Server
Enterprise, since legacy LAN Server user accounts are migrated to the
DCE registry, a mechanism for preserving and maintaining the same
levels of LAN Server privileges is needed.  For example, a LAN Server
user who had the "PRINT operator" privilege in the legacy
environment should be able to manage printer objects in the CDS
namespace after migration to the DCE environment.

      The DCE registry namespace may be viewed as an extension of the
directory namespace; container objects are supported as well as
several object types.  The objects of interest in this solution are
Principal, Group, Organization, and Policy.  The principal object
represents a network identity.  Groups are used mainly to facilitate
access control, and are used to represent LAN Server groups.
Organization is a membership object like a group; its main use is to
define policy characteristics for groups of users and to support
enumeration schemes.  The policy object defines default policy
attributes for the entire registry.
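As an added illustration (not code from the disclosure, which does not detail the mechanism), the following Python models one way to preserve operator privileges across the migration described above: each LAN Server group and operator privilege becomes a DCE registry group, each migrated account becomes a principal with those memberships, and every CDS alias object receives an ACL that grants "manage" only to ADMINS and to the privilege group matching its resource type. The group names, alias types and CDS paths are assumptions.

```python
from dataclasses import dataclass, field

# Assumed mapping (not from the disclosure): each LAN Server operator
# privilege becomes a DCE registry group; each alias type lists the
# privilege groups allowed to manage objects of that type in CDS.
PRIV_GROUP = {"ACCOUNTS": "ls_accounts_ops", "PRINT": "ls_print_ops",
              "COMM": "ls_comm_ops", "SERVER": "ls_server_ops"}
ALIAS_MANAGERS = {"printer": {"ls_print_ops"}, "serial": {"ls_comm_ops"},
                  "files": {"ls_server_ops"}}

@dataclass
class LegacyAccount:
    """A LAN Server user: one of ADMINS/USERS/GUESTS plus operator privileges."""
    name: str
    group: str
    operator_privs: set = field(default_factory=set)

@dataclass
class Registry:
    """Stand-in for DCE registry principals/groups and CDS object ACLs."""
    members: dict = field(default_factory=dict)  # principal -> set of DCE groups
    acls: dict = field(default_factory=dict)     # CDS alias -> {group: rights}

def migrate(accounts, aliases):
    """Create principals and group memberships, then derive an ACL per alias."""
    reg = Registry()
    for acct in accounts:
        groups = {"ls_" + acct.group.lower()}
        if acct.group == "USERS":  # operator privileges exist only within USERS
            groups |= {PRIV_GROUP[p] for p in acct.operator_privs}
        reg.members[acct.name] = groups
    for alias, kind in aliases.items():
        acl = {"ls_admins": {"read", "manage"}}  # ADMINS keep unlimited authority
        for g in ALIAS_MANAGERS[kind]:
            acl[g] = {"read", "manage"}          # e.g. PRINT operators on printers
        acl["ls_users"] = {"read"}
        acl["ls_guests"] = {"read"}
        reg.acls[alias] = acl
    return reg

def can(reg, principal, alias, right):
    """Simplified DCE-style check: union of rights over matching group entries."""
    acl = reg.acls.get(alias, {})
    return any(right in acl.get(g, set()) for g in reg.members.get(principal, ()))

# Constructed sample data; the CDS paths below are assumed, not from the page.
ACCOUNTS = [LegacyAccount("alice", "ADMINS"), LegacyAccount("bob", "USERS", {"PRINT"}),
            LegacyAccount("carol", "USERS", {"ACCOUNTS"}), LegacyAccount("dave", "GUESTS")]
ALIASES = {"/.:/lanserver/LASERJET": "printer", "/.:/lanserver/MODEM1": "serial"}
REG = migrate(ACCOUNTS, ALIASES)
```

The check confirms the page's example (a migrated PRINT operator can manage the printer alias) and, equally important, that an ACCOUNTS operator or a GUEST cannot.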

      A portion of the registry namespace is...