Access Control List Export Utility with Enhancement for Performance and Disk Requirement

IP.com Disclosure Number: IPCOM000118742D
Original Publication Date: 1997-Jun-01
Included in the Prior Art Database: 2005-Apr-01
Document File: 4 page(s) / 102K

Publishing Venue

IBM

Related People

Bsaibes, ME: AUTHOR [+7]

Abstract

Disclosed is an Access Control List (ACL) export utility to migrate Local Area Network (LAN) Server effective ACLs to Directory and Security Server (DSS) efficiently. Only the files with explicit ACLs or effective ACLs inherited from the parent directory will have records in the export file. The rest will be deduced from the file. Also, the file-search will be done efficiently.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 46% of the total text.

      To migrate LAN Server servers to DSS, one important item to
migrate is the effective ACL of every resource.  The migration
utility should not take long to complete and should not consume a
lot of disk space.

      The migration of LAN Server's ACLs is important because LAN
Server ACLs do not map one to one to DSS ACLs.  Furthermore, the
access algorithm in LAN Server is different from DSS's.  While DSS
requires that each resource have an ACL associated with it, LAN
Server does not.

      When determining access permissions on a resource, LAN Server's
access algorithm first checks the ACLs on the resource itself.  If no
permissions are found on the resource, the algorithm checks the ACLs
of the parent directory, then the ACLs of the drive.  This means that
even if a resource does not have ACLs associated with it, it can
still be protected by its parent directory's ACLs or the ACLs of its
drive.  For example, when determining the access permissions on the
file c:\tmp\dir1\file1, the ACLs on the file file1 are checked first.
Then, the ACLs of the directory c:\tmp\dir1 are checked.  Finally,
the ACLs of the drive c: are checked.

      Therefore, to correctly migrate the access control of a
resource, it is not enough to look at the explicit ACLs of the
resource; rather, it is necessary to know the effective ACLs.  The
first solution to migrate LAN Server's ACLs was to get the effective
ACLs for every resource on LAN Server and write the entries into an
ASCII file with the following format:
  Resource:                     G:\tmp
  Audit:                        0100
  ACLlist:
    User:                       TESTER1
    Access:                     RWCDEPA
    Group:                      USERS
    Access:                     RWCDEPA
    Group:                      GUESTS
    Access:                     RWCDEPA
  EOR
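
      The lookup order and the first solution's one-record-per-resource
export, as an added Python example that is not part of the original
disclosure.  The sample ACLs, resource list, and function names are
constructed for illustration, and "no permissions found" is assumed to
mean that the resource has no ACL record.

```python
import ntpath

# Constructed sample data: only these resources carry an explicit ACL.
EXPLICIT_ACLS = {
    "C:": {"audit": "0100", "entries": [("Group", "USERS", "R")]},
    "C:\\tmp": {"audit": "0100", "entries": [("Group", "GUESTS", "R")]},
    "C:\\tmp\\dir1\\file2": {"audit": "0100",
                             "entries": [("User", "TESTER1", "RWCDEPA")]},
}
RESOURCES = ["C:\\tmp", "C:\\tmp\\dir1",
             "C:\\tmp\\dir1\\file1", "C:\\tmp\\dir1\\file2"]


def lookup_chain(path):
    """Resources consulted in order: the resource, its parent directory, its drive."""
    drive, _ = ntpath.splitdrive(path)
    parent = ntpath.dirname(path).rstrip("\\")  # a root such as "C:\" becomes "C:"
    chain = []
    for candidate in (path, parent, drive):
        if candidate and candidate not in chain:
            chain.append(candidate)
    return chain


def effective_acl(path, acls):
    """Return (source, acl) from the first resource in the chain that has an ACL."""
    for candidate in lookup_chain(path):
        if candidate in acls:  # assumption: "no permissions found" = no ACL record
            return candidate, acls[candidate]
    return None, None


def format_record(path, acl):
    """Render one record in the export layout shown above."""
    lines = [f"  {'Resource:':<30}{path}", f"  {'Audit:':<30}{acl['audit']}",
             "  ACLlist:"]
    for kind, name, access in acl["entries"]:
        lines += [f"    {kind + ':':<28}{name}", f"    {'Access:':<28}{access}"]
    return "\n".join(lines + ["  EOR"])


def export_all(resources, acls):
    """The first solution: one record per resource, carrying its effective ACL."""
    records = []
    for path in resources:
        _, acl = effective_acl(path, acls)
        if acl is not None:
            records.append(format_record(path, acl))
    return records
```

In this sample C:\tmp\dir1\file1 resolves to the ACL of the drive C:, not to the ACL of C:\tmp, because the lookup described above consults only the immediate parent directory before the drive.  Only two of the four listed resources carry an explicit ACL, yet the export holds four records.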

      Every resource was required to have a record in the ACL export
file.  It was not long before it was discovered that the export files
can grow to an unacceptable size.  For a one-gigabyte drive with a
moderate number of files and directories, the export file could
easily reach five to six megabytes.  This was especially true when
the drives have ACLs protecting them.  In that case, every...