Assignment of Detailed Privileges for Directory Administrators

IP.com Disclosure Number: IPCOM000119379D
Original Publication Date: 1991-Jan-01
Included in the Prior Art Database: 2005-Apr-01
Document File: 4 page(s) / 111K

Publishing Venue

IBM

Related People

Austin, JH: AUTHOR [+8]

Abstract

Disclosed is a program to assign distinct sets of privileges to different administrators of a distributed and replicated directory data base. Privileges are assigned to individual requestor ids, on each of three levels.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 48% of the total text.

Assignment of Detailed Privileges for Directory Administrators

      Disclosed is a program to assign distinct sets of
privileges to different administrators of a distributed and
replicated directory data base.  Privileges are assigned to
individual requestor ids, on each of three levels.

      A benefit of this program is that individual administrators can
be granted authorization for maintaining specific fields or
performing specific operations within the scope of their knowledge
and responsibility while being prevented from causing unintentional
damage to other fields or operations.

      All invocations of the directory service require an
AUTHORIZATION_ID of the requestor, which uniquely identifies the
requestor (person or responsibility) within the network. (It is
assigned and authenticated by services outside the directory service
before being passed to the directory service.)

      The program assigns privileges to individual requestor ids.
The program provides three levels (scopes) of authorization, listed
below.  It can assign any id any selection of privileges in any of
the authorization levels, and within the lower levels, for each
partition or entry separately.
      Entry:  governs updating an individual entry by the owner.
      Partition:  governs creating, deleting, and updating entries in
a partition (a disjoint subset of the entries in the directory, such
as entries for a particular site or division of a company), assigning
entry owners and their privileges, and granting privileges for
partition administration to other ids.
      System:  governs the distribution and replication of partitions
among network nodes, and granting privileges for partition
administration or system administration to other ids.

      The privileges that the program may individually assign at each
level include:
           Entry Owner Level Privileges--apply to an individual-owned
entry:
           Modify selected fields as determined by a field mask
           Transfer ownership to another id

      Partition Administration Level Privileges--apply to entries in
a specific partition:
           Create entry
           Delete any entry
           Modify any non-system field in any entry
           Modify selected fields in any entry as determined by a
           field mask
           Transfer ownership of any entry to another id
           Delete any owned entry
           Modify any owned non-system field in any owned entry
           Modify selected fields in any owned entry as determined by a
           field mask
           Transfer ownership of any owned entry to another id
           Create a replica ("shadow") of a partition at any
           directory node
           Refresh any shadow of the partition--that is,
           bring it up-t...
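The privilege scheme described above, as an added worked example that is not part of the disclosure and not IBM's program: a small Python model of the three scopes (entry owner, partition administration, system), the field-mask and owned/any variants of the modify and delete privileges, and check routines that resolve a request from a given requestor id against those grants. Every name here (Priv, Grant, Entry, Directory, the check functions, the sample ids and partitions, and the SYSTEM_FIELDS set) is an assumption of the example; the sample directory is constructed data.

```python
# Added example, not IBM's program: a model of the disclosure's three-level
# privilege scheme. Priv, Grant, Entry, Directory, the check functions, the
# sample ids/partitions and SYSTEM_FIELDS are all assumptions of this example.
from dataclasses import dataclass, field
from enum import Enum, auto

# Assumed system-maintained fields; "non-system" privileges never cover them.
SYSTEM_FIELDS = frozenset({"entry_id", "owner", "partition"})

class Priv(Enum):
    # Entry owner level
    OWNER_MODIFY_MASKED = auto()      # modify fields selected by a field mask
    OWNER_TRANSFER = auto()           # transfer ownership to another id
    # Partition administration level
    PART_CREATE = auto()
    PART_DELETE_ANY = auto()
    PART_MODIFY_ANY_NONSYSTEM = auto()
    PART_MODIFY_ANY_MASKED = auto()
    PART_TRANSFER_ANY = auto()
    PART_DELETE_OWNED = auto()
    PART_MODIFY_OWNED_NONSYSTEM = auto()
    PART_MODIFY_OWNED_MASKED = auto()
    PART_TRANSFER_OWNED = auto()
    PART_GRANT = auto()               # grant partition administration to other ids
    # System level
    SYS_DISTRIBUTE = auto()           # distribute/replicate partitions among nodes
    SYS_GRANT = auto()                # grant partition or system administration

@dataclass
class Grant:
    privs: frozenset
    mask: frozenset = frozenset()     # field mask for the *_MASKED privileges

@dataclass
class Entry:
    entry_id: str
    partition: str
    owner: str

@dataclass
class Directory:
    entries: dict = field(default_factory=dict)
    entry_grants: dict = field(default_factory=dict)      # (id, entry_id) -> Grant
    partition_grants: dict = field(default_factory=dict)  # (id, partition) -> Grant
    system_grants: dict = field(default_factory=dict)     # id -> Grant

def _has(grant, priv):
    return grant is not None and priv in grant.privs

def modify_allowed(d, requestor, entry_id, fields_to_change):
    """May requestor change exactly these fields of the entry?"""
    e = d.entries[entry_id]
    wanted, owned = frozenset(fields_to_change), e.owner == requestor
    nonsystem = not (wanted & SYSTEM_FIELDS)
    # Entry owner level: only the owner, and only fields inside the mask.
    g = d.entry_grants.get((requestor, entry_id))
    if owned and _has(g, Priv.OWNER_MODIFY_MASKED) and wanted <= g.mask:
        return True
    # Partition level: the grant is scoped to the entry's own partition.
    g = d.partition_grants.get((requestor, e.partition))
    if g is None:
        return False
    if nonsystem and (Priv.PART_MODIFY_ANY_NONSYSTEM in g.privs or
                      (owned and Priv.PART_MODIFY_OWNED_NONSYSTEM in g.privs)):
        return True
    if wanted <= g.mask and (Priv.PART_MODIFY_ANY_MASKED in g.privs or
                             (owned and Priv.PART_MODIFY_OWNED_MASKED in g.privs)):
        return True
    return False

def delete_allowed(d, requestor, entry_id):
    e = d.entries[entry_id]
    g = d.partition_grants.get((requestor, e.partition))
    return _has(g, Priv.PART_DELETE_ANY) or (
        e.owner == requestor and _has(g, Priv.PART_DELETE_OWNED))

def grant_partition_admin_allowed(d, requestor, partition):
    """PART_GRANT on that partition, or SYS_GRANT at system level."""
    return (_has(d.partition_grants.get((requestor, partition)), Priv.PART_GRANT)
            or _has(d.system_grants.get(requestor), Priv.SYS_GRANT))

def build_sample_directory():
    """Constructed sample data: two partitions, entries e1..e3, four requestor ids."""
    d = Directory()
    for eid, part, owner in [("e1", "site-austin", "alice"), ("e2", "site-austin", "bob"),
                             ("e3", "div-finance", "carol")]:
        d.entries[eid] = Entry(eid, part, owner)
    # alice owns e1 and may edit only phone/office in it, or hand it over
    d.entry_grants[("alice", "e1")] = Grant(
        frozenset({Priv.OWNER_MODIFY_MASKED, Priv.OWNER_TRANSFER}), frozenset({"phone", "office"}))
    # bob: partition rights limited to entries he owns
    d.partition_grants[("bob", "site-austin")] = Grant(
        frozenset({Priv.PART_MODIFY_OWNED_NONSYSTEM, Priv.PART_DELETE_OWNED}))
    # dana: full administrator of site-austin and nothing else
    d.partition_grants[("dana", "site-austin")] = Grant(frozenset(
        {Priv.PART_CREATE, Priv.PART_DELETE_ANY, Priv.PART_MODIFY_ANY_NONSYSTEM, Priv.PART_GRANT}))
    # erin: system administrator with no partition grants of her own
    d.system_grants["erin"] = Grant(frozenset({Priv.SYS_DISTRIBUTE, Priv.SYS_GRANT}))
    return d
```

The checks take the requestor id as given, matching the disclosure's note that the AUTHORIZATION_ID is assigned and authenticated outside the directory service. The two properties worth confirming against the sample data are the ones the disclosure relies on for containing damage: a partition grant never reaches an entry in another partition (dana cannot touch e3), and a field mask never lets an owner modify a field outside it (alice may change phone but not title), while the non-system variants keep even a full partition administrator away from owner and partition fields.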