Definition of Directory Service Authorization Levels

IP.com Disclosure Number: IPCOM000119380D
Original Publication Date: 1991-Jan-01
Included in the Prior Art Database: 2005-Apr-01
Document File: 2 page(s) / 94K

Publishing Venue

IBM

Related People

Austin, JH: AUTHOR [+8]

Abstract

Disclosed is a program to selectively control authorization for maintaining a distributed and replicated directory data base in such a way that multiple individuals ("administrators"), including "owners" of individual directory entries, can issue configuration or update requests from any node in the network yet be restricted to an administrator-specific scope of entries or operations.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 53% of the total text.

Definition of Directory Service Authorization Levels

      Disclosed is a program to selectively control
authorization for maintaining a distributed and replicated directory
data base in such a way that multiple individuals ("administrators"),
including "owners" of individual directory entries, can issue
configuration or update requests from any node in the network yet be
restricted to an administrator-specific scope of entries or
operations.

      A benefit of this program is that responsibility for
maintaining currency and accuracy of individual items or collections
of directory data can be delegated and distributed to those
individuals with the most current and accurate information regarding
a specific item or group, while preserving the integrity of data from
unintentional damage from others.

      The program provides three levels (scopes) of authorization:

      Entry:      governs updating an individual entry by the owner.
      Partition:  governs creating, deleting, and updating entries in a
                  partition (a disjoint subset of the entries in the
                  directory, such as entries for a particular site or
                  division of a company), assigning entry owners and their
                  privileges, and granting privileges for partition
                  administration to other ids.
      System:     governs the distribution and replication of partitions
                  among network nodes, and granting privileges for
                  partition administration or system administration to
                  other ids.

      All invocations of the directory service require an
AUTHORIZATION_ID of the requestor, which uniquely identifies the
requestor (person or responsibility) within the network. (It is
assigned and authenticated by services outside the directory service
before being passed to the directory service.)

      The program assigns configuration or update privileges to
individual requestor ids.  Each id can be assigned privileges in any
of the levels, and within the lower levels, for each partition or
entry separately.
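      The following Python model is an added illustration of the three scopes and the per-id assignment just described; it is not the disclosure's own program. The privilege bit names, the sample ids and the sample tables are assumed (the page does not give the mask's values), and a per-entry table holds a single owner id plus a privilege mask as the page describes.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Priv(Flag):
    # Privilege bits. The per-entry mask values are truncated on the page,
    # so these names are assumed for illustration.
    UPDATE_ENTRY = auto()           # Entry scope: owner updates own entry
    CREATE_ENTRY = auto()           # Partition scope
    DELETE_ENTRY = auto()           # Partition scope
    ASSIGN_OWNER = auto()           # Partition scope: set entry owner and mask
    GRANT_PARTITION_ADMIN = auto()  # Partition or System scope
    REPLICATE = auto()              # System scope: distribute/replicate partitions
    GRANT_SYSTEM_ADMIN = auto()     # System scope

# Privileges each scope's secure table may hold, per the three levels.
PARTITION_PRIVS = (Priv.CREATE_ENTRY | Priv.DELETE_ENTRY | Priv.UPDATE_ENTRY
                   | Priv.ASSIGN_OWNER | Priv.GRANT_PARTITION_ADMIN)
SYSTEM_PRIVS = Priv.REPLICATE | Priv.GRANT_PARTITION_ADMIN | Priv.GRANT_SYSTEM_ADMIN

@dataclass
class Entry:
    owner: str   # the single AUTHORIZATION_ID recorded as owner
    mask: Priv   # privileges the partition administrator allowed the owner

@dataclass
class Partition:
    entries: dict = field(default_factory=dict)  # entry name -> Entry
    admins: dict = field(default_factory=dict)   # AUTHORIZATION_ID -> Priv

def authorize(partitions, system_admins, auth_id, priv, partition=None, entry=None):
    """True if auth_id holds priv at a scope that covers the target object."""
    # System scope decides system-level operations only, not entry edits.
    if priv in SYSTEM_PRIVS and priv in system_admins.get(auth_id, Priv(0)):
        return True
    part = partitions.get(partition)
    if part is None:
        return False
    if priv in PARTITION_PRIVS and priv in part.admins.get(auth_id, Priv(0)):
        return True
    # Entry scope: only the recorded owner, and only within its mask.
    if entry is not None and priv == Priv.UPDATE_ENTRY:
        e = part.entries.get(entry)
        return e is not None and e.owner == auth_id and priv in e.mask
    return False

def sample_tables():
    # Constructed sample data, not from the disclosure.
    austin = Partition(entries={"p1": Entry("bob", Priv.UPDATE_ENTRY),
                                "p2": Entry("carol", Priv(0))},
                       admins={"alice": PARTITION_PRIVS})
    return {"austin": austin}, {"root": SYSTEM_PRIVS}
```

      Note that a system administrator's id is not thereby allowed to update entries inside a partition; that right comes only from the partition or entry tables, which is the scope restriction the disclosure describes.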

      For each object (partition, entry), and for the entire system,
a single directory service node specific to that object or group
maintains in its secure tables a list of authorized IDs for the
object or service, and the particular privileges allowed to each.
This includes:
      For each entry:
           a single authorization id of the owner of that
           entry, and
           a mask containing a value for e...