
Disclosed is a method for Role Based Granular File Access Control

IP.com Disclosure Number: IPCOM000173651D
Original Publication Date: 2008-Aug-20
Included in the Prior Art Database: 2008-Aug-20
Document File: 5 page(s) / 135K

Publishing Venue

IBM

Abstract

Most general-purpose operating systems are shared systems: resources are shared between multiple users on one system. A resource can be a processor, memory, files, etc. It is the responsibility of the operating system to make sure all the shared resources are used as intended. This can be achieved by better access control policy models. Disclosed in this article is a way to enhance the access control mechanism of a data file using a suitable file format. Once deployed, a file will have the ability to present itself in multiple facades, rather than a single access face. The main advantage is the degree of transparency: the file access policy will be completely transparent to the user. This means that the user will not have to perform any extra authentication procedures to access the file once he/she has switched to the required role.

This is the abbreviated version, containing approximately 46% of the total text.


Authors: Aravinda Prasad, Ranjith Peter, Manoranjan Beura, Shailaja Mallya, Manoj S Bableshwar.

In traditional operating systems where files are shared, the security method implemented is an "all-or-nothing" approach, i.e., users have either complete access to the file or no access at all (e.g., DAC and ACL). However, there are many cases where it is necessary to expose or share some of the data in a file with a certain set of authorized users, while denying access to certain data to another set of users who are not authorized.

There are two known solutions to this problem:

1. Split the file into two or more sub-files, each with a different security level. These files are owned by the respective users. This can lead to complications when many users need access to different sections of the file. The total number of sub-files depends directly on the number of users who require access. This leads to redundancy of data, and to synchronization problems if different users have access to sub-files with similar content.

2. Encrypt part of the file. The idea is to encrypt extents of a file independently from other extents, so that a single file may contain one or more secure regions. The main disadvantage is that this solution becomes complex when the number of users increases and they need access to different regions of the file, which increases the number of keys required to encrypt the file.

The number of keys required may vary between 1 and (2^n - 1), where "n" is the number of users. For example, consider a system with 3 users A, B and C. The total number of keys required for such a system would be between 1 and the number of non-empty subsets in P({A,B,C}), P(S) being the power set of S. That is, the number of keys for a 3-user system would be 1 to (2^3 - 1) = 7. The power set is considered because 2 or more users in the system can have access to a common region, in which case a single key is used to encrypt that region. If we have 32 users, then the number of keys may vary from 1 to (2^32 - 1), which is 4,294,967,295 keys! Another major drawback is the resource (time, memory and CPU power) utilization involved in the encryption and decryption process. Resource utilization is directly proportional to the size of all the encrypted regions and also depends on the encryption/decryption algorithm.
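The key count above, worked through as an added example that is not part of the original disclosure: one key per distinct set of authorized readers, so the worst case is one key per non-empty subset of users. The function names, region names and sample layout are constructed for illustration, and the per-user keyring count goes slightly beyond the text.

```python
from itertools import combinations

def keys_for_layout(regions):
    """Assign one key id per distinct reader set; regions with the same readers share a key."""
    key_ids = {}
    for name, readers in regions.items():
        reader_set = frozenset(readers)
        if not reader_set:
            raise ValueError(f"region {name!r} has no authorized reader")
        key_ids.setdefault(reader_set, len(key_ids) + 1)
    return key_ids

def keyring(user, key_ids):
    """Key ids a user must hold: every key whose reader set includes that user."""
    return sorted(k for readers, k in key_ids.items() if user in readers)

def worst_case_layout(users):
    """One region per non-empty subset of users: the layout that needs the most keys."""
    users = sorted(users)
    return {
        "+".join(subset): set(subset)
        for size in range(1, len(users) + 1)
        for subset in combinations(users, size)
    }

# Constructed sample: users A, B, C as in the text, with four hypothetical regions.
SAMPLE = {
    "header":  {"A", "B", "C"},
    "payroll": {"A"},
    "notes":   {"A", "B"},
    "footer":  {"A", "B", "C"},  # same readers as "header", so it reuses that key
}

if __name__ == "__main__":
    sample_keys = keys_for_layout(SAMPLE)
    print("keys for sample layout:", len(sample_keys))
    print("keys held by B:", keyring("B", sample_keys))
    worst = keys_for_layout(worst_case_layout("ABC"))
    print("worst case for 3 users:", len(worst))
    print("keys held by A in worst case:", len(keyring("A", worst)))
```

In the worst case each user holds 2^(n-1) keys, one for every subset that contains that user, so key distribution grows as fast as key generation does.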

Disclosed here is a method in which each part of the file that requires access control is demarcated in a way the operating system can understand while processing file operations. A "section" is defined as a part of the file which may require access control. Demarcation of a section of the file can be done using tags or any other suitable means. A tag is an entity that identifies the section of the file along with access control for that particular se...