Method for Integrating LAN Server Security with Distributed Computing Environment
Original Publication Date: 1996-May-01
Included in the Prior Art Database: 2005-Mar-31
Foltz, D: AUTHOR [+3]
Disclosed is a method for integrating IBM* OS/2* LAN Server* security with Distributed Computing Environment (DCE**) registry.
Method for Integrating LAN Server Security with
a method for integrating IBM* OS/2* LAN Server*
security with Distributed Computing Environment (DCE**) registry.
model in an OS/2 LAN Server legacy (LAN Server 4.0
base and below) environment is very different from the DCE security
model. In OS/2 LAN Server Enterprise, the LAN Server user and group
information was integrated with the DCE registry.
In OS/2 LAN Server, every user account belongs to one of
following three groups:
1. ADMINS: A user account belonging to this group has unlimited
authority to perform all administrative functions.
2. USERS: User accounts in this group have limited administrative
capabilities as granted by an administrator.
3. GUESTS: Users in this group usually have the lowest level of
USERS group, LAN Server users can have different
levels of authority known as operator privileges. A LAN Server user
can have one or more of the following operator privileges:
ACCOUNTS: Users with the accounts operator privilege can manage
users and groups in a LAN Server domain.
PRINT: Users with this privilege can manage printer queues
and print jobs.
COMM: Users with this privilege can manage serial devices.
SERVER: Users can manage aliases and other shared resources
and view network status.
In LAN Server
Enterprise, shared network resources or aliases
are integrated with DCE's directory service. These LAN Server
aliases are stored as Cell Directory Service (CDS) objects. In a DCE
environment, access to these alias objects is based on the access
control list associated with the CDS objects; the DCE code has no
concept of the LAN Server operator privileges. In LAN Server
Enterprise, since legacy LAN server user accounts are migrated to the
DCE registry, a mechanism for preserving and maintaining the same
levels of LAN Server privileges is needed. For example, a LAN Server
user who had the "PRINT operator" privilege in the legacy
environment, should be able to manage printer objects in the CDS
namespace after migration to the DCE environment.
registry namespace may be viewed as an extension of the
directory namespace; container objects are supported as well as
several object types. The objects of interest in this solution are
Principal, Group, Organization, and Policy. The principal object
represents a network identity. Groups are used mainly to facilitate
access control, and are used to represent LAN server groups.
Organization is a membership object like a group; the main use is to
define policy characteristic of groups of users, and to support
enumeration schemes. The policy object defines default policy
attributes for the entire registry.
A portion of the registry namespace is...