[go: up one dir, main page]

WO2001089177A1 - Domain specification system for an ldap aci entry - Google Patents

Domain specification system for an ldap aci entry Download PDF

Info

Publication number
WO2001089177A1
WO2001089177A1 PCT/US2000/013710 US0013710W WO0189177A1 WO 2001089177 A1 WO2001089177 A1 WO 2001089177A1 US 0013710 W US0013710 W US 0013710W WO 0189177 A1 WO0189177 A1 WO 0189177A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
control command
access control
attributes
resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2000/013710
Other languages
French (fr)
Inventor
Terry N. Hayes
Prasanta Behera
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New Aurora Corp
Original Assignee
Netscape Communications Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netscape Communications Corp filed Critical Netscape Communications Corp
Priority to US10/276,586 priority Critical patent/US7124132B1/en
Priority to PCT/US2000/013710 priority patent/WO2001089177A1/en
Priority to AU2000254413A priority patent/AU2000254413A1/en
Publication of WO2001089177A1 publication Critical patent/WO2001089177A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4523Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the invention relates to accessing resources in a directory structure in a computer environment. More particularly, the invention relates to controlling access to resources within an LDAP directory structure in a computer environment.
  • a Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation's Directory Server) is a collection of "entries.” Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
  • LDAP Lightweight Directory Access Protocol
  • LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
  • Entries and attributes correspond to a wide variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries contain important information, a method is required to restrict the availability of specific information to authorized users.
  • the Netscape Directory Server allows an ACI entry to be created which controls access to data stored in the directory tree.
  • the ACI entry contains rules to determine which users of the directory should be allowed to have access.
  • One of the components of the ACL rule is a description of which entries the rule applies to.
  • the entry is essentially a resource specification (e.g., data, printers, servers, etc.).
  • ACL Access Control Lists
  • the invention provides a domain specification system for an LDAP ACL rule.
  • the system allows a system administrator to specify and control access to directory resources by specifying the resource using an easily understood standardized format.
  • the invention provides a system that allows the system administrator to restrict a user's access to a single node or single level of nodes.
  • a preferred embodiment of the invention provides a system for specifying an ACI domain entry in an access control command line that controls access to a resource.
  • the access control command specifies resources using a Universal Resource Locator (URL) format.
  • URL Universal Resource Locator
  • the resource specification contains the name of the resource.
  • a target scope value specifies the scope of access to be granted to a user.
  • the scope can b e limited to a single entry, a subtree, or a single level.
  • a search filter is part of the resource specification.
  • the ACL applies only to entries in the subtree rooted at the resource name that match the filter.
  • a list of attributes is also contained in the resource specification and the ACL applies only to attributes in the resource that are named in the list.
  • the access control command specifies the type of access to be granted to a user which includes, but is not limited to: read, write, and any other privileges that the system supports.
  • the access control command also specifies the required user attributes or credentials for access to a resource.
  • the directory server matches the required attributes with the accessing user's attributes and grants the type of access listed only if the user has the required attributes.
  • Fig. 1 is a diagram of an LDAP directory structure according to the invention.
  • Fig. 2 is a block schematic diagram of an example of server interaction with user ACI rules and system resources according to the invention.
  • the invention is embodied in an domain specification system for an LDAP ACI entry in a computer environment.
  • a system according to the invention allows a system administrator to specify and control access to directory resources b y specifying the resource using an easily understood standardized format.
  • the invention provides a system that allows the system administrator to restrict a user's access to a single node or single level of nodes.
  • a Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation's Directory Server) is a collection of "entries.” Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
  • LDAP Lightweight Directory Access Protocol
  • LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
  • Entries and attributes correspond to a wide, variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries are stored within a single directory, a method is required to restrict the availability of specific information to authorized users.
  • the Netscape Directory Server allows an ACI attribute to be created which controls access to data stored in the directory tree.
  • the ACI attribute contains rules to determine which users of the directory should be allowed to have access.
  • a simple LDAP directory structure is shown.
  • the directory structure contains a server subtree 102 and people subtree 103. Under each subtree are multiple related entries.
  • the method used to control access in an LDAP system is via Access Control Lists (ACL).
  • ACL Access Control Lists
  • the Directory Server Administrator (DSAdmin) creates basic ACL rules that grant specific users access to entries in the directory.
  • the ACI entry 106 in the user's entry 104 specifies resources that the user has access to b y using ACL syntax.
  • the name (Distinguished Name) of one of the LDAP entries The ACI rule will apply to all entries in the subtree rooted at the specified entry.
  • the DSAdmin had to specify each of the values in a command line. For example:
  • a preferred embodiment of the invention adds a value called Targetscope that allows the ACI to be restricted to a more specific range.
  • the ACI command line is also specified in an LDAP URL format, thereby standardizing the command line format.
  • One of the values BASE, SUB and ONE is specified. These values have the same meaning as defined for LDAP search operations (as specified by the Internet Engineering Task Force (IETF)) and define the scope of access (i.e., one entry, one level, or an entire subtree).
  • the ACI entry will be restricted to the same set of entries as would be considered in an LDAP search.
  • a preferred embodiment of the invention improves the specification of the domain by allowing the user to apply the ACI rules to a single entry, entries at the next level of the tree only, or the entire subtree. Previous approaches could specify only the entire subtree.
  • Various schemes for filtering the entries within the subtree have been used to approximate the results of the invention's targetscope method. However, none of the prior approaches can exactly match the invention's results.
  • the invention uses the LDAP Universal Resource Locator (URL) format to include all four components of the domain specification.
  • An LDAP URL specification looks like:
  • the invention improves over previous approaches by bringing the complete description of the domain Into a standard form which is already familiar to users.
  • the Server 202 checks the ACI rule 201 for the resource when the user attempts access to a resource 203. The condition attributes are checked against the current user. If the ACI specification 201 allows the user access, then the Server 202 grants access to the resource 203.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A domain specification system for an LDAP ACI entry provides a system for specifying an ACI domain entry in an access control command line that controls access to a resource. The access control command specifies resources using a Universal Resource Locator (URL) format that contains the name of the resource. A target scope value specifies the scope of access to be granted to a user which can be limited to a single entry, a subtree, or a single level. A search filter is part of the resource specification. The ACI applies only to entries in the subtree rooted at the resource name that match the filter. A list of attributes is also contained in the resource specification and the ACI applies only to attributes in the resource that are named in the list. The access control command specifies the type of access to be granted to a user which includes, but is not limited to: deny, read, write, and any other privileges that the system supports. The access control command also specifies the required user attributes for access to a resource. The directory server matches the required attributes with the accessing user's attributes and grants the type of access listed only if the user has the required attributes.

Description

Domain Specification System for an LDAP
ACI Entry
BACKGROUND OF THE INVENTION
TECHNICAL FIELD
The invention relates to accessing resources in a directory structure in a computer environment. More particularly, the invention relates to controlling access to resources within an LDAP directory structure in a computer environment.
DESCRIPTION OF THE PRIOR ART
A Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation's Directory Server) is a collection of "entries." Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
Entries and attributes correspond to a wide variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries contain important information, a method is required to restrict the availability of specific information to authorized users.
The Netscape Directory Server allows an ACI entry to be created which controls access to data stored in the directory tree. The ACI entry contains rules to determine which users of the directory should be allowed to have access. One of the components of the ACL rule is a description of which entries the rule applies to. The entry is essentially a resource specification (e.g., data, printers, servers, etc.).
The method used to control access in an LDAP system is via Access Control Lists (ACL). The Directory Server Administrator (DSAdmin) creates basic ACL rules that grant specific users access to entries in the directory.
Previous methods required the DSAdmin to specify separate attributes in the command line for a resource which was cumbersome and confusing. An additional problem with previous approaches was that the DSAdmin could not restrict the affect of the ACI to a single node or single level of nodes.
It would be advantageous to provide a domain specification system for an LDAP ACI entry that gives the system administrator the ability to easily specify resources that are accessible by a user. It would further be advantageous to provide an domain specification system for an LDAP ACL rule that allows the system administrator to restrict a user's access to a single node or single level of nodes.
SUMMARY OF THE INVENTION
The invention provides a domain specification system for an LDAP ACL rule. The system allows a system administrator to specify and control access to directory resources by specifying the resource using an easily understood standardized format. In addition, the invention provides a system that allows the system administrator to restrict a user's access to a single node or single level of nodes.
A preferred embodiment of the invention provides a system for specifying an ACI domain entry in an access control command line that controls access to a resource. The access control command specifies resources using a Universal Resource Locator (URL) format.
The resource specification contains the name of the resource. A target scope value specifies the scope of access to be granted to a user. The scope can b e limited to a single entry, a subtree, or a single level. A search filter is part of the resource specification. The ACL applies only to entries in the subtree rooted at the resource name that match the filter. A list of attributes is also contained in the resource specification and the ACL applies only to attributes in the resource that are named in the list.
The access control command specifies the type of access to be granted to a user which includes, but is not limited to: read, write, and any other privileges that the system supports.
The access control command also specifies the required user attributes or credentials for access to a resource. The directory server matches the required attributes with the accessing user's attributes and grants the type of access listed only if the user has the required attributes.
Other aspects and advantages of the invention will become apparent from the following detailed description in combination with the accompanying drawings, illustrating, by way of example, the principles of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a diagram of an LDAP directory structure according to the invention; and
Fig. 2 is a block schematic diagram of an example of server interaction with user ACI rules and system resources according to the invention.
DETAILED DESCRIPTION OF THE INVENTION
The invention is embodied in an domain specification system for an LDAP ACI entry in a computer environment. A system according to the invention allows a system administrator to specify and control access to directory resources b y specifying the resource using an easily understood standardized format. In addition, the invention provides a system that allows the system administrator to restrict a user's access to a single node or single level of nodes.
A Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation's Directory Server) is a collection of "entries." Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
Entries and attributes correspond to a wide, variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries are stored within a single directory, a method is required to restrict the availability of specific information to authorized users.
The Netscape Directory Server allows an ACI attribute to be created which controls access to data stored in the directory tree. The ACI attribute contains rules to determine which users of the directory should be allowed to have access.
Referring to Fig. 1 , a simple LDAP directory structure is shown. The organization designation (o=Arius.com) 101 is at the root of the directory structure. Here, the directory structure contains a server subtree 102 and people subtree 103. Under each subtree are multiple related entries. In this example, a typical user entry 104 contains the user's information such as the user's name (here uid=prasanta) 105.
The method used to control access in an LDAP system is via Access Control Lists (ACL). The Directory Server Administrator (DSAdmin) creates basic ACL rules that grant specific users access to entries in the directory. The ACI entry 106 in the user's entry 104 specifies resources that the user has access to b y using ACL syntax.
Current Products
Previous approaches required three separate values to specify the domain of an ACI entry:
• target
• targetfilter
• targetattrs Target
The name (Distinguished Name) of one of the LDAP entries. The ACI rule will apply to all entries in the subtree rooted at the specified entry.,
Targetfilter
Specifies a standard LDAP search filter. The ACI rule will apply only to entries (as restricted by target) which match the filter. '
Targetattrs
Specifies a list of attributes. The ACI rule will apply only to the named attributes with the directory entries.
The DSAdmin had to specify each of the values in a command line. For example:
aci: (target = "o=Arius.com")(targetattr = "en, sn, mail, uid")(targetfilter =
(position>level2))allow(read)user=joe
However, the problem with the previous approaches was that the DSAdmin could not restrict the affect of the ACI to a single node or single level of nodes. Additionally, three separate values must be specified for the ACI, which is confusing.
A preferred embodiment of the invention adds a value called Targetscope that allows the ACI to be restricted to a more specific range. The ACI command line is also specified in an LDAP URL format, thereby standardizing the command line format.
Targetscope
One of the values BASE, SUB and ONE is specified. These values have the same meaning as defined for LDAP search operations (as specified by the Internet Engineering Task Force (IETF)) and define the scope of access (i.e., one entry, one level, or an entire subtree). The ACI entry will be restricted to the same set of entries as would be considered in an LDAP search. A preferred embodiment of the invention improves the specification of the domain by allowing the user to apply the ACI rules to a single entry, entries at the next level of the tree only, or the entire subtree. Previous approaches could specify only the entire subtree. Various schemes for filtering the entries within the subtree have been used to approximate the results of the invention's targetscope method. However, none of the prior approaches can exactly match the invention's results.
Unifying the Rules: LDAP URL
The invention uses the LDAP Universal Resource Locator (URL) format to include all four components of the domain specification. An LDAP URL specification looks like:
ldap://<serverspeo/<baseDN>?<attributes>?<scope>?<filter>
When the LDAP URL applies to the current server, the <serverspec> portion is left empty. To describe the domain of an ACI, the other fields are filled with the data from the four values specified above. The URL form becomes:
Idap : / / / <target>?<targetattrs>?<targetscope>?< targetfilter>
The invention improves over previous approaches by bringing the complete description of the domain Into a standard form which is already familiar to users.
Using the example above, the URL resource specification using all four values is as follows:
aci: (target = ldap://o=Arius.com?cn.sn.mail.uid?SUB?(position>level2))allow(read)user=joe
This follows the format:
aci: <resource><ALLOW/DENY><rightsxcondition>
where: rights = read, write, or any other privileges that the system recognizes, condition = the attribute requirements for user access. With respect to Fig. 2, the Server 202 checks the ACI rule 201 for the resource when the user attempts access to a resource 203. The condition attributes are checked against the current user. If the ACI specification 201 allows the user access, then the Server 202 grants access to the resource 203.
Although the invention is described herein with reference to the preferred embodiment, one skilled in the art will readily appreciate that other applications may be substituted for those set forth herein without departing from the spirit and scope of the present invention. Accordingly, the invention should only be limited by the Claims included below.

Claims

1. A process for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising the steps of: providing a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; and said access control command specifies the type of access to be granted to a user.
2. The process of Claim 1 , wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
3. The process of Claim 1 , wherein said access control command specifies, the required user attributes for access to said resource.
4. The process of Claim 3, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
5. The process of Claim 1 , wherein said access control command specifies said resource using a Universal Resource Locator (URL) format.
6. The process of Claim 1 , wherein said access control command specifies a search filter; and wherein said access command applies only to entries that match said filter.
7. The process of Claim 1 , wherein said access control command specifies a list of attributes; and wherein said access control command applies only to attributes in said resource that are listed in said list.
8. An apparatus for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising: a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; and said access control command specifies the type of access to be granted to a user.
9. The apparatus of Claim 8, wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
10. The apparatus of Claim 8, wherein said access control command specifies the required user attributes for access to said resource.
11. The apparatus of Claim 10, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
12. The apparatus of Claim 8, wherein said access control command specifies said resource using a Universal Resource Locator (URL) format.
13. The apparatus of Claim 8, wherein said access control command specifies a search filter; and wherein said access command applies only to entries that match said filter.
14. The apparatus of Claim 8, wherein said access control command specifies a list of attributes; and wherein said access control command applies only to attributes in said resource that are listed in said list.
15. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising the steps of: providing a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; and said access control command specifies the type of access to be granted to a user.
16. The method of Claim 15, wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
17. The method of Claim 15, wherein said access control command specifies the required user attributes for access to said resource.
18. The method of Claim 17, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
19. The method of Claim 15, wherein said access control command specifies said resource using a Universal Resource Locator (URL) format.
20. The method of Claim 15, wherein said access control command specifies a search filter; and wherein said access command applies only to entries that rnatch said filter.
21. The method of Claim 15, wherein said access control command specifies a list of attributes; and wherein said access control command applies only to attributes in said resource that are listed in said list.
AMENDED CLAIMS
[received by the International Bureau on 07 June 2001 (07.06.01); original claims 1, 5, 8, 12, 15, 19 amended; remaining claims unchanged (4 pages)]
1. A process for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising the steps of: providing a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; wherein said access control command specifies the type of access to be granted to a user; and wherein said access control command is expressed in an LDAP Universal Resource Locator (URL) format in an ACI rule.
2. The process of Claim 1 , wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
3. The process of Claim 1 , wherein said access control command specifies the required user attributes for access to said resource.
4. The process of Claim 3, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
5. The process of Claim 1 , wherein said target scope value specifies one of the values: BASE, SUB, or ONE.
6. The process of Claim 1 , wherein said access control command specifies a search filter; and wherein said access command applies only to entries that match said filter.
7. The process of Claim 1 , wherein said access control command specifies a list of attributes; and wherein said access control command applies only to attributes in said resource that are listed in said list.
8. An apparatus for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising: a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; and wherein said access control command specifies the type of access to be granted to a user; and wherein said access control command is expressed in an LDAP Universal Resource Locator (URL) format in an ACI rule.
9. The apparatus of Claim 8, wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
10. The apparatus of Claim 8, wherein said access control command specifies the required user attributes for access to said resource.
11. The apparatus of Claim 10, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
12. The apparatus of Claim 8, wherein said target scope value specifies one of the values: BASE, SUB, or ONE.
13. The apparatus of Claim 8, wherein said access control command specifies a search filter; and wherein said access command applies only to entries that match said filter.
14. The apparatus of Claim 8, wherein said access control command specifies a list of attributes; and wherein said access control command applies only to attributes in said resource that are listed in said list.
15. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for specifying an ACI domain entry that controls access to a resource in a computer environment, comprising the steps of: providing a system administrator defined access control command; said access control command specifies the name of said resource; said access control command lists a target scope value; wherein said target scope specifies the scope of access to be granted to a user; and wherein said access control command specifies the type of access to be granted to a user; and wherein said access control command is expressed in an LDAP
Universal Resource Locator (URL) format in an ACI rule.
16. The method of Claim 15, wherein said type of access includes, but is not limited to: deny, read, write, and any other privileges that the system supports.
17. The method of Claim 15, wherein said access control command specifies the required user attributes for access to said resource.
18. The method of Claim 17, wherein the directory server matches said required attributes with the accessing user's attributes and grants said type of access only if the user has said required attributes.
19. The method of Claim 15, wherein said target scope value specifies one of the values: BASE, SUB, or ONE.
20. The method of Claim 15, wherein said access control command specifies a search filter; and wherein said access command applies only to entries that match said filter.
PCT/US2000/013710 2000-05-17 2000-05-17 Domain specification system for an ldap aci entry Ceased WO2001089177A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US10/276,586 US7124132B1 (en) 2000-05-17 2000-05-17 Domain specification system for an LDAP ACI entry
PCT/US2000/013710 WO2001089177A1 (en) 2000-05-17 2000-05-17 Domain specification system for an ldap aci entry
AU2000254413A AU2000254413A1 (en) 2000-05-17 2000-05-17 Domain specification system for an ldap aci entry

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2000/013710 WO2001089177A1 (en) 2000-05-17 2000-05-17 Domain specification system for an ldap aci entry

Publications (1)

Publication Number Publication Date
WO2001089177A1 true WO2001089177A1 (en) 2001-11-22

Family

ID=21741398

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/013710 Ceased WO2001089177A1 (en) 2000-05-17 2000-05-17 Domain specification system for an ldap aci entry

Country Status (2)

Country Link
AU (1) AU2000254413A1 (en)
WO (1) WO2001089177A1 (en)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"COMMAND LINE METHOD FOR MANAGING ACCESS CONTROL PROFILES FOR ALIASES", IBM TECHNICAL DISCLOSURE BULLETIN,IBM CORP. NEW YORK,US, vol. 38, no. 6, 1 June 1995 (1995-06-01), pages 513 - 514, XP000520755, ISSN: 0018-8689 *
ITU-T: "Information Technology - Open Systems Interconnection - The Directory: Models", ITU-T RECOMMENDATION X.501, November 1993 (1993-11-01), pages 1 - 153, XP002163461 *
NETSCAPE: "Netscape Directory Server, Version 3.0", ADMINISTRATOR'S GUIDE, December 1997 (1997-12-01), XP002123088 *

Also Published As

Publication number Publication date
AU2000254413A1 (en) 2001-11-26

Similar Documents

Publication Publication Date Title
US6535879B1 (en) Access control via properties system
US6633872B2 (en) Extendible access control for lightweight directory access protocol
Carter LDAP System Administration: Putting Directories to Work
EP1058873B1 (en) File access control in a multi-protocol file server
US5878415A (en) Controlling access to objects in a hierarchical database
US6256031B1 (en) Integration of physical and virtual namespace
US6768988B2 (en) Method and system for incorporating filtered roles in a directory system
EP2548138B1 (en) Computer relational database method and system having role based access control
US7016893B2 (en) Method and system for sharing entry attributes in a directory server using class of service
US7020662B2 (en) Method and system for determining a directory entry&#39;s class of service based on the value of a specifier in the entry
US6785686B2 (en) Method and system for creating and utilizing managed roles in a directory system
US6240455B1 (en) Internet server providing link destination deletion, alteration, and addition
US7167918B2 (en) Macro-based access control
US7165182B2 (en) Multiple password policies in a directory server system
US6553368B2 (en) Network directory access mechanism
US6970873B2 (en) Configurable mechanism and abstract API model for directory operations
US8635221B2 (en) Method, system, and program product for managing access to data items in a database
JP2000047924A (en) Apparatus and method for limiting database access to managed object information using a permission table specifying access rights corresponding to user access rights to managed objects
US7194472B2 (en) Extending role scope in a directory server system
US20030078937A1 (en) Method and system for nesting roles in a directory system
EP1668437A1 (en) System device and method for managing file security attributes in a computer file storage system
US7124132B1 (en) Domain specification system for an LDAP ACI entry
US6950819B1 (en) Simplified LDAP access control language system
US7363328B2 (en) Method and system for modifying schema definitions
US20030061347A1 (en) Method and system for determining a directory entry&#39;s class of service by pointing to a single template entry

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWE Wipo information: entry into national phase

Ref document number: 10276586

Country of ref document: US

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP