Embodiments provide conditional permissions for user accounts such that access to a given computer resource can be controlled on a user account by user account basis. As the outcomes of the conditions change, the access rights to computer resources may change as well. As the conditional permissions are implemented by a computer controlling access to the computer resources, the administrator is freed from manually switching permissions to a resource on and off for user accounts.
In the example, of
Additionally, these embodiments provide logic for implementation by the processor 102 in order to assign conditional permissions to computer resources and then analyze those conditional permissions upon attempts by user accounts to access the computer resources. In the example, shown in
The example of
In some embodiments, the computer system 100 acts as a host system where client systems access the computer resources being controlled by the host system, such as the network file share and/or the on-line services such as Internet services. In the example shown, the computer system 130 is a client system where the user of the computer system 130 wishes to access a computer resource under the control of host system 100. Furthermore, a client computer 130 may be used by an administrator to configure the conditional permissions for the resources of the host system 100. The computer system 130 of this example includes similar components to those of computer system 100, such as a processor 132, memory 134, data bus 136, display 138, input device 140, mass storage 142, operating system 144, and network interface 146.
The computer system 100 of
Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by computer system 100.
Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
Upon the administrator having attempted access to the permissions settings for the resource of interest, the host system scans the registry 116 and determines that the registry contains an association of this resource to PermissionProviderX.dll at registry operation 206. Each permission provider of this example is registered with the host system in the Registry 116 or in any other system configuration location. For example, the Registry 116 may specify:
Each of the permission providers utilized by the host system may have their own unique set of conditions for granting or denying access. For example, PermissionProviderX may have the conditions discussed below in relation to
Upon the host system 100 finding the association in the Registry 116, the host system then loads the associated permission provider, PermissionProviderX.dll in this example, from storage at load operation 208. The host system 100 then calls a user interface method of that permission provider at call operation 210. As a result, the user interface is displayed on the display screen for viewing by the administrator at display operation 212.
An example of a user interface of such a permission provider is shown in
As the permissions being assigned to the resource are on a user account basis, field 304 acts as an entry point for the user account name. The field 304 may accept manual entry of the user account name or may act as a drop down menu to provide the administrator with a list of user account name options to select. As discussed above, a user account may refer to a single user or to a group of users such as an entire domain or Active Directory. In the example shown, permissions are being assigned to the individual USER1 of DOMAIN.
The administrator can select control button 306 in order to obtain the existing permissions, if any, for the current resource and user account. Upon selecting this option, the remaining fields of the user interface 300 are populated with data specifying the existing conditional permissions, if any do exist. The user interface method obtains the permissions from a permission table maintained in the Registry 116 or elsewhere. This permissions table is discussed in more detail below, particularly with reference to Table 1.
The administrator has several options available in the user interface 300. These options are provided for purposes of illustration. It will be appreciated that the options available for establishing conditional permissions may vary from one implementation to the next. Furthermore, the options available may be customizable by the administrator for a given product or resource to be configured or for a given host computer 100.
A first option is checkbox 308 for selecting to revoke permission to access the specified resource via the specified user account. Thus, if checkbox 308 is selected, then USER1 of DOMAIN will no longer have access to FILE1.PRODUCTXEXTENSION. The remaining options are grant conditions, or conditions that need to be satisfied in order to grant access to the specified resource for the specified user account.
A first grant condition is a grant until date that may be selected via field 310. Field 310 may accept a manual entry of a date or may provide a drop down such as a calendar from which a selection can be made. This grant until date indicates that the specified user can no longer access the specified resource once this date arrives.
A second grant condition is a number of accesses that may be selected via field 312. Field 312 may accept manual entry of a number and/or may provide up/down buttons to increase or decrease a displayed number. The number of accesses indicates that the specified user can no longer access the specified resource after having already accessed the resource by this number of accesses.
A third grant condition is whether the grant conditions must all be satisfied to grant access, or whether only a single grant condition must be satisfied even though multiple ones are set. Bullet 314 specifies that all must be satisfied while bullet 316 specifies that only any single one must be satisfied. For this example, if all must be satisfied, then both the grant until date and the number of accesses conditions must be met to grant access. If any must be satisfied, then so long as either the grant until date condition or the number of accesses condition is met, then access is granted.
The user interface 300 of this example also includes an OK button 318 and a cancel button 320. Thus, an administrator may make settings and click button 318 to accept and implement them, or click button 320 to cancel them and return to the existing permissions.
As noted above, the options to the administrator may vary from those of the example shown in
Returning to
An example of a format of the Permissions Table is shown in Table 1.
As can be seen in Table 1, each resource has its own conditional permissions per user. Table 1 specifies conditional permissions for User1 of Domain for File 1 of Product X, including those conditions shown in the user interface 300 of
In one illustrative embodiment, the Permissions Table may take the form of an Access Control List (ACL) or similar structure containing Access Control Elements (ACE), where the Table specifies an access mask to grant certain permissions for a resource. The ACL has an additional field, namely, the conditional permissions field, so that the access specified by the access mask is effective only upon the conditions to the permissions being satisfied as described herein.
If the administrator has not yet selected to get the existing permissions, then operational flow proceeds directly to query operation 410 where it is detected whether the administrator has selected to revoke permission to access the current resource. If so, then the registry table is accessed at table operation 412 to find the entry of the user account and current resource. The condition type is then entered as “revoked” and all other conditions are removed at entry operation 414, and operational flow then proceeds to query operation 416.
If the administrator has not yet selected to revoke permission, then operational flow proceeds directly to query operation 416 where it is detected whether the administrator has selected a grant until date. If so, then the registry table is accessed at table operation 418 to find the entry of the user account and current resource. The condition type is then entered as “grant” and a condition name is entered as “expiry date” with the date set to what the administrator has chosen at entry operation 420. Operational flow then proceeds to query operation 422.
If the administrator has not yet selected a grant until date, then operational flow proceeds directly to query operation 422 where it is detected whether the administrator has selected a number of accesses. If so, then the registry table is accessed at table operation 424 to find the entry of the user account and current resource. The condition type is then entered as “grant” and a condition name is entered as “max access account” with the number set to what the administrator has chosen at entry operation 426. Operational flow then proceeds to query operation 428.
If the administrator has not yet selected a number of accesses, then operational flow proceeds directly to query operation 428 where it is detected whether the administrator has selected for all conditions to be satisfied or any conditions to be satisfied before access is granted. If the administrator has selected “any,” then the registry table is accessed at table operation 430 to find the entry of the user account and current resource. The condition satisfy element is then set to “any” at entry operation 432, and operational flow proceeds to query operation 438. If the administrator has selected “all,” then the registry table is accessed at table operation 434 to find the entry of the user account and current resource. The condition satisfy element is then set to “all” at entry operation 436, and operational flow proceeds to query operation 438.
At query operation 438, it is detected whether the administrator has selected another user account for the current resource. If so, then operational flow returns to name operation 402 where the user account name is obtained from the data field. If not, then operational flow returns to query operation 410 to then proceed through the series of queries regarding user input in the user interface.
The host system 100 scans the Registry 116 and determines that the registry contains an association of this resource to PermissionProviderX.dll at registry operation 506. Upon the host system 100 finding the association in the Registry 116, the host system then loads the associated permission provider, PermissionProviderX.dll in this example, from storage at load operation 508. The host system 100 then calls a user permission method of that permission provider at call operation 510. As a result, the user permission method then looks up the permission table in the Registry 116 or other system configuration location to attempt to find the current user account for the current resource at look-up operation 512.
Once the entry in the permissions table is found, the user permission method then analyzes the conditional permissions to determine the grant/revoke status for this user account and resource at analysis operation 514. Here, the user permission method checks for the condition type, each condition name, and compares the value for each specified condition name to a data value obtained from the appropriate data source. Details of this analysis are discussed below in relation to
The user permission method next detects whether the grant until date has been set at query operation 612. If so, then the date specified in the expiry date condition name is compared to the current date that is accessed from the system calendar at comparison operation 614. Query operation 616 then determines whether the current date is before the specified expiry date. If not and the flag is set to all, then it is already determined that access should be denied, so a false output is generated. The host system 100 then denies access at denial operation 604. If the current date is not before the specified expiry date and the flag is set to any, then it is not yet known whether to output true or false, so operational flow proceeds to query operation 618 to check additional conditions.
If query operation 616 detects that the current date is before the specified expiry date and the flag is set to all, then it is not yet known whether to output true or false, so operational flow proceeds to query operation 618 to check additional conditions. If query operation 616 detects that the current date is before the specified expiry date and the flag is set to any, then it is already known that the output should be true, so the host system 100 grants the user account access to the resource at allowance operation 624.
When operational flow reaches query operation 618, it is detected whether the number of accesses has been set. If it has not been set, then since this is the last condition to check, it is known that the output should be true, so the host system 100 grants the user account access to the resource at allowance operation 624. If the number of accesses has been set, then the specified number of accesses is compared to the number of accesses made thus far by the user account to the current resource, which may be obtained from one of various locations, such as a transactional log or a counter that stores the number of accesses in a property of the resource.
If the number of accesses by the user account is less than the specified number in the permissions table, then it is known that the output should be true so the host system 100 grants the user account access to the resource at allowance operation 624. If the number of accesses by the user account is not less than the specified number in the permissions table, then it is known that the output should be false so the host system 100 denies the user account access to the resource at denial operation 604.
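The evaluation flow described above (revoke check, then the grant until date, then the number of accesses, combined under the all/any flag), written as an added Python example that is not part of the original document; the `PermissionEntry` structure, the `evaluate` and `lookup` functions and the sample table rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List

@dataclass
class PermissionEntry:
    """One row of the Permissions Table for a (resource, user account) pair.
    Field names are assumed for this example."""
    resource: str
    account: str
    condition_type: str                     # "grant" or "revoked"
    expiry_date: Optional[date] = None      # "grant until" condition, if set
    max_access_count: Optional[int] = None  # "number of accesses" condition, if set
    satisfy: str = "all"                    # "all" or "any"

def evaluate(entry: PermissionEntry, today: date, accesses_so_far: int) -> bool:
    """Return True to grant and False to deny, in the order of the operational flow."""
    if entry.condition_type == "revoked":
        return False
    require_all = entry.satisfy == "all"
    # Grant until date (query operations 612/616): short-circuit where the flow does.
    if entry.expiry_date is not None:
        before_expiry = today < entry.expiry_date
        if not before_expiry and require_all:
            return False          # one failed condition denies under "all"
        if before_expiry and not require_all:
            return True           # one satisfied condition grants under "any"
    # Number of accesses (query operation 618): last condition, so an unset value grants.
    if entry.max_access_count is None:
        return True
    return accesses_so_far < entry.max_access_count

def lookup(table: List[PermissionEntry], resource: str, account: str) -> Optional[PermissionEntry]:
    """Find the table entry for the current user account and resource (look-up 512)."""
    for entry in table:
        if entry.resource == resource and entry.account == account:
            return entry
    return None

# Constructed sample table: USER1 of DOMAIN may use FILE1 until the expiry date
# and at most three times; USER2 has been revoked outright.
SAMPLE_TABLE = [
    PermissionEntry("FILE1.PRODUCTXEXTENSION", "DOMAIN\\USER1", "grant",
                    expiry_date=date(2030, 1, 1), max_access_count=3, satisfy="all"),
    PermissionEntry("FILE1.PRODUCTXEXTENSION", "DOMAIN\\USER2", "revoked"),
]

def check_access(resource: str, account: str, today: date, accesses_so_far: int) -> bool:
    """Full path: missing entry denies; otherwise evaluate the conditional permissions."""
    entry = lookup(SAMPLE_TABLE, resource, account)
    return False if entry is None else evaluate(entry, today, accesses_so_far)
```

Note that under the "any" flag an expired grant until date with no number of accesses set falls through to a grant, because the access-count check treats an unset value as satisfied; an administrator who chooses "any" should therefore set both conditions.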
Thus, once the administrator has assigned permissions, or if default permissions are provided, then the user account may access the resource until the conditions as specified are no longer satisfied. The host system thereby manages access to resources without the administrator having to manually revoke access upon noticing that a particular user account should no longer have access, although the administrator may be given the ability to revoke at any time and at his discretion.
While the invention has been particularly shown and described with reference to various embodiments thereof, it will be understood by those skilled in the art that various other changes in the form and details may be made therein without departing from the spirit and scope of the invention. For example, the particular order of the operational flow for determining which user interface option the administrator has chosen may vary, and the options themselves may vary. As another example, the particular order of the operational flow for determining whether the conditions are met may vary, and the conditions themselves may also vary.