United States Patent [19]
Montague et al.

US005761669A

[11] Patent Number: 5,761,669
[45] Date of Patent: Jun. 2, 1998

[54] CONTROLLING ACCESS TO OBJECTS ON MULTIPLE OPERATING SYSTEMS

[75] Inventors: David S. Montague, Bellevue; Pradyumna K. Misra, Issaquah; Michael M. Swift, Bellevue; Robert P. Reichel, Redmond, all of Wash.

[73] Assignee: Microsoft Corporation, Redmond, Wash.

[21] Appl. No.: 534,197

[22] Filed: Sep. 26, 1995

Related U.S. Application Data

[63] Continuation-in-part of Ser. No. 465,990, Jun. 6, 1995, Pat. No. 5,675,782.

[51] Int. Cl.6 ............................ G06F 17/30
[52] U.S. Cl. ............................ 707/103; 707/104
[58] Field of Search ............... 395/650, 614, 700, 728, 800, 186; 379/95; 707/103, 104

[56] References Cited

U.S. PATENT DOCUMENTS

5,128,697   7/1992   Chung ........................ 395/650
5,129,083   7/1992   Cutler et al. ................ 395/600
5,136,712   8/1992   Perazzoli, Jr. et al. ........ 395/700
5,263,157  11/1993   Janis ........................ 395/600
5,276,901   1/1994   Howell et al. ................ 395/800
5,297,283   3/1994   Kelly, Jr. et al. ............ 395/650
5,335,346   8/1994   Fabbio ....................... 395/600
5,446,903   8/1995   Abraham et al. ............... 395/728
5,469,576  11/1995   Dauerer et al. ............... 395/186
5,495,521   2/1996   Rangachar .................... 379/95

OTHER PUBLICATIONS

Novell Netware, Version 3.11, pp. 192-261, 1991.

Primary Examiner: Paul R. Lintz
Assistant Examiner: Frantz Coby
Attorney, Agent, or Firm: Ronald M. Anderson

[57] ABSTRACT

A method and system for controlling access to entities on a network on which a plurality of servers are installed that use different operating systems. A request is entered by a user at a workstation on the network to set access permissions to an entity on the network in regard to a trustee. In response to the request, various application programming interfaces (APIs) are called to translate the generic request to set permissions on the entity into a format appropriate for the operating system that controls the entity. Assuming that the user has the appropriate rights to set access permissions to the entity as requested, and assuming that the trustee identified by the user is among those who can have rights set to the entity, the request made by the user is granted. Entities include both "containers" and "objects." Entities are either software, such as directories (containers) and files (objects), or hardware, such as printers (objects).

26 Claims, 12 Drawing Sheets
`
`200
`
`f
`
`START
`
`202
`
`20'F
`
`IHUL Itl,
`I
`ACI'ESS RIGHTS 0
`ENTITY
`
`TO SFRVFR Sl OR I OCAL WORK
`
`201STEE+;
`EF
`ENTITI"» TRUSTEE
`INVALID
`
`D—NO
`
`VALID DN
`
`YES
`
`OTHER SERVERS
`
`205
`
`READ
`
`ACCESS ~
`/ RETUR I+200
`I'ERUISSIDNSON a FAIL/ ACCESS
`DENI 0
`
`NTITY
`
`~200VIS
`
`SUCCEED
`
`ENTITV LO AL
`
`YESJ
`
`10
`
`(AVRITE REQUES
`
`TOFNTI YS
`FLRNISS ONS
`
`I AIL
`
`/ RFTUR I
`ACCt tt
`
`ERROR
`
`DENIED
`
`(
`
`SUCCttD]
`
`1
`REH RN
`t SUCCESS
`
`210
`
`Google Exhibit 1051
`Google v. VirtaMove
`
`
`
U.S. Patent   Jun. 2, 1998   Sheet 1 of 12   5,761,669
[FIG. 1: block diagram of network 10; figure content not recoverable from the scan.]

U.S. Patent   Jun. 2, 1998   Sheet 2 of 12   5,761,669
[FIG. 2: functional block diagram. Blocks legible on the sheet: OPERATING SYSTEM, WINDOWS NT, NETWARE, OTHER OPERATING SYSTEMS, ACCESS RIGHTS CONTROL INTERFACE, APPLICATION ON REMOTE SERVER, SERVER ACCESS.]

U.S. Patent   Jun. 2, 1998   Sheet 3 of 12   5,761,669
[FIGS. 3 and 4 (File Manager screen and File Permissions dialog box); only reference numerals 72 and 100 are legible.]
`
`
`
U.S. Patent   Jun. 2, 1998   Sheet 4 of 12   5,761,669

FIG. 5 ("Add Users and Groups" dialog box, reference numerals 130 through 162):
  List Names From: \\SERVER_NT2
  Names: Replicator (Supports file replication in a domain); SYSTEM (The Operating System); Users (Ordinary Users); Administrator (Account for administering the Compu, clipped in the dialog); janesmith; johndoe
  Add Names: SERVER_NT2\johndoe
  Type of Access: (not legible)

FIG. 6 ("File Permissions" dialog box, reference numerals 100 through 128 and 170 through 172):
  File: G:\tmp\acls\aclapi.dll
  Owner: SERVER_NT2
  Names: SERVER_NT2\johndoe ... Read; Everyone ... Full Control (All)
`
`
`
U.S. Patent   Jun. 2, 1998   Sheet 5 of 12   5,761,669
[FIG. 7 (Print Manager screen, reference numeral 180) and FIG. 8 (Printer Permissions dialog box); content otherwise not recoverable from the scan.]

U.S. Patent   Jun. 2, 1998   Sheet 6 of 12   5,761,669

FIG. 9 (first portion of the flow chart; continued in FIG. 10). Boxes legible on the sheet:
  200  START
  201  GET TRUSTEE, ACCESS RIGHTS & ENTITY
  202  DETERMINE CONTROLLING SERVER & ROUTE APPROPRIATELY (to server S1 or the local workstation; S2; S3; ... SN; other servers)
  203  IS TRUSTEE VALID ON ENTITY?  NO: 204 RETURN FAIL (trustee invalid);  YES: continue
  205  READ ACCESS PERMISSIONS ON ENTITY  FAIL: 206 RETURN FAIL / ACCESS DENIED;  SUCCEED: IS ENTITY LOCAL?
  210  WRITE REQUEST TO ENTITY'S PERMISSIONS  FAIL: RETURN ERROR / ACCESS DENIED;  SUCCEED: RETURN SUCCESS
  216  (label legible; box text not recoverable)
`
`
`
U.S. Patent   Jun. 2, 1998   Sheet 7 of 12   5,761,669
[Figure content not recoverable from the scan.]

U.S. Patent   Jun. 2, 1998   Sheet 8 of 12   5,761,669
[Figure content not recoverable from the scan.]

U.S. Patent   Jun. 2, 1998   Sheet 9 of 12   5,761,669
[Figure content not recoverable from the scan.]
`
U.S. Patent   Jun. 2, 1998   Sheet 10 of 12   5,761,669

FIG. 15 - ACTION DEFINITIONS (only action numbers 2, 5 and 7 are legible on the sheet; definitions in sheet order):

ADD PERMISSIONS FROM EXISTING ACCESS CONTROL ENTRY TO PERMISSIONS FOR ACCESS REQUEST, REMOVE EXISTING ACCESS CONTROL ENTRY, & ADD ACCESS REQUEST AS NEW ACCESS CONTROL ENTRY

LEAVE EXISTING ACCESS CONTROL ENTRY

REMOVE EXISTING ACCESS CONTROL ENTRY; & ADD ACCESS REQUEST AS NEW ACCESS CONTROL ENTRY

REMOVE REQUESTED INHERITANCE FROM EXISTING ACCESS ENTRY; & ADD ACCESS REQUEST AS NEW ACCESS CONTROL ENTRY

REMOVE REQUESTED INHERITANCE FROM EXISTING ENTRY; ADD ENTRY WITH OVERLAP BETWEEN REQUESTED INHERITANCE AND INHERITANCE FROM EXISTING ENTRY, WITH EXISTING ENTRY'S PERMISSIONS LESS REQUESTED PERMISSIONS; & ADD REQUEST AS NEW ACCESS CONTROL ENTRY

REMOVE REQUESTED PERMISSIONS FROM PERMISSIONS OF ACCESS ENTRY; & ADD ACCESS REQUEST AS A NEW ACCESS CONTROL ENTRY
`
`
U.S. Patent   Jun. 2, 1998   Sheet 11 of 12   5,761,669

FIG. 16 - INHERITANCE FLAGS AND THE ENTITIES TO WHICH INHERITED ACCESS PERMISSIONS APPLY

INHERITANCE FLAGS            ENTITIES TO WHICH INHERITED ACCESS PERMISSIONS APPLY
(NONE)                       TO THE CONTAINER
NO PROPAGATE (NP) INHERIT    (N/A)
CONTAINER INHERIT (CI)       TO THE CONTAINER; TO ALL SUB CONTAINERS
OBJECT INHERIT (OI)          TO THE CONTAINER; TO IMMEDIATELY CONTAINED OBJECTS
INHERIT ONLY (IO)            (N/A)
(NP, CI)                     TO THE CONTAINER; TO IMMEDIATELY CONTAINED CONTAINERS
(NP, OI)                     TO THE CONTAINER; TO IMMEDIATELY CONTAINED OBJECTS
(NP, IO)                     (N/A)
(CI, OI)                     TO THE CONTAINER; TO ALL SUB CONTAINERS; TO ALL SUB OBJECTS
(OI, IO)                     TO IMMEDIATELY CONTAINED OBJECTS
(CI, IO)                     TO ALL SUB CONTAINERS
(NP, CI, OI)                 TO THE CONTAINER; TO IMMEDIATELY CONTAINED CONTAINERS; TO IMMEDIATELY CONTAINED OBJECTS
(NP, CI, IO)                 TO IMMEDIATELY CONTAINED CONTAINERS
(NP, OI, IO)                 TO IMMEDIATELY CONTAINED OBJECTS
(CI, OI, IO)                 TO ALL SUB CONTAINERS; TO ALL SUB OBJECTS
(NP, CI, OI, IO)             TO IMMEDIATELY CONTAINED CONTAINERS; TO IMMEDIATELY CONTAINED OBJECTS
`
`
`
U.S. Patent   Jun. 2, 1998   Sheet 12 of 12   5,761,669

FIG. 17: diagram of the entities to which inherited permissions apply, drawn for the flag combinations NO FLAGS, (CI), (OI), (NP, CI), (NP, OI), (CI, OI), (OI, IO), (CI, IO), (NP, CI, OI), (NP, CI, IO), (NP, OI, IO), (CI, OI, IO) and (NP, CI, OI, IO). The open and filled circles and the dashed lines are not recoverable from the scan.
`
`
`
`5.761.669
`
`1
`CONTROLLING ACCESS TO OBJECTS ON
`MULTIPLE OPERATING SYSTEMS
`
`RELATED APPLICATIONS
`This application is a continuation-in-part of prior appli-
`cation Ser. No. 08/465.990, filed lun. 6. 1995. now U.S. Pat.
`No. 5.675.782. the benefit of the filiag date of which is
`hereby claimed under 35 U.S.C. 8 120.
`
`FIELD OF THE INVENTION
`
`invention generally relates to controlfing
`The present
`access to objects on a network, and more specifically, to a
`method and apparatus for coatrolling access to objects on a
`network in which a plurality of operating systems are used.
`
BACKGROUND OF THE INVENTION

Most operating systems for networks include provisions for controlling access to entities that are stored on the network or coupled to the network. The term "entity" is intended to broadly encompass hardware such as gateways to other networks, printers, and modems, and software such as directories, files, application programs, data, records, fields in a record, and cells in a spreadsheet; in other words, virtually any hardware or software aspect of a computer network. Regardless of whether the network is simply two computers coupled peer to peer, or a wide area network with thousands of users, a security system will typically be included to limit access rights to entities on the network and to identify each user that can connect to the network. As used herein, the term "access rights" is synonymous with "access permissions."

Control of access to entities on a computer network is very important. Data that are personal in nature or which comprise proprietary or sensitive information should not be freely accessible or usable by all of the individuals connected to the network. For example, E-Mail messages should only be accessible by the intended recipient. Personnel data files that include details about each employee in a corporation should only be accessible by a limited group, e.g., only by people in the human resource department of the corporation. The right to change the contents of files, read files, or execute files must often be restricted to specified users to maintain the network integrity or to satisfy licensing requirements that limit the number of people who can execute a program.

A network administrator is typically assigned the responsibility for establishing and maintaining defined groups of users, determining who has the right to connect to the network, and for initially determining the rights of each group and individual in respect to entities on the network. A group will normally include one or more users having some common relationship to the entities for which access rights are initially granted. For example, clerks in the accounting department of a corporation might comprise an "Accounting Group," which has full rights to certain accounting programs and to certain accounting data files, and limited rights to others. The manager of the accounting department would typically be a member of the "Accounting Group" and might also be a member of an "Accounting Supervisor Group," which has full rights to more sensitive accounting data files, and limited rights in extremely sensitive accounting data files.

The rights granted to a group or an individual determine whether members of that group or that user can control access to other entities on the system. Thus, a user with full rights in a directory can control access by other users on the network to that directory and to subdirectories of that directory or files that the user creates within that directory.

One form of access control to entities employs access control lists (ACLs) comprised of a set of access control entries (ACEs). An ACL may be associated with an entity on the network. An ACE typically includes an identifier (platform or operating system specific) for a user or a group and some encoding or representation, an access mask, that specifies the rights granted or denied to that user or group with regard to the object. An individual or group granted (or denied) rights to an object is referred to throughout this specification and in the claims that follow as a "trustee." The access mask represents an encoding of operations relevant to the entity and/or to the environment in which it is used. Accordingly, the ACL specifies who has access to the entity and the nature of that access.
Each network operating system, such as Microsoft Corporation's WINDOWS NT™ and Novell Corporation's NETWARE™, employs different protocols and formats for controlling access to entities on the network. An access control program is typically included with the operating system to establish the access rights for trustees to the various types of entities on the network, by producing the ACL for the entity. However, the access control programs for the different network operating systems are generally incompatible with each other, because of differences in the format and protocols that they use. In addition, the mechanism by which a new entity is assigned or inherits an ACL may be different on different network operating systems. For this reason, special purpose tools are required to manipulate access controls for each different network operating system/platform.

In larger networks, it is common for several different servers to be interconnected, and for the servers to be running different network operating systems and software. Under these circumstances, controlling access to objects on the network becomes more difficult. In order to establish access control on an object, it is first necessary to determine the server with which the object is associated or by which its access is controlled. Then, the appropriate tool or utility program for manipulating access control in the network operating system running on that server must be used to create or modify the ACL for the entity.

The task of controlling access to an entity may not be limited only to the network administrator; any trustee with the appropriate rights can establish access controls to the entity. Accordingly, requiring each such trustee to be familiar with the access control tools provided with each different network operating system is an unduly onerous burden to impose. Clearly, it would be much more efficient and require less specialized knowledge of the trustees on a network if setting access permissions could be made to appear independent of the network operating system and unique platform specific access control mechanism that controls access to an entity. Certain access operations that are generic to any entity, regardless of the network operating system involved, could then be effected by a trustee having the requisite rights, without requiring the trustee to possess intimate knowledge of the underlying network access protocol or tool.

SUMMARY OF THE INVENTION

In accordance with the present invention, a method is defined for controlling access to an entity on a network, where the entity comprises one of a plurality of different types of entities. The method includes the step of determining each trustee that can have access permissions to the entity by querying the network operating system. A generic request for controlling access to the entity is selected from a set of predefined generic requests. The generic request that was selected is translated into a format usable by the network operating system. Subsequently, the network operating system is caused to implement the request.

The entity preferably comprises either a container or an object and may include a software or hardware aspect of the network.

The method further comprises the step of enabling a user to request setting specific access rights to an entity associated with an application, from within the application, if the user possesses a right to set the specific access rights to the entity.

In response to a request by the user, the network operating system determines the trustees that can have the specific access rights assigned to them and returns a list of the trustees in a format that is independent of the network operating system on which the specific access rights are to be set. A user must have the right to grant access to the entity and can only affect the access rights of a trustee on the list. Another step of the method is to enable a user to view a trustee's access permissions to an entity.

Preferably, the set of predefined generic requests includes at least one of: (a) granting of access rights to the entity; (b) setting access rights to the entity; (c) denying access rights to the entity; (d) revoking explicit access rights to a specific entity; (e) replacing all access rights to the entity; (f) determining if access to the entity is permitted; (g) getting effective access rights for a specific entity; (h) listing trustees who have explicit access rights to the entity; and (i) enumerating all trustees who may be granted access rights to the entity.

Another aspect of the present invention is directed to a system for controlling access to an entity on a network. The components of the system include a processor. A plurality of machine instructions are executed by the processor to control the access to the entity. Execution of the machine instructions causes the processor to enable the user to specify at least one of a plurality of predefined generic requests for use in controlling access to the entity. In addition, the machine instructions executing on the processor comprise translation means for translating the specified predefined generic request for access control to the entity into a system request having a format usable by a network operating system running on a server associated with the entity. Implementation of the system request by the network operating system running on the server sets access to the entity accordingly.

Other elements and aspects of the system generally correspond to the steps of the method discussed above. Similarly, an article of manufacture is defined that is adapted for use with a computer. The article includes a memory medium in which are stored machine instructions, which when executed by a computer, implement functions generally consistent with the steps of the method.

Another aspect of the present invention is directed to a method for handling a request to change an access to an entity on a network by an account, where the entity may have existing inheritance attributes associated with it for the account. Based upon the existing inheritance attributes to the entity for the account and the existing permissions to the account for the entity, a list of access control entries that are used in controlling access to entities on the network is modified so as to grant the request without affecting any other existing access permissions in the list. This aspect is also covered in regard to the functions implemented by a computer and in regard to the functions implemented when machine instructions stored in a memory medium of an article of manufacture are executed by a computer.
BRIEF DESCRIPTION OF THE DRAWING FIGURES

The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram of a portion of a network that includes a plurality of workstations and a plurality of servers on which access is controlled in accordance with the present invention;

FIG. 2 is a functional block diagram illustrating the relationship between an application that executes on a workstation and the servers through which access to an entity is controlled using the present invention;

FIG. 3 is a reproduction of a File Manager screen that includes a menu enabling a user to selectively control access to a software entity;

FIG. 4 is a reproduction of a File Permissions dialog box that enables the user to select the trustee(s) and set the permissions for the trustee for a software entity;

FIG. 5 is an Add Users and Groups dialog box that enables a user to list trustees on a server and to add a trustee from the list to those included in the File Permissions dialog box;

FIG. 6 is another view of the File Permissions dialog box of FIG. 4;

FIG. 7 is a reproduction of a Print Manager screen showing the menu items available to the user to selectively control access to a printer or printer server;

FIG. 8 is a Printer Permissions dialog box in which a user can select the trustee(s) and set the permissions for a printer or print server;

FIG. 9 is a first portion of a flow chart that shows the logical steps implemented to select and control access to an entity on the network;

FIG. 10 is a second portion of the flow chart of FIG. 9;

FIG. 11 is a block diagram illustrating how a preferred embodiment of the present invention merges a request to affect access control into an access control list maintained on an operating system that maintains ACEs;

FIG. 12 is a block diagram illustrating the possible relationships between existing and requested access permissions, and existing and requested inheritance attributes;

FIG. 13 is a table showing how the relationship between the existing and requested permissions and inheritance attributes determines an appropriate action for merging an access control request into an access control list, if the requested access and the existing access are of the same type, e.g., both grant or both deny;

FIG. 14 is a table showing how the relationship between the existing and requested permissions and inheritance attributes determines an appropriate action for merging an access control request into an access control list, if the requested access and the existing access are of opposite types, e.g., one a grant and the other a deny;

FIG. 15 is a table showing the action definitions that apply in connection with the tables shown in FIGS. 13 and 14;

FIG. 16 is a table that lists the various combinations of inheritance flags used in the WINDOWS NT version of the present invention and indicates the entities affected by the inherited access permissions for each combination of inheritance flags;

FIG. 17 is a diagram illustrating the same information listed in the table of FIG. 16, where open circles indicate the container and sub containers, filled circles indicate sub objects (i.e., files), and dashed lines indicate the entities to which the inherited access permissions apply; and

FIG. 18 is a table that illustrates examples of the various relationships between the requested access inheritance and the existing access inheritance.
`
DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention will typically be implemented on a network that includes a plurality of servers running under different operating systems. A portion of an exemplary network 10 on which the invention might be used is shown in FIG. 1. Although not necessary to realize the advantages of the present invention, network 10 can be part of a wide area network in which different geographical locations are interconnected, either by high-speed data lines or by radio links, perhaps interconnecting hundreds of workstations at widely disparate locations. However, in the simplified diagram of FIG. 1, only three servers 12, 14, and 16 are shown, coupled by an Etherlink™ network 18 to two workstations 20 and 22, and to a printer 38. It will be understood by those of ordinary skill in the art that the present invention is also usable on other types of network configurations, such as a token ring or star configuration.

As is typical in a network, each of servers 12, 14, and 16 includes at least one hard drive 24 on which are stored a plurality of files, including data and applications that can be accessed by the workstations. In addition, each server is provided with a monitor 26. Although not specifically shown, each server can also be coupled to a keyboard for entry of commands and data used in configuring and controlling the operation of the server.

Each of the workstations 20 and 22 includes a processor chassis 28 and a hard drive 30 for storing programs, which can be executed by a central processing unit (CPU) that is disposed on a motherboard (neither shown) within processor chassis 28. A display screen 32 is coupled to the display port of the processor chassis on each of the workstations. The user can control the workstation and provide input of commands and data via a keyboard 34 and/or a mouse 36 (or other suitable pointing device). Each of workstations 20 and 22 can access any of servers 12, 14, or 16 through network 18. In addition, if the user who is signed-on to one of the workstations has the proper permissions, that workstation can direct printer output from an application to printer 38. Printer 38 includes its own network interface card (not shown), as do each of the workstations. Alternatively, printer 38 can be coupled to a print server (which may be another workstation), so that it communicates with the network through the parallel port of the print server and through the network interface card of the print server. These variations are well known to those of ordinary skill in the art of configuring and administering networks and need not be further discussed.

Although some networks employ multiple servers that run the same operating system, it is becoming increasingly common for a network to be coupled to a plurality of servers, each of which run different operating systems. For example, in network 10, server 12 may be booted up to run on Microsoft's WINDOWS NT operating system; server 14 may run under Novell's NETWARE™; and server 16 may operate under Distributed Computing Environment (DCE) UNIX or some other DCE compliant operating system. It is not intended that the present invention in any way be limited by the specific operating systems running on each of the plurality of servers in a network with which it is used. The method and system for controlling access to entities on the network to which the present invention is directed can readily be implemented to work with virtually any type of operating system and on almost any network configuration, and is not limited to those mentioned above.

As explained in the Background of the Invention, one of the primary functions of almost any network operating system is to control access to various software and hardware entities assigned to, controlled by, or otherwise associated with a server or workstation on which the operating system is running. However, each of these operating systems running on the various servers used in a network, such as servers 12, 14, and 16, may use different formats and parameters for setting the permissions that control access to each such entity by the users of the network. The entities to which access is controlled comprise both software resources such as directories (or folders) and files, and hardware objects such as printer 38. Thus, a user who has signed onto network 10 at workstation 20 would normally need to be aware of the appropriate format and command structure to set the access permissions to a particular file that is stored on one of these three servers on the exemplary network. First, however, the user would need to identify the server that is responsible for controlling access to the file or entity. Since the format and specific access commands used on each server that employs a different operating system will be different, it will be apparent that carrying out routine operations to set or modify access permissions to entities on a network that includes multiple servers running multiple operating systems can be both difficult and confusing.

The present invention is a set of routines for controlling access to certain entities on a network in a manner that does not require a user to identify the appropriate server and does not require that the user know the format for setting access permissions in the operating system running on that server. The routines comprising the present invention can either be integrated into or part of a network operating system, accessed from an application, or may be provided as a separate stand-alone application on a network. Generally, the routines enable a user to identify a specific entity for which access rights are to be set or modified. The routines, not the user, will determine the server that controls a specific entity. Once the user selects the entity, the trustee, and indicates the access rights to be applied, the routines will determine if the user has the right to set the requested permissions and whether the trustee has the required permissions relative to the entity, and if so, will convert the user's request into the appropriate format and function calls implemented in the operating system running on the server that controls the entity.

In a preferred embodiment of the present invention, these routines comprise a set of relatively high-level application programming interfaces (APIs). These APIs provide a relatively easy way to manipulate access to virtually any type of entity on a network that includes servers using different operating systems. While it is likely that certain operations relating to security or setting access permissions will be outside the scope of the generic control provided by these APIs, a user can always call a platform or operating system-specific API to accomplish such non-generic tasks. Thus, a goal of the present invention is to enable a user to control access rights for various entities on a network in a simple way that satisfies a majority of the requirements for setting permissions to the entities, while generally insulating the user from the various formatting and other operating system-specific access control parameters.
FIG. 2 is a functional block diagram, which is an overview illustrating how the present invention accomplishes generic access control for an entity on network 10. A user will likely access the network from a workstation, which is represented by a dash line block 40. A block 42 represents an application (program) from which access rights are to be controlled by the user at the workstation in block 40. It should be noted that the present invention can also be implemented from within an operating system shell (or desktop) or can be configured as a stand-alone utility. The application in block 42 from which the access permissions to an entity are to be set communicates with an access rights control interface in a block 44. This interface, which is coupled to the application and is thereby informed of the specific entity for which the permissions are to be set, causes the system to automatically determine the server that has the responsibility for controlling access to that entity and determines if the user has the rights to set the requested access permission for the entity.

Conceptually, each operating system/server maintains some form of persistent database that specifies each trustee for which access rights can be set in regard to any entity controlled by or associated with the server, and a data structure that specifies the requisite access controls. In the WINDOWS NT operating system, the data structure is called an "access control list" (ACL), but other types of data structures can also be used for this purpose. Normally, a network administrator is responsible for adding and deleting trustees from the list of trustees potentially active on a server. This function is not part of the present invention. As explained below, using the present invention, a user having appropriate permissions can readily access the database of trustees that specifies the trustees on a server and display the list of trustees for whom access permissions can be set on a specific entity controlled by that server. The process by which this is accomplished in the present invention is transparent to the user, and it is generally not necessary for the user to know the server that controls the entity for which access rights are to be modified, nor for the user to know the specific format used in the operating system running on that server in order for the user to set or modify the access rights to an entity. However, the user must have the permissions to modify the access rights to the entity in order to do so, and the trustee granted such rights must then have the required permissions.
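As an added example, not code from the patent, the following Python sketch of the access rights control interface routes a generic grant request to the server that controls an entity, validates the trustee against that server's trustee database, checks the caller's own right to change permissions, and translates the request into the server's native form (FIG. 9, steps 202 through 210; generic requests (a) and (i) of the Summary). The server names, entity paths, rights vocabulary and both native encodings are constructed for the example and do not reproduce the real WINDOWS NT or NETWARE formats.

```python
"""Generic access-control layer over servers with different native permission
formats (added example; not the patent's code).  Server names, rights
vocabulary and native encodings are assumptions for this illustration."""
from dataclasses import dataclass, field

# Generic vocabulary the layer accepts (assumed, small fixed set).
GENERIC_RIGHTS = frozenset({"read", "write", "delete", "change_permissions"})


class AccessError(Exception):
    """Raised where FIG. 9 returns FAIL / ACCESS DENIED."""


@dataclass
class Server:
    name: str
    os: str                       # "nt" or "netware" (assumed labels)
    trustees: set                 # the server's trustee database
    # entity path -> trustee -> generic rights currently held on that entity
    acls: dict = field(default_factory=dict)


def build_network() -> dict:
    """Constructed network: an NT-style and a NetWare-style server, each with
    an Administrator already holding change_permissions on one entity."""
    nt = Server("SERVER_NT2", "nt", {"Administrator", "johndoe", "janesmith", "Everyone"})
    nw = Server("NW1", "netware", {"Administrator", "johndoe", "acct_clerks"})
    nt.acls["\\\\SERVER_NT2\\tmp\\acls\\aclapi.dll"] = {"Administrator": {"change_permissions"}}
    nw.acls["\\\\NW1\\SYS\\ACCT\\ledger.dat"] = {"Administrator": {"change_permissions"}}
    return {s.name: s for s in (nt, nw)}


def controlling_server(net: dict, entity: str) -> Server:
    """Step 202: the routine, not the user, finds the server from the path."""
    if not entity.startswith("\\\\"):
        raise AccessError(f"{entity}: local entities are not modelled here")
    name = entity[2:].split("\\", 1)[0]
    if name not in net:
        raise AccessError(f"no server controls {entity}")
    return net[name]


def to_native(os_name: str, trustee: str, rights: set) -> str:
    """Translate generic rights into the server's native form (assumed
    encodings: an NT-style access mask, or NetWare-style rights letters)."""
    if os_name == "nt":
        bits = {"read": 0x1, "write": 0x2, "delete": 0x10000, "change_permissions": 0x40000}
        return f"ACE(trustee={trustee}, mask=0x{sum(bits[r] for r in rights):x})"
    if os_name == "netware":
        letters = {"read": "R", "write": "W", "delete": "E", "change_permissions": "A"}
        return f"TRUSTEE {trustee} [{''.join(sorted(letters[r] for r in rights))}]"
    raise AccessError(f"unsupported operating system {os_name}")


def enumerate_trustees(net: dict, entity: str) -> list:
    """Generic request (i): trustees who may be given rights on the entity,
    returned in a form that does not depend on the controlling server."""
    return sorted(controlling_server(net, entity).trustees)


def grant(net: dict, caller: str, entity: str, trustee: str, rights: set) -> str:
    """Generic request (a): grant rights to a trustee; returns the native entry
    the server ends up holding for that trustee."""
    unknown = set(rights) - GENERIC_RIGHTS
    if unknown:
        raise AccessError(f"unknown generic rights {sorted(unknown)}")
    server = controlling_server(net, entity)
    if trustee not in server.trustees:                          # step 203
        raise AccessError(f"{trustee} is not a trustee on {server.name}")
    entry = server.acls.setdefault(entity, {})
    if "change_permissions" not in entry.get(caller, set()):    # step 205
        raise AccessError(f"{caller} may not change permissions on {entity}")
    entry[trustee] = entry.get(trustee, set()) | set(rights)    # step 210
    return to_native(server.os, trustee, entry[trustee])


if __name__ == "__main__":
    net = build_network()
    nt_file = "\\\\SERVER_NT2\\tmp\\acls\\aclapi.dll"
    nw_file = "\\\\NW1\\SYS\\ACCT\\ledger.dat"
    print(enumerate_trustees(net, nt_file))
    print(grant(net, "Administrator", nt_file, "johndoe", {"read"}))
    print(grant(net, "Administrator", nw_file, "johndoe", {"read", "write"}))
```

The same generic call produces an access-mask entry on the NT-style server and a rights-letter assignment on the NetWare-style server, and the two failure paths of FIG. 9 (unknown trustee, caller without the right to change permissions) surface as AccessError before anything is written.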
In applying the permissions to an entity, the user defines a trustee and permission pair by selecting one or more trustee(s) from the list of possible trustees and selecting the type of access that will be set for the entity in regard to the selected trustee(s). The interface in the pres