[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

GB2273585A - Temporary password access. - Google Patents

Temporary password access. Download PDF

Info

Publication number
GB2273585A
GB2273585A GB9226544A GB9226544A GB2273585A GB 2273585 A GB2273585 A GB 2273585A GB 9226544 A GB9226544 A GB 9226544A GB 9226544 A GB9226544 A GB 9226544A GB 2273585 A GB2273585 A GB 2273585A
Authority
GB
United Kingdom
Prior art keywords
data
user
access
security record
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9226544A
Other versions
GB9226544D0 (en
Inventor
Frank Murphy
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HANOVER
Original Assignee
HANOVER
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by HANOVER filed Critical HANOVER
Priority to GB9226544A priority Critical patent/GB2273585A/en
Priority to BE9201148A priority patent/BE1005100A6/en
Publication of GB9226544D0 publication Critical patent/GB9226544D0/en
Publication of GB2273585A publication Critical patent/GB2273585A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1483Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An access control circuit allows access to data in storage devices according to a user password. Additional access rights may be temporarily assigned by the access control circuit by reference to a security record which specifies relationships with blocks of data associated with other passwords. This allows versatility in controlling access to records while maintaining strict control. <IMAGE>

Description

"Securitv Operations in a Data Processor" The invention relates to the technical operations to ensure security of data stored in a data processing system, and in particular a data processing system comprising a plurality of data processors connected in a cluster, each being connected to a storage device such as a bank of fixed disk drives. Because the processors are connected in a cluster, each processor may access data stored on the storage device of another processor, although clearly for maintenance of fast response times, it is generally better for each processor to store its data on the storage device to which it is directly connected.
Such a data processing system generally has a large number of users which would generally all be employed by the same organisation. In particular, the users would be employed in different departments of an organisation, each of which will require access to different stored data. For example, people working in personnel will require access to wage and salary data, whereas people working in a sales department would require access to stock levels and sales data. In addition,# senior people in an organisation would generally require access to all or almost all of the stored data.
One approach to ensuring that there is not any unauthorised access to stored data is to route all access requests through an access control circuit which refers to passwords and various other indications of rights for the particular user to actively enable or disable signals.
According to this stored data, the user may have access to a certain block of data or not. Such an arrangement is satisfactory in some organisations. However, in large organisation where flexibility in working arrangements for staff is required this security arrangement is too rigid.
For example, it may be necessary for a member of the sales staff who must do a certain amount with purchasing data to locate a member of the purchasing staff and have him or her gain access to the relevant data.
The invention is directed towards providing a security control method which controls user access to data in a flexible manner to achieve the optimum advantages of strict access control and of maximum flexibility to provide for efficient management of an organisation.
According to the invention there is provided a data security control process carried out by a plurality of data processors connected in a cluster, each processor being connected to a storage device and having a memory circuit and a data access control circuit, the method comprising the steps of: each processor storing in a storage device a user identifer code; each processor storing in a storage device addresses for blocks of data which are addressable by a data device, the blocks of data being associated with the user identifer codes;; storing a security record in the storage device, the security record being associated with a user identifer code, the security record including at least one other user identifier code, the indicator and the associated user identifer code in the security record in combination specifying additional access rights for the data device associated with the security record; the data access control circuit allowing access to the blocks of data associated with the user identifer code; and upon receipt of an access request from a data device the user interface transmitting a request for access to additional blocks of data and the data access control circuit subsequently referring to the security record to determine which blocks of data may be accessed temporarily by the data device.
In one embodiment, the identifier of the security record indicates whether or not the block of data related to the adjacent user identifier code within the security record is a possible target for the data device or whether the block of data associated with the user for the security record may be accessed.
Preferably, additional access rights specified by the security record are disabled on disconnection of the user interface from the data within 6 the storage device.
The invention will be more clearly understood from the following description of some preferred embodiments thereof, given by way of example only with reference to the accompanying drawings in which: Fig. 1 is a diagrammatic view showing a data processing system of the invention; and Fig. 2 is a detailed diagram showing the manner in which security operations are carried out in the system.
Referring to the drawings, and initially to Fig. 1, there is shown a data processing system 1 which is constructed to carry out the security operations of the invention.
The system 1 comprises four processors 2(a), 2(b), 2(c) and 2(d), which are all interconnected by a cluster cable 3. Nodes 4 on the cluster cable 3 connect the processors 2 to terminal servers, which in turn are connected to terminals which act as the user interfaces to the system.
For clarity, the terminal servers and terminals are not shown in the drawing.
The processors 2 are connected to various peripheral devices, including banks 5(a), 5(b), 5(c) and 5(d) of fixed disks respectively. In addition, the processors 2(a), 2(b) and 2(c) are connected to tape drives 6(a), 6(b) and 6(c), respectively. The capacities of the banks of fixed disks are as follows: Bank 5(a) - 4 x 1GB Bank 5(b) - 2 x 600MB Bank 5(c) - 3 x 316MB Bank 5(d) - 3 x 316MB Total 7.68GB The tape drives 6(a), 6(b) and 6(c) are used for back-up purposes and for automatic archival of data.
The operating characteristics of the processors 2(a), 2(b), 2(c) and 2(d) are such as to allow up to 100 terminals communicate with the processors simultaneously.
Referring now to Fig. 2, circuits and stored files within one of the processors are shown. These circuits and stored data ensure security is maintained in access to data from various user interfaces. In more detail, three user interfaces 20 are shown, namely, those for User A, User B and User C. These interfaces are all connected to an access control circuit 21 which is constructed to route data access requests to any of the fixed disk drives on the cluster. For clarity, only three of the fixed disk drives are illustrated, two within the bank 5(a) and one within the bank 5(b). Address and data buses are indicated generally by the numeral 24, which includes both the local address and data bus of the relevant processor and also the cluster cable 3. Each one of the processors 2(a), 2(b), 2(c) and 2(d) includes an access control circuit 21. However, the user interfaces may be common to all processors as they are connected via the terminal server nodes 4 on the cluster cable 3.
Initially, on detection of an interface signal containing an access request, the access control circuit 21 retrieves from a fixed disk: (a) a file including user names and passwords; (b) technical interfacing data for network/cluster access; and (c) a user identifier code 22 and security record 23.
The user identifier code (UIC) 22 is 32 bits long, the first bit being 0, bits 2 to 15 specifying a group membership, and bits 16 to 32 specifying the particular member. For example, the bits 2 to 15 may specify that the user belongs to a sales group or indeed a purchasing group or any other group within an organisation. The bits 16 to 32 specify the particular user. UIC's A, B and C for Users A, B and C are shown in the drawing. Every data device of the system 1 also has an associated UIC 22, for example a data or a program file.
Associated with each UIC there is a set of access control instructions (not shown) which indicates to the access control circuit the blocks of data locations to which access should be allowed for that user.
Each security record 23 comprises a list of one or more UICs for other users. For example, in the security record 23 for User B three other UICs are listed, namely, UICq, UICr and UICs. Associated with each listed UIC in the security record is an indicator which specifies an additional control access right for the user. In this embodiment, there are three possible indicators 00, 01 and 10. The identifer 00 specifies that the UIC to which it is related is a possible target for the user to which the security record relates. For example, it specifies that User B may access temporarily the block of data to which access is normally only allowed to the data device or user of UICr. The identifer 01 specifies that the device or user of the related UIC is the only device or user who can access data to which access is allowed under the UIC of the security record.For example, the user or device associated with UICs is the only user who may access the block of data to which access is allowed to User B.
Finally, the identifer 10 (binary) specifies that the user may have temporary access to all data except that associated with the particular UIC. For example, User B may have access to all blocks of data, except those to which access is only allowed for the user or device associated with UICq. It will be appreciated that in the security records 23 there may be overlaps in the additional controlled access specifiers. For example, an identifer 10 and an identifer 01 may overlap in the additional rights which are given.
Immediately on completion of the particular process, the user is again restricted to his particular UIC as the rights given by reference to the security record 23 are temporary only.
The diagram in Fig. 2 shows the security records for the Users A, B and C, however, it will be appreciated that in the system 1 there are many users and thus, the advantages of having a simple security record which not only can disable access to a set block of data but also temporarily access additional blocks of data in a very simple, efficient and controlled manner. This is extremely important in that a very small amount of processing power is required in order to control the situation. It will also be appreciated that the security record may be easily changed so that a large level of control is given to a supervisor in determining exactly who can access blocks of data either temporarily or on an on-going basis.An important aspect of the invention is that it avoids the situation where a supervisor is tempted to give a higher level of access rights than is desirable to achieve the necessary flexibility. The technical operations of the invention solve this problem in a simple manner. Another important aspect is that the access control circuit may control accesses of devices, files, programs within the system.
What has been achieved by the invention is the controlled access to data in a very flexible manner which allows for versatility in work practices or personnel and which requires very little processing power. An example of the type of data to which the invention relates particularly well is to cash received and on account in an organisation, such as a retail trading organisation.
Versatility in control of additional controlled access may also be achieved in a simple manner.
The invention is not limited to the embodiments hereinbefore described but may be varied in both construction and detail.

Claims (4)

CIAIXS
1. A data security control process method carried out by a plurality of data processors connected in a cluster, each processor being connected to a storage device and having a memory circuit and a data access control circuit, the method comprising the steps of: each processor storing in a storage device a user identifer code; each processor storing in a storage device addresses for blocks of data which are addressable by a data device, the blocks of data being associated with the user identifer codes; storing a security record in the storage device, the security record being associated with a user identifer code, the security record including at least one other user identifier code, the indicator and the associated user identifer code in the security record in combination specifying additional access rights for the data device associated with the security record;; the data access control circuit allowing access to the blocks of data associated with the user identifer code upon receipt of an access request from a data device; and the user interface transmitting a request for access to additional blocks of data and the data access control circuit subsequently referring to the security record to determine which blocks of data may be accessed temporarily by the data device.
2. A method as claimed in claim 1, wherein the identifer of the security record indicates whether or not the block of data related to the adjacent user identifer code within the security record is a possible target for the data device or whether the block of data associated with the user for the security record may be accessed.
3. A method as claimed in claims 1 or 2 wherein additional access rights specified by the security record are disabled on disconnection of the user interface from the data within the storage device.
4. A method substantially as hereinbefore described with reference to and as illustrated in the accompanying drawings.
GB9226544A 1992-12-21 1992-12-21 Temporary password access. Withdrawn GB2273585A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB9226544A GB2273585A (en) 1992-12-21 1992-12-21 Temporary password access.
BE9201148A BE1005100A6 (en) 1992-12-21 1992-12-23 Operations security in a data processor.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB9226544A GB2273585A (en) 1992-12-21 1992-12-21 Temporary password access.
BE9201148A BE1005100A6 (en) 1992-12-21 1992-12-23 Operations security in a data processor.

Publications (2)

Publication Number Publication Date
GB9226544D0 GB9226544D0 (en) 1993-02-17
GB2273585A true GB2273585A (en) 1994-06-22

Family

ID=25662682

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9226544A Withdrawn GB2273585A (en) 1992-12-21 1992-12-21 Temporary password access.

Country Status (2)

Country Link
BE (1) BE1005100A6 (en)
GB (1) GB2273585A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1016925A2 (en) * 1998-12-28 2000-07-05 Eastman Kodak Company Method and system for handling user and producer photofinishing customization data for a film unit

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69533938T2 (en) * 1994-06-20 2005-12-22 Faith, Inc. NETWORK SYSTEM AND NETWORK MANAGEMENT SYSTEM

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0220920A1 (en) * 1985-10-28 1987-05-06 Hewlett-Packard Company Instruction for implementing a secure computer system
GB2248324A (en) * 1990-09-25 1992-04-01 Uken Data security in a computer network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0220920A1 (en) * 1985-10-28 1987-05-06 Hewlett-Packard Company Instruction for implementing a secure computer system
GB2248324A (en) * 1990-09-25 1992-04-01 Uken Data security in a computer network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1016925A2 (en) * 1998-12-28 2000-07-05 Eastman Kodak Company Method and system for handling user and producer photofinishing customization data for a film unit
EP1016925A3 (en) * 1998-12-28 2004-01-28 Eastman Kodak Company Method and system for handling user and producer photofinishing customization data for a film unit

Also Published As

Publication number Publication date
BE1005100A6 (en) 1993-04-20
GB9226544D0 (en) 1993-02-17

Similar Documents

Publication Publication Date Title
US4995112A (en) Security system
US4937736A (en) Memory controller for protected memory with automatic access granting capability
WO1995000910A1 (en) Computer network with reliable and efficient removable media services
EP0756730A1 (en) Data storage
GB2273585A (en) Temporary password access.
GB2248324A (en) Data security in a computer network
CA2231872A1 (en) Controlling shared disk data in a duplexed computer unit
IE922906A1 (en) Security operations in a data processor
IES62686B2 (en) Security opertions in a data processor
EP0723231A2 (en) Method and apparatus for preventing inadvertent changes to system-critical files in a computing system
US6397270B1 (en) System for indirect communication between two computers, each having write access to its own portion of a dual-access disk drive and read access to the entire drive
JPS6272049A (en) Resource using control method in information processing system
JPH10334050A (en) Communication system
GB2274524A (en) Data security in a network file server.
JP2773830B2 (en) Book management system
EP0434876A1 (en) A computer system for unit trust processing functions
JPS60241346A (en) Storage system of ring network
JPH05108273A (en) Computer system
JP2003296174A (en) Device for referring to and updating data in real time
JP2000047923A (en) File access system and file controller
TW351880B (en) Load balancing across the processor of a server computer
AU690247C (en) Data storage
JPH02144739A (en) Remote file access system
IE930042A1 (en) Control of data storage devices
Teplitzky Security in a Client/Server Environment

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)