WO2001048634A2 - Virtual resource attribute directory - Google Patents


Info

Publication number
WO2001048634A2
Authority
WO
WIPO (PCT)
Prior art keywords
file system
attributes
structure
stored
entity
Prior art date
Application number
PCT/CA2000/001568
Other languages
French (fr)
Other versions
WO2001048634A3 (en)
Inventor
Eugen Bacic
Tony White
Original Assignee
Texar Software Corp.
Priority date
Filing date
Publication date
Application filed by Texar Software Corp.
Priority to AU23369/01A (AU2336901A)
Priority to CA002395494A (CA2395494A1)
Publication of WO2001048634A2
Publication of WO2001048634A3

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database


Abstract

Computer data is stored in a real file system. Attributes pertaining to the files in the real file system are stored at corresponding locations in the virtual file system, thereby decoupling the storage of attribute information from the data. Typically the file attributes relate to security information.

Description

Virtual Resource Attribute Directory
Field of the Invention
This invention relates to computer security, and in particular a method of controlling access to files in a computer system.
Background of the Invention
Computer operating systems, such as Unix, MS DOS and Windows, typically organize files in a tree structure. These files are given attributes, which are stored along with the files in the directory structure. Such attributes can include security controls determining who is permitted to access the files. The tight binding of security attributes with the information that they secure found in traditional operating systems leads to a restrictive and inflexible security policy implementation that varies from operating system to operating system. As a result, especially in networks running multiple operating systems, this inflexibility makes it difficult to permit central administration of security policy within a system.
Summary of the Invention
According to the present invention there is provided a method of controlling access to computer data, comprising the steps of: creating a real file system in a computer for storing said data; creating a virtual file system that mirrors said real file system but lacks the stored data; and storing attributes pertaining to the files in said file system at corresponding locations in said virtual file system.
Typically the attributes contain security information determining who is permitted access to the files. The virtual file system is known as a virtual resource attribute directory. The essence of the invention is that it abstracts security away from the simple, fixed attributes that are available within particular operating systems. The invention ensures that enterprise security policies are defined outside of the operating system, are administered centrally and applied to a single type of structure, the entity. This uniformity ensures policy coherence within an enterprise. In another aspect the invention provides a virtual resource attribute directory comprising a shadow directory structure mirroring a real file structure and storing attributes of files in said real file structure without the associated data.
The Virtual Resource Attribute Directory (VRAD) defines the structure of the virtualized elements of the information being protected. The principal function of the VRAD is to mediate access to information elements. The VRAD provides a mechanism to ensure that the security attributes required for proper functioning of a security system exist and are accessible. The VRAD is unique for a variety of reasons:
• Non-intrusive to the virtualized system
• Full mapping of extant security controls to security attributes
• Additional security attributes per entity protected for fully realizable security policies
• Portable, non-system dependent
• Extensible and user configurable
• Easily manipulatable
The Virtual Resource Attribute Directory manages the security of information elements stored within it. The VRAD is thus a shadow of the real file system. For example, if the file system is a UNIX file system, then the VRAD would be a virtualization of the UNIX file system. At no point are the actual files modified in any way. No information is stored on the virtualized system other than that associated with the operational agents. There is a clear separation of security and information in a VRAD-managed system. The importance of the security features built into the operating system is significantly diminished.
Brief Description of the Drawings
The invention will now be described in more detail, by way of example only, with reference to the accompanying drawings, in which:-
Figure 1 is an example showing linked security servers; and
Figure 2 is an example showing cross linking of VRAD file systems.
Detailed Description of the Invention
Referring to Figure 1, it will be seen that the Virtual Resource Attribute Directory (VRAD) 10, typically stored on a hard disk, resembles a rooted tree structure 12. This tree structure 12 represents the parent-child relationships that are found in the directory structures of all important file systems. The root 14 of a VRAD can be a security server also known as a generic policy engine, which controls all aspects of security on a network. All elements in the VRAD are represented by entities and proxy entities.
All the VRADs 10 are connected by a super-tree which has at its terminals the VRADs of the virtualized systems as shown in Figure 2. The various VRADs need not be from the same type of operating system. The VRAD is utilized to create a homogenous representation of all the information that resides within a security controlled realm. This includes unified user and group lists to assist in single sign-on and Authentication Server services.
There remains, at all times, a one-to-one mapping between the physical machine with the resources being protected and a VRAD with the associated security attributes. The two are updated synchronously, via the use of agents, a security server, and message protocol to ensure that each remains perfectly synchronized.
The VRAD 10 stores entities. An entity is the data structure that forms the starting point for all security-related activities. As such, it describes a minimal set of properties that are considered essential for effective security while being fully extensible. Every entity in a VRAD has a unique key generated without relation to the information that it represents; i.e., nothing concerning the data can be inferred from a knowledge of the information and vice versa. The unique key associated with an entity is called the entity identifier, or eid. The eid is represented using a number of bits, n, making the maximum size of the realm 2^n entities. The entity has a security policy associated with it, the security policy being represented by a name in order that policies may be shared by multiple entities in the VRAD. The actual policy is stored in a private part of the VRAD that may only be accessed by security officers.
The attributes that are part of the entity are name, owner, data type, creation timestamp, last modified timestamp, last access timestamp and security policy. The data type attribute points at a data structure that stores attributes particular to the name of the resource that the entity represents. For example, an entity representing a machine would have the data type machine-ID. A machine-ID instance would store the location of the machine, its IP address, and operating system type.
Another type of data structure stored in a VRAD is a proxy entity. This provides a reference to an entity or another proxy entity that is managed outside of the realm in which the proxy is defined. The function of a proxy entity is to allow a security server to have access to entities outside of the realm without being responsible for their management and to remove the need for the generation of globally-unique entity identifiers across all realms within the enterprise. A proxy entity has a unique key (eid) similar to an entity and a URL that stores the location of the VRAD where the actual entity is stored. The URL consists of two pieces of information. First, the protocol, host and port for a remote security server are present. Second, the eid in the remote VRAD is present. A proxy entity can be thought of as a "pointer" to the actual entity. It should be noted that eids are unique within the realm, i.e., no two entities, proxy entities or an entity and a proxy entity can have the same eid.
When information on the actual entity is required, the GPE server managing the realm in which the entity is actually stored is contacted and the information retrieved using the InterRealm Security Protocol (IRSP).
All relationships between entities are stored in a single data structure known as the Entity Relationship (ER) data structure. A one-to-one relation between two entities is stored as a single instance of an ER data structure. A one-to-many, many-to-one or many-to-many relationship is represented as several instances of ER data structures. The ER data structure stores the two entities involved in a relationship, the name of the relationship and a qualifying operator. For example, an ER data structure can be used to store the relationships, "A may read B" and "A may not read B." The difference in representation between the examples in the previous sentence is in the value of the associated ER operator. Relationship data structures are used in policies associated with entities to respond to requests for access to an entity. The parent-child relationships that define the structure of a VRAD are stored using ER data structures.
A combination of one or more VRADs is called a Realm. A Realm contains all resources being protected, all users allowed access to those resources, all groups with which those users can be associated, and all physical machines (and their addresses) that represent the Realm. A realm defines a default security policy that is used when individual entities do not have a policy defined for them. This policy ensures that requests for access to resources will always be resolved.
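A minimal model of the entity, ER and realm-default-policy structures described above, as an added example that is not code from the patent. The policy names `er-rules` and `owner-only`, the operator values, the rule that a "may not" ER overrides a "may" ER, and the 64-bit eid width are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EID_BITS = 64                      # n bits per eid, so at most 2**n entities per realm
MAY, MAY_NOT, IS = "may", "may-not", "is"   # ER operator values (names assumed)


@dataclass
class Entity:
    eid: int                       # random key, unrelated to the data it describes
    name: str
    owner: Optional[int]           # eid of the owning user entity, if any
    data_type: str                 # e.g. "file", "directory", "user", "machine-ID"
    policy: Optional[str]          # policy *name*; None means "use the realm default"
    created: float = field(default_factory=time.time)
    modified: float = field(default_factory=time.time)
    accessed: float = field(default_factory=time.time)


@dataclass(frozen=True)
class ER:
    left: int                      # eid of the first entity
    relation: str                  # "read", "child-of", ...
    operator: str                  # MAY, MAY_NOT or IS
    right: int                     # eid of the second entity


class VRAD:
    """Shadow tree: holds attributes and relationships, never file contents."""

    def __init__(self, default_policy: str):
        self.entities: Dict[int, Entity] = {}
        self.relations: List[ER] = []
        self.policies = {"er-rules": VRAD._er_rules, "owner-only": VRAD._owner_only}
        self.default_policy = default_policy
        self.root = self.add("gpe", None, "realm-root")

    def add(self, name, owner, data_type, parent=None, policy=None) -> int:
        eid = secrets.randbits(EID_BITS)
        while eid in self.entities:            # eids must be unique within the realm
            eid = secrets.randbits(EID_BITS)
        self.entities[eid] = Entity(eid, name, owner, data_type, policy)
        if parent is not None:                 # tree structure is itself stored as ERs
            self.relations.append(ER(eid, "child-of", IS, parent))
        return eid

    def relate(self, left: int, relation: str, operator: str, right: int) -> None:
        self.relations.append(ER(left, relation, operator, right))

    def lookup(self, path: str) -> Optional[int]:
        """Map a real-file-system path to the eid at the mirrored location."""
        current = self.root
        for part in filter(None, path.split("/")):
            current = next(
                (r.left for r in self.relations
                 if r.relation == "child-of" and r.right == current
                 and self.entities[r.left].name == part),
                None,
            )
            if current is None:
                return None
        return current

    def mediate(self, subject: int, action: str, target: int) -> bool:
        """Answer an access request; the realm default makes every request resolvable."""
        entity = self.entities[target]
        policy = self.policies[entity.policy or self.default_policy]
        return policy(self, subject, action, entity)

    def _er_rules(self, subject, action, entity) -> bool:
        ops = {r.operator for r in self.relations
               if (r.left, r.relation, r.right) == (subject, action, entity.eid)}
        return MAY in ops and MAY_NOT not in ops   # assumed: deny overrides, no rule = deny

    def _owner_only(self, subject, action, entity) -> bool:
        return entity.owner == subject


def build_demo():
    """Constructed sample realm: two users, one machine, two files under /etc."""
    v = VRAD(default_policy="owner-only")
    alice = v.add("alice", None, "user", parent=v.root)
    bob = v.add("bob", None, "user", parent=v.root)
    m1 = v.add("machine1", None, "machine-ID", parent=v.root)
    etc = v.add("etc", alice, "directory", parent=m1)
    passwd = v.add("passwd", alice, "file", parent=etc, policy="er-rules")
    v.add("notes", alice, "file", parent=etc)          # no policy: realm default applies
    v.relate(alice, "read", MAY, passwd)
    v.relate(bob, "read", MAY, passwd)
    v.relate(bob, "read", MAY_NOT, passwd)             # same triple, different operator
    return v, alice, bob
```

The two ERs for bob differ only in the operator value, which is the representation the description gives for "A may read B" versus "A may not read B".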
Realms may act as containers for other realms managed by other security servers. The enterprise realm is special in that it acts as a container for all other realms in the enterprise. If an entity is stored within a particular realm, its security is managed by that realm.
Each entity stored within the VRAD has additional attributes and relationships to other entities associated with it. These include unique name, Entity ID, mandatory controls, etc. An entity includes a reference to another data structure by name that contains non-security specific information. For example, the physical location of a machine might be stored and used in a mediation function to prevent information legal in one country from being transmitted to a country in which that information is illegal.
Since the structure is tree-like, it is easy to manipulate the structure via a security messaging protocol designed to assist in walking a tree-like structure, and performing actions against it. Any tree-traversal algorithms can be utilized to manipulate the information stored within a VRAD.
VRAD trees can be linked across security servers in order to provide a security solution across an enterprise. The proxy entity concept is used to achieve this.
VRAD trees contain only entity or proxy entity data structures. The VRADs for the resources associated with each machine are stored as subtrees within the VRAD for the realm. The root of this tree is always an entity representing the GPE itself. This entity is called the realm root. The parent of the realm root is a proxy entity that represents the realm root, which is one level up in the enterprise security hierarchy. In the case of the enterprise realm root, it is its own parent. It is possible to walk to any realm in the enterprise by walking to the parent of the realm root given appropriate security permissions. When the parent of the realm root is requested, the proxy entity for the parent is retrieved. The IRSP is used to retrieve the eid of the remote entity if the requesting user has permission to do so.
Referring to Figure 2, two realms 10₁, 10₂ are represented. Realms 10₁ and 10₂ are managed by GPE1 and GPE2 respectively. When an agent walks from Machine1 to Files1, GPE1 (realm root), then to the parent GPE (realm root of a parent realm), and finally to Users2 on the remote GPE, the eid of Users2 under GPE2 is returned. This eid is served up to the user and a new proxy created within realm1. Garbage collection of this proxy entity occurs when the user no longer needs to access the remote entity.
While the above example has demonstrated linking of realms through the realm root entity, cross linking of VRADs at other points within the realm is possible. For example, in Figure 2, a child directory of machine4 in realm2 is managed by realm1. A proxy for dir22 is maintained in realm2 and a proxy for the root directory of machine., is stored in realm1. Walking from the root directory of machine,, takes the user to dir22 in realm1. Walking to the children of dir22 causes proxy entities to be generated in realm2 that are removed when the user tells the system that they may be discarded or when the user logs out from the system.
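The proxy-entity walk described above, reduced to two realms, as an added example that is not code from the patent. The `irsp://host:port/<hex eid>` URL syntax, the in-memory `network` dictionary standing in for the IRSP transport, the per-entity reader set and the host names are all assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit

EID_BITS = 64
SCHEME = "irsp"   # assumed scheme; the patent names the protocol, not a URL syntax


def proxy_url(server: str, eid: int) -> str:
    return f"{SCHEME}://{server}/{eid:x}"


def parse_proxy_url(url: str):
    """Split a proxy URL into (host:port of the remote security server, remote eid)."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or not parts.hostname or parts.port is None:
        raise ValueError("proxy URL must carry protocol, host and port")
    eid = int(parts.path.lstrip("/"), 16)
    if not 0 <= eid < 2 ** EID_BITS:
        raise ValueError("eid out of range")
    return f"{parts.hostname}:{parts.port}", eid


class Realm:
    def __init__(self, server: str, network: dict):
        self.server = server
        self.network = network          # host:port -> Realm, stands in for IRSP
        self.entities = {}              # eid -> {"name", "readers", "children"}
        self.proxies = {}               # eid -> {"url", "session"}
        network[server] = self

    def _new_eid(self) -> int:
        # One eid space per realm, shared by entities and proxy entities.
        while True:
            eid = secrets.randbits(EID_BITS)
            if eid not in self.entities and eid not in self.proxies:
                return eid

    def add_entity(self, name, readers=(), parent=None) -> int:
        eid = self._new_eid()
        self.entities[eid] = {"name": name, "readers": set(readers), "children": {}}
        if parent is not None:
            self.entities[parent]["children"][name] = eid
        return eid

    def add_proxy(self, url: str, session=None) -> int:
        parse_proxy_url(url)            # refuse to store a malformed pointer
        eid = self._new_eid()
        self.proxies[eid] = {"url": url, "session": session}
        return eid

    def irsp_child(self, user: str, eid: int, child_name: str) -> int:
        """Remote side: the realm that manages the entity makes the decision."""
        parent = self.entities.get(eid)
        child_eid = parent["children"].get(child_name) if parent else None
        child = self.entities.get(child_eid)
        if child is None or user not in child["readers"]:
            # Same answer for "missing" and "forbidden", so existence is not revealed.
            raise PermissionError("not permitted")
        return child_eid

    def walk(self, user: str, proxy_eid: int, child_name: str) -> int:
        """Local side: follow a proxy, then mint a session-scoped proxy for the result."""
        server, remote_eid = parse_proxy_url(self.proxies[proxy_eid]["url"])
        remote = self.network.get(server)
        if remote is None:              # only registered security servers are contacted
            raise LookupError("unknown security server")
        found = remote.irsp_child(user, remote_eid, child_name)
        return self.add_proxy(proxy_url(server, found), session=user)

    def logout(self, user: str) -> int:
        """Garbage-collect the proxies created for this user's session."""
        stale = [e for e, p in self.proxies.items() if p["session"] == user]
        for eid in stale:
            del self.proxies[eid]
        return len(stale)


def build_demo():
    """Constructed sample: realm1 holds a permanent proxy to realm2's realm root."""
    network = {}
    r1 = Realm("gpe1.example:7000", network)
    r2 = Realm("gpe2.example:7000", network)
    root2 = r2.add_entity("GPE2", readers={"alice"})
    users2 = r2.add_entity("Users2", readers={"alice"}, parent=root2)
    link = r1.add_proxy(proxy_url(r2.server, root2))
    return r1, r2, link, users2
```

The local realm never needs a globally unique identifier: it stores its own eid for the proxy and the remote eid only inside the URL.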
The invention provides a flexible approach to file security that is consistent across different operating systems.

Claims

We claim:
1. A method of controlling access to computer data, comprising the steps of: creating a real file system for storing said data; creating a virtual file system that mirrors said real file system but lacks the stored data; and storing attributes pertaining to the files in said file system at corresponding locations in said virtual file system.
2. A method as claimed in claim 1, wherein said attributes are security attributes.
3. A method as claimed in claim 2, wherein said virtual file system manages the security attributes stored within it.
4. A method as claimed in claim 3, wherein said virtual file system mediates access to said computer data in said real file system based on said stored attributes in said virtual file system.
5. A method as claimed in claim 4, wherein said virtual file system is organized in a tree structure representing parent-child relationships found in said real file system.
6. A method as claimed in claim 5, wherein said attributes are stored as entities describing the security properties of a corresponding file in said real file structure.
7. A method as claimed in claim 6, wherein each said entity has a unique key generated without relation to the data whose attributes it describes.
8. A method as claimed in claim 7, wherein each said key has a security policy associated with it to permit policies to be shared by multiple entities within the virtual file system.
9. A method as claimed in claim 7, wherein each said entity stores the following attributes: name, owner, data type, creation timestamp, last modified timestamp, last access timestamp, and security policy.
10. A method as claimed in claim 7, wherein said virtual file system also stores proxy entities referencing an actual entity stored in a different virtual file system to permit access to entities stored in said different virtual file system without requiring said first mentioned file system to be responsible for its management.
11. A method as claimed in claim 7, wherein all relationships between entities are stored in a single entity data structure.
12. A method as claimed in claim 7, wherein a plurality of said virtual file systems are linked through their roots.
13. A method as claimed in claim 7, wherein a plurality of said virtual file systems are cross linked at points on the tree structure.
14. A virtual resource attribute directory comprising a shadow directory structure mirroring a real file structure and storing attributes of files in said real file structure without the associated data.
15. A virtual resource attribute directory as claimed in claim 14, wherein said shadow directory structure is a tree structure.
16. A virtual resource attribute directory as claimed in claim 14, wherein said attributes are stored as entities describing the security properties of a corresponding file in said real file structure.
17. A virtual resource attribute directory as claimed in claim 16, wherein each said entity has a unique key generated without relation to the information whose attributes it describes.
PCT/CA2000/001568 1999-12-27 2000-12-21 Virtual resource attribute directory WO2001048634A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU23369/01A AU2336901A (en) 1999-12-27 2000-12-21 Virtual resource attribute directory
CA002395494A CA2395494A1 (en) 1999-12-27 2000-12-21 Virtual resource attribute directory

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US47260999A 1999-12-27 1999-12-27
US09/472,609 1999-12-27

Publications (2)

Publication Number Publication Date
WO2001048634A2 WO2001048634A2 (en) 2001-07-05
WO2001048634A3 WO2001048634A3 (en) 2004-02-26

Family

ID=23876217

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2000/001568 WO2001048634A2 (en) 1999-12-27 2000-12-21 Virtual resource attribute directory

Country Status (3)

Country Link
AU (1) AU2336901A (en)
CA (1) CA2395494A1 (en)
WO (1) WO2001048634A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2372116A (en) * 2001-02-08 2002-08-14 Accenture Multi-media management systems
US7039594B1 (en) 2000-07-26 2006-05-02 Accenture, Llp Method and system for content management assessment, planning and delivery

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5012405A (en) * 1986-10-17 1991-04-30 Hitachi, Ltd. File management system for permitting user access to files in a distributed file system based on linkage relation information
US5313646A (en) * 1989-02-24 1994-05-17 Sun Microsystems, Inc. Method and apparatus for translucent file system
EP0615192A1 (en) * 1993-03-09 1994-09-14 Kabushiki Kaisha Toshiba Method and apparatus for object traversing suitable for structured memory formed by linked objects
US5724578A (en) * 1994-12-07 1998-03-03 Fujitsu Limited File managing system for managing files shared with a plurality of users
US5897638A (en) * 1997-06-16 1999-04-27 Ab Initio Software Corporation Parallel virtual file system
WO1999039257A1 (en) * 1998-01-29 1999-08-05 Gemplus System and method for managing computer applications security

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GUSTAFSSON M ET AL: "Using NFS to implement role-based access control" ENABLING TECHNOLOGIES: INFRASTRUCTURE FOR COLLABORATIVE ENTERPRISES, 1997. PROCEEDINGS., SIXTH IEEE WORKSHOPS ON CAMBRIDGE, MA, USA 18-20 JUNE 1997, LOS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, 18 June 1997 (1997-06-18), pages 299-304, XP010253338 ISBN: 0-8186-7967-0 *
WALSH D ET AL: "OVERVIEW OF THE SUN NETWORK FILE SYSTEM" PROCEEDINGS OF THE WINTER USENIX CONFERENCE, XX, XX, 23 January 1985 (1985-01-23), pages 117-124, XP000748351 *

Also Published As

Publication number Publication date
AU2336901A (en) 2001-07-09
WO2001048634A3 (en) 2004-02-26
CA2395494A1 (en) 2001-07-05

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2000986944

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2395494

Country of ref document: CA

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 2000986944

Country of ref document: EP

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP