Abstract

A method and system for controlling access by groups of users to multiple objects stored within a data processing system implemented library wherein each object has an access list associated therewith explicitly listing individual users permitted access to that object. A group identification is established which encompasses all users within the data processing system, a selected subset of users with the data processing system, or a single selected user and his or her designated affinity users or proxies. The group identification is then listed within an associated access list for a particular object and upon an attempted access of the particular object by a user not listed explicitly within the associated access list, a determination is made as to whether or not that user is listed within a group identification which is permitted access. In one embodiment of the present invention selected objects and users each have associated therewith a clearance level and access to a selected object by a particular user listed within a group identification may be denied if that particular user's clearance level does not meet or exceed the clearance level of the selected object.

Other References

• C. J. Date, An Introduction to Database Systems, vol. II, 1983, pp. 158-159
• Shien et al., "An N-Grid Model for Group Authorization", Proceedings of the Sixth Annual Computer Security Applications Conference, Dec. 3-7, 1990, pp. 384-392
• Wilms et al., "A Database Authorization Mechanism Supporting Individual and Group Authorization", Second International Seminar on Distributed Data Sharing Systems, 1982, pp. 273-29