Method and system for controlling access to data resources and protecting computing system resources from unauthorized access

摘要

The invention controls access to data resources by performing the steps of: providing (i) a first directory which relates data objects to object groups, each object group including all data objects having a common assigned security attribute; (ii) a second directory which relates functions to function groups, each function group including functions having a common execution attribute; (iii) a third directory which relates users to user groups, each user group including users having a common user attribute; and a permission directory which lists allowed combinations of (user group, function group, object group). In response to a request from a user to perform a function with respect to an object, the permission directory is examined to determine if the access request is to be allowed or not allowed.