Method and system for enhanced access control based on roles in distributed and centralized computer systems

Abstract

A method and system for registration, authorization, and control of access rights in a computer system are disclosed in the present invention. The inventive method for controlling access rights of subjects (1) on objects (4) in a computer system uses parameterized role types (2) that can be instantiated into role instances (4) equivalent to roles or groups as known from the prior art. The required parameters are provided by the subject (1) of the computer system, e.g. by a person (5), a job position (6) or an organization unit (7). Furthermore, the inventive method provides relative resource sets (8) which are instantiated into concrete resource sets (9) and individual resources (10) by using the same parameter values as for instantiating the role types. The inventive system for authorization and control of access rights as disclosed in the present invention comprises capability lists (30) providing the access rights of the subjects (1) on the objects (4) of a computer system on a per-subject basis. Furthermore, the inventive system comprises means for deriving (32) access control lists (31) from capability lists (30), wherein said access rights of the subjects (1) on the respective objects (4) are provided.
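
The scheme in the abstract, sketched as an added Python example (not code from the patent): a role type is instantiated with parameters supplied by the subject, the same values turn relative resource sets into concrete ones, and per-subject capability lists are inverted into per-object access control lists. The path-template model and the names TELLER, SAFE_VALUE, instantiate, capability_list and derive_acls are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample role type (not from the patent): parameter names plus
# relative resource sets, modelled here as path templates with rights.
TELLER = {
    "name": "teller",
    "params": ("branch",),
    "grants": {"/branches/{branch}/accounts": {"read", "update"},
               "/branches/{branch}/reports": {"read"}},
}
SAFE_VALUE = re.compile(r"[a-z0-9-]+")  # assumption: values are simple identifiers

def instantiate(role_type, subject_attrs):
    """Bind a role type's parameters from the subject; return (role instance, concrete resource sets)."""
    values = {}
    for p in role_type["params"]:
        v = subject_attrs.get(p)
        if v is None or not SAFE_VALUE.fullmatch(v):
            raise ValueError(f"bad or missing parameter {p!r} for {role_type['name']}")
        values[p] = v
    instance = (role_type["name"], tuple(sorted(values.items())))
    # The same parameter values instantiate the relative resource sets.
    concrete = {t.format(**values): set(r) for t, r in role_type["grants"].items()}
    return instance, concrete

def capability_list(subject_attrs, role_types):
    """Per-subject view: resource -> rights, merged over the subject's role instances."""
    caps = defaultdict(set)
    for rt in role_types:
        for resource, rights in instantiate(rt, subject_attrs)[1].items():
            caps[resource] |= rights
    return dict(caps)

def derive_acls(capability_lists):
    """Invert per-subject capability lists into per-object access control lists."""
    acls = defaultdict(dict)
    for subject, caps in capability_lists.items():
        for resource, rights in caps.items():
            acls[resource][subject] = set(rights)
    return dict(acls)

# Constructed subjects; each supplies the parameter values itself.
SUBJECTS = {"alice": {"branch": "zurich"}, "bob": {"branch": "geneva"}}
CAPS = {s: capability_list(a, [TELLER]) for s, a in SUBJECTS.items()}
ACLS = derive_acls(CAPS)
```

Rejecting parameter values that are not plain identifiers keeps a subject-supplied value such as `../geneva` from instantiating a resource set outside the one the role type intends.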
