Title: SYSTEM AND METHOD FOR ACCESS CONTROL AND IDENTITY MANAGEMENT
Abstract: In a computer environment, a mechanism for the flow of access by means of derivation is provided. Typically, access rights granted with respect to an access point flow from (or derive from) an access provider to an access recipient. Typically, the access provider is a function and the access recipient is a function. The access point may be any object, such as a file or a function, to which the access recipient is granted access rights by the access provider. Access is typically represented by a relationship object referencing the access provider function, the access recipient function, the access point object, and a set of access rights. There are typically different types of access, including read access, write access, and membership access. Therefore, the membership access relationship is typically represented as a subtype of the general/abstract access relationship. Membership is the idea that a first function can gain access to a second function, so that the first function becomes a member of the second function. The membership access relationship (MAR1) maps the access provider role to a function A, maps the access recipient role to a function B, and maps the access point role to a function C, wherein function A is the function doing the membership inviting and therefore providing access (as the access provider), function B is the function being invited and therefore receiving access (as the access recipient), and function C (the access point) is the function into which function B is obtaining membership. When a membership access relationship (MAR1) is created, typically a new associated persona function is generated, representing the new identity created for the access recipient function (function B) while serving as a member of the access point function (function C).
Because the persona (persona1) is typically a function, additional rights may be granted to or granted by persona1, such as rights granted by persona1 (as the access provider in a new access relationship) or rights granted to persona1 (as the access recipient in a new access relationship). After a persona (persona1) is created, it may itself be invited by a function 3 to become a member in another function (function 4), thereby creating another membership access relationship (MAR2) in which MAR2's access recipient is persona1, MAR2's access provider is function 3, and MAR2's access point is function 4. A second persona (persona2) is then typically automatically created representing the new membership access (MAR2). Persona2 is then said to derive from persona1, since persona2 is based on persona1. In this way, identity derivation is provided so that persona1 has a derived persona2 (and persona2 derives from persona1). Persona1 may have a plurality of derived personas, including persona2, persona3, and persona4. Since these derived personas are based on persona1, if persona1 is deleted, persona2, persona3, and persona4 (the derived personas) may also be deleted. So, a new technique is provided by which a function may be invited to participate in a plurality of other functions, wherein each membership "invite" is expressed by a new membership access relationship and each such membership access relationship results in the creation of a new and associated persona. When a persona function is invited to be a member in another function, that in turn generates a membership and a second persona that is derived from the first persona, resulting in identity derivation.
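The relationship, persona and derivation model the abstract describes, as an added Python sketch that is not the applicant's code (all class and method names are assumed): inviting a persona creates a derived persona, and deleting a base persona cascades to every derived persona and to the rights granted to them, so revoking one membership also revokes the access chain built on top of it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)  # identity comparison: two functions are equal only if the same object
class Function:
    """Any actor or object in the environment: a user, a group, a file, or a generated persona."""
    name: str
    derives_from: Optional["Function"] = None  # set only on a persona created for another persona

@dataclass(eq=False)
class AccessRelationship:
    provider: Function       # function granting the access
    recipient: Function      # function receiving the access
    access_point: Function   # object the access is granted to
    rights: frozenset        # e.g. {"read"}, {"write"}, {"membership"}

@dataclass(eq=False)
class MembershipAccessRelationship(AccessRelationship):
    persona: Optional[Function] = None  # identity of recipient while a member of access_point

class Environment:
    def __init__(self):
        self.relationships = []
        self.personas = []

    def grant(self, provider, recipient, access_point, rights):
        rel = AccessRelationship(provider, recipient, access_point, frozenset(rights))
        self.relationships.append(rel)
        return rel

    def invite(self, provider, invitee, group):
        """Create a membership access relationship and its associated persona (hypothetical naming)."""
        base = invitee if invitee in self.personas else None  # persona-of-a-persona => derivation
        persona = Function(f"{invitee.name}@{group.name}", derives_from=base)
        self.personas.append(persona)
        mar = MembershipAccessRelationship(provider, invitee, group, frozenset({"membership"}), persona)
        self.relationships.append(mar)
        return mar

    def delete_persona(self, persona):
        """Delete a persona, every relationship it takes part in, and (recursively) all derived personas."""
        for derived in [p for p in self.personas if p.derives_from is persona]:
            self.delete_persona(derived)
        self.relationships = [r for r in self.relationships
                              if persona not in (r.provider, r.recipient, r.access_point)
                              and getattr(r, "persona", None) is not persona]
        self.personas.remove(persona)

    def rights_of(self, subject, access_point):
        return frozenset().union(*(r.rights for r in self.relationships
                                   if r.recipient is subject and r.access_point is access_point))

def example():
    """Constructed walk-through of MAR1, MAR2, persona derivation and cascading deletion."""
    env = Environment()
    a, b, c, f3, f4, doc = (Function(n) for n in ("A", "B", "C", "function3", "function4", "doc"))
    p1 = env.invite(a, b, c).persona        # MAR1: B joins C, persona1 is created
    p2 = env.invite(f3, p1, f4).persona     # MAR2: persona1 joins function4, persona2 derives from it
    env.grant(f4, p2, doc, {"read"})        # a right granted to the derived persona
    before = env.rights_of(p2, doc)
    env.delete_persona(p1)                  # cascades to persona2 and its grant
    return p2.derives_from is p1, before, env.rights_of(p2, doc), p2 in env.personas
```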
Publication number: US2017011226(A1) Publication date: 2017.01.12
Application number: US201615076363 Filing date: 2016.03.21
Applicant: Skai, Inc. Inventor: HENDERSON Charles E.
Classification: G06F21/62;H04L29/06 Main classification: G06F21/62
Agency: Agent:
Main claim:
Address: Arlington VA US