Title: Assignment of security contexts to define access permissions for file system objects
Abstract: A system and method are provided for restricting various operations in a file system based on security contexts. An object security context, including permissible roles and defining a set of access permissions associated with each of the permissible roles, is assigned to a file system object. A user security context is assigned to a user based on authentication information from the user, and the user security context identifies a user role for the user. An executable security context is assigned to an executable program. When the user has launched the executable program, a process is created and assigned both the user security context and the executable security context. Responsive to the process attempting to access the file system object, at least one of the user security context and the executable security context is verified against the object security context to determine whether the attempted access should be allowed.
Publication number: US9230128 (B2); Publication date: 2016.01.05
Application number: US201414203390; Filing date: 2014.03.10
Applicant: Protegrity Corporation; Inventors: Rozenberg Yigal; Mattsson Ulf; Ortega Raul
Classification: G06F21/62; G06F21/52; G06F21/55; Main classification: G06F21/62
Agent: Fenwick & West LLP; Attorney: Fenwick & West LLP
Independent claim 1. A method of restricting access to a file system object, comprising:
  assigning, by a security context server, an object security context to the file system object, the object security context including one or more permissible roles and defining a set of access permissions associated with each of the one or more permissible roles, the file system object stored in a file server communicatively coupled to the security context server, the security context server comprising at least one hardware processor, the file server comprising at least one non-transitory computer-readable storage medium;
  assigning, by the security context server, an executable security context to an executable program stored by a program server, the security context server communicatively coupled to the program server, the program server comprising at least one hardware processor;
  receiving, from a client device communicatively coupled to the security context server, authentication information from a user;
  assigning, by the security context server, a user security context to the user based on the received authentication information, the user security context identifying a user role for the user;
  responsive to detecting that the user has launched the executable program to create a process, assigning, by the security context server, the user security context of the user and the executable security context of the executable program to the process;
  intercepting, by the security context server, an attempt by the process to perform an access operation on the file system object;
  verifying, by the security context server, at least one of the user security context and the executable security context against the object security context to determine whether the access operation should be allowed; and
  responsive to determining that the access operation should be allowed, enabling the process to perform the access operation on the file system object.
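The following is an added illustration of the access check claimed above, not code from the patent or from Protegrity. It models the three security contexts and a process carrying both the user's and the executable's context; the assumption that the executable security context holds a permission ceiling (the patent does not specify its contents), the sample user table and the role names are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Flag, auto

class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()

@dataclass(frozen=True)
class ObjectSecurityContext:
    role_perms: dict  # permissible role -> permissions granted to that role

@dataclass(frozen=True)
class UserSecurityContext:
    role: str  # the user role identified after authentication

@dataclass(frozen=True)
class ExecutableSecurityContext:
    # Assumption: the executable context carries a permission ceiling that caps
    # what the program may do on any object, regardless of the launching user.
    program: str
    allowed: Perm

@dataclass(frozen=True)
class Process:
    user_ctx: UserSecurityContext
    exec_ctx: ExecutableSecurityContext

# Constructed sample: authenticated identities and their assigned user contexts.
USER_CONTEXTS = {"alice": UserSecurityContext("dba"),
                 "bob": UserSecurityContext("analyst")}

def launch(username: str, exec_ctx: ExecutableSecurityContext) -> Process:
    """Create a process that carries both the user's and the program's context."""
    user_ctx = USER_CONTEXTS.get(username)
    if user_ctx is None:
        raise PermissionError(f"no user security context assigned to {username!r}")
    return Process(user_ctx, exec_ctx)

def check_access(proc: Process, obj: ObjectSecurityContext, requested: Perm) -> bool:
    """Verify both contexts carried by the process against the object context."""
    if requested == Perm.NONE:
        return False
    # A role absent from the object's permissible roles gets nothing ...
    role_perms = obj.role_perms.get(proc.user_ctx.role, Perm.NONE)
    # ... and the executable's ceiling further restricts what the role may do.
    effective = role_perms & proc.exec_ctx.allowed
    return requested in effective
```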
Address: Grand Cayman KY