Title of invention: RESTRICTING ACCESS TO OBJECTS CREATED BY PRIVILEGED COMMANDS
Abstract: A method and system for restricting access to objects created by privileged commands. In an RBAC environment, execution of certain privileged commands creates objects, which typically have traditional access permissions based on the user ID and not the role. To enhance security of these objects, a new security attribute is introduced. The security attribute can be associated with the privileged command. Therefore, whenever a privileged command creates an object, the security attribute associated with the privileged command is applied to the object. The security attribute can mask the traditional access permissions of the object and modify the access permissions, which can be stored along with the object. An AND operation can be performed on the traditional access permissions and the security attribute to determine the modified permissions of the object. Further, an authorized user can modify, add, delete, or customize the security attribute at any time.
Publication number: US2010242083(A1)  Publication date: 2010.09.23
Application number: US20090409141  Filing date: 2009.03.23
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION  Inventors: BEGUM HUSSAINA N.; KOIKARA GEORGE M.; PATTANSHETTI MANJUNATH A.
Classification: H04L9/32  Main classification: H04L9/32
Agency:  Agent:
Main claim:
Address: