
WO2000051288A2 - Modification of the itu-t recommendation x.741 for a uniform access protection of managed objects and files - Google Patents


Info

Publication number
WO2000051288A2
Authority
WO
WIPO (PCT)
Prior art keywords
managed objects
recommendation
file
access
attribute
Application number
PCT/DE2000/000517
Other languages
German (de)
French (fr)
Other versions
WO2000051288A3 (en)
Inventor
Herwig Kittl
Maria Lauer
Klaus-Dieter Müller
Bernhard Nauer
Josef Glösmann
Original Assignee
Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft
Priority to DE10080454T (DE10080454D2)
Publication of WO2000051288A2
Publication of WO2000051288A3

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                                • G06F21/6236 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
                        • G06F2221/2145 Inheriting rights or properties, e.g. propagation of permissions or restrictions within a hierarchy
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/04 Network management architectures or arrangements
                        • H04L41/052 Network management architectures or arrangements using standardised network management architectures, e.g. telecommunication management network [TMN] or unified network management architecture [UNMA]
                    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • Object model: the object model previously used and defined in ITU-T rec. X.741 remains unchanged and is extended allomorphically by the subclasses required for file access protection.
  • Allomorphic extension of the object model means that an object model derived from a given object model is handled as an instance of that given object model.
  • The aim of this type of implementation is to reuse object classes that are already defined and that remain usable for file access protection.
  • FIG. 3 shows an example of relationships in an object model in which, by inheritance IH (for: inheritance), an object class access control rules ACR (for: accessControlRules) and an object class file access control rules FACR (for: fileAccessControlRules) are formed from an object class access control AC (for: accessControl).
  • AC: object class access control (for: accessControl)
  • ACR: object class access control rules (for: accessControlRules)
  • FACR: object class file access control rules (for: fileAccessControlRules)


Abstract

The ITU-T recommendation X.741 is provided for access protection of managed objects. According to the invention, said recommendation is modified in such a way that it can also be used for access protection of files. This results in uniform access protection with uniform handling and uniform management. Particular embodiments of the invention can be obtained by completing the existing object model for access protection of managed objects with an additional object model for access protection of files, by enlarging the existing object model for access protection of managed objects with subclasses for access protection of files, and by enlarging the existing object model to form a novel object model for managed objects and files. The inventive model can be realised as an independent model for file protection.

Description

Modification of the ITU-T recommendation X.741 for uniform access protection of managed objects and files
The ITU-T (International Telecommunication Union, Telecommunication Standardization Sector) recommendation X.741 is currently intended only for access protection of managed objects.
The subject matter of the application relates to a method for realizing uniform access protection of managed objects and files based on ITU-T recommendation X.741, comprising the features of the preamble of claim 1, 4 or 5.
ITU-T recommendation M.3010 describes the architecture and the interfaces of a Telecommunication Management Network TMN. The interface between operations systems and network elements is designated Q3, that between the operations systems X. In order to realize these two TMN interfaces, the Common Management Information Protocol (CMIP) described in ITU-T rec. X.710/X.711 was developed and managed objects were introduced, in which the management information is stored. The managed objects are administered with CMIP. The managed objects are described with GDMO (Guidelines for the Definition of Managed Objects) in accordance with ITU-T rec. X.720 to X.722. In practice, this realization of the Q3 and X interfaces is not sufficient. For the storage of mass data (e.g. accounting data), files are used, which are accessed by means of file transfer (e.g. via File Transfer Access Method FTAM or File Transfer Protocol FTP). In TMN standardization (e.g. at ETSI), both CMIP and FTAM were considered for the realization of the Q3 and X interfaces. Access protection of the managed objects is described in ITU-T rec. X.741. ITU-T rec. X.741 interprets and applies the access control model described in ITU-T X.812 to management applications that use CMIP as the management protocol. It defines an object model with which access rights can be managed at the object class, object instance, attribute and attribute value level. A direct application of ITU-T rec. X.741 to file access is not possible.
Until now, access control of managed objects and of files has been solved in different ways. For example, in the vendor-specific telecommunications switching system EWSD (Elektronisches Wählsystem Digital), access control of managed objects is carried out on the basis of ITU-T rec. X.741, whereas a proprietary solution is used for file access control.
The subject matter of the application is based on the problem of adapting the object model described in ITU-T rec. X.741 so that it can be used uniformly both for access protection of managed objects and for access protection of files.
The problem is solved, in a subject matter outlined by the features of the preamble of claim 1, 4 or 5, by the features of the characterizing part of claim 1, 4 or 5, respectively.
The subject matter of the application makes use of the insight that the schemes described in ITU-T rec. X.741 for access control of managed objects (access control list schemes, label based schemes, context based schemes or capacity based schemes) can be transferred to file access control. The subject matter of the application develops ITU-T rec. X.741 further in such a way that it becomes usable for access protection of files that are accessed by file transfer (e.g. with FTAM or FTP). Access protection of managed object classes and of files is realized in a uniform form, which offers an operator uniform handling (look and feel) and uniform management of access protection. Synergy effects can be achieved in realizing the uniform access protection. The file access protection provided by the subject matter of the application is independent of the file management system and of the access method. It can be used, for example, for FTAM (ISO 8571) and for FTP (RFC (Request for Comments) 959 and 1123). The subject matter of the application can be realized as an independent model for file protection.
Advantageous further developments of the subject matter of the application are specified in the subclaims.
According to a particular embodiment of the subject matter of the application, the object model defined in ITU-T rec. X.741 remains unchanged and is extended allomorphically by the subclasses required for file access protection. The original model thereby remains unchanged, so that no change of the implementation is necessary.
The subject matter of the application is explained in more detail below as an exemplary embodiment, to the extent necessary for understanding, with reference to figures, in which:
Fig 1 shows a basic illustration of the general relationship of a telecommunication management network to a telecommunications network,
Fig 2 shows an exemplary embodiment of the simplified physical architecture of a telecommunication management network, and Fig 3 shows relationships in an object model.
In the figures, the same designations denote the same elements. ITU-T rec. M.3010 describes the architecture and the interfaces of a Telecommunication Management Network TMN. The interface between operations systems and network elements is designated Q, that between the operations systems X.
Fig 1 shows general relationships of a telecommunication management network TMN to a telecommunications network TN. A Data Communication Network DCN is connected to several operating systems OS, a workstation WS, another telecommunication management network oTMN (for: other telecommunication management network) and several switching devices EX (for: exchange) as well as several transmission devices TR (for: transmission). The switching devices EX and the transmission devices TR, which are connected to one another in alternation, belong to the telecommunications network TN. In addition, a data processing device TEPC (for: telecommunication terminal personal computer) and a telephone device TEF (for: telecommunication terminal telephone) are connected to the telecommunications network, representing a multitude of telecommunication terminal devices.
In the architecture of the telecommunication management network TMN shown in Fig 2, the data communication network DCN is connected via an interface X, an interface F or an interface Q3 to one or more operating systems OS, via an interface F to one or more workstations WS, via an interface Q3 or an interface F to one or more devices MD (for: mediation device), via an interface Q3 to one or more network elements NE, via an interface Q3 to one or more QA, and can be connected via an interface X to another telecommunication management network (not shown). The device MD is connected via an interface Qx to one or more devices QA (for: Q adaptor) as well as via an interface Qx to one or more network elements NE.
According to the application, the schemes described in ITU-T rec. X.741 for access control of managed objects (access control list schemes, label based schemes, context based schemes or capacity based schemes) are transferred to file access control. For this, the CMIP operations described in the object model of ITU-T rec. X.741 must be adapted to file accesses. These adaptations are essentially based on an extension of the behaviour, an extension of the attribute syntax and the definition of new attributes and actions. In detail, the following changes are made:
Access control rules object class
defaultAccess attribute: the attribute syntax is extended to the file access methods such as "create", "delete", "read", "write", "readAttributes", "execute", "noOperation" ...
denialGranularity attribute: the attribute syntax is extended by values that relate to the granularity of the file access, such as "fileOperation" and "singleFile". The behaviour of the attribute is adapted accordingly.
Rule object class
Behaviour: the behaviour is extended by the following sentence: "If the targets list attribute identifies files, then the initiators list attribute must identify initiators in the context of a file access scheme."
Targets object class
Behaviour: "managed objects" should be extended to "managed objects or files". The object class is extended by attributes for file selection (such as fileType, fileName) and by optional attributes in which conditions for file selection can be formulated (such as fileFilter, filePatternList for identifying file names according to a defined pattern).
OperationsListPackage: operationsList attribute: the attribute syntax refers to the ASN.1 (Abstract Syntax Notation No 1) type "operationType". This type is extended by values for file access methods such as "create", "delete", "read", "write", "readAttributes", "execute", "noOperation" ... An access protection password can optionally be defined for each method. The behaviour of the attribute is adapted accordingly.
Das Package sollte um die Aktionen "resetPassword" (Rücksetzen eines Zugriffsschutzpaßwortes auf einen vordefinierten Wert) und "cancelPassword" (Entfernen eines Zugriffsschutzpaßwortes) erweitert werden.The package should be extended by the actions "resetPassword" (resetting an access protection password to a predefined value) and "cancelPassword" (removing an access protection password).
Operations object class
Behaviour: "managed objects" should be extended to "managed objects or files". operationType attribute: the attribute syntax is extended by values for file access methods such as "create", "delete", "read", "write", "readAttributes", "execute", "noOperation" ... For each method an access protection password can optionally be defined. The behaviour of the attribute is adapted accordingly. The actions "resetPassword" (resetting an access protection password to a predefined value) and "cancelPassword" (removing an access protection password) should be added.
Initiator object class
Behaviour: "management operations" should be extended to "management operations or file access methods".
Capability initiators object class
capabilityIdentitiesList attribute: the attribute syntax refers to the ASN.1 type "operationType". This type is extended by values for file access methods such as "create", "delete", "read", "write", "readAttributes", "execute", "noOperation" ... For each method an access protection password can optionally be defined. The behaviour of the attribute is adapted accordingly.
The changes described can be implemented in the Network Elements and Operations Systems in the following ways.
1. Separate object models for the access protection of managed objects and of files: For file access protection, a separate object model is described, based on the object model described in ITU-T rec. X.741 and on the changes for file protection described above as necessary.
2. Allomorphic extension of the object model defined in ITU-T rec. X.741: The object model defined so far in ITU-T rec. X.741 remains unchanged and is extended allomorphically by the subclasses required for file access protection. Allomorphic extension of the object model is understood to mean that an object model derived from a given object model is handled as an instance of that object model. The aim of this kind of implementation is to define only once, and to reuse, object classes that are already defined and can be used unchanged for file access protection as well. Fig. 3 shows, by way of example, relationships in an object model in which an object class access control AC (for: accessControl) gives rise, through inheritance IH (for: inheritance), to an object class access control scheme ACR (for: accessControlRules) and an object class file access control scheme FACR (for: fileAccessControlRules).
3. Extension of the existing object model to a new object model for managed objects and files: The object model defined in ITU-T rec. X.741 can be extended so that, in the existing object classes,
- the behaviour is adapted as described above and
- the new attributes and actions necessary for file access protection are added optionally (as conditional packages),
- the attributes and actions specifically necessary for the access protection of managed objects are placed in conditional packages.
The change of the attribute syntax can be made
- either by defining new attributes (in conditional packages)
- or by extending the ASN.1 (Abstract Syntax Notation No 1) type.
If separate attributes are defined for file access protection, then in this case the attributes specifically necessary for the access protection of managed objects must also be placed in conditional packages.
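The following Python model is an added illustration of the modified object classes described above (targets that identify managed objects or files via a file pattern list, the extended operationType values with an optional access protection password, the resetPassword and cancelPassword actions) and of the allomorphic variant in item 2 (AC as base class, ACR and FACR as subclasses handled through the same interface). It is not code from the patent application or from ITU-T X.741. The class and attribute names, the assumed set of management operation names, the password storage scheme (salted PBKDF2-SHA256, so only a hash is held) and the sample rule data are all constructed for this example.

```python
"""Toy model of X.741-style access control rule objects extended to files.
Added example; not code from the patent application or from ITU-T X.741.
Names, the management operation set and the hashing scheme are assumptions."""
import fnmatch
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# operationType values. The file access methods are those listed in the
# description; the management operation names are an assumed placeholder set.
FILE_OPERATIONS = {"create", "delete", "read", "write", "readAttributes",
                   "execute", "noOperation"}
MANAGEMENT_OPERATIONS = {"get", "set", "action", "create", "delete"}  # assumed


@dataclass
class OperationEntry:
    """One operationType value with its optional access protection password.
    Only a salted hash of the password is stored (assumed scheme)."""
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: Optional[bytes] = None

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)            # fresh salt on every change
        self.password_hash = self._digest(password)

    def reset_password(self, predefined: str) -> None:
        """resetPassword action: set the password back to a predefined value."""
        self.set_password(predefined)

    def cancel_password(self) -> None:
        """cancelPassword action: the method is no longer password protected."""
        self.password_hash = None

    def check(self, password: Optional[str]) -> bool:
        if self.password_hash is None:
            return True                       # no password defined for this method
        if password is None:
            return False
        return hmac.compare_digest(self._digest(password), self.password_hash)


@dataclass
class Targets:
    """targets object class: identifies managed objects or (extension) files."""
    managed_objects: set = field(default_factory=set)      # object instance names
    file_pattern_list: list = field(default_factory=list)  # filePatternList

    def identifies(self, target: str) -> bool:
        if target in self.managed_objects:
            return True
        return any(fnmatch.fnmatchcase(target, pat) for pat in self.file_pattern_list)


class AccessControl:
    """Base object class AC. Subclasses narrow the permitted operationType values."""
    allowed_operations: set = FILE_OPERATIONS | MANAGEMENT_OPERATIONS

    def __init__(self, initiators_list, targets: Targets, operations_list):
        bad = {op.name for op in operations_list} - self.allowed_operations
        if bad:
            raise ValueError(f"{type(self).__name__}: unsupported operationType {bad}")
        self.initiators_list = set(initiators_list)
        self.targets = targets
        self.operations_list = {op.name: op for op in operations_list}

    def permits(self, initiator, target, operation, password=None) -> bool:
        if initiator not in self.initiators_list:
            return False
        if not self.targets.identifies(target):
            return False
        entry = self.operations_list.get(operation)
        return entry is not None and entry.check(password)


class AccessControlRules(AccessControl):       # ACR: management operations only
    allowed_operations = MANAGEMENT_OPERATIONS


class FileAccessControlRules(AccessControl):   # FACR: file access methods only
    allowed_operations = FILE_OPERATIONS


def decide(rules, initiator, target, operation, password=None) -> bool:
    """Deny by default; any rule in the mixed ACR/FACR list may permit."""
    return any(r.permits(initiator, target, operation, password) for r in rules)


def build_demo_rules():
    """Constructed sample rule set: one ACR and one FACR, handled alike by decide()."""
    acr = AccessControlRules(["nm-operator"], Targets(managed_objects={"ne-1/card-3"}),
                             [OperationEntry("get"), OperationEntry("set")])
    write = OperationEntry("write")
    write.set_password("s3cret")               # constructed sample password
    facr = FileAccessControlRules(["ftp-user"], Targets(file_pattern_list=["/cfg/*.xml"]),
                                  [OperationEntry("read"), write])
    return [acr, facr]
```

`decide()` takes a list of AccessControl instances without caring which subclass each one is, which is the point of the allomorphic variant; each subclass refuses operationType values outside its own set at construction time, so a file rule cannot silently carry management operations or vice versa. Password-protected methods deny the operation when no password is presented, and cancelPassword removes the protection for that method only.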

Claims

1. Method for implementing uniform access protection for managed objects and files based on ITU-T recommendation X.741, according to which a first access control scheme (object model) for managed objects is given, characterized in that - a second, separate access control scheme (object model) for files is given,
- the second access control scheme has all properties, in particular object classes and attributes, of recommendation X.741, - the second access control scheme is extended by new attributes and/or actions for file access,
- for file protection, the attribute syntax of an attribute defined in recommendation X.741 is extended,
- for file protection, the properties (behaviour) of an object class defined in recommendation X.741 are extended and
- the second access control scheme is applicable to files in the same way as to managed objects.
2. Method according to claim 1, characterized in that
- all attributes/actions that relate exclusively to managed objects are formed as part of conditional packages.
3. Method according to claim 1, characterized in that
- the second, separate access control scheme (object model) is free of all properties, in particular attributes and syntactic descriptions, that relate exclusively to managed objects.
4. Method for implementing uniform access protection for managed objects and files by means of allomorphic extension of ITU-T recommendation X.741, according to which an access control scheme (object model) for managed objects is given, characterized in that the object model is extended by the subclasses required for file access protection.
5. Method for implementing uniform access protection for managed objects and files based on ITU-T recommendation X.741, according to which an access control scheme (object model) for managed objects is given, characterized in that
- the access control scheme has all properties, in particular object classes and attributes, of recommendation X.741,
- the access control scheme is extended by new attributes and/or actions for file access,
- for file protection, the attribute syntax of an attribute defined in recommendation X.741 is extended, - for file protection, the properties (behaviour) of an object class defined in recommendation X.741 are extended and
- the access control scheme is applicable both to managed objects and to files.
6. Method according to claim 5, characterized in that
- the attributes and/or actions newly defined for file protection are designated as part of conditional packages, - existing attributes and actions that relate exclusively to managed objects are defined as part of conditional packages, and
- the attribute syntax of an attribute defined in recommendation X.741 is extended by an extension of the ASN.1 syntax.
7. Method according to claim 5, characterized in that - the attributes and/or actions newly defined for file protection are designated as part of conditional packages,
- existing attributes and actions that relate exclusively to managed objects are defined as part of conditional packages and
- for file protection, the attribute syntax of an attribute defined in recommendation X.741 is extended by defining the attribute as part of a conditional package and additionally defining an attribute with the extended attribute syntax as part of a conditional package.
8. Method according to one of the preceding claims, characterized in that the FTP (File Transfer Protocol) standard (RFC 959 and/or 1123) is used for file access.
9. Method according to one of the preceding claims, characterized in that the FTAM (File Transfer Access Method) standard (ISO 8571) is used for file access.
10. Method according to one of the preceding claims, characterized in that it is implemented in a Network Element (NE).
11. Method according to one of the preceding claims, characterized in that it is implemented in an Operations System (OS).
PCT/DE2000/000517 1999-02-26 2000-02-24 Modification of the itu-t recommendation x.741 for a uniform access protection of managed objects and files WO2000051288A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE10080454T DE10080454D2 (en) 1999-02-26 2000-02-24 Modification of the ITU-T recommendation X.741 for uniform access protection to managed objects and files

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19908429.7 1999-02-26
DE19908429 1999-02-26

Publications (2)

Publication Number Publication Date
WO2000051288A2 true WO2000051288A2 (en) 2000-08-31
WO2000051288A3 WO2000051288A3 (en) 2000-12-21

Family

ID=7899015

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE2000/000517 WO2000051288A2 (en) 1999-02-26 2000-02-24 Modification of the itu-t recommendation x.741 for a uniform access protection of managed objects and files

Country Status (2)

Country Link
DE (1) DE10080454D2 (en)
WO (1) WO2000051288A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10146361B4 (en) * 2001-09-20 2007-02-01 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Distributed system
JP2008029094A (en) * 2006-07-20 2008-02-07 Hitachi Ltd Power converter
JP2017131061A (en) * 2016-01-21 2017-07-27 ヤンマー株式会社 Power conversion device and assembling method therefor

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"ITU-T Recommendation X.741 Corrigendum 1" ITU-T INTERNATIONAL TELECOMMUNICATION UNION, 1 October 1996 (1996-10-01), pages 1-123, XP002144722, cited in the application *
"X.741 Recommendation" ITU-T INTERNATIONAL TELECOMMUNICATION UNION, 1 April 1995 (1995-04-01), pages 1-123, XP002144721, cited in the application *
NETWORK WORKING GROUP: "RFC 959 - FTP - File Transfer Protocol" INTERNET RFCS, 1 October 1985 (1985-10-01), XP002144723, cited in the application *
START K ET AL: "The distribution management of service software" COMPUTER STANDARDS AND INTERFACES, CH, ELSEVIER SEQUOIA, LAUSANNE, vol. 17, no. 3, 1 June 1995 (1995-06-01), pages 291-301, XP004008584, ISSN: 0920-5489 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10146361B4 (en) * 2001-09-20 2007-02-01 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Distributed system
JP2008029094A (en) * 2006-07-20 2008-02-07 Hitachi Ltd Power converter
US7751201B2 (en) 2006-07-20 2010-07-06 Hitachi, Ltd. Power converter
JP2017131061A (en) * 2016-01-21 2017-07-27 ヤンマー株式会社 Power conversion device and assembling method therefor

Also Published As

Publication number Publication date
DE10080454D2 (en) 2001-07-26
WO2000051288A3 (en) 2000-12-21

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): CN DE US

AK Designated states

Kind code of ref document: A3

Designated state(s): CN DE US

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REF Corresponds to

Ref document number: 10080454

Country of ref document: DE

Date of ref document: 20010726

WWE Wipo information: entry into national phase

Ref document number: 10080454

Country of ref document: DE