Lawrence G. Roberts
ACCESS CONTROL AND FILE DIRECTORIES
IN COMPUTER NETWORKS
Advanced Research Projects Agency
Washington, D. C.
Just as time-shared computer systems have permitted groups of hundreds of individual users to share hardware and software resources with each other, networks connecting dozens of such systems will permit resource sharing between thousands of users. Each system, by virtue of being time-shared, can offer any of its services to another computer system on demand. To achieve this, a fast, reliable, multi-node communication system is required. This can be achieved through the use of general-purpose small computers at each node, interconnected through leased communication lines. Each small computer (Interface Message Processor) receives messages from the main computer over a high-speed digital channel. The IMP is then responsible for routing the messages to their destination and verifying their correct delivery. Each IMP would have direct leased lines to several other IMP's and for the other destinations the intermediate IMP's would provide store and forward services.
The usual type of message interchanged in a resource-sharing network would be short queries and responses, rather than complete files. Also, the messages must be delivered very rapidly in order to maintain the necessary interactive capability. It is in developing a network of this type that the following questions of access and files arise.
Currently most time-sharing systems maintain an individual record of each authorized user, recording his access control number, the locations of all his saved files, and his charges. Such records can only be maintained for a limited number of individuals however, and no system should attempt keeping such records for all the users in a network. Thousands of users may use a popular routine on a particular computer and controlling their access individually would be wasteful. The responsibility of maintaining records for the individual user should be delegated to the local computer, which services his console. If he requests access to a remote computer in the network, his local computer should identify itself to the remote, providing only an identifying code for the individual. Thus, beyond its local users, each system need only keep records about other computers. Charges for resources utilized would be sent back to the calling computer when a job terminated so that the individual could be appropriately charged. Also the charges against each other computer would be accumulated as a basis for inter-installation billing. If any computer system in the network did not protect adequately against unauthorized users or was otherwise objectionable, the other systems could refuse its access requests.
File Storage and Directories
The problems associated with file storage for thousands of users throughout a network of computers are considerably more complex than those of access and charging, but the same delegation of responsibility described above provides a good start. When a user creates a file on a remote computer and wishes to have it saved, the file should be logged as belonging to his local computer. However, the individual's code number should be included in the file entry so that later requests to modify the file by other users at his installation can be denied. Also, a code word or name for the file should be returned to the individual's local computer system and an entry made in his own individual file directory. Thus, dual records are kept about the existence of remotely generated files. This small amount of redundancy makes it far easier for a user to determine where he has saved files. It also simplifies the executive tasks of limiting file generation and deleting departed users' files. The more detailed information about each file, such as its length, type, and symbolic name, is not duplicated, however, since it would waste both storage space and update messages.
Assume a program at computer A requests service from computer B and the program utilized at B requests service from computer C. When such chained requests occur, access conflicts are possible; for example, if A has access to both B and C but B does not have access to A. The only simple solution to such conflicts is to require uniform access rights. Further complications arise when the user at A has a private file at C and attempts to modify it through a program at B. The file access control mechanism must be capable of recognizing the owner of a file even through such chains. A further problem involves the question of who maintains public files and pays for their storage. Today the costs of maintaining public files are not reflected in charges to the user. In considering a network of users there is a need to determine an equitable policy for user cost sharing of file storage. One last problem is extending all these ideas to sub-networks when the total number of systems in the network becomes too large to manage.
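The delegation scheme for access, the dual file records, and the owner check through a chained request can be modelled together. The sketch below is an added example, not code from the paper, which specifies no message format; the class names, host names, user codes, code word and charge units are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    host: str        # local installation that keeps the user's full record
    user_code: str   # the only per-user fact a remote system sees

@dataclass
class Host:
    name: str
    trusted: set = field(default_factory=set)      # records about other computers only
    files: dict = field(default_factory=dict)      # code word -> [owner Principal, contents]
    directory: dict = field(default_factory=dict)  # user_code -> [(remote host, code word)]
    billed: dict = field(default_factory=dict)     # calling host -> accumulated charges

    def _admit(self, caller: str, cost: int) -> None:
        # Access is decided per calling computer, never per remote individual.
        if caller not in self.trusted:
            raise PermissionError(f"{self.name} refuses requests from {caller}")
        # Every admitted request is charged to the calling computer.
        self.billed[caller] = self.billed.get(caller, 0) + cost

    def save(self, caller: str, origin: Principal, word: str, data: str) -> str:
        self._admit(caller, cost=2)
        self.files[word] = [origin, data]   # logged under host AND individual code
        return word                         # code word goes back to the local directory

    def modify(self, caller: str, origin: Principal, word: str, data: str) -> None:
        self._admit(caller, cost=1)
        owner = self.files[word][0]
        # Ownership is checked against the originator, not the relaying computer.
        if owner != origin:
            raise PermissionError(f"{origin} does not own {word}")
        self.files[word][1] = data

def demo() -> dict:
    a, b, c = Host("A"), Host("B"), Host("C", trusted={"A", "B"})
    alice, bob = Principal("A", "0417"), Principal("A", "0932")  # constructed codes
    word = c.save("A", alice, "F-001", "v1")
    a.directory.setdefault(alice.user_code, []).append((c.name, word))  # dual record
    c.modify(b.name, alice, word, "v2")              # owner, through a program at B
    denied = []
    for who, via in ((bob, b), (alice, Host("D"))):  # same-site user; unknown computer
        try:
            c.modify(via.name, who, word, "tampered")
        except PermissionError:
            denied.append((who.user_code, via.name))
    return {"data": c.files[word][1], "denied": denied,
            "billed": c.billed, "directory": a.directory}
```

C holds no record of either individual beyond the code stored with the file, yet it rejects the second user at installation A and any request arriving from a computer it has no record of.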
Copyright © 2001 Dr. Lawrence G. Roberts