Abstract: A method may comprise determining, in an operating system instance, that an access control is being attempted to control an object by a user from a first client of a plurality of clients. Domain and client identifiers associated with the user may be determined. Any domain identifiers from a set and any client identifiers from a set may be accessed that may be associated with the object, where the domain identifiers may uniquely identify one or more domains and the client identifiers may uniquely identify one or more clients. One or more domain and client isolation rules may be evaluated to determine whether access control is permitted on the object based on whether a domain identifier is associated with both the object and the user and whether a client identifier is associated with both the object and the client. A permit or deny indication may be returned based on whether or not access control is permitted on the object.

Abstract: According to one aspect of the present disclosure, a method and technique for domain based partition and resource group management is disclosed. The method includes: responsive to determining that an operation is being attempted on an object, determining a partition identifier associated with the object; determining a domain identifier associated with a user attempting the operation; determining whether the operation can proceed on the partition based on domain isolation rules, the domain isolation rules indicating rules for allowing or disallowing operations to proceed on the partition based on partition identifiers and domain identifiers; and responsive to determining that the operation on the partition can proceed based on the domain isolation rules, permitting the operation.

Abstract: A method may comprise determining, in an operating system instance, that an access control is being attempted to control an object by a user from a first client of a plurality of clients. Domain and client identifiers associated with the user may be determined. Any domain identifiers from a set and any client identifiers from a set may be accessed that may be associated with the object, where the domain identifiers may uniquely identify one or more domains and the client identifiers may uniquely identify one or more clients. One or more domain and client isolation rules may be evaluated to determine whether access control is permitted on the object based on whether a domain identifier is associated with both the object and the user and whether a client identifier is associated with both the object and the client. A permit or deny indication may be returned based on whether or not access control is permitted on the object.

Abstract: User space applications can utilize custom network protocol timers. A registration request is received from an application to register a custom timer. Responsive to receiving the registration request, a handle is created. The handle is a pointer to be used by the application to reference the custom timer. The handle is forwarded to the application. When a custom timer is required, a request to use a custom timer is received from an application. The kernel is then requested to start the custom timer. A determination is then made as to whether a receipt confirmation is received from the kernel before expiration of the custom timer.

Abstract: According to one aspect of the present disclosure, a method and technique for domain based partition and resource group management is disclosed. The method includes: responsive to determining that an operation is being attempted on an object, determining a partition identifier associated with the object; determining a domain identifier associated with a user attempting the operation; determining whether the operation can proceed on the partition based on domain isolation rules, the domain isolation rules indicating rules for allowing or disallowing operations to proceed on the partition based on partition identifiers and domain identifiers; and responsive to determining that the operation on the partition can proceed based on the domain isolation rules, permitting the operation.

Abstract: In a Role Based Access Control (RBAC) system, an additional layer of access control is provided on a per-client basis on a centralized directory or database server. Access to privileged commands that are otherwise accessible by a user under a given role may be restricted by the additional layer of access control, depending on the client under which access is attempted. Thus, a user otherwise authorized to access a privileged command under an assigned role using one client may be restricted from accessing that command from a particular client system, even if another user having the same role is allowed to access that command using another client.

Abstract: User space applications can utilize custom network protocol timers. A registration request is received from an application to register a custom timer. Responsive to receiving the registration request, a handle is created. The handle is a pointer to be used by the application to reference the custom timer. The handle is forwarded to the application. When a custom timer is required, a request to use a custom timer is received from an application. The kernel is then requested to start the custom timer. A determination is then made as to whether a receipt confirmation is received from the kernel before expiration of the custom timer.

Abstract: A network system loads operating system (OS) software that includes a switch role tool (SRT). The SRT provides the network system with security management capability that employs a hostname attribute within a user role definition. The user role definition provides for user restrictions to database information and other user actions within the network system. During a user login or switch role command, the security management method interrogates the login location or hostname of the login along with the user request. If that login meets the criteria that the network system stores as a user role attribute for that particular user, the network system allows the login request and action. If that login does not meet the criteria that the network system stores as a user role attribute for that user, the network system denies the login request. The network system grants the user an access privilege level that varies with the determined location or hostname from which the user attempts to login.