Techniques for fine grained protection of resources in an access management environment

US 10,104,086 B2
Filed: 12/18/2015
Issued: 10/16/2018
Est. Priority Date: 04/24/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing fine-grained access protection of resources, the method comprising:

receiving, by an access management service, a request from a requester for a resource in a content management system, wherein the resource comprises a plurality of resource parts;

determining, by the access management service, a type of the resource;

invoking, by the access management service, a resource type-specific plugin based on the type of the resource in the request;

for each resource part of the plurality of resource parts, determining, by the type-specific plugin, whether the requester is authorized to access the resource part based on one or more access policies;

providing access to the requester, by the access management service, to the resource parts the requester is authorized to access; and

blocking access to the requester, by the access management service, to the resource parts the requester is not authorized to access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In certain embodiments, techniques are provided (e.g., a method, a system, non-transitory computer-readable medium storing code or instructions executable by one or more processors) to provide fine grained protection of resources in an access management environment. An access management service can intercept requests for resources (e.g., content in a content management system) and provide fine-grained authorization service for content management systems, such as Microsoft Office Sharepoint Server. The access management service can provide external policy management, evaluation and enforcement for content management systems. The access management service can include a plurality of plugins associated with different types of resources available through the content management systems. Integrating an access management service with content management systems provides both user and administrator efficiencies while enforcing a consistent level of access security across an enterprise system.

Citations

20 Claims

1. A computer-implemented method for providing fine-grained access protection of resources, the method comprising:
- receiving, by an access management service, a request from a requester for a resource in a content management system, wherein the resource comprises a plurality of resource parts;
  
  determining, by the access management service, a type of the resource;
  
  invoking, by the access management service, a resource type-specific plugin based on the type of the resource in the request;
  
  for each resource part of the plurality of resource parts, determining, by the type-specific plugin, whether the requester is authorized to access the resource part based on one or more access policies;
  
  providing access to the requester, by the access management service, to the resource parts the requester is authorized to access; and
  
  blocking access to the requester, by the access management service, to the resource parts the requester is not authorized to access.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the type-specific plugin includes one of a search module, a content management service-specific plugin, and a custom tag library.
  - 3. The computer-implemented method of claim 1, wherein the one or more access policies comprise access policies that limit access to the requester based on one or more of time of day, location, subscription level, and business hierarchy.
  - 4. The computer-implemented method of claim 2, wherein the type of the resource is a search and the type-specific plugin invoked is the search module, wherein the search module is configured to:
    - determine identity information associated with the requester;
      
      send a search query included with the request for the resource to the content management system;
      
      receive a query result from the content management system;
      
      send an access request to an authorization module for each resource in the query result; and
      
      receive an access decision for each resource in the query result.
  - 5. The computer-implemented method of claim 2, wherein the type of the resource is web page content comprising a plurality of web parts, and wherein the type-specific plugin invoked is the custom tag library, wherein the custom tag library is configured to:
    - determine identity information associated with the requester;
      
      identify, for each web part of the plurality of web parts, an associated tag;
      
      send an access request, for each web part, including the associated tag and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.
  - 6. The computer-implemented method of claim 2, wherein the type of the resource is a web page comprising a plurality of web parts, and wherein the type-specific plugin invoked is the content management service-specific plugin, wherein the content management service-specific plugin is configured to:
    - determine identity information associated with the requester;
      
      send an access request, for each web part, including the request for the web part and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.
  - 7. The computer-implemented method of claim 1, wherein the one or more access policies include content management service access policies imported by the access management service from the content management system.

8. A system for providing fine-grained access protection of resources, the system comprising:
- an access management service, including a plurality of resource type-specific plugins; and
  
  a content management service, including a plurality of resources;
  
  wherein a request for a resource comprising a plurality of resource parts in a content management system is received from a requester, the access management service is configured to;
  
  intercept the request for the resource in the content management system;
  
  determine a type of the resource;
  
  invoke one of the resource type-specific plugins based on the type of the resource in the request;
  
  for each resource part of the plurality of resource parts, determine, by the type-specific plugin, whether the requester is authorized to access the resource part based on one or more access policies;
  
  provide access to the requester to the resource parts the requester is authorized to access; and
  
  block access to the requester to the resource parts the requester is not authorized to access.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the type-specific plugin includes one of a search module, a content management service-specific plugin, and a custom tag library.
  - 10. The system of claim 8, wherein the one or more access policies comprise access policies that limit access to the requester based on one or more of time of day, location, subscription level, and business hierarchy.
  - 11. The system of claim 9, wherein the type of the resource is a search and the type-specific plugin invoked is the search module, wherein the search module is configured to:
    - determine identity information associated with the requester;
      
      send a search query included with the request for the resource to the content management service;
      
      receive a query result from the content management service;
      
      send an access request to an authorization module for each resource in the query result; and
      
      receive an access decision for each resource in the query result.
  - 12. The system of claim 9, wherein the type of the resource is web page content comprising a plurality of web parts, and wherein the type-specific plugin invoked is the custom tag library, wherein the custom tag library is configured to:
    - determine identity information associated with the requester;
      
      identify, for each web part of the plurality of web parts, an associated tag;
      
      send an access request, for each web part, including the associated tag and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.
  - 13. The system of claim 9, wherein the type of the resource is a web page comprising a plurality of web parts, and wherein the type-specific plugin invoked is the content management service-specific plugin, wherein the content management service-specific plugin is configured to:
    - determine identity information associated with the requester;
      
      send an access request, for each web part, including the request for the web part and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.
  - 14. The system of claim 8, wherein the one or more access policies include content management service access policies imported by the access management service from the content management service.

15. A non-transitory computer readable storage medium including instructions stored thereon which, when executed by a processor, cause the processor to perform a method for providing fine-grained access protection of resources, the method comprising:
- receiving, by an access management service, a request from a requester for a resource in a content management system, wherein the resource comprises a plurality of resource parts;
  
  determining, by the access management service, a type of the resource;
  
  invoking, by the access management service, a resource type-specific plugin based on the type of the resource in the request;
  
  for each resource part of the plurality of resource parts, determining, by the type-specific plugin, whether the requester is authorized to access the resource part based on one or more access policies;
  
  providing access to the requester to the resource parts the requester is authorized to access; and
  
  blocking access to the requester to the resource parts the requester is not authorized to access.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the type-specific plugin includes one of a search module, a content management service-specific plugin, and a custom tag library.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the one or more access policies comprise access policies that limit access to the requester based on one or more of time of day, location, subscription level, and business hierarchy.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the type of the resource is a search and the type-specific plugin invoked is the search module, wherein the search module is configured to:
    - determine identity information associated with the requester;
      
      send a search query included with the request for the resource to the content management system;
      
      receive a query result from the content management system;
      
      send an access request to an authorization module for each resource in the query result; and
      
      receive an access decision for each resource in the query result.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the type of the resource is web page content comprising a plurality of web parts, and wherein the type-specific plugin invoked is the custom tag library, wherein the custom tag library is configured to:
    - determine identity information associated with the requester;
      
      identify, for each web part of the plurality of web parts, an associated tag;
      
      send an access request, for each web part, including the associated tag and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein the type of the resource is a web page comprising a plurality of web parts, and wherein the type-specific plugin invoked is the content management service-specific plugin, wherein the content management service-specific plugin is configured to:
    - determine identity information associated with the requester;
      
      send an access request, for each web part, including the request for the web part and the identity information to an authorization module; and
      
      receive an access response from the authorization module for each web part.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Manjunath, Srivatsa, Cao, Yulong, Desai, Premal Ramesh, Li, Juan, Wenliang, Cai, Wenfang, Ding
Primary Examiner(s)
Kanaan, Simon P

Application Number

US14/975,208
Publication Number

US 20160315943A1
Time in Patent Office

1,033 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Techniques for fine grained protection of resources in an access management environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for fine grained protection of resources in an access management environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links