Hierarchical policy-based shared resource access control
First Claim
1. A computer-implemented method carried out by one or more processors, of accessing shared computing resources, the method comprising:
- generating, by the one or more processors, an access control list for a computing resource in a computing resource hierarchy in response to receiving a first request, wherein the access control list is generated after receiving the first request and wherein the generating the access control list comprises collecting available access control policies associated with one or more parent computing resources of the computing resource, the collecting comprising;
retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy;
providing, by the one or more processors, the access control list for the computing resource in a response to the first request;
saving, by the one or more processors, the access control list for the computing resource; and
providing, by the one or more processors, the access control list for the computing resource in response to a subsequent request.
1 Assignment
0 Petitions
Accused Products
Abstract
Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.
25 Citations
18 Claims
-
1. A computer-implemented method carried out by one or more processors, of accessing shared computing resources, the method comprising:
-
generating, by the one or more processors, an access control list for a computing resource in a computing resource hierarchy in response to receiving a first request, wherein the access control list is generated after receiving the first request and wherein the generating the access control list comprises collecting available access control policies associated with one or more parent computing resources of the computing resource, the collecting comprising; retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy; providing, by the one or more processors, the access control list for the computing resource in a response to the first request; saving, by the one or more processors, the access control list for the computing resource; and providing, by the one or more processors, the access control list for the computing resource in response to a subsequent request. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed, perform operations, the operations comprising:
-
receiving a first request to perform a function on a computing resource in a computing resource hierarchy; generating an access control list for the computing resource, wherein the access control list is generated after receiving the first request, the generating comprising retrieving one or more access control policies associated with one or more parent computing resources of the computing resource in the computing resource hierarchy, the retrieving comprising; retrieving access control policies for the one or more parent computing resources that are contained within hierarchy levels in the computing resource hierarchy that are higher than a hierarchy level containing the computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy; determining whether the first request to perform the function on the computing resource is authorized based on the access control list for the computing resource; saving the access control list for the computing resource; receiving a subsequent request to perform the function on the computing resource; and determining whether the subsequent request is authorized using the saved access control list for the computing resource. - View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. One or more server computers implementing an access control system, the system comprising:
-
one or more processors; one or more memories; a computing resource hierarchy comprising computing resources in multiple hierarchy levels; a computing resource access manager that; provides an access control list for a child computing resource in the computing resource hierarchy in response to receiving a first access request, wherein the access control list is generated after receiving the first request and wherein the access control list is generated by an analysis engine; saves the access control list; and provides the access control list for the child computing resource in response to receiving a subsequent access request; and the analysis engine, wherein; the generating the access control list resource comprises retrieving one or more access control policies associated with one or more parent computing resources of the child computing resource in the computing resource hierarchy, the retrieving comprising; retrieving access control policies for the one or more computing resources contained within levels in the computing resource hierarchy that are higher than a hierarchy level containing the child computing resource and lower than or equal to a top hierarchy level of the computing resource hierarchy. - View Dependent Claims (18)
-
Specification