Dynamic access control of resources in a computing environment

US 10,380,367 B2
Filed: 07/27/2017
Issued: 08/13/2019
Est. Priority Date: 07/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

over a period of time, continuously monitoring, by a policy retrieval point executing on a processor device, at least one new policy creation location for a new policy rule;

detecting that a first new policy rule has been added to the at least one new policy creation location;

storing the first new policy rule in a core policy rule structure that comprises a plurality of policy rules;

receiving a request for new policy rules;

communicating the first new policy rule toward a policy decision point in response to the request for the new policy rules;

subsequent to communicating the first new policy rule toward the policy decision point, detecting that a second new policy rule has been added to the at least one new policy creation location;

making a determination that the second new policy rule is inconsistent with at least one policy rule of the plurality of policy rules in the core policy rule structure; and

refraining from storing the second new policy rule in the core policy rule structure based on the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamic access control of resources in a computing environment is disclosed. A policy retrieval point continuously monitors at least one new policy creation location for a new policy rule. It is detected that a first new policy rule has been added to the at least one new policy creation location. The first new policy rule is stored in a core policy rule structure that comprises a plurality of policy rules. A request for new policy rules is received, and the first new policy rule is communicated toward a policy decision point in response to the request.

Citations

19 Claims

1. A method comprising:
- over a period of time, continuously monitoring, by a policy retrieval point executing on a processor device, at least one new policy creation location for a new policy rule;
  
  detecting that a first new policy rule has been added to the at least one new policy creation location;
  
  storing the first new policy rule in a core policy rule structure that comprises a plurality of policy rules;
  
  receiving a request for new policy rules;
  
  communicating the first new policy rule toward a policy decision point in response to the request for the new policy rules;
  
  subsequent to communicating the first new policy rule toward the policy decision point, detecting that a second new policy rule has been added to the at least one new policy creation location;
  
  making a determination that the second new policy rule is inconsistent with at least one policy rule of the plurality of policy rules in the core policy rule structure; and
  
  refraining from storing the second new policy rule in the core policy rule structure based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the first new policy rule comprises a plurality of executable instructions, and further comprising:
    - prior to storing the first new policy rule in the core policy rule structure that comprises the plurality of policy rules, validating, by the policy retrieval point, the first new policy rule by;
      
      determining that the plurality of executable instructions of the first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 3. The method of claim 2 wherein making the determination that the first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure further comprises:
    - retrieving, from the core policy rule structure, a subset of policy rules of the plurality of policy rules that are related to the first new policy rule; and
      
      making the determination that the first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the subset of policy rules.
  - 4. The method of claim 3 wherein the first new policy rule identifies a subject, an action, and a resource, and wherein the subset of policy rules is related to the first new policy rule based on one or more of the subject, the action, and the resource.
  - 5. The method of claim 1 further comprising:
    - receiving, by the policy retrieval point from a first policy decision point, data that alters access rights implemented by the first new policy rule;
      
      accessing the first new policy rule from the core policy rule structure;
      
      modifying the first new policy rule with the data to generate an updated first new policy rule; and
      
      storing the updated first new policy rule in the core policy rule structure.
  - 6. The method of claim 5 further comprising validating, by the policy retrieval point, the updated first new policy rule by:
    - determining that a plurality of executable instructions of the updated first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the updated first new policy rule does not implement the access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 7. The method of claim 5 further comprising:
    - receiving, from a second policy decision point, a request that encompasses the updated first new policy rule; and
      
      sending, to the second policy decision point, the updated first new policy rule.
  - 8. The method of claim 1 further comprising:
    - determining, by the policy decision point, data that alters an access right implemented by the first new policy rule; and
      
      sending, to the policy retrieval point, contextual data to update the first new policy rule with the contextual data.
  - 9. The method of claim 1 further comprising:
    - receiving, by the policy decision point, the first new policy rule;
      
      receiving, by the policy decision point, an access request from an access requestor;
      
      determining that the access request is at least partially governed by the first new policy rule;
      
      initiating the first new policy rule;
      
      receiving an access result from the first new policy rule; and
      
      based on the access result, implementing the access request.

10. A computing system, comprising:
- one or more memories; and
  
  one or more processor devices coupled to the one or more memories, the one or more processor devices to;
  
  over a period of time, continuously monitor at least one new policy creation location for a new policy rule;
  
  detect that a first new policy rule has been added to the at least one new policy creation location;
  
  store the first new policy rule in a core policy rule structure that comprises a plurality of policy rules;
  
  receive a request for new policy rules;
  
  communicate the first new policy rule toward a policy decision point in response to the request for the new policy rules;
  
  subsequent to communicating the first new policy rule toward the policy decision point, detect that a second new policy rule has been added to the at least one new policy creation location;
  
  make a determination that the second new policy rule is inconsistent with at least one policy rule of the plurality of policy rules in the core policy rule structure; and
  
  refrain from storing the second new policy rule in the core policy rule structure based on the determination.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computing system of claim 10 wherein the first new policy rule comprises a plurality of executable instructions, and wherein the one or more processor devices are further to:
    - prior to storing the first new policy rule in the core policy rule structure that comprises the plurality of policy rules, validate the first new policy rule by;
      
      determining that the plurality of executable instructions of the first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 12. The computing system of claim 10 wherein the one or more processor devices are further to:
    - receive, a first policy decision point, data that alters access rights implemented by the first new policy rule;
      
      access the first new policy rule from the core policy rule structure;
      
      modify the first new policy rule with the data to generate an updated first new policy rule; and
      
      store the updated first new policy rule in the core policy rule structure.
  - 13. The computing system of claim 12 wherein the one or more processor devices are further to:
    - validate the updated first new policy rule by;
      
      determining that the plurality of executable instructions of the updated first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the updated first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 14. The computing system of claim 10 wherein the one or more processor devices are further to:
    - receive, by the policy decision point, the first new policy rule;
      
      receive, by the policy decision point, an access request from an access requestor;
      
      determine that the access request is at least partially governed by the first new policy rule;
      
      initiate the first new policy rule;
      
      receive an access result from the first new policy rule; and
      
      based on the access result, implement the access request.

15. A non-transitory computer program product stored on a non-transitory computer-readable storage medium and including instructions to cause one or more processor devices to:
- over a period of time, continuously monitor at least one new policy creation location for a new policy rule;
  
  detect that a first new policy rule has been added to the at least one new policy creation location;
  
  store the first new policy rule in a core policy rule structure that comprises a plurality of policy rules;
  
  receive a request for new policy rules;
  
  communicate the first new policy rule toward a policy decision point in response to the request for the new policy rules;
  
  subsequent to communicating the first new policy rule toward the policy decision point, detect that a second new policy rule has been added to the at least one new policy creation location;
  
  make a determination that the second new policy rule is inconsistent with at least one policy rule of the plurality of policy rules in the core policy rule structure; and
  
  refrain from storing the second new policy rule in the core policy rule structure based on the determination.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory computer program product of claim 15 wherein the first new policy rule comprises a plurality of executable instructions, and wherein the instructions further cause the one or more processor devices to:
    - prior to storing the first new policy rule in the core policy rule structure that comprises the plurality of policy rules, validate the first new policy rule by;
      
      determining that the plurality of executable instructions of the first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 17. The non-transitory computer program product of claim 15 wherein the instructions further cause the one or more processor devices to:
    - receive, from a first policy decision point, data that alters access rights implemented by the first new policy rule;
      
      access the first new policy rule from the core policy rule structure;
      
      modify the first new policy rule with the data to generate an updated first new policy rule; and
      
      store the updated first new policy rule in the core policy rule structure.
  - 18. The non-transitory computer program product of claim 17 and wherein the instructions further cause the one or more processor devices to validate the updated first new policy rule by:
    - determining that the plurality of executable instructions of the updated first new policy rule comply with a programming language syntax of an executable programming language; and
      
      making a determination that the updated first new policy rule does not implement access rights in a way that is inconsistent with any policy rules of the plurality of policy rules in the core policy rule structure.
  - 19. The non-transitory computer program product of claim 15 wherein the instructions further cause the one or more processor devices to:
    - receive, by the policy decision point, the first new policy rule;
      
      receive, by the policy decision point, an access request from an access requestor;
      
      determine that the access request is at least partially governed by the first new policy rule;
      
      initiate the first new policy rule;
      
      receive an access result from the first new policy rule; and
      
      based on the access result, implement the access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Griffin, Leigh
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/661,380
Publication Number

US 20190034651A1
Time in Patent Office

747 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

Dynamic access control of resources in a computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access control of resources in a computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links