Method and system for a role-based access control model with active roles
Abstract
A method, system, apparatus, and computer program product are presented for managing access to resources with a role-based access control model that includes dynamic update functionality using role filters and capability filters. Rather than directly connecting individual users to a role, a role filter is defined for a role. The role filter is evaluated to determine which users should be matched to a given role, and matching users are then automatically associated with the given role. In addition to its role filter, each named role contains a set of capabilities. Each capability contains a set of access conditions and a capability filter. Each access condition has a set of rights. Rather than directly connecting individual resources to a capability, the administrator can define a capability filter for each capability. As target instances are added, deleted, or changed, capability filters are re-evaluated to maintain the appropriate set of relationships.
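The model described in the abstract, as an added Python example (not code from the patent). The class names, the use of attribute dictionaries with predicate functions as filters, and the treatment of an access condition as a predicate over a request context paired with a set of rights are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Capability:
    name: str
    capability_filter: object   # predicate over resource attributes (assumed form)
    access_conditions: list     # [(predicate over request context, set of rights)]

@dataclass
class Role:
    name: str
    role_filter: object         # predicate over principal attributes (assumed form)
    capabilities: list

class ActiveRoleEngine:
    def __init__(self, roles):
        self.roles, self.principals, self.resources = roles, {}, {}
        self.members, self.targets = {}, {}   # derived associations, never edited by hand

    def put(self, store, ident, attrs):
        """Add or change an entry (attrs=None deletes), then re-evaluate every filter."""
        if attrs is None:
            store.pop(ident, None)
        else:
            store[ident] = attrs
        for role in self.roles:
            self.members[role.name] = {p for p, a in self.principals.items() if role.role_filter(a)}
            for cap in role.capabilities:
                self.targets[role.name, cap.name] = {
                    r for r, a in self.resources.items() if cap.capability_filter(a)}

    def authorize(self, principal, resource, right, ctx):
        """Default deny: needs role membership, a capability target and a satisfied condition."""
        for role in self.roles:
            if principal not in self.members.get(role.name, ()):
                continue
            for cap in role.capabilities:
                if resource in self.targets.get((role.name, cap.name), ()) and any(
                        right in rights and cond(ctx) for cond, rights in cap.access_conditions):
                    return True
        return False

def demo():
    """Constructed policy: finance staff may read finance ledgers during business hours."""
    cap = Capability("ledgers", lambda r: r["owner"] == "finance",
                     [(lambda ctx: 9 <= ctx.get("hour", -1) < 17, {"read"})])
    eng = ActiveRoleEngine([Role("finance-staff", lambda p: p["dept"] == "finance", [cap])])
    eng.put(eng.principals, "alice", {"dept": "finance"})
    eng.put(eng.resources, "ledger-q1", {"owner": "finance"})
    return eng
```

Changing a principal's attributes through `put` removes the role association on the next evaluation, so access is revoked without anyone editing a membership list.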
30 Claims
1. A method for controlling access rights of a requesting principal to a protected resource in a computer system, wherein a principal is associated with at least one role, the method comprising:
- associating a role filter with a role;
- associating a set of one or more capabilities with the role;
- associating a capability filter with a capability in the set of one or more capabilities; and
- authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An apparatus for controlling access rights of a requesting principal to a protected resource in a computer system, wherein a principal is associated with at least one role, the apparatus comprising:
- means for associating a role filter with a role;
- means for associating a set of one or more capabilities with the role;
- means for associating a capability filter with a capability in the set of one or more capabilities; and
- means for authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A computer program product in a computer readable medium for use in a data processing system for controlling access rights of a requesting principal to a protected resource, wherein a principal is associated with at least one role, the computer program product comprising:
- instructions for associating a role filter with a role;
- instructions for associating a set of one or more capabilities with the role;
- instructions for associating a capability filter with a capability in the set of one or more capabilities; and
- instructions for authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
Specification