Role-permission model for security policy administration and enforcement

US 20030046576A1
Filed: 08/30/2001
Published: 03/06/2003
Est. Priority Date: 08/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method of improving security policy administration and enforcement using a role-permission model, comprising steps of identifying one or more groups of permitted actions on selected resources;

assigning a name to each identified group;

defining each assigned name to a security system as a security object; and

associating subjects with each assigned name.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments. The disclosed techniques improve administration and enforcement of security policies. Allowed actions on resources, also called permissions, (such as invocations of particular methods, read or write access of a particular row or perhaps a particular column in a database table, and so forth) are grouped, and each group of permissions is associated with a role name. A particular action on a particular resource may be specified in more than one group, and therefore may be associated with more than one role. Each role is administered as a security object. Users and/or user groups may be associated with one or more roles. At run-time, access to a resource is protected by determining whether the invoking user has been associated with (granted) at least one of the roles required for this type of access on this resource.

Citations

18 Claims

1. A method of improving security policy administration and enforcement using a role-permission model, comprising steps of identifying one or more groups of permitted actions on selected resources;
- assigning a name to each identified group;
  
  defining each assigned name to a security system as a security object; and
  
  associating subjects with each assigned name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein the assigned name is a role name.
  - 3. The method according to claim 1, wherein the selected resources are executable methods.
  - 4. The method according to claim 1, wherein the selected resources are columns of a database table.
  - 5. The method according to claim 1, wherein the selected resources are rows of a database table.
  - 6. The method according to claim 1, wherein the selected resources are files and the permitted actions are file access operations.
  - 7. The method according to claim 1, wherein the selected resources are function calls to functions of one or more executable programs.
  - 8. The method according to claim 1, wherein the selected resources are Enterprise JavaBeans (“
    - EJBs”
      
      ) and the permitted actions are methods on the EJBs.
  - 9. The method according to claim 1, wherein the selected resources are servlets and the permitted actions are methods of the servlets.
  - 10. The method according to claim 1, wherein the selected resources are Uniform Resource Identifiers (“
    - URIs”
      
      ) and the permitted actions are methods which reference the URIs.
  - 11. The method according to claim 1, wherein the selected resources are JavaServer Pages (“
    - JSPs”
      
      ) and the permitted actions are methods referenced from the JSPs.
  - 12. The method according to claim 1, wherein the selected resources are any resource that is expressible to the security system and the permitted actions are selected from a set of actions that are permitted on those resources.
  - 13. The method according to claim 1, further comprising the steps of:
    - receiving an access request for a particular one of the selected resources;
      
      determining one or more roles which are required for accessing the particular resource;
      
      determining an identity of a source of the access request;
      
      for each of the required roles, until obtaining a successful result or exhausting the required roles, determining whether the identity of the source is associated with the required role; and
      
      authorizing access to the particular resource only if the successful result was obtained.
  - 14. The method according to claim 13, wherein the step of determining the one or more roles further comprises consulting a collection created from the identified permitted actions on the particular resource.

15. A system for improving security policy administration and enforcement in a computing network using a role-permission model, comprising:
- means for identifying one or more groups of permitted actions on selected resources;
  
  means for assigning a name to each identified group;
  
  means for defining each assigned name to a security system as a security object; and
  
  means for associating subjects with each assigned name.
- View Dependent Claims (16)
- - 16. The system according to claim 15, further comprising:
    - means for receiving an access request for a particular one of the selected resources;
      
      means for determining one or more roles which are required for accessing the particular resource;
      
      means for determining an identity of a source of the access request;
      
      for each of the required roles, until obtaining a successful result or exhausting the required roles, means for determining whether the identity of the source is associated with the required role; and
      
      means for authorizing access to the particular resource only if the successful result was obtained.

17. A computer program product for improving security policy administration and enforcement in a computing network using a role-permission model, the computer program product embodied on one or more computer readable media and comprising:
- computer readable program code means for identifying one or more groups of permitted actions on selected resources;
  
  computer readable program code means for assigning a name to each identified group;
  
  computer readable program code means for defining each assigned name to a security system as a security object; and
  
  computer readable program code means for associating subjects with each assigned name.
- View Dependent Claims (18)
- - 18. The computer program product according to claim 17, further comprising:
    - computer readable program code means for receiving an access request for a particular one of the selected resources;
      
      computer readable program code means for determining one or more roles which are required for accessing the particular resource;
      
      computer readable program code means for determining an identity of a source of the access request;
      
      for each of the required roles, until obtaining a successful result or exhausting the required roles computer readable program code means for determining whether the identity of the source is associated with the required role; and
      
      computer readable program code means for authorizing access to the particular resource only if the successful result was obtained.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Nagaratnam, Nataraj, Nadalin, Anthony Joseph, High, Robert Howard Jr.

Granted Patent

US 7,124,192 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Role-permission model for security policy administration and enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Role-permission model for security policy administration and enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links