Role-permission model for security policy administration and enforcement
First Claim
1. A method of improving security policy administration and enforcement using a role-permission model, comprising steps of identifying one or more groups of permitted actions on selected resources;
assigning a name to each identified group;
defining each assigned name to a security system as a security object; and
associating subjects with each assigned name.
Abstract
Methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments. The disclosed techniques improve administration and enforcement of security policies. Allowed actions on resources (such as invocations of particular methods, read or write access to a particular row or a particular column of a database table, and so forth), also called permissions, are grouped, and each group of permissions is associated with a role name. A particular action on a particular resource may be specified in more than one group, and therefore may be associated with more than one role. Each role is administered as a security object. Users and/or user groups may be associated with one or more roles. At run-time, access to a resource is protected by determining whether the invoking user has been associated with (granted) at least one of the roles required for this type of access on this resource.
18 Claims
1. A method of improving security policy administration and enforcement using a role-permission model, comprising steps of
identifying one or more groups of permitted actions on selected resources;
assigning a name to each identified group;
defining each assigned name to a security system as a security object; and
associating subjects with each assigned name. (Dependent claims: 2 to 14.)
15. A system for improving security policy administration and enforcement in a computing network using a role-permission model, comprising:
means for identifying one or more groups of permitted actions on selected resources;
means for assigning a name to each identified group;
means for defining each assigned name to a security system as a security object; and
means for associating subjects with each assigned name. (Dependent claim: 16.)
17. A computer program product for improving security policy administration and enforcement in a computing network using a role-permission model, the computer program product embodied on one or more computer readable media and comprising:
computer readable program code means for identifying one or more groups of permitted actions on selected resources;
computer readable program code means for assigning a name to each identified group;
computer readable program code means for defining each assigned name to a security system as a security object; and
computer readable program code means for associating subjects with each assigned name. (Dependent claim: 18.)
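The model described in the abstract and stepped through in claim 1 (identify groups of permitted actions, name each group, define each name to the security system as a security object, associate subjects with the names, and at run-time require at least one of the roles that carry the permission) is shown below as a small Python engine. This is an added illustration, not code from the patent or its assignee; the role names, resources, subjects and the `("grant", "role:<name>")` convention used to make each role a protected security object are assumptions of the example.

```python
"""Role-permission (RBAC) engine following the model in the abstract and claim 1.
Added example; every role, resource and subject below is constructed."""
from dataclasses import dataclass, field

# A permission is one allowed action on one resource, e.g. ("read", "accounts.balance").
Permission = tuple[str, str]


class AccessDenied(Exception):
    """Raised by check() when no role held by the subject permits the action."""


@dataclass
class SecuritySystem:
    # Claim 1, steps 1 and 2: named groups of permitted actions on resources.
    roles: dict[str, frozenset[Permission]] = field(default_factory=dict)
    # Step 4: subject (user or group name) -> names of roles associated with it.
    subject_roles: dict[str, set[str]] = field(default_factory=dict)
    # Group membership, so a role granted to a group reaches each of its users.
    user_groups: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, name: str, permissions) -> None:
        """Step 3: register the role name as a security object. The only way to
        associate a subject with it is grant(), which requires the (assumed)
        permission ("grant", "role:<name>"), so roles are protected by the same
        run-time check as every other resource."""
        if name in self.roles:
            raise ValueError(f"role {name!r} already defined")
        self.roles[name] = frozenset(permissions)

    def bootstrap(self, subject: str, role: str) -> None:
        """Initial trusted configuration: the first administrator is assigned
        out of band, before any subject could pass a grant check."""
        self.subject_roles.setdefault(subject, set()).add(role)

    def add_to_group(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def effective_roles(self, user: str) -> set[str]:
        """Roles held directly plus roles held by any group the user belongs to."""
        roles = set(self.subject_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.subject_roles.get(group, set())
        return roles

    def roles_permitting(self, action: str, resource: str) -> set[str]:
        """All roles containing this permission; a permission may sit in several."""
        return {name for name, perms in self.roles.items() if (action, resource) in perms}

    def is_authorized(self, user: str, action: str, resource: str) -> bool:
        """Run-time check from the abstract: the user must hold at least one of
        the roles required for this action on this resource. Fails closed when
        no role at all carries the permission."""
        required = self.roles_permitting(action, resource)
        return bool(required) and bool(self.effective_roles(user) & required)

    def check(self, user: str, action: str, resource: str) -> None:
        if not self.is_authorized(user, action, resource):
            raise AccessDenied(f"{user!r} may not {action!r} {resource!r}")

    def grant(self, granter: str, subject: str, role: str) -> None:
        """Associate a subject with a role. The role is itself a security
        object, so the granter must hold the grant permission on it."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.check(granter, "grant", f"role:{role}")
        self.subject_roles.setdefault(subject, set()).add(role)


def build_demo() -> SecuritySystem:
    """Constructed sample policy: two business roles sharing one permission,
    plus an administrative role that guards the role objects themselves."""
    sec = SecuritySystem()
    sec.define_role("teller", {("invoke", "AccountService.deposit"),
                               ("read", "accounts.balance")})
    sec.define_role("auditor", {("read", "accounts.balance"),   # also in teller
                                ("read", "accounts.ssn")})
    sec.define_role("security-admin", {("grant", "role:teller"),
                                       ("grant", "role:auditor"),
                                       ("grant", "role:security-admin")})
    sec.bootstrap("root", "security-admin")
    sec.add_to_group("alice", "branch-staff")
    sec.grant("root", "branch-staff", "teller")   # group holds the role; alice inherits it
    sec.grant("root", "bob", "auditor")
    return sec


if __name__ == "__main__":
    sec = build_demo()
    for user, action, resource in [("alice", "read", "accounts.balance"),
                                   ("bob", "read", "accounts.balance"),
                                   ("bob", "invoke", "AccountService.deposit"),
                                   ("alice", "read", "accounts.ssn"),
                                   ("root", "write", "accounts.balance")]:
        print(user, action, resource, "->", sec.is_authorized(user, action, resource))
    try:
        sec.grant("alice", "alice", "auditor")   # alice holds no grant on role:auditor
    except AccessDenied as exc:
        print("denied:", exc)
```

Two points the abstract makes are visible in the run: `("read", "accounts.balance")` belongs to both `teller` and `auditor`, so either role satisfies the check, and a request for which no role carries the permission (`write` on `accounts.balance`) is refused even for the administrator, because the check fails closed rather than falling back to a default allow. Treating each role as a security object means an ordinary user cannot widen their own access by granting themselves a second role.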