Access control for an e-commerce application

US 20030055991A1
Filed: 09/20/2001
Published: 03/20/2003
Est. Priority Date: 09/20/2001
Status: Active Grant

First Claim

Patent Images

1. A system for selectively granting access to a target object, comprising:

an object data store that includes a plurality of hierarchically structured target objects and a plurality of hierarchically structured actor objects;

an action data store that includes a plurality of action objects;

an access control instruction data store comprising a plurality of hierarchically structured access control instructions;

a context comprising an actor attribute, an action attribute, and a target attribute; and

an access determination engine configured to selectively grant access to the target object based on a first set of access control instructions having attributes that match the context and a second set of access control instructions having attributes that are hierarchically broader than the attributes of the context.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for selectively granting access to a target object. In one embodiment, the system includes an object data store, an access control instruction data store, an action data store, a context, and an access determination engine. The object data store includes a plurality of hierarchically structured target objects and a plurality of hierarchically structured actor objects. The access control instruction data store includes a plurality of hierarchically structured access control instructions. The action data store comprising a plurality action objects. The context includes an actor attribute, an action attribute, and a target attribute. The access determination engine configured to selectively grant access to the target object based on a first set of access control instructions having attributes that match the context and a second set of access control instructions having attributes that are hierarchically broader than the attributes of the context.

30 Citations

View as Search Results

20 Claims

1. A system for selectively granting access to a target object, comprising:
- an object data store that includes a plurality of hierarchically structured target objects and a plurality of hierarchically structured actor objects;
  
  an action data store that includes a plurality of action objects;
  
  an access control instruction data store comprising a plurality of hierarchically structured access control instructions;
  
  a context comprising an actor attribute, an action attribute, and a target attribute; and
  
  an access determination engine configured to selectively grant access to the target object based on a first set of access control instructions having attributes that match the context and a second set of access control instructions having attributes that are hierarchically broader than the attributes of the context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the object data store and the access control instruction data store comprise one of a lightweight directory access protocol compliant server and a relational database.
  - 3. The system of claim 1, wherein the action objects in the action data store are hierarchically related and define an implication hierarchy.
  - 4. The system of claim 3, wherein an action object data store is configured to enable the addition of an action.
  - 5. The system of claim 4, wherein the action object added to the action data store is added to the implication hierarchy.
  - 6. The system of claim 1, wherein each of the plurality of hierarchically structured access control instructions comprises an actor attribute, an action attribute, a target attribute, and an access attribute.
  - 7. The system of claim 1, wherein the context is provided to the system by an electronic commerce application.
  - 8. The system of claim 1, wherein the access determination engine is configured to determine a set of relevant access control instructions.
  - 9. The system of claim 8, wherein the access determination engine is configured to deny access if one or more relevant access control instructions have an access attribute value of deny.

10. A method for selectively granting access to a target object, comprising:
- receiving a context comprising an actor attribute, an action attribute, and a target attribute;
  
  determining a first set of hierarchically broader actor attributes based on the actor attribute;
  
  determining a second set of hierarchically broader action attributes based on the action attribute;
  
  determining a third set of hierarchically broader target attributes based on the target attribute and;
  
  determining a set of relevant access control instructions according to the actor, action, and target attributes and the first, second, and third sets of hierarchically broader relevant attributes.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the step of determining a first set of hierarchically broader actor attributes comprises accessing a hierarchically structured actor data store.
  - 12. The method of claim 10, wherein the step of determining a third set of hierarchically broader target attributes comprises accessing a hierarchically structured target data store.
  - 13. The method of claim 10, wherein the step of determining a second set of hierarchically broader action attributes comprises accessing a hierarchically structured action data store.
  - 14. The method of claim 13, further comprising:
    - adding an action object to the action data store.
  - 15. The method of claim 14, further comprising:
    - adding the added action object to a hierarchy associated with the action data store.
  - 16. The method of claim 10, further comprising denying access if one or more relevant access control instructions have an access attribute value of deny.
  - 17. The method of claim 10, wherein the context is received from an electronic commerce application.

18. A computer program product, comprising a computer readable medium having computer code embodied therein for selectively granting access to a target object comprising:
- a computer readable program code device configured as an object data store comprised of a plurality of hierarchically structured target objects and a plurality of hierarchically structured actor objects;
  
  a computer readable program code device configured as an access control instruction data store comprising a plurality of hierarchically structured access control instructions;
  
  a computer readable program code device configured as an action data store comprising a plurality action objects a computer readable program code device configured as a context comprising an actor attribute, an action attribute, and a target attribute; and
  
  an access determination engine configured to selectively grant access to the target object based on a first set of access control instructions having attributes that match the context and a second set of access control instructions having attributes that are hierarchically broader than the attributes of the context.

19. A system for selectively granting access to a target object, comprising;
- means for receiving a context comprising an actor attribute, an action attribute, and a target attribute;
  
  means for determining a first set of hierarchically broader actor attributes based on the actor attribute;
  
  means for determining a second set of hierarchically broader action attributes based on the action attribute;
  
  means for determining a third set of hierarchically broader target attributes based on the target attribute; and
  
  means for determining a set of relevant access control instructions according to the actor, action, and target attributes and the first, second, and third sets of hierarchically broader relevant attributes.

20. A computer program product comprising a computer useable medium having computer readable code embodied therein selectively granting access to a target object, the computer program product adapted when run on a computer to execute steps, including:
- receiving a context comprising an actor attribute, an action attribute, and a target attribute;
  
  determining a first set of hierarchically broader actor attributes based on the actor attribute;
  
  determining a second set of hierarchically broader actin attributes based on the actin attribute;
  
  determining a third set of hierarchically broader target attributes based on the target attribute; and
  
  determining a set of relevant access control instructions according to the actor action, and target attributes and the first, second and third sets of hierarchically broader relevant attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Addison, Stayton D. Jr., Krishnapuram, Madhu, Kand, Shreenivas G., Gondhalekar, Mangesh

Granted Patent

US 7,120,698 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/6236   between heterogeneous systems

G06F 9/468   Specific access rights for ...

Y10S 707/99939   Privileged access

Access control for an e-commerce application

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for an e-commerce application

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links