System and method for rule-based entitlements

US 20030105974A1
Filed: 10/24/2002
Published: 06/05/2003
Est. Priority Date: 10/24/2001
Status: Active Grant

First Claim

Patent Images

1. A method of authorization, comprising:

associating at least one role with a resource;

associating at least one capability with the at least one role; and

determining whether to permit a resource operation based on the at least one capability.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of authorization comprising associating at least one role with a resource, associating at least one capability with the at least one role, and determining whether to permit a resource operation based on the at least one capability.

159 Citations

View as Search Results

104 Claims

1. A method of authorization, comprising:
- associating at least one role with a resource;
  
  associating at least one capability with the at least one role; and
  
  determining whether to permit a resource operation based on the at least one capability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 3. The method of claim 2 wherein:
    - the at least one role rule is specified in plain language.
  - 4. The method of claim 2 wherein:
    - the at least one role rule includes at least one logical expression.
  - 5. The method of claim 2 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 6. The method of claim 1 wherein:
    - the at least one role is everyone.
  - 7. The method of claim 1 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 8. The method of claim 1 wherein:
    - the resource operation is one of show, edit and remove.
  - 9. The method of claim 1 wherein:
    - the resource is a resource group.
  - 10. The method of claim 1 wherein:
    - determining whether to permit the resource operation is based on an optimistic access scheme.
  - 11. The method of claim 1 wherein:
    - associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 12. The method of claim 1 wherein:
    - associating the at least one role with the resource includes retrieving the at least one role from a cache.
  - 13. The method of claim 1 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

14. A method of authorization, comprising:
- intercepting a resource operation, the resource operation identifying a resource;
  
  associating at least one role with the resource;
  
  associating at least one capability with the at least one role; and
  
  allowing the resource operation if the resource operation is permitted based on the at least one capability.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 16. The method of claim 15 wherein:
    - the at least one role rule is specified in plain language.
  - 17. The method of claim 15 wherein:
    - the at least one role rule includes at least one logical expression.
  - 18. The method of claim 15 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 19. The method of claim 14 wherein:
    - the at least one role is everyone.
  - 20. The method of claim 14 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 21. The method of claim 14 wherein:
    - the resource operation is one of show, edit and remove.
  - 22. The method of claim 14 wherein:
    - the resource is a resource group.
  - 23. The method of claim 14 wherein:
    - determining whether to permit the resource operation is based on an optimistic access scheme.
  - 24. The method of claim 14 wherein:
    - associating the at least one capability with the at least one role requires the at least one capability and the resource operation to be compatible.
  - 25. The method of claim 14 wherein:
    - associating the at least one role with the resource includes retrieving the at least one role from a cache.
  - 26. The method of claim 14 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

27. A method of authorization, comprising:
- sending a resource request from a client to an access controller, wherein the access controller associates at least one capability with the resource request; and
  
  sending an indication of whether the resource request is permitted from the access controller to the client based on the at least one capability; and
  
  wherein associating the at least one capability with the resource request includes associating at least one role with a resource identified in the resource request.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The method of claim 27 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 29. The method of claim 28 wherein:
    - the at least one role rule is specified in plain language.
  - 30. The method of claim 28 wherein:
    - the at least one role rule includes at least one logical expression.
  - 31. The method of claim 28 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 32. The method of claim 27 wherein:
    - the at least one role is everyone.
  - 33. The method of claim 27 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 34. The method of claim 27 wherein:
    - the resource request includes a resource operation, wherein the resource operation is one of show, edit and remove.
  - 35. The method of claim 27 wherein:
    - the resource is a resource group.
  - 36. The method of claim 27 wherein:
    - determining whether to permit the resource request is based on an optimistic access scheme.
  - 37. The method of claim 27 wherein:
    - associating the at least one capability with the resource request requires the capability and the resource request to be compatible.
  - 38. The method of claim 27 wherein:
    - associating the at least one role with the resource includes retrieving the at least one role from a cache.
  - 39. The method of claim 27 wherein:
    - associating the at least one capability with the resource request includes retrieving the at least one capability from a cache.

40. A system for authorization, comprising:
- an access controller adapted to accept a resource operation from a client;
  
  a role mapper coupled to the access controller, the role mapper to associate at least one role with the client; and
  
  a decision module coupled to the access controller, to determine whether access to a resource specified in the resource operation is permitted based upon the at least one role.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 76, 78)
- - 41. The system of claim 40 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 42. The system of claim 41 wherein:
    - the at least one role rule is specified in plain language.
  - 43. The system of claim 41 wherein:
    - the at least one role rule includes at least one logical expression.
  - 44. The system of claim 41 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 45. The system of claim 40 wherein:
    - the at least one role is everyone.
  - 46. The system of claim 40 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 47. The system of claim 40 wherein:
    - the resource operation is one of show, edit and remove.
  - 48. The system of claim 40 wherein:
    - the resource is a resource group.
  - 49. The system of claim 40 wherein:
    - determining whether to permit a resource operation is based on an optimistic access scheme.
  - 50. The system of claim 40, further comprising:
    - associating at least one capability with the at least one role; and
      
      wherein associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 51. The system of claim 40 wherein:
    - associating the at least one role with the client includes retrieving the at least one role from a cache.
  - 52. The system of claim 50 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.
  - 76. The system of claim 40 further comprising:
    - associating at least one capability with the at least one role; and
      
      wherein associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 78. The system of claim 76 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

53. A system for authorization, comprising:
- a client adapted to send a resource operation to an access controller;
  
  wherein the access controller is coupled to a role mapper, the role mapper to associate at least one role with a client; and
  
  wherein the access controller is coupled to an access decision module, the access decision module to determine whether access to a resource specified in the resource operation is permitted based upon the role at least one role.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 54. The system of claim 53 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 55. The system of claim 54 wherein:
    - the at least one role rule is specified in plain language.
  - 56. The system of claim 54 wherein:
    - the at least one role rule includes at least one logical expression.
  - 57. The system of claim 54 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 58. The system of claim 53 wherein:
    - the at least one role is everyone.
  - 59. The system of claim 53 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 60. The system of claim 53 wherein:
    - the resource operation is one of show, edit and remove.
  - 61. The system of claim 53 wherein:
    - the resource is a resource group.
  - 62. The system of claim 53 wherein:
    - determining whether to permit access to the resource is based on an optimistic access scheme.
  - 63. The system of claim 53 further comprising:
    - associating at least one capability with the at least one role; and
      
      wherein associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 64. The system of claim 53 wherein:
    - associating the at least one role with the client includes retrieving the at least one role from a cache.
  - 65. The system of claim 63 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

66. A system for authorization, comprising:
- a client;
  
  an access controller to accept a resource operation from the client, wherein the resource operation identifies a resource;
  
  a role mapper coupled to the access controller, to associate at least one role with a client; and
  
  an access decision module coupled to the access controller, to determine whether access to a resource specified in the resource operation is permitted based upon the role at least one role.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75, 77)
- - 67. The system of claim 66 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 68. The system of claim 67 wherein:
    - the at least one role rule is specified in plain language.
  - 69. The system of claim 67 wherein:
    - the at least one role rule includes at least one logical expression.
  - 70. The system of claim 67 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 71. The system of claim 66 wherein:
    - the at least one role is everyone.
  - 72. The system of claim 66 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 73. The system of claim 66 wherein:
    - the resource operation is one of show, edit and remove.
  - 74. The system of claim 66 wherein:
    - the resource is a resource group.
  - 75. The system of claim 66 wherein:
    - determining whether to permit access to the resource is based on an optimistic access scheme.
  - 77. The system of claim 66 wherein:
    - associating the at least one role with the client includes retrieving the at least one role from a cache.

79. A system for authorization, comprising:
- a means for associating at least one role with a resource;
  
  a means for associating at least one capability with the at least one role; and
  
  a means for determining whether to permit a resource operation based on the at least one capability.
- View Dependent Claims (80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91)
- - 80. The system of claim 79 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 81. The system of claim 80 wherein:
    - the at least one role rule is specified in plain language.
  - 82. The system of claim 80 wherein:
    - the at least one role rule includes at least one logical expression.
  - 83. The system of claim 80 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 84. The system of claim 79 wherein:
    - the at least one role is everyone.
  - 85. The system of claim 79 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 86. The system of claim 79 wherein:
    - the resource operation is one of show, edit and remove.
  - 87. The system of claim 79 wherein:
    - the resource is a resource group.
  - 88. The system of claim 79 wherein:
    - determining whether to permit a resource operation is based on an optimistic access scheme.
  - 89. The system of claim 79 wherein:
    - associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 90. The system of claim 79 wherein:
    - associating the at least one role with the resource includes retrieving the at least one role from a cache.
  - 91. The system of claim 79 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

92. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
- associate at least one role with a resource;
  
  associate at least one capability with the at least one role; and
  
  determine whether to permit a resource operation based on the at least one capability.
- View Dependent Claims (93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104)
- - 93. The machine readable medium of claim 92 wherein:
    - associating the at least one role is based on evaluating at least one role rule.
  - 94. The machine readable medium of claim 93 wherein:
    - the at least one role rule is specified in plain language.
  - 95. The machine readable medium of claim 93 wherein:
    - the at least one role rule includes at least one logical expression.
  - 96. The machine readable medium of claim 93 wherein:
    - evaluating the at least one role rule utilizes at least one of user information, session information, and system information.
  - 97. The machine readable medium of claim 92 wherein:
    - the at least one role is everyone.
  - 98. The machine readable medium of claim 92 wherein:
    - the resource is one of a portal page, a portlet, and an administrative task.
  - 99. The machine readable medium of claim 92 wherein:
    - the resource operation is one of show, edit and remove.
  - 100. The machine readable medium of claim 92 wherein:
    - the resource is a resource group.
  - 101. The machine readable medium of claim 92 wherein:
    - determining whether to permit the resource operation is based on an optimistic access scheme.
  - 102. The machine readable medium of claim 92 wherein:
    - associating the at least one capability with the at least one role requires the capability and the resource operation to be compatible.
  - 103. The machine readable medium of claim 92 wherein:
    - associating the at least one role with the resource includes retrieving the at least one role from a cache.
  - 104. The machine readable medium of claim 92 wherein:
    - associating the at least one capability with the at least one role includes retrieving the at least one capability from a cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Griffin, Philip B., Devgan, Manish, Howes, Jason, Dunbar, Scott

Granted Patent

US 7,451,477 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 16/275   Synchronous replication

G06F 16/80   of semi-structured data, e....

G06F 16/954   Navigation, e.g. using cate...

G06F 16/958   Organisation or management ...

G06F 16/986   Document structures and sto...

G06F 21/1012   to domains

G06F 21/1015   to users

G06F 21/1064   Restricting content process...

G06F 21/1073   Conversion

G06F 21/1076   Revocation

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/629   to features or functions of...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/10   Office automation; Time man...

H04L 41/18 : Delegation of network manag...

H04L 41/22 : comprising specially adapte...

H04L 63/0815 : providing single-sign-on or...

H04L 63/0884 : by delegation of authentica...

H04L 63/102 : Entity profiles

H04L 67/02 : based on web technology, e....

H04L 67/025 : for remote control or remot...

H04L 67/06 : specially adapted for file ...

H04L 67/14 : Session management for real...

H04L 67/142 : Managing session states for...

H04L 67/2871 : Implementation details of s...

H04L 67/306 : User profiles

H04L 67/34 : involving the movement of s...

H04L 67/51 : Discovery or management the...

H04L 67/564 : Enhancement of application ...

H04L 67/567 : Integrating service provisi...

H04L 67/568 : Storing data temporarily at...

H04L 67/75 : Indicating network or usage...

H04L 69/22 : Parsing or analysis of headers

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

Y10S 707/99931 : Database or file accessing

Y10S 707/99933 : Query processing, i.e. sear...

Y10S 707/99953 : Recoverability

Y10S 707/99954 : Version management

View All

System and method for rule-based entitlements

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

159 Citations

104 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for rule-based entitlements

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

104 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links