Definition of low-level security rules in terms of high-level security concepts

US 20030167401A1
Filed: 04/30/2001
Published: 09/04/2003
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a pluggable security policy enforcement module configured to be replaceable in the system and to provide different granularities of control for a business logic in the system, wherein the business logic processes requests submitted to the system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set of pluggable rules are used to define low-level security rules in terms of high-level security concepts. The rules are part of a pluggable module that can interact with a business logic to provide different granularities of control.

Citations

39 Claims

1. A system comprising:
- a pluggable security policy enforcement module configured to be replaceable in the system and to provide different granularities of control for a business logic in the system, wherein the business logic processes requests submitted to the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A system as recited in claim 1, wherein the different granularities of control comprise a plurality of sets of rules that can be replaced with each other without altering the business logic.
  - 3. A system as recited in claim 1, wherein the pluggable security policy enforcement module is further configured to determine, for a particular granularity of control, whether to permit an operation, requested by a user based, based at least in part on a permission assigned to the user.
  - 4. A system as recited in claim 1, wherein the pluggable security policy enforcement module includes a control module configured to determine whether to permit an operation based at least in part on accessing the business logic to identify one or more additional tests to perform, and further configured to perform the one or more additional tests.
  - 5. A system as recited in claim 4, wherein the control module is further configured to return a result of the determining to the business logic.
  - 6. A system as recited in claim 1, wherein the different granularities of control comprise a plurality of sets of rules, and wherein each set of rules includes a plurality of permission assignment objects, wherein each of the permission assignment objects associates a user with a particular role, wherein each particular role is associated with one or more permissions, and wherein each of the one or more permissions identifies a particular operation and context on which the operation is to be performed.
  - 7. A system as recited in claim 6, wherein each of the permission assignment objects further identifies whether the one or more permissions in the particular role are granted to the user or denied to the user.

8. One or more computer-readable media comprising computer-executable instructions that, when executed, direct a processor to perform acts including:
- receiving a request to perform an operation;
  
  checking whether to access a business logic in order to generate a result for the requested operation;
  
  obtaining, from the business logic, a set of zero or more additional tests to be performed in order to generate the result;
  
  performing each additional test in the set of tests if there is at least one test in the set of tests;
  
  checking a set of pluggable rules to determine the result of the requested operation; and
  
  returning, as the result, a failure indication if checking the business logic or checking the set of pluggable rules indicates that the result is a failure, otherwise returning, as the result, a success indication.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. One or more computer-readable media as recited in claim 8, wherein the receiving comprises receiving, from the business logic, the request to perform the operation.
  - 10. One or more computer-readable media as recited in claim 8, wherein the receiving comprises receiving, as part of the request, an indication of a user, and wherein the checking the set of pluggable rules comprises comparing an object associated with the user to the rules in the set of pluggable rules and determining whether the operation can be performed based at least in part on whether the user is permitted to perform the operation.
  - 11. One or more computer-readable media as recited in claim 8, wherein the receiving comprises having one of a plurality of methods invoked.
  - 12. One or more computer-readable media as recited in claim 8, wherein the set of pluggable rules is a set of security rules defined using high-level permission concepts.
  - 13. One or more computer-readable media as recited in claim 12, wherein the high-level permission concepts include an operation and a context, wherein the operation allows identification of an operation to be performed and the context allows identification of what the operation is to be performed on.
  - 14. One or more computer-readable media as recited in claim 8, wherein the computer-executable instructions are implemented as an object.
  - 15. One or more computer-readable media as recited in claim 8, wherein the computer-executable instructions further direct the processor to perform acts including:
    - determining if at least one of the tests in the set of zero or more additional tests would indicate a result of failure; and
      
      returning, as the result, the failure indication without checking the set of pluggable rules.
  - 16. One or more computer-readable media as recited in claim 8, wherein the set of pluggable rules can be replaced with another set of pluggable rules without altering the business logic.
  - 17. One or more computer-readable media as recited in claim 8, wherein the set of pluggable rules includes a plurality of permission assignment objects, wherein each of the permission assignment objects associates a user with a particular role, wherein each particular role is associated with one or more permissions, and wherein each of the one or more permissions identifies a particular operation and context on which the operation is to be performed.
  - 18. One or more computer-readable media as recited in claim 17, wherein each of the permission assignment objects further identifies whether the one or more permissions in the particular role are granted to the user or denied to the user.

19. A method comprising:
- providing high-level permission concepts for security rules;
  
  allowing a set of security rules to be defined using the high-level permission concepts, wherein the set of security rules allows permissions to be assigned to users of an application; and
  
  determining, based at least in part on a permission assigned to a user, whether to permit an operation based on a request by the user.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. A method as recited in claim 19, wherein the determining further comprises determining whether to permit the operation requested by the user based at least in part on accessing a business logic to identify one or more additional tests to perform, and further comprising performing the one or more additional tests.
  - 21. A method as recited in claim 20, further comprising returning a result of the determining to the business logic.
  - 22. A method as recited in claim 19, wherein the high-level permission concepts include an operation and a context, wherein the operation allows identification of an operation to be performed and the context allows identification of what the operation is to be performed on.
  - 23. A method as recited in claim 19, wherein the method is implemented in an object having a plurality of interfaces for requesting a determination as to whether to permit a plurality of operations including the operation requested by the user.
  - 24. A method as recited in claim 19, wherein the set of security rules includes a plurality of permission assignment objects, wherein each of the permission assignment objects associates a user with a particular role, wherein each particular role is associated with one or more permissions, and wherein each of the one or more permissions identifies a particular operation and context on which the operation is to be performed.
  - 25. A method as recited in claim 24, wherein each of the permission assignment objects further identifies whether the one or more permissions in the particular role are granted to the user or denied to the user.

26. A method comprising:
- receiving a request to perform an operation;
  
  accessing a set of low-level rules, wherein the low-level rules are defined in terms of high-level concepts;
  
  checking whether a user requesting to perform the operation is entitled to perform the operation based at least in part on the set of low-level rules; and
  
  returning an indication of whether the operation is allowed or not allowed.
- View Dependent Claims (27, 28, 29, 30)
- - 27. A method as recited in claim 26, wherein the checking further comprises checking whether the user is entitled to perform the operation based at least in part on accessing a business logic to identify one or more additional tests to perform, and further comprising performing the one or more additional tests.
  - 28. A method as recited in claim 27, wherein the set of low-level rules can be replaced with another set of low-level rules without altering the business logic.
  - 29. A method as recited in claim 27, further comprising returning the indication to the business logic.
  - 30. A method as recited in claim 26, wherein the low-level rules include a plurality of permission assignment objects, wherein each of the permission assignment objects associates a user with a particular role, wherein each particular role is associated with one or more permissions, and wherein each of the one or more permissions identifies a particular operation and context on which the operation is to be performed

31. A method comprising:
- assigning high level security concepts to an application domain; and
  
  allowing a set of pluggable rules to define low-level rules, in terms of the high level security concepts, for different business logic in the application domain.
- View Dependent Claims (32, 33, 34)
- - 32. A method as recited in claim 31, wherein the high level security concepts include an operation and a context that identifies what the operation is performed on.
  - 33. A method as recited in claim 31, further comprising:
    - determining, based at least in part on a permission assigned to a user and on one or more additional tests identified by accessing the business logic, whether to permit an operation based on a request by the user.
  - 34. A method as recited in claim 33, further comprising returning a result of the determining to the business logic.

35. An architecture comprising:
- a plurality of resources;
  
  a business logic layer to process, based at least in part on the plurality of resources, requests received from a client; and
  
  a pluggable security policy enforcement module to enforce security restrictions on accessing information stored at the plurality of resources.
- View Dependent Claims (36, 37, 38, 39)
- - 36. An architecture as recited in claim 35, wherein the pluggable security policy enforcement module defines high-level permission concepts for security rules and further defines a set of security rules using the high-level permission concepts.
  - 37. An architecture as recited in claim 36, wherein the high-level permission concepts include an operation and a context, wherein the operation allows identification of an operation to be performed and the context allows identification of what the operation is to be performed on.
  - 38. An architecture as recited in claim 35, wherein the pluggable security policy enforcement module can be replaced with another pluggable security policy enforcement module to enforce different security restrictions without altering the business logic layer.
  - 39. An architecture as recited in claim 35, wherein the pluggable security policy enforcement module is configured to determine, based at least in part on a permission assigned to a user and on one or more additional tests identified by accessing the business logic layer, whether to permit an operation to access information at the plurality of resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Capital Corp (General Electric Company)
Original Assignee
GE Capital Corp (General Electric Company)
Inventors
Murren, Brian T., Kiehl, Thomas R.

Granted Patent

US 7,346,921 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Definition of low-level security rules in terms of high-level security concepts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Definition of low-level security rules in terms of high-level security concepts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links