Fine grained role-based access to system resources

US 20030229623A1
Filed: 05/30/2002
Published: 12/11/2003
Est. Priority Date: 05/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method of providing role-based access in a networked computer system, said computer system comprising a plurality of objects on which users wish to perform operations, said method comprising the steps of:

organizing said computer system objects into a hierarchical tree structure having a plurality of parent-child object relationships, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;

providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;

providing a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level; and

responsive to an operation request from a requesting user, evaluating said Role Permission and Role Assignment portions of the security policy, and granting permission for said operation request only if said operation is permitted at said request user'"'"'s assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security policy process which provides role-based permissions for hierarchically organized system resources such as domains, clusters, application servers, and resources, as well as topic structures for messaging services. Groups of permissions are assigned to roles, and each user is assigned a role and a level of access within the hierarchy of system resources or topics. Forward or reverse inheritance is applied to each user level-role assignment such that each user is allowed all permissions for ancestors to the assigned level or descendants to the assigned level. This allows simplified security policy definition and maintenance of user permissions as each user'"'"'s permission list must only be configured and managed at one hierarchical level with one role.

378 Citations

27 Claims

1. A method of providing role-based access in a networked computer system, said computer system comprising a plurality of objects on which users wish to perform operations, said method comprising the steps of:
- organizing said computer system objects into a hierarchical tree structure having a plurality of parent-child object relationships, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
  
  providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
  
  providing a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level; and
  
  responsive to an operation request from a requesting user, evaluating said Role Permission and Role Assignment portions of the security policy, and granting permission for said operation request only if said operation is permitted at said request user'"'"'s assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as set forth in claim 1 wherein:
    - said step of organizing said computer system objects into a hierarchical tree structure comprises providing a tree structure of system resources selected from the group of domain, cluster, application, application server and application resource, with said domain being the topmost system object; and
      
      said step of providing a unidirectional inheritance definition within said Role Permission portion comprises providing a downward inheritance definition from said domain to said clusters, applications, application servers, and application resources such that a requesting user may inherit permissions from hierarchy levels below that user'"'"'s assigned hierarchy level including all child and child descendant objects.
  - 3. The method as set forth in claim 2 wherein the step of providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises grouping one or more operations selected from the group of reading system runtime state, reading system configuration, changing system runtime state and changing system configuration into one or more permission collections.
  - 4. The method as set forth in claim 2 wherein the step of providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises assigning each permission collection to at least one corresponding security role selected from the group of monitor, operator, configurator, and administrator.
  - 5. The method as set forth in claim 4 wherein said step of assigning each permission collection to at least one corresponding security role comprises the steps of:
    - assigning permission as an operator implies assigning permission as a monitor;
      
      assigning permission as a configurator implies assigning permission as a monitor; and
      
      assigning permission as an administrator implies assigning permission as an operator, a configurator and indirectly as a monitor.
  - 6. The method as set forth in claim 1 wherein:
    - said step of organizing said computer system objects into a hierarchical tree structure comprises providing a tree structure of information topics with a topmost general topic, and with a plurality of more specific subtopics having one or more ancestor topics including said general topic; and
      
      said step of providing a unidirectional inheritance definition within said Role Permission portion comprises providing an upward (reverse) inheritance definition from said subtopics to said ancestor topics, such that a requesting user may inherit permissions from ancestor hierarchy levels above that user'"'"'s assigned hierarchy level.
  - 7. The method as set forth in claim 6 wherein the step of providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises grouping one or more operations selected from the group of publish-only, read-only, and publish-and-read.
  - 8. The method as set forth in claim 6 wherein the step of providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises assigning each permission collection to at least one corresponding security role selected from the group of publisher, reader, or publish-and-read subscriber.
  - 9. The method as set forth in claim 8 wherein said step of assigning each permission collection to at least one corresponding security role wherein the step of assigning permission as a publish-and-read subscriber implies assigning permission as a reader and as a publisher.

10. A computer readable medium encoded with software for providing role-based access in a networked computer system, said computer system comprising a plurality of objects on which users wish to perform operations, said software causing a security server to perform the steps of:
- organizing said computer system objects into a hierarchical tree structure having a plurality of parent-child object relationships, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
  
  providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
  
  providing a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level; and
  
  responsive to an operation request from a requesting user, evaluating said Role Permission and Role Assignment portions of the security policy, and granting permission for said operation request only if said operation is permitted at said request user'"'"'s assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable medium as set forth in claim 10 wherein:
    - said software for organizing said computer system objects into a hierarchical tree structure comprises software for organizing a tree structure of system resources selected from the group of domain, cluster, application, application server and application resource, with said domain being the topmost system object; and
      
      said software for providing a unidirectional inheritance definition within said Role Permission portion comprises software for providing a downward inheritance definition from said domain to said clusters, applications, application servers, and application resources such that a requesting user may inherit permissions from hierarchy levels below that user'"'"'s assigned hierarchy level including all child and child descendant objects.
  - 12. The computer readable medium as set forth in claim 11 wherein the software for providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises software for grouping one or more operations selected from the group of reading system runtime state, reading system configuration, changing system runtime state and changing system configuration into one or more permission collections.
  - 13. The computer readable medium as set forth in claim 11 wherein the software for providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises software for assigning each permission collection to at least one corresponding security role selected from the group of monitor, operator, configurator, and administrator.
  - 14. The computer readable medium as set forth in claim 13 wherein said software for assigning each permission collection to at least one corresponding security role comprises software for performing the steps of:
    - assigning permission as an operator implies assigning permission as a monitor;
      
      assigning permission as a configurator implies assigning permission as a monitor; and
      
      assigning permission as an administrator implies assigning permission as an operator, a configurator and indirectly as a monitor.
  - 15. The computer readable medium as set forth in Claim 10 wherein:
    - said software for organizing said computer system objects into a hierarchical tree structure comprises software for providing a tree structure of information topics with a topmost general topic, and with a plurality of more specific subtopics having one or more ancestor topics including said general topic; and
      
      wherein said software for providing a unidirectional inheritance definition within said Role Permission portion comprises software for providing an upward (reverse) inheritance definition from said subtopics to said ancestor topics, such that a requesting user may inherit permissions from ancestor hierarchy levels above that user'"'"'s assigned hierarchy level.
  - 16. The computer readable medium as set forth in claim 15 wherein the software for providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises software for grouping one or more operations selected from the group of publish-only, read-only, and publish-and-read.
  - 17. The computer readable medium as set forth in claim 15 wherein the software for providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles comprises software for assigning each permission collection to at least one corresponding security role selected from the group of publisher, reader, or publish-and-read subscriber.
  - 18. The computer readable medium as set forth in claim 17 wherein said software for assigning each permission collection to at least one corresponding security role comprises software in which assigning permission as a publish-and-read subscriber implies assigning permission as a reader and as a publisher.

19. A system for providing fine grained access control to a plurality of system objects within a networked computer system on which users wish to perform operations, said system comprising:
- a hierarchical tree structure representing said system objects, said tree structure having a plurality of parent-child object relationships, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
  
  a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
  
  a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level;
  
  a means for receiving an operation request from a requesting user, and for transmitting an operation grant to said requesting user; and
  
  a security server means for evaluating said Role Permission and Role Assignment portions of the security policy upon receipt of an operation request, and for granting permission for said operation request only if said operation is permitted at said request user'"'"'s assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system as set forth in claim 19 wherein:
    - said hierarchical tree structure comprises a system resources selected from the group of domain, cluster, application, application server and application resource, with said domain being the topmost system object; and
      
      said unidirectional inheritance definition within said Role Permission portion comprises a downward inheritance definition from said domain to said clusters, applications, application servers, and application resources such that a requesting user may inherit permissions from hierarchy levels below that user'"'"'s assigned hierarchy level including all child and child descendant objects.
  - 21. The system as set forth in claim 20 wherein said Role Permission portion of a security policy comprises groups of one or more operations selected from the group of reading system runtime state, reading system configuration, changing system runtime state and changing system configuration into one or more permission collections.
  - 22. The system as set forth in claim 20 wherein said Role Permission portion of a security policy comprises assignments of each permission collection to at least one corresponding security role selected from the group of monitor, operator, configurator, and administrator.
  - 23. The system as set forth in claim 22 wherein said assignment of each permission collection to at least one corresponding security role comprises:
    - operator assignments which imply monitor permissions;
      
      configurator assignments which imply monitor permissions; and
      
      administrator assignments which imply operator and configurator permissions, and indirectly implies monitor permissions.
  - 24. The system as set forth in claim 19 wherein:
    - said hierarchical tree structure comprises information topics with a topmost general topic, and with a plurality of more specific subtopics having one or more ancestor topics including said general topic; and
      
      said unidirectional inheritance definition within said Role Permission portion comprises an upward (reverse) inheritance definition from said subtopics to said ancestor topics, such that a requesting user may inherit permissions from ancestor hierarchy levels above that user'"'"'s assigned hierarchy level.
  - 25. The system as set forth in claim 24 wherein said Role Permission portion of a security policy comprises groups of one or more operations selected from the group of publish-only, read-only, and publish-and-read.
  - 26. The system as set forth in claim 25 wherein said Role Permission portion comprises assignments of each permission collection to at least one corresponding security role selected from the group of publisher, reader, or publish-and-read subscriber.
  - 27. The system as set forth in claim 26 wherein said assignment of each permission collection to a publish-and-read subscriber roles implies assignment as a reader role and as a publisher role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Venkataramappa, Vishwanath, Chang, David Yu, Chao, Ching-Yun, Chung, Hyen Vui, Williamson, Leigh Allen, Mason, Carlton Keith

Granted Patent

US 6,950,825 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/3
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Y10S 707/99939   Privileged access

Fine grained role-based access to system resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

378 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Fine grained role-based access to system resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

378 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others