Methods and apparatus for pre-filtered access control in computing systems

US 20040054663A1
Filed: 09/17/2002
Published: 03/18/2004
Est. Priority Date: 09/17/2002
Status: Active Grant

First Claim

Patent Images

1. An automated method implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, the method comprising the steps of:

selecting one or more authorization policies that apply to a given principal; and

transforming the one or more authorization policies based on meta-information associated with the one or more resources so as to form a query against a resource store that selects the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated technique implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action comprises the following steps/operations. First, one or more authorization policies that apply to a given principal are selected. Then, the one or more authorization policies are transformed based on meta-information associated with the one or more resources so as to form a query against a resource store that selects the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action. The query may then be executed to select the one or more resources from the resource store. In another automated technique, the query may be formed without use of the one or more authorization policies, but where the policies are used to remove unauthorized resources from the superset of resources returned as a result of query execution. The techniques may return no resources on which the user is allowed to perform an action, if, for example, no such resources are stored in the resource store. Also, it may also be that no authorization policy applies to the user.

Citations

20 Claims

1. An automated method implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, the method comprising the steps of:
- selecting one or more authorization policies that apply to a given principal; and
  
  transforming the one or more authorization policies based on meta-information associated with the one or more resources so as to form a query against a resource store that selects the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the step of executing the query to select the one or more resources from the resource store.
  - 3. The method of claim 1, wherein the one or more authorization policies are explicitly represented.
  - 4. The method of claim 1, wherein the one or more authorization policies are prestored in a policy store.
  - 5. The method of claim 1, wherein the meta-information is prestored in a meta-information store.
  - 6. The method of claim 1, wherein the query is formed in accordance with the Standard Query Language (SQL).
  - 7. The method of claim 1, wherein the query is formed in accordance with the Lightweight Directory Access Protocol (LDAP).
  - 8. The method of claim 1, wherein the meta-information is procedurally derivable from the resources or information contained in the resource store.

9. An automated method implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, the method comprising the steps of:
- selecting one or more authorization policies that apply to a given principal;
  
  forming a query, based on meta-information associated with the one or more resources, against a resource store that selects resources from the resource store;
  
  executing the query to select the resources from the resource store; and
  
  removing one or more resources from the selected resources on which the one or more authorization policies do not allow the given principal to perform the at least one action so as to select the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action.

10. Apparatus implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, the apparatus comprising:
- at least one processor operative to;
  
  (i) select one or more authorization policies that apply to a given principal; and
  
  (ii) transform the one or more authorization policies based on meta-information associated with the one or more resources so as to form a query against a resource store that selects the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action; and
  
  memory, coupled to the at least one processor, for maintaining the resource store.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus of claim 10, wherein the at least one processor is further operative to execute the query to select the one or more resources from the resource store.
  - 12. The apparatus of claim 10, wherein the one or more authorization policies are explicitly represented.
  - 13. The apparatus of claim 10, wherein the one or more authorization policies are prestored in a policy store.
  - 14. The apparatus of claim 10, wherein the meta-information is prestored in a meta-information store.
  - 15. The apparatus of claim 10, wherein the query is formed in accordance with the Standard Query Language (SQL).
  - 16. The apparatus of claim 10, wherein the query is formed in accordance with the Lightweight Directory Access Protocol (LDAP).
  - 17. The apparatus of claim 10, wherein the meta-information is procedurally derivable from the resources or information contained in the resource store.

18. Apparatus implemented in a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, the apparatus comprising:
- at least one processor operative to;
  
  (i) select one or more authorization policies that apply to a given principal;
  
  (ii) forming a query, based on meta-information associated with the one or more resources, against a resource store that selects resources from the resource store;
  
  (iii) execute the query to select the resources from the resource store; and
  
  (iv) remove one or more resources from the selected resources on which the one or more authorization policies do not allow the given principal to perform the at least one action so as to select the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action; and
  
  memory, coupled to the at least one processor, for maintaining the resource store.

19. An article of manufacture for use in accordance with a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, comprising a machine readable medium containing one or more programs which when executed implement the steps of:
- selecting one or more authorization policies that apply to a given principal; and
  
  transforming the one or more authorization policies based on meta-information associated with the one or more resources so as to form a query against a resource store that selects the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action.

20. An article of manufacture for use in accordance with a computer system for selecting one or more resources on which a principal is authorized to perform at least one action, comprising a machine readable medium containing one or more programs which when executed implement the steps of:
- selecting one or more authorization policies that apply to a given principal;
  
  forming a query, based on meta-information associated with the one or more resources, against a resource store that selects resources from the resource store;
  
  executing the query to select the resources from the resource store; and
  
  removing one or more resources from the selected resources on which the one or more authorization policies do not allow the given principal to perform the at least one action so as to select the one or more resources on which the one or more authorization policies allow the given principal to perform the at least one action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Goodwin, Richard Thomas

Granted Patent

US 7,216,125 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/3
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Y10S 707/99939 Privileged access

Methods and apparatus for pre-filtered access control in computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for pre-filtered access control in computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links