Techniques for supporting application-specific access controls with a separate server

US 20040088340A1
Filed: 02/10/2003
Published: 05/06/2004
Est. Priority Date: 11/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for supporting access controls on application-specific operations performed by an application, comprising the steps of:

receiving, at a server distinct from the application, first data that describes a first set of privileges for performing a first plurality of application-specific operations;

receiving, at the server, second data that associates a first user of the application with a privilege in the first set of privileges;

in response to receiving, at the server from the application, a request that indicates a particular user and a particular application-specific operation, determining whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and

sending to the application a response that indicates whether the particular user may have the application perform the particular application-specific operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for supporting access controls on application-specific operations performed by an application include receiving first data at a server distinct from the application. The first data describes a first set of privileges for performing a first set of application-specific operations. Second data is also received at the server. The second data associates a first user of the application with a privilege in the first set of privileges. In response to receiving a request at the server from the application, it is determined whether a particular user may have the application perform a particular application-specific operation based on the first data and the second data. The request indicates the particular user and the particular application-specific operation. A response is sent to the application. The response indicates whether the particular user may have the application perform the particular application-specific operation.

Citations

22 Claims

1. A method for supporting access controls on application-specific operations performed by an application, comprising the steps of:
- receiving, at a server distinct from the application, first data that describes a first set of privileges for performing a first plurality of application-specific operations;
  
  receiving, at the server, second data that associates a first user of the application with a privilege in the first set of privileges;
  
  in response to receiving, at the server from the application, a request that indicates a particular user and a particular application-specific operation, determining whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and
  
  sending to the application a response that indicates whether the particular user may have the application perform the particular application-specific operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein:
    - said step of receiving the first data further comprises receiving first data that also associates the first set of privileges with a first type of data items upon which the plurality of application-specific operations operate; and
      
      said step of receiving the request further comprises receiving the request that also indicates a particular data item; and
      
      said step of determining whether the particular user may have the application perform the particular application-specific operation further comprises determining whether the particular data item is a member of the first type of data items.
  - 3. The method of claim 2, wherein:
    - the method further comprises receiving, at the server, third data that describes a different second set of privileges for performing a second plurality of application-specific operations on a different second type of data items; and
      
      said step of receiving the second data further comprises receiving second data that also associates a second user of the application with a privilege in the second set of privileges; and
      
      said step of determining whether the particular user may have the application perform the particular application-specific operation further comprises determining whether a particular type of the particular data item is associated with a particular set of privileges for a particular plurality of application-specific operations that include the particular application-specific operation.
  - 4. The method of claim 1, wherein the second user is the same as the first user.
  - 5. The method of claim 1, wherein the second user is different from the first user.
  - 6. The method of claim 1, said step of receiving the first data further comprises receiving a document in extensible markup language (XML).
  - 7. The method of claim 1, said step of determining whether the particular user may have the application perform the particular application-specific operation further comprising the step of managing a cache in fast memory for storing information that associates each of one or more users with one or more privileges in each of one or more sets of privileges including the first set of privileges.
  - 8. The method of claim 7, said step of managing the cache further comprising the step of storing in the cache data indicating a type of data item associated with each user.
  - 9. The method of claim 1, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
  - 10. The method of claim 6, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
  - 11. The method of claim 7, said step of managing the cache further comprising the step of storing in the cache a bitmap for each user, wherein:
    - each set of privileges forms a hierarchy of one or more levels of privileges;
      
      each different position in the bitmap corresponds to one different leaf node in each hierarchy of the one or more sets of privileges; and
      
      a leaf node is a node of a hierarchy that does not have any child node.

12. A method for supporting access controls on application-specific operations performed by an application, comprising the steps of:
- sending, to a server distinct from the application, first data that describes a first set of privileges for performing a first plurality of application-specific operations;
  
  sending to the server second data that associates a first user of the application with a privilege in the first set of privileges;
  
  receiving at the application a command from a particular user, which command involves the application performing a particular application-specific operation;
  
  sending to the server a request that indicates the particular user and the particular application-specific operation;
  
  in response to the request, receiving from the server a response that indicates whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and
  
  performing the particular application-specific operation only if the response indicates the particular user may have the application perform the particular application-specific operation.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein:
    - said step of sending the first data further comprises sending first data that also associates the first set of privileges with a first type of data items upon which the plurality of application-specific operations operate; and
      
      said step of sending the request further comprises sending the request that also indicates a particular data item; and
      
      said step of receiving the response based on the first data and the second data further comprises receiving the response also based on whether the particular data item is a member of the first type of data items.
  - 14. The method of claim 13, wherein:
    - the method further comprises sending to the server third data that describes a different second set of privileges for performing a second plurality of application-specific operations on a different second type of data items; and
      
      said step of sending the second data further comprises sending second data that also associates a second user of the application with a privilege in the second hierarchy of privileges; and
      
      said step of receiving the response based on the first data and the second data further comprises receiving the response also based on whether a particular type of the particular data item is associated with a particular set of privileges for a particular plurality of application-specific operations that include the particular application-specific operation.
  - 15. The method of claim 12, wherein the second user is the same as the first user.
  - 16. The method of claim 12, wherein the second user is different from the first user.
  - 17. The method of claim 12, said step of sending the first data further comprises sending a document in extensible markup language (XML).
  - 18. The method of claim 12, wherein the application does not manage a cache in fast memory for storing information that associates each of one or more users with one or more privileges in each of one or more sets of privileges including the first set of privileges.
  - 19. The method of claim 12, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
  - 20. The method of claim 17, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.

21. A computer-readable medium carrying one or more sequences of instructions for supporting access controls on application-specific operations performed by an application, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving, at a server distinct from the application, first data that describes a first hierarchy of privileges for performing a first plurality of application-specific operations;
  
  receiving, at the server, second data that associates a first user of the application with a privilege in the first hierarchy of privileges;
  
  in response to receiving, at the server from the application, a request that indicates a particular user and a particular application-specific operation, determining whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and
  
  sending to the application a response that indicates whether the particular user may have the application perform the particular application-specific operation.

22. A computer-readable medium carrying one or more sequences of instructions for supporting access controls on application-specific operations performed by an application, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- sending, to a server distinct from the application, first data that describes a first hierarchy of privileges for performing a first plurality of application-specific operations;
  
  sending to the server second data that associates a first user of the application with a privilege in the first hierarchy of privileges;
  
  receiving at the application a command from a particular user, which command involves the application performing a particular application-specific operation;
  
  sending to the server a request that indicates the particular user and the particular application-specific operation;
  
  in response to the request, receiving from the server a response that indicates whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and
  
  performing the particular application-specific operation only if the response indicates the particular user may have the application perform the particular application-specific operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Idicula, Sam, Murthy, Ravi, Agarwal, Nipun

Granted Patent

US 7,020,653 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/206
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/629   to features or functions of...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/956   Hierarchical

Techniques for supporting application-specific access controls with a separate server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for supporting application-specific access controls with a separate server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links