Method for role and resource policy management optimization
Abstract
A method for authorization to adaptively control access to a resource, comprising the steps of: retrieving at least one role for a principal from one of: 1) a first hierarchy; and 2) a first cache; retrieving a policy from one of: 1) a second hierarchy; and 2) a second cache; providing for the evaluation of the policy based on the at least one role; determining whether to grant the principal access to the resource based on the evaluation of the policy; wherein the at least one role is retrieved from the first cache if the at least one role was retrieved from the first hierarchy; and wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.
Claims

1. A method for authorization to adaptively control access to a resource, comprising the steps of:
retrieving at least one role for a principal from one of:
1) a first hierarchy; and
2) a first cache;
retrieving a policy from one of:
1) a second hierarchy; and
2) a second cache;
providing for the evaluation of the policy based on the at least one role;
determining whether to grant the principal access to the resource based on the evaluation of the policy;
wherein the at least one role is retrieved from the first cache if the at least one role was retrieved from the first hierarchy; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.

11. A method for authorization to adaptively control access to a resource, comprising the steps of:
retrieving at least one role for a principal from one of:
1) a searchable hierarchy of roles; and
2) a first cache;
retrieving a policy from one of:
1) a searchable hierarchy of policies; and
2) a second cache;
providing for the evaluation of the policy based on the at least one role;
determining whether to grant the principal access to the resource based on the evaluation of the policy;
wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the searchable hierarchy of roles; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the searchable hierarchy of policies; and
wherein the first cache and the second cache are different.

21. A system for authorization adapted for controlling access to a resource, comprising:
at least one role-mapper to map a principal to at least one role, wherein the at least one role can be retrieved from one of:
1) a first hierarchy; and
2) a first cache;
at least one authorizer coupled to the at least one role-mapper, the at least one authorizer to determine if a policy is satisfied based on the at least one role; and
an adjudicator coupled to the at least one authorizer, the adjudicator to render a decision based on the determination of the at least one authorizer; and
wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the first hierarchy.

31. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
retrieve at least one role for a principal from one of:
1) a first hierarchy; and
2) a first cache;
retrieve a policy from one of:
1) a second hierarchy; and
2) a second cache;
provide for the evaluation of the policy based on the at least one role;
determine whether to grant the principal access to the resource based on the evaluation of the policy;
wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the first hierarchy; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.

32. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
allow the principal to be an authenticated user, group or process.

33. The machine readable medium of claim 41 wherein:
determining whether to grant the principal access includes determining whether or not the at least one role is satisfied by the principal.

34. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
evaluate the at least one role to true or false for the principal in a context.

35. The machine readable medium of claim 41 wherein:
the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.

36. The machine readable medium of claim 45 wherein:
the predicate is one of user, group, time and segment.

37. The machine readable medium of claim 45 wherein:
the predicate can be evaluated against the principal and a context.

38. The machine readable medium of claim 46 wherein:
the segment predicate can be specified in plain language.

39. The machine readable medium of claim 41 wherein:
the policy is an association between the resource and a set of roles.

40. The machine readable medium of claim 49 further comprising instructions which when executed cause the system to:
grant access to the resource if the at least one role is in the set of roles.
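The claims above describe a role-mapper, an authorizer and an adjudicator working over a searchable role hierarchy and a separate policy hierarchy, each fronted by its own cache, with roles as Boolean expressions over user, group and time predicates and a policy as the set of roles that unlock a resource. The following is an added illustration written for this page, not code from the patent or its assignee; the resource-path hierarchies, the predicate helpers, the sample principals and the `searches` counter are all constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import time

Principal = namedtuple("Principal", "name groups")  # an authenticated user and its groups
# Predicates: each evaluates to true or false against the principal and a context.
def user(name): return lambda p, ctx: p.name == name
def group(g): return lambda p, ctx: g in p.groups
def between(start, end): return lambda p, ctx: start <= ctx["now"] <= end
def all_of(*exprs): return lambda p, ctx: all(e(p, ctx) for e in exprs)  # Boolean combinator

# Constructed sample hierarchies keyed by resource path: roles defined on a node apply
# to its subtree; a policy is the set of role names that unlock a node.
ROLE_HIERARCHY = {"/": {"admin": user("alice")},
                  "/reports": {"analyst": all_of(group("staff"), between(time(9), time(17)))}}
POLICY_HIERARCHY = {"/": frozenset({"admin"}), "/reports": frozenset({"admin", "analyst"})}

def ancestors(resource):
    """'/reports/q3' -> ['/reports/q3', '/reports', '/'], most specific first."""
    parts = [p for p in resource.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), -1, -1)]

def roles_in_scope(hierarchy, resource):  # search: roles defined on any ancestor node apply
    scoped = {}
    for node in reversed(ancestors(resource)):  # root first, so child definitions win
        scoped.update(hierarchy.get(node, {}))
    return scoped

def nearest_policy(hierarchy, resource):  # search: the closest ancestor with a policy governs
    return next((hierarchy[n] for n in ancestors(resource) if n in hierarchy), frozenset())

@dataclass
class AuthorizationEngine:
    role_cache: dict = field(default_factory=dict)    # first cache
    policy_cache: dict = field(default_factory=dict)  # second, separate cache
    searches: int = 0                                 # hierarchy searches actually performed

    def _cached(self, cache, hierarchy, resource, search):
        if resource not in cache:  # first request: search the hierarchy, remember the result
            self.searches += 1
            cache[resource] = search(hierarchy, resource)
        return cache[resource]
    def role_mapper(self, principal, resource, ctx):
        roles = self._cached(self.role_cache, ROLE_HIERARCHY, resource, roles_in_scope)
        return {name for name, expr in roles.items() if expr(principal, ctx)}
    def authorizer(self, resource, roles):
        policy = self._cached(self.policy_cache, POLICY_HIERARCHY, resource, nearest_policy)
        return not policy.isdisjoint(roles)
    def adjudicate(self, principal, resource, ctx):  # grant only if a satisfied role is in the policy
        return self.authorizer(resource, self.role_mapper(principal, resource, ctx))
```

A resource with no policy anywhere on its path resolves to an empty role set and is therefore denied, and repeated requests for the same resource hit both caches without touching either hierarchy again.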
Specification