Method for role and resource policy management optimization

US 20040162905A1
Filed: 02/14/2003
Published: 08/19/2004
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authorization to adaptively control access to a resource, comprising the steps of:

retrieving at least one role for a principal from one of;

     1) a first hierarchy; and

     2) a first cache;

retrieving a policy from one of;

     1) a second hierarchy; and

     2) a second cache;

providing for the evaluation of the policy based on the at least one role;

determining whether to grant the principal access to the resource based on the evaluation of the policy;

wherein the at least one role is retrieved from the first cache if the at least one role was retrieved from the first hierarchy; and

wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authorization to adaptively control access to a resource, comprising the steps of: retrieving at least one role for a principal from one of: 1) a first hierarchy; and 2) a first cache; retrieving a policy from one of: 1) a second hierarchy; and 2) a second cache; providing for the evaluation of the policy based on the at least one role; determining whether to grant the principal access to the resource based on the evaluation of the policy; wherein the at least one role is retrieved from the first cache if the at least one role was retrieved from the first hierarchy; and wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.

201 Citations

40 Claims

1. A method for authorization to adaptively control access to a resource, comprising the steps of:
- retrieving at least one role for a principal from one of;
  
       1) a first hierarchy; and
  
       2) a first cache;
  
  retrieving a policy from one of;
  
       1) a second hierarchy; and
  
       2) a second cache;
  
  providing for the evaluation of the policy based on the at least one role;
  
  determining whether to grant the principal access to the resource based on the evaluation of the policy;
  
  wherein the at least one role is retrieved from the first cache if the at least one role was retrieved from the first hierarchy; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 3. The method of claim 1 wherein:
    - the step of determining whether to grant the principal access includes determining whether or not the at least one role is satisfied by the principal.
  - 4. The method of claim 1 including the step of:
    - determining whether the at least one role is true or false for the principal in a context.
  - 5. The method of claim 1 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 6. The method of claim 5 wherein:
    - the predicate is one of user, group, time and segment.
  - 7. The method of claim 5 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 8. The method of claim 5 wherein:
    - the predicate is a segment that can be specified in plain language.
  - 9. The method of claim 1 wherein:
    - the policy is an association between the resource and a set of roles.
  - 10. The method of claim 9 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

11. A method for authorization to adaptively control access to a resource, comprising the steps of:
- retrieving at least one role for a principal from one of;
  
       1) a searchable hierarchy of roles; and
  
       2) a first cache;
  
  retrieving a policy from one of;
  
       1) a searchable hierarchy of policies; and
  
       2) a second cache;
  
  providing for the evaluation of the policy based on the at least one role;
  
  determining whether to grant the principal access to the resource based on the evaluation of the policy;
  
  wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the searchable hierarchy of roles; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the searchable hierarchy of policies; and
  
  wherein the first cache and the second cache are different.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 13. The method of claim 11 wherein:
    - the at least one role is applicable to a principal if the at least one role is satisfied by the principal.
  - 14. The method of claim 11 including the step of:
    - evaluating the at least one role to true or false for the principal in a context.
  - 15. The method of claim 11 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 16. The method of claim 15 wherein:
    - the predicate is one of user, group, time and segment.
  - 17. The method of claim 15 include the step of:
    - evaluating the predicate against the principal and a context.
  - 18. The method of claim 16 wherein:
    - the segment predicate can be specified in plain language.
  - 19. The method of claim 11 wherein:
    - the policy is an association between the resource and a set of roles.
  - 20. The method of claim 19 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

21. A system for authorization adapted for controlling access to a resource, comprising:
- at least one role-mapper to map a principal to at least one role, wherein the at least one role can be retrieved from one of;
  
  1) a first hierarchy; and
  
  2) a first cache;
  
  at least one authorizer coupled to the at least one role-mapper, the at least one authorizer to determine if a policy is satisfied based on the at least one role; and
  
  an adjudicator coupled to the at least one authorizer, the adjudicator to render a decision based on the determination of the at least one authorizer; and
  
  wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the first hierarchy.

31. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
- retrieve at least one role for a principal from one of;
  
       1) a first hierarchy; and
  
       2) a first cache;
  
  retrieve policy from one of;
  
       1) a second hierarchy; and
  
       2) a second cache;
  
  provide for the evaluation of the policy based on the at least one role;
  
  determine whether to grant the principal access to the resource based on the evaluation of the policy;
  
  wherein the at least one role is retrieved from the first cache if the at least one role was previously retrieved from the first hierarchy; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the second hierarchy.
- View Dependent Claims (22, 23, 24, 25, 29)
- - 22. The system of claim 31 wherein:
    - the principal is an authenticated user, group or process.
  - 23. The system of claim 31 wherein:
    - mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 24. The system of claim 31 wherein:
    - the at least one role evaluates to true or false for the principal in a context.
  - 25. The system of claim 31 wherein:
    - the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
  - 29. The system of claim 31 wherein:
    - the policy is an association between the resource and a set of roles.

32. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
- allow the principal to be an authenticated user, group or process.

33. The machine readable medium of claim 41 wherein:
- determining whether to grant the principal access includes determining whether or not the at least one role is satisfied by the principal.

34. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
- evaluate the at least one role to true or false for the principal in a context.

35. The machine readable medium of claim 41 wherein:
- the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
- View Dependent Claims (26, 27)
- - 26. The system of claim 35 wherein:
    - the predicate is one of user, group, time and segment.
  - 27. The system of claim 35 wherein:
    - the predicate can be evaluated against the principal and a context.

36. The machine readable medium of claim 45 wherein:
- the predicate is one of user, group, time and segment.
- View Dependent Claims (28)
- - 28. The system of claim 36 wherein:
    - the segment predicate can be specified in plain language.

37. The machine readable medium of claim 45 wherein:
- the predicate can be evaluated against the principal and a context.

38. The machine readable medium of claim 46 wherein:
- the segment predicate can be specified in plain language.

39. The machine readable medium of claim 41 wherein:
- the policy is an association between the resource and a set of roles.
- View Dependent Claims (30)
- - 30. The system of claim 39 wherein:
    - access is granted to the resource if the at least one role is in the set of roles.

40. The machine readable medium of claim 49 further comprising instructions which when executed cause the system to:
- grant access to the resource if the at least one role is in the set of roles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Griffin, Philip B., McCauley, Rod, Toussaint, Alex, Devgan, Manish

Granted Patent

US 7,653,930 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/105   Multiple levels of security

Method for role and resource policy management optimization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

201 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method for role and resource policy management optimization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links