System and method for hierarchical role-based entitlements

US 20040162906A1
Filed: 02/14/2003
Published: 08/19/2004
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authorization to adaptively control access to a resource, comprising the steps of:

providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource;

providing for the evaluation of a policy based on the at least one role; and

providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authorization to adaptively control access to a resource, comprising the steps of providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing for the evaluation of a policy based on the at least one role; and providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.

196 Citations

View as Search Results

60 Claims

1. A method for authorization to adaptively control access to a resource, comprising the steps of:
- providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
  
  providing for the evaluation of a policy based on the at least one role; and
  
  providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 3. The method of claim 1 wherein:
    - the step of providing for the mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 4. The method of claim 1 including the step of:
    - determining whether the at least one role is true or false for the principal in a context.
  - 5. The method of claim 1 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 6. The method of claim 5 wherein:
    - the predicate is one of user, group, time and segment.
  - 7. The method of claim 5 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 8. The method of claim 5 wherein:
    - the predicate is a segment that can be specified in plain language.
  - 9. The method of claim 1 wherein:
    - the policy is an association between the resource and a set of roles.
  - 10. The method of claim 9 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

11. A method for authorization for adaptively controlling access to a resource, comprising the steps of:
- providing for the evaluation of a policy based on at least one role applicable to a principal attempting to access the resource;
  
  providing for the granting of access to the resource based on the evaluation; and
  
  wherein the resource, the policy and the at least one role are hierarchically related.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 13. The method of claim 11 wherein:
    - the at least one role is applicable to a principal if the at least one role is satisfied by the principal.
  - 14. The method of claim 11 including the step of:
    - evaluating the at least one role to true or false for the principal in a context.
  - 15. The method of claim 11 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 16. The method of claim 15 wherein:
    - the predicate is one of user, group, time and segment.
  - 17. The method of claim 15 include the step of:
    - evaluating the predicate against the principal and a context.
  - 18. The method of claim 16 wherein:
    - the segment predicate can be specified in plain language.
  - 19. The method of claim 11 wherein:
    - the policy is an association between the resource and a set of roles.
  - 20. The method of claim 19 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

21. A method for authorization for adaptively controlling access to a resource, comprising the steps of:
- providing to a security framework information pertaining to a principal and the resource; and
  
  utilizing the security framework to provide an authorization result based on evaluating at least one security policy by associating at least one role to the principal; and
  
  wherein the resource, the security policy, and the at least one role are hierarchically related.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 23. The method of claim 21 wherein:
    - associating at least one role to a principal includes determining whether or not the at least one role is satisfied by the principal.
  - 24. The method of claim 21 including the step of:
    - evaluating the at least one role to true or false for the principal in a context.
  - 25. The method of claim 21 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 26. The method of claim 25 wherein:
    - the predicate is one of user, group, time and segment.
  - 27. The method of claim 25 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 28. The method of claim 25 wherein:
    - the predicate is a segment and can be specified in plain language.
  - 29. The method of claim 21 wherein:
    - the policy is an association between the resource and a set of roles.
  - 30. The method of claim 29 include the step of:
    - granting access to the resource if the at least one role is in the set of roles.

31. A system for authorization adapted for controlling access to a resource, comprising:
- at least one role-mapper to map a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
  
  at least one authorizer coupled to the at least one role-mapper, the at least one authorizer to determine if a policy is satisfied based on the at least one role; and
  
  an adjudicator coupled to the at least one authorizer, the adjudicator to render a final decision based on the determination of the at least one authorizer.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31 wherein:
    - the principal is an authenticated user, group or process.
  - 33. The system of claim 31 wherein:
    - mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 34. The system of claim 31 wherein:
    - the at least one role evaluates to true or false for the principal in a context.
  - 35. The system of claim 31 wherein:
    - the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
  - 36. The system of claim 35 wherein:
    - the predicate is one of user, group, time and segment.
  - 37. The system of claim 35 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 38. The system of claim 36 wherein:
    - the segment predicate can be specified in plain language.
  - 39. The system of claim 31 wherein:
    - the policy is an association between the resource and a set of roles.
  - 40. The system of claim 39 wherein:
    - access is granted to the resource if the at least one role is in the set of roles.

41. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
- map a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
  
  evaluate a policy based on the at least one role; and
  
  determine whether to grant access to the resource based on the evaluation of the policy.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 42. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
    - allow the principal to be an authenticated user, group or process.
  - 43. The machine readable medium of claim 41 wherein:
    - mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 44. The machine readable medium of claim 41 further comprising instructions which when executed cause the system to:
    - evaluate the at least one role to true or false for the principal in a context.
  - 45. The machine readable medium of claim 41 wherein:
    - the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
  - 46. The machine readable medium of claim 45 wherein:
    - the predicate is one of user, group, time and segment.
  - 47. The machine readable medium of claim 45 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 48. The machine readable medium of claim 46 wherein:
    - the segment predicate can be specified in plain language.
  - 49. The machine readable medium of claim 41 wherein:
    - the policy is an association between the resource and a set of roles.
  - 50. The machine readable medium of claim 49 further comprising instructions which when executed cause the system to:
    - grant access to the resource if the at least one role is in the set of roles.

51. A method for authorization to adaptively control access to a resource in an enterprise application, comprising the steps of:
- providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
  
  providing for the evaluation of a policy based on the at least one role; and
  
  providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy; and
  
  wherein the at least one role, the policy and the resource are part of an enterprise application.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 52. The method of claim 51 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 53. The method of claim 51 wherein:
    - the step of providing for the mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 54. The method of claim 51 including the step of:
    - determining whether the at least one role is true or false for the principal in a context.
  - 55. The method of claim 51 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 56. The method of claim 55 wherein:
    - the predicate is one of user, group, time and segment.
  - 57. The method of claim 55 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 58. The method of claim 55 wherein:
    - the predicate is a segment that can be specified in plain language.
  - 59. The method of claim 51 wherein:
    - the policy is an association between the resource and a set of roles.
  - 60. The method of claim 59 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Griffin, Philip B., McCauley, Rod, Toussaint, Alex, Devgan, Manish

Granted Patent

US 7,591,000 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for hierarchical role-based entitlements

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for hierarchical role-based entitlements

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links