Remote interface for policy decisions governing access control

US 20050021978A1
Filed: 06/26/2003
Published: 01/27/2005
Est. Priority Date: 06/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to resources, said method comprising:

storing a policy decision for a resource in local memory, said policy decision received from a source of policy definitions, said policy decision based on a policy definition governing access to said resource and on requester identifying information provided to said source;

receiving a request for access to said resource, said request comprising said requester identifying information; and

evaluating said request using said policy decision in said local memory instead of referring said request to said source for evaluation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.

106 Citations

View as Search Results

25 Claims

1. A method of controlling access to resources, said method comprising:
- storing a policy decision for a resource in local memory, said policy decision received from a source of policy definitions, said policy decision based on a policy definition governing access to said resource and on requester identifying information provided to said source;
  
  receiving a request for access to said resource, said request comprising said requester identifying information; and
  
  evaluating said request using said policy decision in said local memory instead of referring said request to said source for evaluation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said resource is affiliated with another resource, and wherein further a policy decision for said other resource is received from said source and stored in local memory.
  - 3. The method of claim 1 further comprising:
    - receiving from said source a notification of a change in said policy definition.
  - 4. The method of claim 3 wherein said notification identifies resources affected by said change.
  - 5. The method of claim 3 wherein said notification also comprises an updated version of said policy decision based on said change.
  - 6. The method of claim 3 further comprising:
    - marking said policy decision subject to said change; and
      
      requesting an updated version of said policy decision in response to a subsequent request for said resource.
  - 7. The method of claim 1 further comprising:
    - sending a message to said source, said message requesting updates for policy decisions stored in said memory.
  - 8. The method of claim 1 wherein a period of time said policy decision is valid is also received from said source and stored locally.
  - 9. The method of claim 1 wherein a condition associated with said policy definition is also received from said source and stored locally, wherein said condition is enforced locally.

10. A method of controlling access to resources, said method comprising:
- receiving a request for access to a resource, said request comprising requestor identifying information, wherein said request is referred to a source of a policy definition that governs access to said resource for evaluation;
  
  receiving from said source a policy decision for said resource, said policy decision based on said policy definition and said requestor identifying information; and
  
  storing said policy decision in local memory, wherein a subsequent request for said resource is evaluated locally using said policy decision stored in memory.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein said resource is affiliated with another resource, wherein a policy decision for said other resource is received from said source and stored in local memory.
  - 12. The method of claim 10 further comprising:
    - receiving from said source a notification of a change in said policy definition.
  - 13. The method of claim 12 wherein said notification identifies resources affected by said change.
  - 14. The method of claim 12 wherein said notification also comprises an updated version of said policy decision based on said change.
  - 15. The method of claim 12 further comprising:
    - marking said policy decision subject to said change; and
      
      requesting an updated version of said policy decision in response to a subsequent request for said resource.
  - 16. The method of claim 10 further comprising:
    - sending a message to said source, said message requesting updates to policy decisions stored in said memory.
  - 17. The method of claim 10 further comprising:
    - receiving information that identifies a period of time said policy decision is valid.
  - 18. The method of claim 10 further comprising:
    - receiving from said source a condition associated with said policy definition, wherein said condition is enforced locally.

19. A computer-usable medium having computer-readable program code embodied therein for causing a computer system to perform a method of controlling access to resources, said method comprising:
- storing in memory a policy decision for a first resource, said policy decision received from a source of policy definitions, said policy decision based on a policy definition governing access to said first resource and on requestor identifying information provided to said source;
  
  receiving a request for access to said first resource, said request comprising said requester identifying information; and
  
  evaluating said request using said policy decision stored in said memory instead of referring said request to said source for evaluation.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer-usable medium of claim 19 wherein said first resource is affiliated with another resource, wherein a policy decision for said other resource is received from said source and stored in local memory.
  - 21. The computer-usable medium of claim 19 wherein said computer-readable program code embodied therein causes said computer system to perform said method comprising:
    - receiving from said source a notification of a change in said policy definition.
  - 22. The computer-usable medium of claim 19 wherein said computer-readable program code embodied therein causes said computer system to perform said method comprising:
    - sending a message to said source, said message requesting updates for policy decisions stored in said memory.
  - 23. The computer-usable medium of claim 19 wherein a period of time said policy decision is valid is also received from said source and stored locally.
  - 24. The computer-usable medium of claim 19 wherein a condition associated with said policy definition is also received from said source and stored locally, wherein said condition is enforced locally.
  - 25. The computer-usable medium of claim 19 wherein said computer-readable program code embodied therein causes said computer system to perform said method comprising:
    - receiving a request for access to a second resource, said request comprising said requestor identifying information;
      
      providing said requestor identifying information to a source of a policy definition that governs access to said second resource;
      
      receiving from said source a policy decision for said second resource, said policy decision for said second resource based on said policy definition that governs said second resource and said requestor identifying information; and
      
      storing said policy decision for said second resource in said memory, wherein a subsequent request for said second resource is evaluated using said policy decision stored in said memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation), Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Cui, Hua, Ranganathan, Aravindan, Luo, Ping, Bhat, Shivaram, Arumugam, Dilli Dorai Minnal

Granted Patent

US 7,594,256 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/6227 where protection concerns t...

H04L 63/102 Entity profiles

Remote interface for policy decisions governing access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Remote interface for policy decisions governing access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links