Inherited role-based access control system, method and program product

US 20060010483A1
Filed: 07/12/2004
Published: 01/12/2006
Est. Priority Date: 07/12/2004
Status: Active Grant

First Claim

Patent Images

1. An inherited role-based access control system, comprising:

a role definition system for defining a set of permissible actions for a role type;

a role binding system for binding the role type to a node of a hierarchical tree of nodes, wherein the nodes represent computer-based resources, and wherein instances of the role type are inherited by hierarchical descendants of the node; and

a role blocking system for establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Under the present invention, role types are defined by association with certain permissible actions. Once defined in this manner, a role type can then be bound to “nodes” of a hierarchical tree that represent computer-based resources such as dynamic object spaces. Once bound to a node, instances of this role type are created that will be inherited by hierarchical descendants of that node unless a role type block (e.g., inheritance or propagation) has been established for the corresponding role type. The present invention also allows the computer-based resources to be defined as virtual or private. Virtual resources represent general protected concepts in the system instead of computer-based resources and are subject to be bound with roles, while private resources are not. That is, the private resources remain the “property” of the creating user or group.

Citations

26 Claims

1. An inherited role-based access control system, comprising:
- a role definition system for defining a set of permissible actions for a role type;
  
  a role binding system for binding the role type to a node of a hierarchical tree of nodes, wherein the nodes represent computer-based resources, and wherein instances of the role type are inherited by hierarchical descendants of the node; and
  
  a role blocking system for establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the role blocking system comprises an inheritance blocking system for establishing an inheritance block on one of the hierarchical descendants, wherein instances of the role type cannot be inherited by the one hierarchical descendant on which the inheritance block has been established or by any descendant nodes of the one hierarchical descendant on which the inheritance block has been established.
  - 3. The system of claim 1, wherein the role blocking system comprises a propagation blocking system for establishing a propagation block on one of the hierarchical descendants for the role type, wherein the instances of the role type cannot be inherited by any descendant nodes of the one hierarchical descendant on which the propagation block has been established.
  - 4. The system of claim 1, further comprising a role association system for associating the role type with particular types of the computer-based resources, wherein the role type can only be bound to the nodes that correspond to the types of computer-based resources with which the role type was associated.
  - 5. The system of claim 1, further comprising a resource definition system for identifying virtual computer-based resources that are subject to the role binding system and for identifying private computer-based resources that are not subject to the role binding system.
  - 6. The system of claim 1, wherein the binding of the role type to the node results in a role-based domain that comprises the node and the hierarchical descendants of the node unless a role type block has been established.
  - 7. The system of claim 1, wherein the computer-based resources comprise dynamic object spaces.
  - 8. The system of claim 1, wherein the set of permissible actions are derived from a set of generic actions.

9. An inherited role-based access control method, comprising:
- providing a hierarchical tree of nodes, wherein the nodes represent computer-based resources;
  
  binding a role type to a node of the hierarchical tree to create a role-based domain, wherein instances of the role type are inherited by hierarchical descendants of the node; and
  
  establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the role type block is an inheritance block established on one of the hierarchical descendants that prevents the instances of the role type from being inherited by the one hierarchical descendant.
  - 11. The method of claim 9, wherein the role type block is a propagation block established on one of the hierarchical descendants that prevents the instances of the role types from being inherited by descendant nodes of the one hierarchical descendant.
  - 12. The method of claim 9, further comprising defining a set of permissible actions for the role type.
  - 13. The method of claim 9, further comprising associating the role type with particular types of resources, wherein the role type can only be bound to the nodes that correspond to the types of resources with which the role type was associated.
  - 14. The method of claim 9, further comprising defining virtual computer-based resources whose corresponding nodes are subject to the binding step.
  - 15. The method of claim 9, further comprising defining private computer-based resources whose corresponding nodes are not subject to the binding step.
  - 16. The method of claim 9, wherein the computer-based resources comprise dynamic object spaces.

17. A program product stored on a recordable medium for inherited role-based access control, which when executed, comprises:
- program code for defining a set of permissible actions for a role type;
  
  program code for binding the role type to a node of a hierarchical tree of nodes, wherein the nodes represent computer-based resources, and wherein instances of the role type are inherited by hierarchical descendants of the node; and
  
  program code for establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The program product of claim 17, wherein the program code for establishing comprises program code for establishing an inheritance block on one of the hierarchical descendants, wherein instances of the role type cannot be inherited by the one hierarchical descendant on which the inheritance block has been established or by any descendant nodes of the one hierarchical descendant on which the inheritance block has been established.
  - 19. The program product of claim 17, wherein the program code for establishing comprises program code for establishing a propagation block on one of the hierarchical descendants for the role type, wherein the instances of the role type cannot be inherited by any descendant nodes of the one hierarchical descendant on which the propagation block has been established.
  - 20. The program product of claim 17, further comprising program code for associating the role type with particular types of the computer-based resources, wherein the role type can only be bound to the nodes that correspond to the types of computer-based resources with which the role type was associated.
  - 21. The program product of claim 17, further comprising program code for identifying virtual computer-based resources that are subject to the role binding system, and for identifying private computer-based resources that are not subject to the role binding system.
  - 22. The program product of claim 17, wherein the binding of the role to the node results in a role-based domain that comprises the node and the hierarchical descendants of the node unless a role type block has been established.
  - 23. The program product of claim 17, wherein the computer-based resources comprise dynamic object spaces.
  - 24. The program product of claim 17, wherein the set of permissible actions are derived from a set of generic actions.

25. A system for deploying an application for inherited role-based access control comprising:
- a computer infrastructure being operable to;
  
  define a set of permissible actions for a role type;
  
  bind the role type to a node of a hierarchical tree of nodes, wherein the nodes represent computer-based resources, and wherein instances of the role type are inherited by hierarchical descendants of the node; and
  
  establish a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.

26. Computer software embodied in a propagated signal for inherited role-based access control, the computer software comprising instructions to cause a computer system to perform the following functions:
- define a set of permissible actions for a role type;
  
  bind the role type to a node of a hierarchical tree of nodes, wherein the nodes represent computer-based resources, and wherein instances of the role type are inherited by hierarchical descendants of the node; and
  
  establish a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Buehler, Dieter, Masselle, Eric L.

Granted Patent

US 7,882,544 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6227 where protection concerns t...

G06F 2221/2145 Inheriting rights or proper...

Inherited role-based access control system, method and program product

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Inherited role-based access control system, method and program product

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links