Computer-implemented authorization systems and methods using associations

US 20060224590A1
Filed: 03/29/2005
Published: 10/05/2006
Est. Priority Date: 03/29/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for accessing resource objects, comprising:

receiving a request which involves performing an operation with respect to a resource object;

wherein the requested resource object has multiple associations with other objects;

wherein one or more data stores are used to store interrelationships among resource objects, authorization-related objects, and access permission information;

wherein the authorization-related objects are configured to specify whether a requester should be granted or denied access to a requested object;

querying the one or more data stores in order to determine which authorization-related objects are associated with the requested resource object;

querying the one or more data stores in order to determine which permissions are associated with the determined authorization-related objects;

performing a comparison between the determined permissions and the requester'"'"'s access credential information;

wherein the comparison is used to determine whether to permit authorization of the operation with respect to the resource object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented systems and methods for determining whether to authorize one or more operations with respect to resource objects. A system and method can include receiving a request that would involve an operation with respect to a resource object. The requested resource object may have multiple associations with other objects. One or more data stores are used to store interrelationships among resource objects, authorization-related objects, and access permission information. The authorization-related objects are configured to specify whether a requester should be granted or denied access to a requested object. The one or more data stores are queried in order to determine which authorization-related objects are associated with the requested resource object and in order to determine which permissions are associated with the determined authorization-related objects. A comparison is performed between the determined permissions and the requester'"'"'s access credential information. The comparison is used to determine whether to permit the operation with respect to the resource object.

83 Citations

View as Search Results

23 Claims

1. A computer-implemented method for accessing resource objects, comprising:
- receiving a request which involves performing an operation with respect to a resource object;
  
  wherein the requested resource object has multiple associations with other objects;
  
  wherein one or more data stores are used to store interrelationships among resource objects, authorization-related objects, and access permission information;
  
  wherein the authorization-related objects are configured to specify whether a requester should be granted or denied access to a requested object;
  
  querying the one or more data stores in order to determine which authorization-related objects are associated with the requested resource object;
  
  querying the one or more data stores in order to determine which permissions are associated with the determined authorization-related objects;
  
  performing a comparison between the determined permissions and the requester'"'"'s access credential information;
  
  wherein the comparison is used to determine whether to permit authorization of the operation with respect to the resource object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein an association is described by an association object with attributes that map the association between two objects of different types.
  - 3. The method of claim 2, wherein based upon information derived from the request, the association objects are queried and intermediate query results are aggregated in order to determine whether to permit the operation with respect to the resource object.
  - 4. The method of claim 3, wherein the information derived from the request includes an object reference for the resource object, requested permission, and credential information associated with the request'"'"'s user.
  - 5. The method of claim 3, wherein authorization-related objects include association objects that describe a linkage between two objects related by type;
    - wherein the association objects are used to identify relationships involving identity and permission objects in order to determine which users are permitted to perform what actions on an object.
  - 6. The method of claim 5, wherein the one or more data stores are provided on an object server;
    - wherein the object server is a multi-threaded, concurrent object server that handles object requests from users;
      
      wherein the determination of whether to permit the operation with respect to the resource object is performed without requiring querying or instantiating of actual permission objects, thereby reducing authorization processing requirements on the object server.
  - 7. The method of claim 5, wherein the one or more data stores include an association table and a permissions data store;
    - wherein the permissions data store is an in-memory list of the permission objects.
  - 8. The method of claim 5, wherein the request is received from a user;
    - wherein the user is associated with one or more GRANT/DENY user permissions with respect to the resource object;
      
      wherein the user is a member of a group that is associated with one or more GRANT/DENY member permissions with respect to the resource object;
      
      wherein the user'"'"'s permissions and the user'"'"'s member permissions are evaluated in order to determine whether to permit the operation with respect to resource object.
  - 9. The method of claim 5, wherein based upon information derived from the request, the association objects are queried and intermediate query results are aggregated in order to determine whether to permit the accessing of the resource object;
    - wherein the querying to determine which authorization-related objects are associated with the requested resource object comprises a first query;
      
      wherein the first query is performed to obtain association objects for all related access control entry objects corresponding to the requested resource object;
      
      wherein the querying to determine which permissions are associated with the determined authorization-related objects comprises a second query;
      
      wherein the second query reduces results of the first query to the association objects that represent the intersection of the access control entry object references returned from the first query and permission object references that correspond to the resource object'"'"'s requested permission;
      
      wherein a third query is performed upon the one or more data stores in order to determine association objects that represent the intersection of access control entry object references that associate to the required permission as reduced by the second query and the identity object references corresponding to the requesting user'"'"'s credential information;
      
      wherein after the third query completes, a mapping established from the second query results is used to match permission information to the identity references from the third query results;
      
      wherein authorization precedence rules are applied to the matched permission corresponding authorization-related object references to determine if the user is granted or denied authorization to the requested resource object.
  - 10. The method of claim 1, wherein if the comparison does not result in a determination of whether to permit the operation with respect to the resource object, then inheritance operations are performed to determine whether to permit the operation with respect to the resource object;
    - wherein the inheritance operations comprise;
      
      evaluating at least one security rule to determine whether to grant authorization to the requested resource object;
      
      wherein the requested resource object has multiple associations with other objects;
      
      wherein the security rule is used to determine a security containment boundary with respect to the requested resource object based upon an association which the requested resource object has with another object;
      
      wherein the request to the resource object is processed based upon security access control information associated with the objects contained within the determined security containment boundary;
      
      wherein the security containment boundary determines which requesters have access to the resource objects contained within the boundary;
      
      wherein the security containment boundary is established for the requested resource object by setting up security rules based on object class;
      
      wherein the security rules specify how to traverse from an object of a class to an associated object, wherein authorization information determined from the traversal is used to determine whether authorization is to be granted to the requested resource object, wherein identity of the requester is used in determining whether authorization is to be granted to the requested resource object.
  - 11. The method of claim 10, wherein an authorization control decision for the resource object is determined based upon the resource objects'"'"' association with a plurality of objects, wherein security access control information of the associated objects is used to form the authorization control decision, wherein the association with the plurality of objects includes both objects directly associated with the requested resource object and an object indirectly associated with the requested resource object;
    - wherein ancestor classes are classes from a class inheritance hierarchy;
      
      wherein the inheritance operations further comprise;
      
      determining for the requested resource object from which security rules to inherit based upon parents of the requested resource object as specified in the class inheritance hierarchy;
      
      wherein the security rules are defined once on a parent class and affect all of its child classes with respect to object access determinations;
      
      wherein child classes augment security rules inherited from their parents;
      
      wherein at least one child class ignores one or more of the inheritable security rules from its one or more ancestor classes;
      
      wherein a security rule specifies that at least one child class ignores one or more of the inheritable security rules from its one or more ancestor classes.
  - 12. The method of claim 1, wherein the requester'"'"'s access credential information includes one or more credentials that are used to determine access rights based upon their association with one or more authorization-related objects, said method further comprising:
    - querying the one or more data stores in order to determine which of the requester'"'"'s credentials are associated with the determined authorization-related objects;
      
      wherein a comparison is performed between the determined permissions and identity objects related to the determined requester'"'"'s credentials in order to determine whether to permit authorization with respect to the resource object.
  - 13. The method of claim 1, wherein authorization-related objects are configured to specify what types of operations a requester can perform on a requested object.
  - 14. The method of claim 1, wherein the querying to determine which permissions are associated with the determined authorization-related objects further includes querying the one or more data stores in order to determine which permissions are associated with the type of access being requested to be performed upon the resource object.
  - 15. The method of claim 1, wherein the querying steps only involve comparing object references.
  - 16. The method of claim 1, wherein dynamically sized parallel array data structures are used to maintain references to the objects and to precedence levels for the determined authorization-related objects.
  - 17. The method of claim 16, wherein the dynamically sized parallel array data structures include an object references array for storing object references of the determined authorization-related objects;
    - wherein the dynamically sized parallel array data structures include a precedence levels array for storing permission and identity information associated with a determined authorization-related object.
  - 18. The method of claim 16, wherein all object references in the parallel array data structures are in contiguous memory and delimited for direct use in an IN clause of a query statement.
  - 19. A data signal that is transmitted using a network, wherein the data signal includes the request of claim 1;
    - wherein the data signal comprises packetized data that is transmitted through the network.
  - 20. Computer-readable medium capable of causing a computing device to perform the method of claim 1.

21. A computer-implemented system for accessing resource objects, wherein a request is received which involves accessing a resource object, wherein the requested resource object has multiple associations with other objects, said system comprising:
- one or more data stores that store interrelationships among resource objects, authorization-related objects, and access permission information;
  
  wherein the authorization-related objects are configured to specify whether a requester should be granted or denied access to a requested object;
  
  first software instructions configured to query the one or more data stores in order to determine which authorization-related objects are associated with the requested resource object;
  
  second software instructions configured to query the one or more data stores in order to determine which permissions are associated with the determined authorization-related objects;
  
  wherein a comparison is performed between the determined permissions and the requester'"'"'s access credential information;
  
  wherein the comparison is used to determine whether to permit the accessing of the resource object.
- View Dependent Claims (22)
- - 22. The system of claim 21, further comprising:
    - third software instructions configured to query the one or more data stores in order to determine which of the requester'"'"'s access credential objects are associated with the determined authorization-related objects;
      
      wherein a comparison is performed between the determined permissions and the determined requester'"'"'s access credential objects in order to determine whether to permit the accessing of the resource object.

23. A computer-implemented system for accessing resource objects, comprising:
- means for receiving a request which involves accessing a resource object;
  
  wherein the requested resource object has multiple associations with other objects;
  
  wherein one or more data stores are used to store interrelationships among resource objects, authorization-related objects, and access permission information;
  
  wherein authorization-related objects are configured to specify whether a requester should be granted or denied access to a requested object;
  
  means for querying the one or more data stores in order to determine which authorization-related objects are associated with the requested resource object;
  
  means for querying the one or more data stores in order to determine which permissions are associated with the determined authorization-related objects;
  
  means for querying the one or more data stores in order to determine which of the requester'"'"'s access credential objects are associated with the determined authorization-related objects;
  
  means for performing a comparison between the determined permissions and identity objects related to the determined requester'"'"'s access credential objects in order to determine whether to permit the accessing of the resource object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAS Institute Incorporated
Original Assignee
SAS Institute Incorporated
Inventors
Bowman, Brian P., Boozer, John F.

Granted Patent

US 7,644,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Computer-implemented authorization systems and methods using associations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-implemented authorization systems and methods using associations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links