Techniques for providing role-based security with instance-level granularity

US 20060277595A1
Filed: 06/06/2005
Published: 12/07/2006
Est. Priority Date: 06/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting a request by a principal for access to a resource, wherein access is conditioned on a status of a role associated with the request, the principal, and the resource;

evaluating a constraint associated with the role to determine the status; and

providing the status to a context manager, which decides whether to provide access to the resource for purposes of satisfying the request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing role-based security with instance-level granularity are provided. A security service detects a request made by a principal for access to a resource. Access to the resource is conditioned on a status of a role. The role is associated with the request, the principal, and the resource. The security service evaluates a constraint associated with the role to determine the status. The status is subsequently consumed to determine whether access to the resource for the purposes of satisfying the request is permissible.

147 Citations

View as Search Results

25 Claims

1. A method, comprising:
- detecting a request by a principal for access to a resource, wherein access is conditioned on a status of a role associated with the request, the principal, and the resource;
  
  evaluating a constraint associated with the role to determine the status; and
  
  providing the status to a context manager, which decides whether to provide access to the resource for purposes of satisfying the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, supplying the context manager with the role, wherein the role assists the context manager in deciding whether to provide access to the resource.
  - 3. The method of claim 1 further comprising, determining whether access to the resource for the purposes of satisfying the request is permissible in response to the status.
  - 4. The method of claim 3 further comprising, at least one of:
    - denying the principal access to the resource if the status is determined to be false; and
      
      permitting access by the principal to the resource if the status is determined to be true.
  - 5. The method of claim 1, wherein evaluating further includes identifying instance-level data associated with the constraint, wherein the instance-level data includes at least one of a method name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, parameter data associated with the method name and temporal data associated with the request.
  - 6. The method of claim 5 further comprising, retrieving at least a portion of the instance-level data from the context manager.
  - 7. The method of claim 1 further comprising:
    - assigning a time-to-access or a time-to-live value to the status; and
      
      providing the time-to-access or the time-to-live value to the context manager.

8. A method, comprising:
- detecting a request made by a principal for access to a resource, wherein access is contingent on a status of a role associated with the principal and a condition associated with the principal and the resource;
  
  evaluating a constraint associated with the role to determine the status; and
  
  providing the status, wherein the status is subsequently consumed to resolve the condition and determine whether access to the resource for the purposes of satisfying the request is permissible.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein providing further includes supplying the status to a context manager, wherein the context manager determines whether access to the resource is permissible.
  - 10. The method of claim 8 further comprising, assigning the status to the role in response to evaluating the constraint.
  - 11. The method of claim 8 further comprising, receiving the role from an identity service.
  - 12. The method of claim 11, wherein receiving further includes receiving the role and an identity for the principal as an assertion from the identity service which vouches for the role and for the identity of the principal.
  - 13. The method of claim 8 further comprising, dynamically modifying the status and providing the modified status to a context manager, wherein the modified status revokes previous access permitted by the context manger to the resource.
  - 14. The method of claim 8, wherein evaluating further includes dynamically determining whether the condition is true or false at least partially in response to a statically assigned role.

15. A system, comprising:
- a role;
  
  a constraint associated with the role; and
  
  a security service, wherein the security service detects a request made by a principal for access to a resource, wherein access is contingent on a status of the role and a condition associated with the principal and the resource, and wherein the security service evaluates the constraint to determine the status, and wherein the security service provides the status to a context manager which controls access to the resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, further comprising an identity service, wherein the identity service supplies the security service with one or more roles which can be associated with the principal.
  - 17. The system of claim 16, wherein the identity service interacts with the security service according to a trust specification.
  - 18. The system of claim 16, wherein the identity service provides the roles to the security service as an assertion.
  - 19. The system of claim 15, wherein the security service communicates with the context manager through an Application Programming Interface (API) associated with an external interface of the context manager.
  - 20. The system of claim 15, wherein the request includes instance-level data having at least one of a method name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, parameter data associated with the method name, and temporal data associated the request, and wherein the constraint includes one or more policies associated with the instance-level data.
  - 21. The system of claim 20, wherein the operation of the security service is transparent to at least one of the context manager, the principal, and the resource.

22. A system, comprising:
- a context manager; and
  
  a security service, wherein a principal makes a request for access to a resource within an environment of the context manager, the security service detects the request and supplements a decision regarding access by at least one of resolving a role for the principal, evaluating a constraint associated with the role, and evaluating a condition associated with the principal and the resource, wherein the security service communicates an access decision to the context manager in a manner recognized by the context manager, the context manager decides in response to its own independent decision and in response to the security service'"'"'s access decision whether to grant access to the resource in order to satisfy the request of the principal.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22 further comprising, an identity service that assists the security service in at least one of resolving the identity of the principal and resolving a list of roles with which the principal may be associated.
  - 24. The system of claim 22, wherein the security service acquires information associated with the environment when evaluating the constraint.
  - 25. The system of claim 24, wherein the information includes access-related data associated with at least one of the resource and one or more principals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen R., Burch, Lloyd Leon, Kinser, Stephen Hugh

Granted Patent

US 7,774,827 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Techniques for providing role-based security with instance-level granularity

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for providing role-based security with instance-level granularity

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links