Translating role-based access control policy to resource authorization policy
First Claim
1. A method for authoring role based access control policy in a networked computing environment, comprising:
- defining at least one scope wherein each scope represents a set of resources in the networked computing environment;
- defining at least one application role, each including a set of permissions that are assigned to principals in a given scope; and
- defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is designated for access to specific resources according to a scope of the at least one scope and an application role of the at least one application role.
Abstract
Translation of role-based authoring models for managing RBAC "roles" to resource authorization policy (RAP), such as ACL-based applications, is provided. A generic RBAC system is defined, from which mappings to other authorization enforcement mechanisms make possible the translation of RBAC "roles" to resource authorization policies applied to resources managed by a resource manager, e.g., a file system resource manager. An implementation is described that uses Windows Authorization Manager as a storage mechanism and object model to manage object types and relationships translated from an RBAC system.
21 Claims
1. A method for authoring role based access control policy in a networked computing environment (full text given under First Claim above). Dependent claims: 2 to 13.
14. A computer readable medium for storing role based access control policy data for controlling access in a networked computing environment, comprising:
- a first data structure including scope data representing at least one scope, wherein each scope represents a set of resources in the networked computing environment;
- a second data structure including role data defining at least one application role, each application role including a set of permissions that are assigned to principals in a given scope; and
- a third data structure including group data defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is granted or denied access to specific resources according to a scope of the at least one scope and an application role of the at least one application role,
wherein the first, second and third data structures are mappable according to a pre-determined mapping function to data structures associated with a resource authorization policy that applies authorization policy per resource. Dependent claims: 15 to 18.
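The three data structures of claim 14 and the pre-determined mapping function, as an added example that is not the patent's own code and does not use Windows Authorization Manager: a Python sketch in which scopes, application roles and resource groups are translated into one ACL per resource, plus a deny-first evaluator that shows why the mapping must order deny entries ahead of allow entries. All share paths, group names, role names and permission strings below are constructed for illustration; the "allow"/"deny" effect field is an assumption standing in for the "granted or denied" language of the claim.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Scope:
    """First data structure: a named set of resources."""
    name: str
    resources: FrozenSet[str]


@dataclass(frozen=True)
class AppRole:
    """Second data structure: a named set of permissions assignable within a scope."""
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class ResourceGroup:
    """Third data structure: a group from the identity system bound to one
    (scope, role) pair. 'effect' is an assumed field: "allow" or "deny"."""
    name: str
    scope: str
    role: str
    effect: str = "allow"


# One access control entry: (effect, principal, permission).
ACE = Tuple[str, str, str]


def translate(scopes: Iterable[Scope], roles: Iterable[AppRole],
              groups: Iterable[ResourceGroup]) -> Dict[str, List[ACE]]:
    """Mapping function: RBAC (scope, role, group) triples -> one ACL per resource.
    The principal placed in each ACE is the resource group itself; individual
    membership is resolved by the identity system at access-check time.
    Deny entries are sorted before allow entries so a first-match evaluator
    gives deny precedence regardless of the order the policy was authored in."""
    scope_index = {s.name: s for s in scopes}
    role_index = {r.name: r for r in roles}
    acls: Dict[str, List[ACE]] = {}
    for s in scope_index.values():
        for res in s.resources:
            acls.setdefault(res, [])          # resources with no ACE -> empty ACL
    for g in groups:
        if g.effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect {g.effect!r} on group {g.name}")
        if g.scope not in scope_index or g.role not in role_index:
            # dangling reference: fail closed rather than silently drop the binding
            raise ValueError(f"group {g.name} references unknown scope/role")
        for res in scope_index[g.scope].resources:
            for perm in role_index[g.role].permissions:
                ace: ACE = (g.effect, g.name, perm)
                if ace not in acls[res]:
                    acls[res].append(ace)
    for res in acls:
        acls[res].sort(key=lambda a: (a[0] != "deny", a[1], a[2]))
    return acls


def is_allowed(acls: Dict[str, List[ACE]], resource: str,
               principal_groups: Iterable[str], permission: str) -> bool:
    """First-matching-ACE evaluation, as the ordering above assumes.
    An unknown resource or no matching ACE means default deny."""
    groups = set(principal_groups)
    for effect, who, perm in acls.get(resource, []):
        if who in groups and perm == permission:
            return effect == "allow"
    return False


# Constructed sample policy (illustrative names only).
SCOPES = [
    Scope("finance-share", frozenset({r"\\fs1\finance\budget.xlsx",
                                      r"\\fs1\finance\ledger.db"})),
    Scope("hr-share", frozenset({r"\\fs1\hr\salaries.csv"})),
]
ROLES = [
    AppRole("Reader", frozenset({"read"})),
    AppRole("Editor", frozenset({"read", "write"})),
]
GROUPS = [
    ResourceGroup("RG-Finance-Editors", "finance-share", "Editor"),
    ResourceGroup("RG-Finance-Readers", "finance-share", "Reader"),
    ResourceGroup("RG-HR-Readers", "hr-share", "Reader"),
    ResourceGroup("RG-Contractors", "finance-share", "Editor", effect="deny"),
]


def demo() -> Dict[str, object]:
    """Run the translation and a few access checks on the sample policy."""
    acls = translate(SCOPES, ROLES, GROUPS)
    budget = r"\\fs1\finance\budget.xlsx"
    return {
        "editor_write": is_allowed(acls, budget, {"RG-Finance-Editors"}, "write"),
        "reader_write": is_allowed(acls, budget, {"RG-Finance-Readers"}, "write"),
        # member of both an allow group and a deny group: deny wins
        "contractor_editor_write": is_allowed(
            acls, budget, {"RG-Finance-Editors", "RG-Contractors"}, "write"),
        # a role bound in another scope grants nothing here
        "hr_reader_on_finance": is_allowed(acls, budget, {"RG-HR-Readers"}, "read"),
        "budget_ace_count": len(acls[budget]),
    }


if __name__ == "__main__":
    for res, acl in sorted(translate(SCOPES, ROLES, GROUPS).items()):
        print(res, acl)
    print(demo())
```

The ACE carries the resource group, not its members, which is what makes the translation stable: a membership change in the identity system needs no re-translation and no ACL rewrite on the resource manager, only the bindings of groups to (scope, role) pairs do.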
19. An authoring tool for creating role based access control policy to be enforced in a networked computing environment including authorizations based on resource authorization policy, comprising:
- means for defining at least one scope wherein each scope represents a set of resources in the networked computing environment;
- means for defining at least one application role, each including a set of permissions that are assigned to principals in a given scope; and
- means for defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is designated for access to specific resources according to a scope of the at least one scope and an application role of the at least one application role.
Dependent claims: 20 and 21.