Fine-Grained Authorization by Traversing Generational Relationships

US 20080222719A1
Filed: 03/26/2008
Published: 09/11/2008
Est. Priority Date: 12/10/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining access rights to a resource managed by an application, the method comprising:

receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;

locating, based on the request, the resource in a containment relationship graph and in a structure having groupings of resources;

traversing a vertex of the containment relationship graph, wherein the vertex comprises a generational resource of the resource;

reading an authorization table associated with a grouping having the generational resource in the groupings; and

determining whether to grant the access rights for performing the action on the resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media are disclosed for determining access rights to a resource managed by an application. One embodiment includes receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource, and locating, based on the request, the resource in both a containment relationship graph and in a structure having groupings of resources, wherein the groupings comprise a grouping having the resource. Further, the embodiment includes traversing a vertex of the containment relationship graph, wherein the vertex comprises a generational resource of the resource, and reading an authorization table associated with a grouping having the generational resource in the groupings. Further still, the embodiment includes determining whether to grant the access rights for performing the action on the resource.

35 Citations

View as Search Results

30 Claims

1. A method for determining access rights to a resource managed by an application, the method comprising:
- receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;
  
  locating, based on the request, the resource in a containment relationship graph and in a structure having groupings of resources;
  
  traversing a vertex of the containment relationship graph, wherein the vertex comprises a generational resource of the resource;
  
  reading an authorization table associated with a grouping having the generational resource in the groupings; and
  
  determining whether to grant the access rights for performing the action on the resource.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising prompting the user for the request before the receiving a request.
  - 3. The method of claim 1, further comprising, prior to the receiving, arranging the groupings by similar authorization constraints for the resources, and associating each of the groupings with the authorization table tailored for each of the groupings.
  - 5. The method of claim 1, wherein the locating comprises searching the containment relationship graph and finding the resource relationships for the resource, and searching the structure and finding within the structure the grouping having the resource.
  - 6. The method of claim 1, wherein the groupings, the attachment table, and the containment relationship graph comprise xml files.
  - 7. The method of claim 1, wherein the traversing comprises traversing the generational resource by successive generations in relatedness order, whereby, the resource is traversed before a parent resource is traversed, and the parent resource is traversed before a grandparent resource is traversed.
  - 8. The method of claim 1, wherein the reading comprises reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the generational resource.
  - 9. The method of claim 8, wherein the action of the request is defined by one of the roles.
  - 10. The method of claim 1, wherein the determining whether to grant access rights for performing the action on the resource to a user comprises granting access if the authorization table associated with the grouping having the generational resource indicates the user has permission to perform the action.

4. (canceled)

11. A system for determining access rights to a resource managed by an application, the system comprising:
- an input module for receiving a request from a user for performing an action on a resource;
  
  a locator module for locating the resource in a containment relationship graph and in a structure having groupings of resources;
  
  a traversor module for traversing a vertex of the containment relationship graph, wherein the vertex comprises a generational resource of the resource;
  
  a reader module for reading the authorization table associated with the grouping having the generational resource; and
  
  a decision module for determining whether to grant the access rights for performing the action on the resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 12. The system of claim 11, further comprising a prompter for entering the request into the input module.
  - 13. The system of claim 11, further comprising an arrangement module for arranging the groupings of resources by similar authorization constraints, and an associator module for associating each of the groupings with the authorization table tailored for each of the groupings.
  - 14. The system of claim 11, further comprising an iteration module for re-invoking the traversor module, the reading module, and the decision module through the vertex of a root resource before denying the access rights for performing the action on the resource.
  - 15. The system of claim 11, wherein the locator module comprises a search module for searching the structure and for searching the containment relationship graph, and a find module for finding, in the structure, the grouping having the resource and for finding resource relationships of the resource in the containment relationship graph.
  - 16. The system of claim 11, wherein the traversor module comprises a vertex locator module for invoking the locator module for locating the generational resource.
  - 17. The system of claim 11, wherein the traversor module comprises traversing the generational resource by successive generations in relatedness order, whereby, a parent resource is traversed before a grandparent resource is traversed.
  - 18. The system of claim 11, wherein the reader module comprises reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the generational resource.
  - 19. The system of claim 18, wherein the action of the request is defined by one of the roles.
  - 20. The system of claim 11, wherein the decision module for determining whether to grant access rights for performing the action on the resource to a user comprises granting access if the authorization table associated with the grouping having the generational resource indicates the user has permission to perform the action.
  - 22. The machine-accessible medium of claim 20, wherein the instructions further comprise operations for prompting a user for the request before the receiving a request.
  - 23. The machine-accessible medium of claim 20, wherein the instructions further comprise, prior to the instructions for performing operations for receiving, instructions for arranging the groupings by similar authorization constraints for the resources, and instructions for associating each of the groupings with the authorization table tailored for each of the groupings.
  - 24. The machine-accessible medium of claim 20, wherein the instructions further comprise operations for iterating the traversing, the reading, and the determining of the vertex through a root resource before denying the access rights for performing the action on the resource.
  - 25. The machine-accessible medium of claim 20, wherein the instructions for locating comprise instructions for searching the containment relationship graph and instructions finding the resource relationships for the resource, and instructions for searching the structure and instructions for finding within the structure the grouping having the resource.
  - 26. The machine-accessible medium of claim 20, wherein the groupings, the attachment table, and the containment relationship comprise xml files.
  - 27. The machine-accessible medium of claim 20, wherein the instructions for traversing comprise instructions for traversing the generational resource by successive generations in relatedness order, whereby, a parent resource is traversed before a grandparent resource is traversed.
  - 28. The machine-accessible medium of claim 20, wherein the instructions for reading comprise instructions for reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the generational resource.
  - 29. The machine-accessible medium of claim 28, wherein the action of the request is defined by one of the roles.
  - 30. The machine-accessible medium of claim 20, wherein the instructions for determining whether to grant access rights for performing the action on the resource to a user comprise instructions to perform granting access if the authorization table associated with the grouping having the generational resource indicates the user has permission to perform the action.

21. A machine-accessible medium containing instructions, which when executed by a machine, cause the machine to perform operations for determining access rights to a resource managed by an application, comprising:
- receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;
  
  locating, based on the request, the resource in a containment relationship graph and in a structure having groupings of resources;
  
  traversing a vertex of the containment relationship graph, wherein the vertex comprises a generational resource of the resource;
  
  reading an authorization table associated With a grouping-having the generational resource in the groupings; and
  
  determining whether to grant the access rights for performing the action on the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Venkataramappa, Vishwanath, Chang, David Yu, Williamson, Leigh Allen

Application Number

US12/055,407
Publication Number

US 20080222719A1
Time in Patent Office

Days
Field of Search
US Class Current

726/17
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Fine-Grained Authorization by Traversing Generational Relationships

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Fine-Grained Authorization by Traversing Generational Relationships

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links