Methods and Apparatus for Scoped Role-Based Access Control

US 20080243856A1
Filed: 06/09/2008
Published: 10/02/2008
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:

determining if the resource is accessible by the subject;

determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject;

permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and

denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing role-based access control of a resource by a subject in an access control system are provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.

52 Citations

View as Search Results

20 Claims

1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:
- determining if the resource is accessible by the subject;
  
  determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject;
  
  permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and
  
  denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of one or more subjects that may access the resource comprise the subject.
  - 3. The method of claim 2, wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects are implemented using at least one of a distributed relation database and a distributed hashing table.
  - 4. The method of claim 2, wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
  - 5. The method of claim 1, wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of one or more role-permission pairs that may access the resource comprise the role and the associated permission of the subject.
  - 6. The method of claim 5, wherein, in the step of determining if a table of role-one or more permission pairs comprise the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
  - 7. The method of claim 5, wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of role-permission pairs are implemented using at least one of a distributed relation database and a distributed hashing table.
  - 8. The method of claim 5, wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of one or more role-permission pairs is maintained by at least one of the access control system and the resource.
  - 9. The method of claim 1, wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of subject-role-permission sets comprise the subject, and wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of subject-role-permission sets comprise the role and the associated permission of the subject.

10. Apparatus for providing role-based access control of a resource by a subject in an access control system, comprising:
- a memory; and
  
  at least one processor coupled to the memory and operative to;
  
  (i) determine if the resource is accessible by the subject;
  
  (ii) determine if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject;
  
  (iii) permit access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and
  
  (iv) deny access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of one or more subjects that may access the resource comprise the subject.
  - 12. The apparatus of claim 11, wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects are implemented using at least one of a distributed relation database and a distributed hashing table.
  - 13. The apparatus of claim 11, wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
  - 14. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by a role and an associated permission of the subject comprises the operation of determining if a table of one or more role-permission pairs that may access the resource comprise the role and the associated permission of the subject.
  - 15. The apparatus of claim 14, wherein, in the operation of determining if a table of role-one or more permission pairs comprise the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
  - 16. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of subject-role-permission sets comprise the subject, and wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of subject-role-permission sets comprise the role and the associated permission of the subject.

17. An article of manufacture for providing role-based access control of a resource by a subject in an access control system, comprising a machine readable medium containing one or more programs which when executed implement the steps of:
- determining if the resource is accessible by the subject;
  
  determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject;
  
  permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and
  
  denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.

18. A role-based access control system comprising:
- one or more roles capable of association with one or more subjects;
  
  a plurality of permission sets, wherein one or more of the plurality of permission sets are associated with each of the one or more roles;
  
  a plurality of resources, wherein one or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources are associated with set of one or more subjects;
  
  wherein a given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
- View Dependent Claims (19, 20)
- - 19. The role-based access control system of claim 18, wherein each of the plurality of permission sets comprise one or more actions that may be performed on a resource.
  - 20. The role-based access control system of claim 18, wherein a first subject of the one or more subjects and a second subject of the one or more subjects are associated with an identical role of the one or more roles and differing permission sets of the plurality of permission sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wang, Xiping, Lobo, Jorge, Vassberg, Lorraine Phyllis, Corley, Carole Rhoads

Granted Patent

US 8,458,337 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/9
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

Methods and Apparatus for Scoped Role-Based Access Control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Apparatus for Scoped Role-Based Access Control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links