SCOPE-CENTRIC ACCESS CONTROL MODEL

US 20090049509A1
Filed: 08/15/2007
Published: 02/19/2009
Est. Priority Date: 08/15/2007
Status: Active Grant

First Claim

Patent Images

1. A computer controlled method comprising:

maintaining an association graph comprising a plurality of association tuples wherein each of said plurality of association tuples belongs to one of a plurality of access-control-policy scopes;

receiving a client reference and a supplier reference;

identifying a first scope-defining entity responsive to said client reference, said first scope-defining entity having a first explicit access control policy;

retrieving an effective supplier reference from a set of said plurality of association tuples that match said first scope-defining entity; and

presenting said effective supplier reference responsive to retrieving.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, methods, and computer program products are disclosed that maintain an association graph made up of association tuples. Each of the association tuples belongs to an access-control-policy scope that imposes an access control policy. On receipt of a client reference and a supplier reference a scope-defining entity is identified from the client reference. The scope-defining entity has an explicit access control policy. An effective supplier reference is retrieved from a set of the association tuples matching the scope-defining entity and is presented.

28 Citations

View as Search Results

30 Claims

1. A computer controlled method comprising:
- maintaining an association graph comprising a plurality of association tuples wherein each of said plurality of association tuples belongs to one of a plurality of access-control-policy scopes;
  
  receiving a client reference and a supplier reference;
  
  identifying a first scope-defining entity responsive to said client reference, said first scope-defining entity having a first explicit access control policy;
  
  retrieving an effective supplier reference from a set of said plurality of association tuples that match said first scope-defining entity; and
  
  presenting said effective supplier reference responsive to retrieving.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer controlled method of claim 1, wherein said client reference is a client proxy-identifier, said supplier reference is a supplier-proxy identifier, and said effective supplier reference is an effective supplier-proxy identifier.
  - 3. The computer controlled method of claim 1, wherein said first scope-defining entity is identified by a container proxy-identifier and each of said set of said plurality of association tuples contains said container proxy-identifier.
  - 4. The computer controlled method of claim 1, wherein the retrieving further comprises adding a new association tuple to said set of said plurality of association tuples.
  - 5. The computer controlled method of claim 1, wherein the retrieving comprises:
    - matching said supplier reference with one of said plurality of association tuples in said set of said plurality of association tuples; and
      
      using said supplier reference as said effective supplier-proxy identifier.
  - 6. The computer controlled method of claim 1, wherein the retrieving comprises:
    - matching said supplier reference with an aliased supplier reference from said set of said plurality of association tuples; and
      
      using said aliased supplier reference as said effective supplier reference.
  - 7. The computer controlled method of claim 1, wherein the retrieving further comprises:
    - determining that said client reference matches a parent entity of said supplier reference; and
      
      adding a new association tuple to said association graph, said new association tuple referencing said supplier reference and said first scope-defining entity.
  - 8. The computer controlled method of claim 1, wherein the retrieving further comprises:
    - determining that said client reference does not match a parent entity of the given said supplier reference; and
      
      creating a new alias supplier proxy for said supplier entity;
      
      adding a new association tuple to said association graph, said new association tuple referencing said new alias supplier proxy.
  - 9. The computer controlled method of claim 1, further comprising:
    - creating a proxy to an entity, said proxy identified by a proxy identifier;
      
      making said entity immutable; and
      
      providing said proxy identifier as said supplier reference.
  - 10. The computer controlled method of claim 1, further comprising:
    - determining a right of an actor to said effective supplier reference responsive to presenting; and
      
      enabling an operation by said actor on said supplier reference responsive to said right.

11. An apparatus having a central processing unit (CPU) and a memory coupled to said CPU comprising:
- a storage mechanism configured to store an association graph comprising a plurality of association tuples wherein each of said plurality of association tuples belongs to one of a plurality of access-control-policy scopes;
  
  a receiving logic configured to receive a client reference and a supplier reference;
  
  an identification logic configured to identify a first scope-defining entity responsive to said client reference, said first scope-defining entity having a first explicit access control policy;
  
  a retrieving logic configured to retrieve an effective supplier reference from a set of said plurality of association tuples in the storage mechanism that match said first scope-defining entity, the retrieving logic responsive to the identification logic; and
  
  a presenting logic configured to present said effective supplier reference responsive to the retrieving logic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein said client reference is a client proxy-identifier, said supplier reference is a supplier-proxy identifier, and said effective supplier reference is an effective supplier-proxy identifier.
  - 13. The apparatus of claim 11, wherein said first scope-defining entity is identified by a container proxy-identifier and each of said set of said plurality of association tuples contains said container proxy-identifier.
  - 14. The apparatus of claim 11, wherein the retrieving logic further comprises an insertion logic configured to add a new association tuple to said set of said plurality of association tuples.
  - 15. The apparatus of claim 11, wherein the retrieving logic further comprises:
    - a search logic configured to match said supplier reference with one of said plurality of association tuples in said set of said plurality of association tuples; and
      
      a selection logic, responsive to the search logic, configured to select said supplier reference as said effective supplier-proxy identifier.
  - 16. The apparatus of claim 11, wherein the retrieving logic further comprises:
    - a search logic configured to match said supplier reference with an aliased supplier reference from said set of said plurality of association tuples; and
      
      a selection logic, responsive to the search logic, configured to select said aliased supplier reference as said effective supplier reference.
  - 17. The apparatus of claim 11, wherein the retrieving logic further comprises:
    - a matching logic configured to determine that said client reference matches a parent entity of said supplier reference; and
      
      a tuple insertion logic, responsive to the identification logic, configured to add a new association tuple to said association graph, said new association tuple referencing said supplier reference and said first scope-defining entity.
  - 18. The apparatus of claim 11, wherein the retrieving logic further comprises:
    - a matching logic configured to determine that said client reference does not match a parent entity of the given said supplier reference;
      
      an instantiation logic configured to create a new alias supplier proxy for said supplier entity; and
      
      a tuple insertion logic, responsive to the identification logic and the instantiation logic, configured to add a new association tuple to said association graph, said new association tuple referencing said new alias supplier proxy.
  - 19. The apparatus of claim 11, further comprising:
    - an instantiation logic configured to create a proxy to an entity, said proxy identified by a proxy identifier;
      
      a fixation logic configured to make said entity immutable; and
      
      a specification logic configured to provide said proxy identifier as said supplier reference.
  - 20. The apparatus of claim 11, further comprising:
    - a rights determination logic, responsive to the presenting logic, configured to determine a right of an actor to said effective supplier reference; and
      
      an enablement logic configured to enable an operation by said actor on said supplier reference responsive to said right.

21. A computer program product comprising:
- a computer-usable data carrier providing instructions that, when executed by a computer, cause said computer to perform a method comprising;
  
  maintaining an association graph comprising a plurality of association tuples wherein each of said plurality of association tuples belongs to one of a plurality of access-control-policy scopes;
  
  receiving a client reference and a supplier reference;
  
  identifying a first scope-defining entity responsive to said client reference, said first scope-defining entity having a first explicit access control policy;
  
  retrieving an effective supplier reference from a set of said plurality of association tuples that match said first scope-defining entity; and
  
  presenting said effective supplier reference responsive to retrieving.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21, wherein said client reference is a client proxy-identifier, said supplier reference is a supplier-proxy identifier, and said effective supplier reference is an effective supplier-proxy identifier.
  - 23. The computer program product of claim 21, wherein said first scope-defining entity is identified by a container proxy-identifier and each of said set of said plurality of association tuples contains said container proxy-identifier.
  - 24. The computer program product of claim 21, wherein retrieving further comprises adding a new association tuple to said set of said plurality of association tuples.
  - 25. The computer program product of claim 21, wherein retrieving comprises:
    - matching said supplier reference with one of said plurality of association tuples in said set of said plurality of association tuples; and
      
      using said supplier reference as said effective supplier-proxy identifier.
  - 26. The computer program product of claim 21, wherein retrieving comprises:
    - matching said supplier reference with an aliased supplier reference from said set of said plurality of association tuples; and
      
      using said aliased supplier reference as said effective supplier reference.
  - 27. The computer program product of claim 21, wherein the retrieving further comprises:
    - determining that said client reference matches a parent entity of said supplier reference; and
      
      adding a new association tuple to said association graph, said new association tuple referencing said supplier reference and said first scope-defining entity.
  - 28. The computer program product of claim 21, wherein the retrieving further comprises:
    - determining that said client reference does not match a parent entity of the given said supplier reference; and
      
      creating a new alias supplier proxy for said supplier entity;
      
      adding a new association tuple to said association graph, said new association tuple referencing said new alias supplier proxy.
  - 29. The computer program product of claim 21, further comprising:
    - creating a proxy to an entity, said proxy identified by a proxy identifier;
      
      making said entity immutable; and
      
      providing said proxy identifier as said supplier reference.
  - 30. The computer program product of claim 21, further comprising:
    - determining a right of an actor to said effective supplier reference responsive to presenting; and
      
      enabling an operation by said actor on the supplier reference responsive to said right.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Vasudevan, Ramesh, Teplov, Ilya, Chan, Eric S., Chatterjee, Ramkrishna, Begun, Vladimir

Granted Patent

US 8,245,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 2221/2113 Multi-level security, e.g. ...

SCOPE-CENTRIC ACCESS CONTROL MODEL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SCOPE-CENTRIC ACCESS CONTROL MODEL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links