POLICY-BASED METHOD FOR CONFIGURING AN ACCESS CONTROL SERVICE

US 20090077086A1
Filed: 09/19/2007
Published: 03/19/2009
Est. Priority Date: 09/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language, the method comprising steps of:

receiving the request from a requester;

providing the request to the first and second control services;

receiving a decision on the request from each of the first and second control services; and

comparing the decisions to determine if they differ, wherein differing decisions indicate a need to modify a control service configuration.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language includes steps of: receiving the request from a requestor; providing the request to the first and second control services; receiving a decision on the request from each of the first and second control services; and comparing the decisions. The first control specification language is an access control policy.

21 Citations

View as Search Results

35 Claims

1. A method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language, the method comprising steps of:
- receiving the request from a requester;
  
  providing the request to the first and second control services;
  
  receiving a decision on the request from each of the first and second control services; and
  
  comparing the decisions to determine if they differ, wherein differing decisions indicate a need to modify a control service configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising providing a notification to the requester if the two decisions differ.
  - 3. The method of claim 1, further comprising returning a response to the requester based on a comparison of the decisions of the two control services.
  - 4. The method of claim 1 wherein the first control specification language is an access control policy.
  - 5. The method of claim 4 further comprising:
    - if the two decisions differ, modifying a control specification configuration of the second control service so that its decision agrees with the decision of the first control service.
  - 6. The method of claim 5 wherein modifying the control specification configuration of the second control service comprises first deleting said control specification configuration.
  - 7. The method of claim 6 further comprising providing an identifier associated with the control specification configuration.
  - 8. The method of claim 7 wherein providing the identifier comprises:
    - creating a unique identifier;
      
      maintaining a log of all processed requests; and
      
      creating an association between the identifier, the access control policy, and the log of requests.
  - 9. The method of claim 8 further comprising restoring a previous control specification configuration associated with a particular identifier.
  - 10. The method of claim 9 further comprising:
    - retrieving the association for the particular identifier;
      
      using the access control policy associated with the particular identifier; and
      
      feeding the requests and associated decisions associated with the identifier in the process of configuring the second control service, for restoring a previous configuration associated with a particular identifier.
  - 11. The method of claim 4, wherein the second control service is IBM®
    - RACF®
      
      .
  - 12. The method of claim 4, wherein the policy is provided in an encoded form comprising an OASIS XACML standard.
  - 13. The method of claim 4, wherein the access control policy is a privacy policy.
  - 14. The method of claim 13, wherein the access control policy is encoded using OASIS XACML standard privacy profile.
  - 15. The method of claim 6, further comprising:
    - configuring the second control service on a non-production instance of the first control service; and
      
      installing the configuration when it is complete onto a production instance of the first control service.
  - 16. The method of claim 15 further comprising:
    - associating a state of finished with the second control service configuration; and
      
      blocking all further updates to said configuration, for locking the control service configuration.
  - 17. The method of claim 15, further comprising:
    - marking the configuration as not-finished;
      
      processing additional system requests; and
      
      marking the configuration as finished when all desired system requests have been processed, for updating said configuration.
  - 18. The method of claim 17 further comprising a first user providing the above method for a second user.
  - 19. The method of claim 4 further comprising modifying the configuration of the second control service such that its decision will agree with that of the first control service.

20. A system configured for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language, the system comprising:
- data storage configured for storing the first and second control specification languages;
  
  a database configured for creation, deletion, and modification of persistent data;
  
  memory comprising logic; and
  
  a processor operatively connected to said memory and configured to;
  
  receive the request from a requestor;
  
  provide the request to the first and second control services;
  
  receive a decision on the request from each of the first and second control services; and
  
  compare the decisions to determine if they differ.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20 further comprising an input/output subsystem configured for providing a notification to the requester if the two decisions differ.
  - 22. The system of claim 20 wherein the first control specification language is an access control policy.
  - 23. The system of claim 22 further comprising a log of all processed requests.
  - 24. The system of claim 22 further comprising a table of subject-mappings between the access control policy terms and elements of the first control service.
  - 25. The system of claim 24 further comprising additional tables for action-mappings, and resource-mappings.
  - 26. The system of claim 22 wherein the storage is further configured for storing previous access control configurations.
  - 27. The system of claim 22 further comprising a non-production instance of the second control service for testing purposes.

28. A computer program product tangibly embodied on a computer readable medium and comprising instructions that, when executed, enables a processor to:
- process a request by a first control service using a first control specification language, and a second control service using a second control specification language, the enable element comprising steps of;
  
  receiving the request from a requestor;
  
  providing the request to the first and second control services;
  
  receiving a decision on the request from each of the first and second control services; and
  
  comparing the decisions to determine if they differ.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The computer program product of claim 28 wherein the first control specification language is an access control policy.
  - 30. The computer program product of claim 29 wherein the processor is further enabled to provide an identifier associated with the first control specification configuration.
  - 31. The computer program product of claim 30 wherein the processor is further enabled to:
    - maintain a log of all processed requests and the decisions made on those requests; and
      
      create an association between the identifier, the access control policy and the log.
  - 32. The computer program product of claim 31 wherein the processor is further enabled to restore a previous control specification configuration associated with the identifier, the restore element comprising steps of:
    - retrieving the access control policy associated with the identifier;
      
      retrieving the log of processed requests and decisions associated with the identifier; and
      
      providing the processed requests and decisions to the first control service to configure the first control service with the previous control specification configuration.
  - 33. The computer program product of claim 29 wherein the processor is further enabled to:
    - modify the second control specification configuration so that its decisions agree with the decisions of the first control service.
  - 34. The computer program product of claim 29 wherein the processor is further enabled to initialize the control specification configuration by setting the control service to deny all access requests.

35. A system for obtaining services for processing an access request by a first control service using a first control specification language, and a second control service using a second control specification language, the system comprising:
- receiving the access request from a requestor;
  
  providing the access request to the first and second control services;
  
  receiving a decision on the access request from each of the first and second control services;
  
  comparing the decisions to determine if they differ; and
  
  providing notification of the comparison to the requestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Malkin, Peter Kenneth, Webb, Alan Michael

Granted Patent

US 8,024,771 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/6236   between heterogeneous systems

G06F 2221/2141   Access rights, e.g. capabil...

POLICY-BASED METHOD FOR CONFIGURING AN ACCESS CONTROL SERVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY-BASED METHOD FOR CONFIGURING AN ACCESS CONTROL SERVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links