TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY

US 20090276824A1
Filed: 05/05/2008
Published: 11/05/2009
Est. Priority Date: 05/05/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-executed method for efficiently evaluating a security policy, comprising:

retrieving one or more roles associated with a user;

if the ACE exists in the session-level cache and is associated with the one or more roles, retrieving a set of access control entries (ACEs) associated with the one or more roles from a session-level cache, otherwise, generating a set of ACEs that is associated with the one or more roles from an access control list (ACL);

updating the one or more roles associated with the user;

updating the set of ACEs based on the updated one or more roles and the access control list; and

subsequently updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with the user. Next, the system checks if a session-level cache exists for a set of Access Control Entries (ACEs) which is associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated one or more roles and the ACL. The system subsequently updates the session level cache with the updated set of ACEs and updated one or more roles.

27 Citations

View as Search Results

21 Claims

1. A computer-executed method for efficiently evaluating a security policy, comprising:
- retrieving one or more roles associated with a user;
  
  if the ACE exists in the session-level cache and is associated with the one or more roles, retrieving a set of access control entries (ACEs) associated with the one or more roles from a session-level cache, otherwise, generating a set of ACEs that is associated with the one or more roles from an access control list (ACL);
  
  updating the one or more roles associated with the user;
  
  updating the set of ACEs based on the updated one or more roles and the access control list; and
  
  subsequently updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein retrieving the one or more roles associated with the user comprises retrieving a directed acyclic graph of roles associated with the user.
  - 3. The method of claim 1, wherein generating the set of ACEs associated with the one or more roles from the ACL comprises:
    - retrieving an XML document representing the ACL;
      
      parsing the retrieved XML document; and
      
      generating the set of ACEs associated with the one or more roles from the parsed XML document.
  - 4. The method of claim 3, wherein generating the set of ACEs that is associated with the one or more roles from the parsed XML document comprises:
    - generating a set of privileges that are granted and associated with the one or more roles from the parsed XML document; and
      
      generating a set of privileges that are denied and associated with the one or more roles from the parsed XML document.
  - 5. The method of claim 1, wherein updating the one or more roles associated with the user comprises at least one of a system administrator changing the one or more roles, a process temporarily enabling a role, a role expiring because of a time limit, and the one or more roles remaining the same.
  - 6. The method of claim 1, wherein updating the set of ACEs based on the updated one or more roles and the ACL comprises:
    - deleting the set of ACEs; and
      
      generating from the ACL an updated set of ACEs associated with the updated one or more roles.
  - 7. The method of claim 1, wherein updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles comprises:
    - storing a bit vector for a grant list associated with the updated set of ACEs so that the bit vector for the grant list is associated with the updated one or more roles in the session-level cache; and
      
      storing a bit vector for a deny list associated with updated the set of ACEs so that the bit vector for the deny list is associated with the updated one or more roles in the session level cache.

8. An apparatus that efficiently evaluates a security policy, comprising:
- a role retrieval mechanism configured to retrieve one or more roles associated with a user;
  
  an access control entry (ACE) retrieval mechanism configured to retrieve a set of ACEs associated with the one or more roles from a session-level cache if the ACE exists in the session-level cache and is associated with the one or more roles;
  
  an ACE generation mechanism configured to generate a set of ACEs that is associated with the one or more roles from an access control list (ACL) if the session-level cache does not contain an set of ACEs associated with the one ore more roles;
  
  a role updating mechanism configured to update the one or more roles associated with the user;
  
  an ACE updating mechanism configured to update the set of ACEs based on the updated one or more roles and the access control list; and
  
  a session-level cache updating mechanism configured to subsequently update the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein while retrieving the one or more roles associated with the user, the role retrieval mechanism is further configured to retrieve a directed acyclic graph of roles associated with the user.
  - 10. The apparatus of claim 8, wherein while generating the set of ACEs associated with the one or more roles from the ACL, the ACE generation mechanism is further configured to:
    - retrieve an XML document representing the ACL;
      
      parse the retrieved XML document; and
      
      generate the set of ACEs associated with the one or more roles from the parsed XML document.
  - 11. The apparatus of claim 10, wherein while generating the set of ACEs associated with the one or more roles from the parsed XML document, the ACE generation mechanism is further configured to:
    - generating a set of privileges that are granted and associated with the one or more roles from the parsed XML document; and
      
      generating a set of privileges that are denied and associated with the one or more roles from the parsed XML document.
  - 12. The apparatus of claim 8, wherein while update the one or more roles associated with the user, the role updating mechanism is further configured to at least one of:
    - to have a system administrator change the one or more roles, to have a process temporarily enable a role, to have a role expire because of a time limit, and to keep the one or more roles the same.
  - 13. The apparatus of claim 8, wherein while updating the set of ACEs based on the updated one or more roles and the ACL, the ACE updating mechanism is further configured to:
    - delete the set of ACEs; and
      
      generate from the ACL an updated set of ACEs associated with the updated one or more roles.
  - 14. The apparatus of claim 8, wherein while updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles, the session-level cache updating mechanism is further configured to:
    - storing a bit vector for a grant list associated with the updated set of ACEs so that the bit vector for the grant list is associated with the updated one or more roles in the session-level cache; and
      
      storing a bit vector for a deny list associated with updated the set of ACEs so that the bit vector for the deny list is associated with the updated one or more roles in the session level cache.

15. A computer-readable storage device storing instructions that when executed by a computer cause the computer to perform a method for optimizing CPU cost of security policy evaluation, the method comprising:
- retrieving one or more roles associated with a user;
  
  if the ACE exists in the session-level cache and is associated with the one or more roles, retrieving a set of access control entries (ACEs) associated with the one or more roles from a session-level cache, otherwise, generating a set of ACEs that is associated with the one or more roles from an access control list (ACL);
  
  updating the one or more roles associated with the user;
  
  updating the set of ACEs based on the updated one or more roles and the access control list; and
  
  subsequently updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The storage device of claim 15, wherein retrieving the one or more roles associated with the user comprises retrieving a directed acyclic graph of roles associated with the user.
  - 17. The storage device of claim 15, wherein generating the set of ACEs associated with the one or more roles from the ACL comprises:
    - retrieving an XML document representing the ACL;
      
      parsing the retrieved XML document; and
      
      generating the set of ACEs associated with the one or more roles from the parsed XML document.
  - 18. The storage device of claim 17, wherein generating the set of ACEs that is associated with the one or more roles from the parsed XML document comprises:
    - generating a set of privileges that are granted and associated with the one or more roles from the parsed XML document; and
      
      generating a set of privileges that are denied and associated with the one or more roles from the parsed XML document.
  - 19. The storage device of claim 15, wherein updating the one or more roles associated with the user comprises at least one of a system administrator changing the one or more roles, a process temporarily enabling a role, a role expiring because of a time limit, and the one or more roles remaining the same.
  - 20. The storage device of claim 15, wherein updating the set of ACEs based on the updated one or more roles and the ACL comprises:
    - deleting the set of ACEs; and
      
      generating from the ACL an updated set of ACEs associated with the updated one or more roles.
  - 21. The storage device of claim 15, wherein updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles comprises:
    - storing a bit vector for a grant list associated with the updated set of ACEs so that the bit vector for the grant list is associated with the updated one or more roles in the session-level cache; and
      
      storing a bit vector for a deny list associated with updated the set of ACEs so that the bit vector for the deny list is associated with the updated one or more roles in the session level cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Surpur, Ashwini, Yu, Tim Wing, Khaladkar, Bhushan, Idicula, Sam, Agarwal, Nipun, Petride, Sabina, Rafiq, Mohammed Irfan

Granted Patent

US 8,584,196 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links