TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY
First Claim
1. A computer-executed method for efficiently evaluating a security policy, comprising:
- retrieving one or more roles associated with a user;
- if the ACE exists in the session-level cache and is associated with the one or more roles, retrieving a set of access control entries (ACEs) associated with the one or more roles from a session-level cache, otherwise, generating a set of ACEs that is associated with the one or more roles from an access control list (ACL);
- updating the one or more roles associated with the user;
- updating the set of ACEs based on the updated one or more roles and the access control list; and
- subsequently updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
1 Assignment
0 Petitions
Abstract
One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with a user. Next, the system checks if a session-level cache exists for a set of Access Control Entries (ACEs) which is associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated one or more roles and the ACL. The system subsequently updates the session-level cache with the updated set of ACEs and the updated one or more roles.
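The lookup/generate/update cycle the abstract describes, written out as an added Python illustration; this is not the patent's own code, and the `ACE` class, `SessionPolicyCache`, the sample ACL and the role assignments are all constructed for the example. The cache is keyed by the session's role set, so the ACEs computed for a revoked role set are never served to a session whose roles have changed; `acl_scans` counts how often the full ACL is walked, which is the cost the cache is meant to avoid.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    """One access control entry: a role is granted a permission on a resource."""
    role: str
    resource: str
    permission: str


@dataclass
class SessionPolicyCache:
    """Session-level cache of the ACEs that apply to a role set (hypothetical design).

    The cache key is the frozenset of roles: sessions with the same roles share
    an entry, and a session whose roles change looks up a different key, so it
    cannot be served the ACEs that were computed for its old roles.
    """
    acl: list                                       # full ACL, a list of ACE
    roles_by_user: dict = field(default_factory=dict)
    _cache: dict = field(default_factory=dict)      # frozenset(roles) -> frozenset(ACE)
    acl_scans: int = 0                              # how often the full ACL was walked

    def _generate_aces(self, roles):
        """Build the ACE set for a role set by walking the full ACL (the slow path)."""
        self.acl_scans += 1
        return frozenset(ace for ace in self.acl if ace.role in roles)

    def get_aces(self, user):
        """Return cached ACEs for the user's current roles, generating on a miss."""
        roles = frozenset(self.roles_by_user.get(user, ()))
        aces = self._cache.get(roles)
        if aces is None:
            aces = self._generate_aces(roles)
            self._cache[roles] = aces
        return aces

    def update_roles(self, user, new_roles):
        """Change a user's roles, recompute the ACE set from the ACL, refresh the cache."""
        roles = frozenset(new_roles)
        self.roles_by_user[user] = roles
        self._cache[roles] = self._generate_aces(roles)

    def is_allowed(self, user, resource, permission):
        return any(a.resource == resource and a.permission == permission
                   for a in self.get_aces(user))


def demo():
    # Constructed sample ACL and role assignments.
    acl = [
        ACE("reader", "/reports", "read"),
        ACE("editor", "/reports", "write"),
        ACE("admin", "/reports", "delete"),
        ACE("admin", "/users", "write"),
    ]
    pc = SessionPolicyCache(
        acl, roles_by_user={"alice": {"reader", "editor"}, "bob": {"reader"}})
    results = {}
    results["alice_write_before"] = pc.is_allowed("alice", "/reports", "write")  # miss: scan 1
    results["alice_read_again"] = pc.is_allowed("alice", "/reports", "read")     # cache hit
    results["bob_write"] = pc.is_allowed("bob", "/reports", "write")             # miss: scan 2
    scans_before = pc.acl_scans
    pc.update_roles("alice", {"reader"})            # editor role revoked: scan 3, cache refreshed
    results["alice_write_after"] = pc.is_allowed("alice", "/reports", "write")   # hit on {reader}
    results["scans"] = (scans_before, pc.acl_scans)
    return results


if __name__ == "__main__":
    print(demo())
```

Had the cache been keyed by user rather than by role set, `update_roles` would need an explicit invalidation step, and forgetting it would leave alice holding `write` on `/reports` after the editor role was revoked; keying on the role set makes the stale entry unreachable by construction.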
27 Citations
21 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus that efficiently evaluates a security policy, comprising:
- a role retrieval mechanism configured to retrieve one or more roles associated with a user;
- an access control entry (ACE) retrieval mechanism configured to retrieve a set of ACEs associated with the one or more roles from a session-level cache if the ACE exists in the session-level cache and is associated with the one or more roles;
- an ACE generation mechanism configured to generate a set of ACEs that is associated with the one or more roles from an access control list (ACL) if the session-level cache does not contain a set of ACEs associated with the one or more roles;
- a role updating mechanism configured to update the one or more roles associated with the user;
- an ACE updating mechanism configured to update the set of ACEs based on the updated one or more roles and the access control list; and
- a session-level cache updating mechanism configured to subsequently update the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computer-readable storage device storing instructions that when executed by a computer cause the computer to perform a method for optimizing CPU cost of security policy evaluation, the method comprising:
- retrieving one or more roles associated with a user;
- if the ACE exists in the session-level cache and is associated with the one or more roles, retrieving a set of access control entries (ACEs) associated with the one or more roles from a session-level cache, otherwise, generating a set of ACEs that is associated with the one or more roles from an access control list (ACL);
- updating the one or more roles associated with the user;
- updating the set of ACEs based on the updated one or more roles and the access control list; and
- subsequently updating the session-level cache so that the updated set of ACEs is associated with the updated one or more roles.
Dependent claims: 16, 17, 18, 19, 20, 21.
Specification