Policy Creation Using Dynamic Access Controls
First Claim
1. A method for dynamically managing access to an asset, comprising:
- receiving a user request to access an asset;
- in response to receiving the user request, retrieving an access control policy associated with the asset from a storage area, wherein the access control policy comprises one or more access controls and a logical statement specifying a logical relationship of the one or more access controls to each other, wherein each access control comprises one or more specified options for an attribute, and is linked to a data source that comprises a value for the attribute;
- parsing the logical statement, and for each access control in the logical statement, determining whether the access control has a true or false result by:
  - connecting to the linked data source;
  - retrieving the value for the attribute from the data source; and
  - comparing the retrieved value to the one or more specified options in the access control, wherein if the retrieved value matches one or more of the specified options, then the access control result is true, and if the retrieved value does not match one or more of the specified options, then the access control result is false;
- evaluating the truth or falsity of the logical statement by processing the true or false results for each access control in the logical statement according to the logical relationship; and
- determining whether the user is allowed to access the asset, wherein if the logical statement is true the user is allowed access, and if the logical statement is false the user is denied access.
Abstract
A method and system for dynamically managing access to assets such as an electronic document or a hardware component, using policies that comprise one or more dynamic access controls, which are linked to data sources such as databases or web services. The access controls are dynamic because, each time the policy is invoked, the policy and its component access controls must be evaluated with respect to the current information in the linked data sources.
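The evaluation described in claim 1, sketched as an added example (not code from the patent). `AccessControl`, `is_allowed`, the AND/OR/NOT statement syntax and the dict-backed data source are assumptions of this sketch, as is the fail-closed error handling, which the claims do not specify.

```python
import re

class AccessControl:
    """An attribute, its accepted options, and the data source holding its value."""
    def __init__(self, attribute, options, source):
        self.attribute, self.options, self.source = attribute, set(options), source
    def result(self, user):
        # Query the linked source on every call; nothing is cached between requests.
        return self.source(user, self.attribute) in self.options

def is_allowed(statement, controls, user):
    """Evaluate e.g. 'finance AND NOT contractor'; True means allow."""
    # Stray symbols become tokens of their own so they cannot be silently dropped.
    tokens = re.findall(r"\(|\)|\w+|\S", statement) + [None]  # None = end marker
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "NOT":
            return not atom()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return value
        return controls[tok].result(user)  # unknown name raises KeyError
    def chain(operand, keyword, combine):
        value = operand()
        while tokens[pos] == keyword:
            take()
            value = combine(value, operand())  # both sides are always evaluated
        return value
    def expr():  # AND binds tighter than OR
        return chain(lambda: chain(atom, "AND", lambda a, b: a and b),
                     "OR", lambda a, b: a or b)
    try:
        return expr() and pos == len(tokens) - 1
    except Exception:
        # Bad syntax, unknown control or failed lookup denies the whole request;
        # scoring the control as false would let NOT turn the failure into allow.
        return False

# Constructed sample data: a dict stands in for the linked database or web service.
HR = {"alice": {"dept": "finance", "type": "employee"}}
lookup = lambda user, attr: HR[user][attr]
CONTROLS = {"finance": AccessControl("dept", {"finance", "audit"}, lookup),
            "contractor": AccessControl("type", {"contractor"}, lookup)}
```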
20 Claims
11. A system for dynamically managing access to an asset, comprising:
- a client operable by a user to:
  - send an access control request requesting access to an asset;
  - receive an access decision; and
  - grant or deny access to the asset based on the received access decision; and
- an access control process configured to process the access control request by:
  - receiving the access control request from the client;
  - in response to the access control request, retrieving an access control policy associated with the asset from a storage area, wherein the access control policy comprises one or more access controls and a logical statement specifying a logical relationship of the one or more access controls to each other, wherein each access control comprises one or more specified options for an attribute, and is linked to a data source that comprises a value for the attribute;
  - parsing the logical statement, and for each access control in the logical statement, determine whether the access control has a true or false result by:
    - connecting to the linked data source;
    - retrieving the value for the attribute from the data source; and
    - comparing the retrieved value to the one or more specified options in the access control, wherein if the retrieved value matches one or more of the specified options, then the access control result is true, and if the retrieved value does not match one or more of the specified options, then the access control result is false;
  - evaluating the truth or falsity of the logical statement by processing the true or false results for each access control in the logical statement according to the logical relationship;
  - creating the access decision, wherein if the logical statement is true the access decision specifies that the user is granted access, and if the logical statement is false the access decision specifies that the user is denied access; and
  - sending the access decision to the client.

- an administrative client operable by a user to:
  - send a request to create or modify the access control policy to the access control process;
  - receive a set of policy options from the access control process;
  - select one or more policy options from the received set of policy options;
  - edit the logical statement; and
  - send the selected policy options and the logical statement to the access control process;
- wherein the access control process is further configured to create or modify the access control policy by:
  - receiving the request to create or modify the access control policy from the client;
  - in response to receiving the request, creating the access control policy if it does not yet exist, or retrieving the access control policy from the storage area if it already exists;
  - sending a set of policy options to the client, wherein the policy options comprise an asset list of one or more assets to which access can be controlled by the access control policy and an access control list of one or more access controls that can be included in the access control policy;
  - receiving the selected policy options and the edited logical statement from the client, wherein the selected policy options include one or more selected assets from the list of one or more assets, and one or more selected access controls from the access control list; and
  - saving the access control policy comprising the received policy options and the edited logical statement in the storage area.
16. The system of claim 11, further comprising:
- an administrative client operable by a user to:
  - send a request to create or modify one of the access controls to the access control process;
  - receive a set of control options from the access control process;
  - select one or more control options from the received set of control options; and
  - send the selected control options to the access control process;
- wherein the access control process is further configured to create or modify the access control by:
  - receiving the request to create or modify the access control from the client;
  - in response to receiving the request, creating the access control if it does not yet exist, or retrieving the access control from the storage area if it already exists;
  - sending a set of control options to the client, wherein the control options comprise a source list of data sources that can be linked to the access control, wherein each data source comprises a value for each of one or more attributes, and each attribute of each data source may be different than each attribute of the same or another data source;
  - receiving the selected control options from the client, wherein the selected control options include one or more selected data sources from the source list, and, for each selected data source one or more selected attributes from that data source and one or more options for each selected attribute; and
  - saving the access control comprising the received control options in the storage area.
17. The system of claim 11, wherein the data source is a database.

18. The system of claim 11, wherein the data source is a web service.

19. The system of claim 11, wherein the asset is a hardware component of the system.

20. The system of claim 11, wherein the asset is an electronic document.
Specification