OPTIMIZED POLICY MATCHING AND EVALUATION FOR NON-HIERARCHICAL RESOURCES

US 20130283340A1
Filed: 04/24/2012
Published: 10/24/2013
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:

instructions that cause at least one processor from the one or more processors to receive an authorization request to be authorized, the authorization request identifying a subject, resource information, and an action, the resource information comprising a resource expression identifying a non-hierarchical resource;

instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;

instructions that cause at least one processor from the one or more processors to access a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources;

instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical in the authorization request;

instructions that cause at least one processor from the one or more processors to identify, using the plurality of memory structures and the set of characters, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request; and

instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.

12 Citations

View as Search Results

20 Claims

1. A computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
- instructions that cause at least one processor from the one or more processors to receive an authorization request to be authorized, the authorization request identifying a subject, resource information, and an action, the resource information comprising a resource expression identifying a non-hierarchical resource;
  
  instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;
  
  instructions that cause at least one processor from the one or more processors to access a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources;
  
  instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical in the authorization request;
  
  instructions that cause at least one processor from the one or more processors to identify, using the plurality of memory structures and the set of characters, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request; and
  
  instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable memory of claim 1 wherein the instructions that cause at least one processor from the one or more processors to evaluate the one or more policies comprise:
    - instructions that cause at least one processor from the one or more processors to determine a second set of policies from the first set of policies based upon the subject and the action identified in the authorization request; and
      
      instructions that cause at least one processor from the one or more processors to evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
  - 3. The computer-readable memory of claim 1 wherein processing performed during the identifying depends upon a number of characters in the set of characters and is independent of a number of resources in the plurality of non-hierarchical resources and a number of policies in the plurality of policies.
  - 4. The computer-readable memory of claim 1 wherein the plurality of policies comprises a first policy and the plurality of memory structures comprises a first memory structure for the first policy, the plurality of instructions further comprising:
    - for the first policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a first resource expression specified by the first policy, the first resource expression identifying a first set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the first policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine a first set of characters from the first resource expression; and
      
      instructions that cause at least one processor from the one or more processors to generate the first memory structure for the first policy, the first memory structure storing information representing each character in the first set of characters and storing information representing relative positions of the first set of characters in the first resource expression, the first memory structure comprising a reference to the first policy.
  - 5. The computer-readable memory of claim 4 wherein the plurality of policies comprises a second policy, the plurality of instructions further comprising:
    - for the second policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a second resource expression specified by the second policy, the second resource expression identifying a second set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the second policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine that the first resource expression and the second resource expression are of same expression type;
      
      instructions that cause at least one processor from the one or more processors to determine a second set of characters from the second resource expression; and
      
      instructions that cause at least one processor from the one or more processors to augment the first memory structure to store information for the second policy, the first memory structure storing information representing each character in the second set of characters and storing information representing relative positions of the second set of characters in the second resource expression, the first memory structure comprising a reference to the second policy.
  - 6. The computer-readable memory of claim 5 wherein the plurality of policies comprises a third policy and the plurality of memory structures comprises a second memory structure for the third policy, the plurality of instructions further comprising:
    - for the third policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a third resource expression specified by the third policy, the third resource expression identifying a third set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the third policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine that an expression type associated with the third resource expression is different from the expression type associated with the first and second resource expressions;
      
      instructions that cause at least one processor from the one or more processors to determine a third set of characters from the third resource expression; and
      
      instructions that cause at least one processor from the one or more processors to generate the second memory structure to store information for the third policy, the second memory structure storing information representing each character in the third set of characters and storing information representing relative positions of the third set of characters in the third resource expression, the second memory structure comprising a reference to the third policy.
  - 7. The computer-readable memory of claim 1 wherein each memory structure in the plurality of memory structures is associated with an expression type determined from a plurality of expression types, wherein the expression type for a memory structure is determined based upon a resource expression specified by a policy represented by the memory structure.
  - 8. The computer-readable memory of claim 7 wherein the plurality of expression types includes an exact expression type, a prefix expression type, a postfix expression type, a contains expression type, and a custom expression type.
  - 9. The computer-readable memory of claim 1 wherein the instructions that cause at least one processor from the one or more processors to identify the first set of policies comprise:
    - instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters to determine one or more matches; and
      
      instructions that cause at least one processor from the one or more processors to determine the first set of policies from the plurality of memory structures based upon the one or more matches.
  - 10. The computer-readable memory of claim 1 wherein:
    - each memory structure in the plurality of memory structures represents at least one policy in the plurality of policies, wherein the memory structure representing a particular policy comprises;
      
      a node for each character in a set of characters determined from the resource expression of the particular policy represented by the memory structure;
      
      information representing relative positions of the set of characters in the resource expression of the particular policy; and
      
      a reference to the particular policy; and
      
      the instructions that cause at least one processor from the one or more processors to identify the first set of policies further comprise;
      
      instructions that cause at least one processor from the one or more processors to search the plurality of memory structures based upon the set of characters from the resource expression identifying the non-hierarchical in the authorization request;
      
      instructions that cause at least one processor from the one or more processors to, based upon the searching, identify a first path of one or more nodes in a memory structure from the plurality of memory structures; and
      
      instructions that cause at least one processor from the one or more processors to include all policies referenced by the one or more nodes in the first path in the first set of policies.

11. A system comprising:
- a memory configured to store a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources; and
  
  one or more processors configured to access the plurality of memory structures stored by the memory, the one or more processors configured to;
  
  receive an authorization request to be authorized, the authorization request identifying a subject, resource information, and an action, the resource information comprising a resource expression identifying a non-hierarchical resource;
  
  determine that the resource identified by the authorization request is a non-hierarchical resource;
  
  determine a set of characters from the resource expression identifying the non-hierarchical in the authorization request;
  
  identify using the plurality of memory structures and the set of characters, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request; and
  
  evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11 wherein to evaluate the one or more polices the one or more processors are configured to:
    - determine a second set of policies from the first set of policies based upon the subject and the action identified in the authorization request; and
      
      evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
  - 13. The system of claim 11 wherein processing performed during the identifying depends upon a number of characters in the set of characters and is independent of a number of resources in the plurality of non-hierarchical resources and a number of policies in the plurality of policies.
  - 14. The system of claim 11 wherein the plurality of policies comprises a first policy and the plurality of memory structures comprises a first memory structure for the first policy, the one or more processors further configured to:
    - for the first policy in the plurality of policies;
      
      determine a first resource expression specified by the first policy, the first resource expression identifying a first set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the first policy applies;
      
      determine a first set of characters from the first resource expression; and
      
      generate the first memory structure for the first policy, the first memory structure storing information representing each character in the first set of characters and storing information representing relative positions of the first set of characters in the first resource expression, the first memory structure comprising a reference to the first policy.
  - 15. The system of claim 14 wherein the plurality of policies comprises a second policy, the one or more processors further configured to:
    - for the second policy in the plurality of policies;
      
      determine a second resource expression specified by the second policy, the second resource expression identifying a second set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the second policy applies;
      
      determine that the first resource expression and the second resource expression are of same expression type;
      
      determine a second set of characters from the second resource expression; and
      
      augment the first memory structure to store information for the second policy, the first memory structure storing information representing each character in the second set of characters and storing information representing relative positions of the second set of characters in the second resource expression, the first memory structure comprising a reference to the second policy.
  - 16. The system of claim 15 wherein the plurality of policies comprises a third policy and the plurality of memory structures comprises a second memory structure for the third policy, the one or more processors further configured to:
    - for the third policy in the plurality of policies;
      
      determine a third resource expression specified by the third policy, the third resource expression identifying a third set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the third policy applies;
      
      determine that an expression type associated with the third resource expression is different from the expression type associated with the first and second resource expressions;
      
      determine a third set of characters from the third resource expression; and
      
      generate the second memory structure to store information for the third policy, the second memory structure storing information representing each character in the third set of characters and storing information representing relative positions of the third set of characters in the third resource expression, the second memory structure comprising a reference to the third policy.
  - 17. The system of claim 11 wherein each memory structure in the plurality of memory structures is associated with an expression type determined from a plurality of expression types, wherein the expression type for a memory structure is determined based upon a resource expression specified by a policy represented by the memory structure.
  - 18. The system of claim 11 wherein to identify the first set of policies, the one or more processors are configured to:
    - search the plurality of memory structures using the set of characters to determine one or more matches; and
      
      determine the first set of policies from the plurality of memory structures based upon the one or more matches.
  - 19. The system of claim 11 wherein:
    - each memory structure in the plurality of memory structures represents at least one policy in the plurality of policies, wherein the memory structure representing a particular policy comprises;
      
      a node for each character in a set of characters determined from the resource expression of the particular policy represented by the memory structure;
      
      information representing relative positions of the set of characters in the resource expression of the particular policy; and
      
      a reference to the particular policy; and
      
      to identify the first set of policies, the one or more processors are configured to;
      
      search the plurality of memory structures based upon the set of characters from the resource expression identifying the non-hierarchical in the authorization request;
      
      based upon the search, identify a first path of one or more nodes in a memory structure from the plurality of memory structures; and
      
      include all policies referenced by the one or more nodes in the first path in the first set of policies.

20. A method comprising:
- receiving, by a computing system, an authorization request to be authorized, the authorization request identifying a subject, resource information, and an action, the resource information comprising a resource expression identifying a non-hierarchical resource;
  
  determining, by the computing system, that the resource identified by the authorization request is a non-hierarchical resource;
  
  accessing, by the computing system, a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources;
  
  determining, by the computing system, a set of characters from the resource expression identifying the non-hierarchical in the authorization request;
  
  identifying, by the computing system, using the plurality of memory structures and the set of characters, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request; and
  
  evaluating, by the computing system, one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Biswas, Kamalendu, Kapishnikov, Andrei, Hari, Sastry

Granted Patent

US 9,547,764 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

OPTIMIZED POLICY MATCHING AND EVALUATION FOR NON-HIERARCHICAL RESOURCES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

OPTIMIZED POLICY MATCHING AND EVALUATION FOR NON-HIERARCHICAL RESOURCES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others