AUTHORIZATION SYSTEM FOR HETEROGENEOUS ENTERPRISE ENVIRONMENTS
First Claim
1. A computer-implemented method comprising:
storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
querying the policy store to retrieve the first authorization policy and the second authorization policy from the policy store in response to a request from an application of the plurality of applications;
evaluating the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment; and
granting access to at least one resource within the enterprise based on a result of the evaluating.
Abstract
A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. For example, components in the enterprise utilizing either JPS or OAM can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both JPS and OAM environments, such as both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A single unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources. A single unified policy decision engine can evaluate whether authorization policies are satisfied, regardless of the access control models that those policies follow.
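As an added illustration (not code from the patent, nor from the JPS or OAM products it names), the following Python sketch models the claimed method: one policy store holding a role-based policy and a policy with delegable administration, a single engine that evaluates either model, and deny-by-default access decisions. The policy shapes, class names and sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RolePolicy:            # role-based model (the JPS-style feature set)
    resource: str
    action: str
    allowed_roles: frozenset

@dataclass
class DelegatedPolicy:       # delegable-administration model (the OAM-style feature set)
    resource: str
    action: str
    allowed_users: set
    administrators: frozenset  # principals permitted to change allowed_users

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset = frozenset()

class PolicyStore:           # common store: one index keyed by (resource, action), any model
    def __init__(self):
        self._policies = {}
    def add(self, policy):
        self._policies.setdefault((policy.resource, policy.action), []).append(policy)
    def query(self, resource, action):
        return list(self._policies.get((resource, action), []))
    def grant(self, resource, action, by, user):
        """Delegated administration: only a listed administrator may widen a grant."""
        for p in self.query(resource, action):
            if isinstance(p, DelegatedPolicy) and by in p.administrators:
                p.allowed_users.add(user)
                return True
        raise PermissionError(f"{by} may not administer {resource}:{action}")

def evaluate(policy, subject):   # single decision engine; fails closed on unknown models
    if isinstance(policy, RolePolicy):
        return bool(subject.roles & policy.allowed_roles)
    if isinstance(policy, DelegatedPolicy):
        return subject.name in policy.allowed_users
    raise TypeError(f"unsupported policy model: {type(policy).__name__}")

def is_authorized(store, subject, resource, action):
    """Deny by default: access is granted only if some stored policy permits it."""
    return any(evaluate(p, subject) for p in store.query(resource, action))

def build_demo_store():      # constructed sample data: one policy of each model
    store = PolicyStore()
    store.add(RolePolicy("payroll", "read", frozenset({"hr"})))
    store.add(DelegatedPolicy("report42", "read", {"bob"}, frozenset({"alice"})))
    return store
```

The `TypeError` on an unrecognised policy model is deliberate: an engine that silently skipped policies it did not understand could turn a missing model handler into an unintended allow or deny.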
20 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
instructions to cause the one or more processors to store, in a policy store that is utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
instructions to cause the one or more processors to store, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
instructions to cause the one or more processors to query the policy store to retrieve the first authorization policy and the second authorization policy from the policy store in response to a request from an application of the plurality of applications;
instructions to cause the one or more processors to evaluate the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment; and
instructions to cause the one or more processors to grant access to at least one resource within the enterprise based on a result of the evaluating.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A system comprising:
one or more processors; and
a computer-readable storage memory that stores:
a policy store that contains (1) a first authorization policy that specifies features that are used within a first type of authorization environment and (2) a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment; and
executable code that represents a policy engine that is configurable to evaluate the first authorization policy and the second authorization policy by evaluating both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment.
(Dependent claims: 16, 17, 18, 19, 20)