AUTHORIZATION SYSTEM FOR HETEROGENEOUS ENTERPRISE ENVIRONMENTS

US 20130332984A1
Filed: 03/15/2013
Published: 12/12/2013
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;

storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;

querying the policy store to retrieve the first authorization policy and the second authorization policy from the policy store in response to a request from an application of the plurality of applications;

evaluating the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment; and

granting access to at least one resource within the enterprise based on a result of the evaluating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. For example, components in the enterprise utilizing either JPS or OAM can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both JSP and OAM environments, such as both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A single unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources. A single unified policy decision engine can evaluate whether authorization policies are satisfied, regardless of the access control models that those policies follow.

61 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
  
  storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
  
  querying the policy store to retrieve the first authorization policy and the second authorization policy from the policy store in response to a request from an application of the plurality of applications;
  
  evaluating the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment; and
  
  granting access to at least one resource within the enterprise based on a result of the evaluating.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first authorization policy specifies features of a role-based access control (RBAC) model, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model.
  - 3. The method of claim 1, wherein the first type of authorization environment is a Java Platform Security (JPS) environment and wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment.
  - 4. The method of claim 1, further comprising:
    - storing, in the policy store, a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
      
      querying the policy store to retrieve the hybrid policy from the policy store;
      
      evaluating the hybrid policy within the policy engine; and
      
      granting access to at least one resource within the environment based on a result of the evaluating of the hybrid policy.
  - 5. The method of claim 1, wherein the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform.
  - 6. The method of claim 1, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.
  - 7. The method of claim 1, wherein the first authorization policy specifies a role category to which multiple roles belong;
    - and wherein evaluating the first policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category.

8. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to cause the one or more processors to store, in a policy store that is utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
  
  instructions to cause the one or more processors to store, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
  
  instructions to cause the one or more processors to query the policy store to retrieve the first authorization policy and the second authorization policy from the policy store in response to a request from an application of the plurality of applications;
  
  instructions to cause the one or more processors to evaluate the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment; and
  
  instructions to cause the one or more processors to grant access to at least one resource within the enterprise based on a result of the evaluating.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage memory of claim 8, wherein the first authorization policy specifies features of a role-based access control (RBAC) model, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model.
  - 10. The computer-readable storage memory of claim 8, wherein the first type of authorization environment is a Java Platform Security (JPS) environment and wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment.
  - 11. The computer-readable storage memory of claim 8, wherein the particular instructions further comprise:
    - instructions to cause the one or more processors to store, in the policy store, a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
      
      instructions to cause the one or more processors to query the policy store to retrieve the hybrid policy from the policy store;
      
      instructions to cause the one or more processors to evaluate the hybrid policy within the policy engine; and
      
      instructions to cause the one or more processors to grant access to at least one resource within the environment based on a result of the evaluating of the hybrid policy.
  - 12. The computer-readable storage memory of claim 8, wherein the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform.
  - 13. The computer-readable storage memory of claim 8, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.
  - 14. The computer-readable storage memory of claim 8, wherein the first authorization policy specifies a role category to which multiple roles belong;
    - and wherein the instructions to cause the one or more processors to evaluate the first policy comprise instructions to cause the one or more processors to determine whether an access-requesting subject is associated with a particular role that belongs to the role category.

15. A system comprising:
- one or more processors; and
  
  a computer-readable storage memory that stores;
  
  a policy store that contains (1) a first authorization policy that specifies features that are used within a first type of authorization environment and (2) a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment; and
  
  executable code that represents a policy engine that is configurable to evaluate the first authorization policy and the second authorization policy by evaluating both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the first authorization policy specifies features of a role-based access control (RBAC) model, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model.
  - 17. The system of claim 15, wherein the first type of authorization environment is a Java Platform Security (JPS) environment and wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment.
  - 18. The system of claim 15, wherein the policy store contains a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
    - and wherein the policy engine is configurable to evaluate the hybrid policy.
  - 19. The system of claim 15, wherein the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform.
  - 20. The system of claim 15, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Sastry, Hari VN., Vepa, Sirish V, Joshi, Vrinda S.

Granted Patent

US 9,058,471 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/30   Authentication, i.e. establ...

G06F 21/6236   between heterogeneous systems

H04L 63/102   Entity profiles

AUTHORIZATION SYSTEM FOR HETEROGENEOUS ENTERPRISE ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHORIZATION SYSTEM FOR HETEROGENEOUS ENTERPRISE ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links