OBLIGATION SYSTEM FOR ENTERPRISE ENVIRONMENTS

US 20130332985A1
Filed: 03/15/2013
Published: 12/12/2013
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at an authorization system, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;

wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;

wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;

wherein the payload field is defined within the basic permission class;

in response to receiving the holder-permission object, the authorization system determining whether one or more policies pertaining to the additional information are satisfied;

based at least in part on a determination of whether the one or more policies are satisfied by the additional information, the authorization system placing, within the holder-permission object, an indication of whether the application is allowed to perform the operation; and

returning, from the authorization system to the application, the holder-permission object containing the indication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Because the authorization system conforms to the legacy model, legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications. Such obligations can indicate requirements that those applications need to fulfill in conjunction with performing operations on resources.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, at an authorization system, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
  
  wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
  
  wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;
  
  wherein the payload field is defined within the basic permission class;
  
  in response to receiving the holder-permission object, the authorization system determining whether one or more policies pertaining to the additional information are satisfied;
  
  based at least in part on a determination of whether the one or more policies are satisfied by the additional information, the authorization system placing, within the holder-permission object, an indication of whether the application is allowed to perform the operation; and
  
  returning, from the authorization system to the application, the holder-permission object containing the indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 15)
- - 2. The method of claim 1, wherein the authorization system is compliant with a JAVA 2 permission-based authorization standard.
  - 3. The method of claim 1, wherein receiving the holder-permission object at the authorization system comprises receiving the holder-permission object as a result of an invocation of an accessController.checkPermission( ) method of a standardized application programming interface (API).
  - 4. The method of claim 1, further comprising:
    - receiving, at the authorization system, from a second application, a permission object that is an instance of the basic permission class but not an instance of the holder-permission class;
      
      wherein the permission object specifies a second resource relative to which the second application is requesting to perform a second operation;
      
      wherein the permission object does not specify said additional information in the payload field of the permission object;
      
      in response to receiving the permission object, the authorization system determining whether one or more second policies pertaining to the second resource are satisfied;
      
      based at least in part on a determination of whether the one or more second policies are satisfied, the authorization system placing, within the permission object, a second indication of whether the second application is allowed to perform the second operation; and
      
      returning, from the authorization system to the second application, the permission object containing the second indication.
  - 5. The method of claim 1, wherein the one or more policies specify one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource, and further comprising:
    - based at least in part on a determination that the one or more policies are satisfied by the additional information, the authorization system placing the one or more obligations within the payload field of the holder-permission object;
      
      wherein returning the holder-permission object from the authorization system to the application comprises returning the holder-permission object containing the one or more obligations in the payload field.
  - 6. The method of claim 1, wherein the additional information specifies a current time;
    - andwherein a particular policy of the one or more policies indicates a time interval into which the current time needs to fall in order for the particular policy to be satisfied.
  - 7. The method of claim 1, wherein a particular policy of the one or more policies specifies a particular obligation that indicates that the application is required, in conjunction with the application performing the operation relative to the resource, to inform a supervisor that a particular user performed the operation relative to the resource, and further comprising:
    - based at least in part on a determination that the particular policy is satisfied by the additional information, the authorization system placing the particular obligation within the payload field of the holder-permission object;
      
      wherein returning the holder-permission object from the authorization system to the application comprises returning the holder-permission object containing the particular obligation in the payload field.
  - 15. The method of claim 1, The computer-readable storage memory of claim 8, wherein a particular obligation of the one or more obligations indicates that the application is required, in conjunction with the application performing the operation relative to the resource, to inform a supervisor that a particular user performed the operation relative to the resource.

8. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to cause an authorization system to receive, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
  
  wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
  
  instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the resource are satisfied;
  
  wherein the one or more policies specify one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource;
  
  instructions to cause the authorization system to place, within the holder-permission object, and based at least in part on a determination that the one or more policies are satisfied, an indication that the application is allowed to perform the operation;
  
  instructions to cause the authorization system to place the one or more obligations within a payload field of the holder-permission object based at least in part on a determination that the one or more policies are satisfied;
  
  wherein the payload field is defined within the basic permission class; and
  
  instructions to cause the authorization system to return, to the application, the holder-permission object containing the indication and the one or more obligations.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage memory of claim 8, wherein the authorization system is compliant with a JAVA 2 permission-based authorization standard.
  - 10. The computer-readable storage memory of claim 8, wherein the instructions to cause the authorization system to receive the holder-permission object from the application comprise instructions for causing the holder-permission object to be received as a result of an invocation of an accessController.checkPermission( ) method of a standardized application programming interface (API).
  - 11. The computer-readable storage memory of claim 8, wherein the instructions to cause the authorization system to receive the holder-permission object from the application comprise instructions for causing the authorization system to receive additional information in the payload field of the holder-permission object;
    - and wherein the instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether the one or more policies pertaining to the resource are satisfied comprise instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the additional information are satisfied.
  - 12. The computer-readable storage memory of claim 8, wherein the instructions to cause the authorization system to receive the holder-permission object from the application comprise instructions for causing the authorization system to receive additional information in the payload field of the holder-permission object;
    - wherein the instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether the one or more policies pertaining to the resource are satisfied comprise instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the additional information are satisfied; and
      
      wherein the particular instructions further comprise;
      
      instructions to cause the authorization system to receive, from a second application, a permission object that is an instance of the basic permission class but not an instance of the holder-permission class;
      
      wherein the permission object specifies a second resource relative to which the second application is requesting to perform a second operation;
      
      wherein the permission object does not specify said additional information in the payload field of the permission object;
      
      instructions to cause the authorization system to determine, in response to receiving the permission object, whether one or more second policies pertaining to the second resource are satisfied;
      
      instructions to cause the authorization to place, based at least in part on a determination of whether the one or more second policies are satisfied, and within the permission object, a second indication of whether the second application is allowed to perform the second operation; and
      
      instructions to cause the authorization system to return, to the second application, the permission object containing the second indication but no obligations.
  - 13. The computer-readable storage memory of claim 8, wherein the holder-permission object returned to the application exposes a getObligations( ) method that is invocable by the application to cause the holder-permission object returned to the application to provide, to the application, the one or more obligations placed within the payload field of the holder-permission object.
  - 14. The computer-readable storage memory of claim 8, wherein a particular obligation of the one or more obligations indicates that the application is required, in conjunction with the application performing the operation relative to the resource, to log a fact that the operation was performed relative to the resource.

16. A system comprising:
- one or more processors; and
  
  a computer-readable storage memory that stores particular instructions comprising;
  
  instructions to cause an authorization system to receive, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
  
  wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
  
  wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;
  
  instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the additional information are satisfied;
  
  wherein the one or more policies specify one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource;
  
  instructions to cause the authorization system to place, within the holder-permission object, and based at least in part on a determination that the one or more policies are satisfied by the additional information, an indication that the application is allowed to perform the operation;
  
  instructions to cause the authorization system to place the one or more obligations within a payload field of the holder-permission object based at least in part on a determination that the one or more policies are satisfied;
  
  wherein the payload field is defined within the basic permission class; and
  
  instructions to cause the authorization system to return, to the application, the holder-permission object containing the indication and the one or more obligations.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the authorization system is compliant with a JAVA 2 permission-based authorization standard.
  - 18. The system of claim 16, wherein the instructions to cause the authorization system to receive the holder-permission object from the application comprise instructions for causing the holder-permission object to be received as a result of an invocation of an accessController.checkPermission( ) method of a standardized application programming interface (API).
  - 19. The system of claim 16, wherein the particular instructions further comprise:
    - instructions to cause the authorization system to receive, from a second application, a permission object that is an instance of the basic permission class but not an instance of the holder-permission class;
      
      wherein the permission object specifies a second resource relative to which the second application is requesting to perform a second operation;
      
      wherein the permission object does not specify said additional information in the payload field of the permission object;
      
      instructions to cause the authorization system to determine, in response to receiving the permission object, whether one or more second policies pertaining to the second resource are satisfied;
      
      instructions to cause the authorization system to place, based at least in part on a determination of whether the one or more second policies are satisfied, and within the permission object, a second indication of whether the second application is allowed to perform the second operation; and
      
      instructions to cause the authorization system return, to the second application, the permission object containing the second indication but no obligations.
  - 20. The system of claim 16, wherein the holder-permission object to be returned to the application exposes a getObligations( ) method that is invocable by the application to cause the holder-permission object to be returned to the application to provide, to the application, the one or more obligations that are to be placed within the payload field of the holder-permission object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sastry, Hari VN., Srinivasan, Uppili, Joshi, Vrinda S., Vepa, Sirish V.

Granted Patent

US 9,053,302 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/30   Authentication, i.e. establ...

G06F 21/6236   between heterogeneous systems

H04L 63/102   Entity profiles

OBLIGATION SYSTEM FOR ENTERPRISE ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

OBLIGATION SYSTEM FOR ENTERPRISE ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links