ENTITLEMENTS DETERMINATION VIA ACCESS CONTROL LISTS

US 20140298481A1
Filed: 03/29/2013
Published: 10/02/2014
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a computer, the method comprising:

receiving one or more respective resource identifiers identifying one or more respective resources;

generating one or more entitlement decisions for respective of the resource identifiers according to a plurality of access rules for the resources, wherein the access rules are organized as respective rule ranges in an entitlement space.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Entitlements to resources can be determined by using access rules that are organized as respective ranges in an entitlement space. An access rule can represent a range between two rational numbers in the entitlement space; the range can be represented by a single rational number. Due to the way the rational numbers are chosen, a child rule is completely covered by its parent, and a parent has remaining room in the entitlement space for unlimited additional children. Entitlement checking for a large batch of resources can be performed quickly based on reusing calculated permitted ranges in the entitlement space. Implied permissions can be supported. Content can easily be added, and the access rules can be modified without unduly impacting the underlying tree structure, if at all.

21 Citations

View as Search Results

21 Claims

1. A method implemented at least in part by a computer, the method comprising:
- receiving one or more respective resource identifiers identifying one or more respective resources;
  
  generating one or more entitlement decisions for respective of the resource identifiers according to a plurality of access rules for the resources, wherein the access rules are organized as respective rule ranges in an entitlement space.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. One or more computer-readable devices comprising computer-executable instructions causing a computing system to perform the method of claim 1.
  - 3. The method of claim 1 further comprising:
    - representing the access rules as respective rule ranges between two rational numbers in the entitlement space.
  - 4. The method of claim 3 wherein:
    - a rule range for an access rule is represented by a single rational number.
  - 5. The method of claim 1 wherein the generating comprises:
    - mapping a resource identifier to a resource range in the entitlement space; and
      
      comparing the resource range to permitted ranges in the entitlement space.
  - 6. The method of claim 1 wherein:
    - the rule ranges represent respective locations of the access rules in a hierarchical arrangement.
  - 7. The method of claim 6 wherein:
    - in the hierarchical arrangement, the rule ranges of rules in a same level of the hierarchical arrangement are non-overlapping in the entitlement space.
  - 8. The method of claim 6 wherein:
    - in the hierarchical arrangement, the rule range of a child rule is fully overlapped by that of a parent rule of the child rule in the entitlement space, and the child rule overlaps no other rules at a level in the hierarchical arrangement of the parent rule.
  - 9. The method of claim 6 wherein:
    - the rule range of a child rule in the entitlement space is computed according to a technique that supports endlessly adding additional sibling rules for the child rule and endlessly adding grandchild rules.
  - 10. The method of claim 1 wherein:
    - the rule ranges are represented by respective rational numbers; and
      
      a given rule range is uniquely identified by a single rational number.
  - 11. The method of claim 1 wherein:
    - the rule ranges are represented by respective rational numbers; and
      
      a given range is uniquely identified by continued-fraction form.
  - 12. The method of claim 1 wherein:
    - the rule ranges unambiguously represent a location of a rule in a hierarchical arrangement.
  - 13. The method of claim 1 further comprising:
    - receiving one or more security identifiers;
      
      wherein the generating generates entitlement decisions based on whether the access rules permit access by any of the security identifiers.
  - 14. The method of claim 13 wherein:
    - the one or more security identifiers identify a user.
  - 15. The method of claim 1 further comprising:
    - receiving one or more permission types;
      
      wherein the generating generates entitlement decisions based on whether the access rules permit access according to the permission types.
  - 16. The method of claim 15 wherein:
    - the permission types support implied permissions.

17. A system comprising:
- a plurality of access rules stored in one or more computer-readable devices;
  
  an entitlements engine configured to receive one or more resource identifiers, one or more permission types, and one or more security identifiers and further configured to generate one or more entitlement decisions based on the access rules;
  
  wherein the access rules are organized according to an underlying hierarchical tree defining an entitlement space, and the resource identifiers are associated with respective nodes in the underlying hierarchical tree that correspond to ranges in the entitlement space.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 wherein:
    - the underlying hierarchical tree defines permitted ranges in the entitlement space for a given set of permission types and a given set of security identifiers.
  - 19. The system of claim 18 wherein:
    - access rules in the underlying hierarchical tree are associated with respective single rational numbers that uniquely position the access rules in the underlying hierarchical tree.
  - 20. The system of claim 19 wherein:
    - the access rules are ordered by depth in the hierarchical tree.

21. One or more computer-readable devices comprising computer-executable instructions causing a computing system to perform a method comprising:
- receiving a plurality of resource identifiers;
  
  receiving a plurality of permission types;
  
  receiving a plurality of security identifiers;
  
  storing a set of access rules organized in a hierarchical arrangement according to depth in the hierarchical arrangement;
  
  based on the access rules, permission types, and security identifiers, constructing a representation of permitted ranges in an entitlement space;
  
  mapping the resource identifiers to respective resource ranges in the entitlement space;
  
  for the resource ranges, checking if the resource range overlaps with a permitted range in the entitlement space; and
  
  outputting entitlement decisions for respective of the resource identifiers according to the checking.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jive Software Incorporated (Wave Systems Corporation)
Original Assignee
Jive Software Incorporated (Wave Systems Corporation)
Inventors
Gilroy, Darren, Pellegrino, Seth

Granted Patent

US 9,111,104 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

ENTITLEMENTS DETERMINATION VIA ACCESS CONTROL LISTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ENTITLEMENTS DETERMINATION VIA ACCESS CONTROL LISTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links