ENTITLEMENTS DETERMINATION VIA ACCESS CONTROL LISTS
Abstract
Entitlements to resources can be determined by using access rules that are organized as respective ranges in an entitlement space. An access rule can represent a range between two rational numbers in the entitlement space; the range can be represented by a single rational number. Due to the way the rational numbers are chosen, a child rule is completely covered by its parent, and a parent has remaining room in the entitlement space for unlimited additional children. Entitlement checking for a large batch of resources can be performed quickly based on reusing calculated permitted ranges in the entitlement space. Implied permissions can be supported. Content can easily be added, and the access rules can be modified without unduly impacting the underlying tree structure, if at all.
Claims (21 total; independent claims 1, 17 and 21 shown)

1. A method implemented at least in part by a computer, the method comprising:
   receiving one or more respective resource identifiers identifying one or more respective resources;
   generating one or more entitlement decisions for respective of the resource identifiers according to a plurality of access rules for the resources, wherein the access rules are organized as respective rule ranges in an entitlement space.
   (Dependent claims 2-16.)

17. A system comprising:
   a plurality of access rules stored in one or more computer-readable devices;
   an entitlements engine configured to receive one or more resource identifiers, one or more permission types, and one or more security identifiers and further configured to generate one or more entitlement decisions based on the access rules;
   wherein the access rules are organized according to an underlying hierarchical tree defining an entitlement space, and the resource identifiers are associated with respective nodes in the underlying hierarchical tree that correspond to ranges in the entitlement space.
   (Dependent claims 18-20.)

21. One or more computer-readable devices comprising computer-executable instructions causing a computing system to perform a method comprising:
   receiving a plurality of resource identifiers;
   receiving a plurality of permission types;
   receiving a plurality of security identifiers;
   storing a set of access rules organized in a hierarchical arrangement according to depth in the hierarchical arrangement;
   based on the access rules, permission types, and security identifiers, constructing a representation of permitted ranges in an entitlement space;
   mapping the resource identifiers to respective resource ranges in the entitlement space;
   for the resource ranges, checking if the resource range overlaps with a permitted range in the entitlement space; and
   outputting entitlement decisions for respective of the resource identifiers according to the checking.
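The following is an added worked example, not code from the patent, showing the mechanism the abstract and claim 21 describe: a resource hierarchy mapped to nested rational ranges, permitted ranges built once per (security identifier, permission type) from the access rules, and a batch of resource ranges checked against them. The page does not give the patent's particular choice of rational numbers, so the child-range construction here (mediants walking from a parent's lower bound toward its upper bound, which yields disjoint, fully covered children without bound on their number) is an assumption; it also stores both endpoints of each range rather than the single-rational encoding the abstract mentions. The hierarchy, rule set and names are constructed for the example. A resource is entitled when its range lies inside a merged permitted range, which with nested ranges means a rule exists on the resource itself or on an ancestor; implied permissions are not modelled.

```python
from bisect import bisect_right
from fractions import Fraction
from typing import Dict, List, Tuple

# Half-open range [lo, hi) of rationals in the entitlement space (assumed encoding).
Interval = Tuple[Fraction, Fraction]
ROOT_RANGE: Interval = (Fraction(0), Fraction(1))


def child_interval(parent: Interval, k: int) -> Interval:
    """Range of the k-th child (k >= 1) carved out of `parent` with mediants.

    With lo = a/b and hi = c/d in lowest terms, m_j = (a + j*c)/(b + j*d) increases
    strictly from lo toward hi, so the child ranges [m_k, m_{k+1}) are pairwise
    disjoint, lie strictly inside [lo, hi), and exist for every k: a parent never
    runs out of room for more children. [lo, m_1) stays reserved for the parent.
    """
    lo, hi = parent
    a, b, c, d = lo.numerator, lo.denominator, hi.numerator, hi.denominator

    def mediant(j: int) -> Fraction:
        return Fraction(a + j * c, b + j * d)

    return mediant(k), mediant(k + 1)


def build_ranges(children_of: Dict[str, List[str]], root: str) -> Dict[str, Interval]:
    """Map every resource identifier in the hierarchy to its range."""
    ranges = {root: ROOT_RANGE}
    stack = [root]
    while stack:
        node = stack.pop()
        for k, child in enumerate(children_of.get(node, []), start=1):
            ranges[child] = child_interval(ranges[node], k)
            stack.append(child)
    return ranges


# Access rule: (security identifier, permission type, resource the rule is attached to).
Rule = Tuple[str, str, str]


def permitted_ranges(rules: List[Rule], ranges: Dict[str, Interval],
                     sid: str, perm: str) -> List[Interval]:
    """Union of the rule ranges granting `perm` to `sid`, merged into sorted disjoint ranges."""
    selected = sorted(ranges[node] for s, p, node in rules if s == sid and p == perm)
    merged: List[Interval] = []
    for lo, hi in selected:
        if merged and lo <= merged[-1][1]:          # overlapping or touching: extend
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def decide_batch(rules: List[Rule], ranges: Dict[str, Interval], sid: str, perm: str,
                 resources: List[str]) -> Dict[str, bool]:
    """Entitlement decision per resource; the permitted ranges are computed once and reused."""
    permitted = permitted_ranges(rules, ranges, sid, perm)
    starts = [lo for lo, _ in permitted]
    decisions: Dict[str, bool] = {}
    for rid in resources:
        lo, hi = ranges[rid]
        i = bisect_right(starts, lo) - 1             # last permitted range starting at or before lo
        decisions[rid] = i >= 0 and hi <= permitted[i][1]
    return decisions


# Constructed sample hierarchy and rules (not from the patent).
SAMPLE_HIERARCHY: Dict[str, List[str]] = {
    "/": ["finance", "hr"],
    "finance": ["reports", "ledgers"],
    "reports": ["q1.pdf"],
    "hr": ["payroll"],
}
SAMPLE_RULES: List[Rule] = [
    ("alice", "read", "finance"),   # covers everything under finance
    ("alice", "read", "q1.pdf"),    # redundant: already inside the finance range
    ("bob", "read", "reports"),
    ("bob", "write", "payroll"),
]

if __name__ == "__main__":
    ranges = build_ranges(SAMPLE_HIERARCHY, "/")
    for name, (lo, hi) in ranges.items():
        print(f"{name:10s} [{lo}, {hi})")
    print(decide_batch(SAMPLE_RULES, ranges, "alice", "read", ["q1.pdf", "ledgers", "payroll", "/"]))
    print(decide_batch(SAMPLE_RULES, ranges, "bob", "read", ["q1.pdf", "finance", "ledgers"]))
```

Because a child's range is always strictly inside its parent's, adding a new resource anywhere in the tree only allocates a fresh sub-range and leaves every existing rule range untouched, and a rule on a parent is honoured for later-added children without rewriting anything.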