AUTHORIZATION POLICY OBJECTS SHARABLE ACROSS APPLICATIONS, PERSISTENCE MODEL, AND APPLICATION-LEVEL DECISION-COMBINING ALGORITHM

US 20170019408A1
Filed: 09/28/2016
Published: 01/19/2017
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying, by a computer system of an access management system, a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;

identifying, by the computer system, a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;

determining, by the computer system, by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and

upon determining that the application is permitted access to the resource, allowing the application to access the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application'"'"'s resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

16 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- identifying, by a computer system of an access management system, a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
  
  identifying, by the computer system, a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
  
  determining, by the computer system, by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
  
  upon determining that the application is permitted access to the resource, allowing the application to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-implemented method of claim 1, wherein the application is a first application of the plurality of applications, and wherein the method further comprises:
    - identifying, by the computer system, a third policy for a second application of the plurality of applications, wherein the third policy defines access to the resource by the second application, wherein the third policy is identified as one of the plurality of policies, the third policy differing from the second policy; and
      
      determining, by the computer system, by applying the first policy to the second application and the third policy to the second application, whether the second application is permitted to access the resource.
  - 3. The computer-implemented method of claim 2, wherein the third policy is substantially similar to the second policy.
  - 4. The computer-implemented method of claim 1, wherein the resource is a first resource, and wherein the method further comprises:
    - identifying, by the computer system, a third policy for the application, wherein the third policy defines access to a second resource by the application, wherein the third policy is identified as one of the plurality of policies; and
      
      determining, by the computer system, by applying the first policy to the application and the third policy to the application, whether the application is permitted to access the second resource.
  - 5. The computer-implemented method of claim 4, wherein the first resource and the second resource are included in a plurality of resources, and wherein each of the plurality of resources is associated with one or more of the plurality of policies.
  - 6. The computer-implemented method of claim 1, further comprising:
    - identifying a rule that is based on a combination of the first policy and the second policy; and
      
      wherein the determining whether the application is permitted to access the resource includes applying, by the computer system, the rule to the application to resolve conflicts between results of applying the first policy to the application and the second policy to the application.
  - 7. The computer-implemented method of claim 6, wherein the rule is a first rule included in a plurality of rules, and wherein each of the plurality of rules is based on a combination of two or more policies, and wherein the method further comprises:
    - identifying, by the computer system, a second rule that is based on a combination of a plurality of policies, the second plurality of policies containing policies other than at least one of the first policy or the second policy.
  - 8. The computer-implemented method of claim 7, wherein each of the plurality of policies is associated with one or more applications of the plurality of applications, and wherein each of the plurality of policies is used to determine whether the one or more applications associated with a policy of the plurality of policies is permitted to access the resource.
  - 9. The computer-implemented method of claim 7, wherein each of the plurality of policies is associated with one or more resources of a plurality of resources, wherein each of the plurality of policies is used to determine whether the application is permitted to access the one or more resources.
  - 10. The computer-implemented method of claim 7, wherein the first rule is substantially similar to the second rule.
  - 11. The computer-implemented method of claim 7, wherein the first policy is stored within a global policy memory structure associated with the plurality of applications and the second policy is stored within an application-specific memory structure associated with the application.
  - 12. The computer-implemented method of claim 1, wherein the determining that the application is permitted access to the resource includes determining that the first policy and the second policy both indicate that the application is permitted to access the resource.
  - 13. The computer-implemented method of claim 1, wherein each of the plurality of policies are stored within a corresponding memory structure, the corresponding memory structures each being associated with a corresponding one of the plurality of applications.
  - 14. The computer-implemented method of claim 1, wherein the first policy is stored within a memory structure associated with the plurality of applications that share the first policy, and wherein the memory structure that is different from one or more memory structures storing any of the plurality of policies.
  - 15. The computer-implemented method of claim 1, further comprising:
    - upon determining that the application is not permitted to access the resource, denying the application access to the resource.
  - 16. The computer-implemented method of claim 15, wherein the determining that the application is not permitted to access the resource includes determining that either the first policy or the second policy indicates that the application is not permitted to access the resource.

17. A system comprising:
- one or more processors; and
  
  a memory accessible by the one or more processors, the memory storing instructions that, upon execution by the one or more processors, cause the one or more processors to;
  
  identify a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
  
  identify a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
  
  determining by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
  
  upon determining that the application is permitted access to the resource, allow the application to access the resource.
- View Dependent Claims (18)
- - 18. The system claim 17, wherein the first policy includes a first plurality of rules and the second policy includes a second plurality of rules;
    - andthe determining whether the application is permitted to access the resource includes applying a rule of the first plurality of rules to the application and a rule of the second plurality of rules to the application.

19. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, causes the one or more processors to:
- identify a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
  
  identify a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
  
  determining by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
  
  upon determining that the application is permitted access to the resource, allow the application to access the resource.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the resource includes a file, a directory, an application, a communication port, a memory segment, a computer device, or a combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Vepa, Sirish V., Sastry, Hari, Cao, Alan, Ding, Cynthia

Granted Patent

US 10,230,732 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6281   at program execution time, ...

H04L 41/0893   Assignment of logical group...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

AUTHORIZATION POLICY OBJECTS SHARABLE ACROSS APPLICATIONS, PERSISTENCE MODEL, AND APPLICATION-LEVEL DECISION-COMBINING ALGORITHM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHORIZATION POLICY OBJECTS SHARABLE ACROSS APPLICATIONS, PERSISTENCE MODEL, AND APPLICATION-LEVEL DECISION-COMBINING ALGORITHM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links