AUTHORIZATION POLICY OBJECTS SHARABLE ACROSS APPLICATIONS, PERSISTENCE MODEL, AND APPLICATION-LEVEL DECISION-COMBINING ALGORITHM
2 Assignments
0 Petitions
Abstract
A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.
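The abstract and claim 1 describe an evaluation path in which a policy shared across applications and an application-specific policy are both applied to one access request, and an application-level combining algorithm resolves any conflict between their results. The following is an added illustration, not code from the patent or from any product it covers: the policy model, the `PolicyDecisionPoint` class, the store names, and the sample applications, resources, and policies are all constructed here. The combining algorithms implement the familiar XACML deny-overrides and permit-overrides semantics in simplified form (the full XACML 3.0 treatment of Indeterminate sub-cases is omitted).

```python
"""Constructed example: one global policy store shared by all applications,
per-application policy stores, and a per-application combining algorithm that
resolves conflicts between the decisions of the applicable policies."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str                       # resource the policy target covers
    actions: frozenset                  # actions the policy target covers
    effect: Decision                    # PERMIT or DENY when the target matches
    application: Optional[str] = None   # None = shared by every application

    def evaluate(self, application: str, resource: str, action: str) -> Decision:
        """Return the policy's effect if its target matches, else NotApplicable."""
        if self.application is not None and self.application != application:
            return Decision.NOT_APPLICABLE
        if resource != self.resource or action not in self.actions:
            return Decision.NOT_APPLICABLE
        return self.effect


def deny_overrides(decisions: List[Decision]) -> Decision:
    """Simplified XACML deny-overrides: any Deny wins over any Permit."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions: List[Decision]) -> Decision:
    """Simplified XACML permit-overrides: any Permit wins over any Deny."""
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


COMBINING_ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
}


@dataclass
class PolicyDecisionPoint:
    """Hypothetical PDP holding a global store plus per-application stores."""
    global_store: List[Policy]                # policies shared by all applications
    app_stores: Dict[str, List[Policy]]       # application -> its own policies
    app_algorithms: Dict[str, str]            # application -> combining algorithm

    def decide(self, application: str, resource: str, action: str) -> Decision:
        # Claim 1: apply the shared (first) policy and the application's own
        # (second) policy to the same request, then combine the results using
        # the algorithm configured for this application.
        policies = list(self.global_store) + self.app_stores.get(application, [])
        decisions = [p.evaluate(application, resource, action) for p in policies]
        algorithm_name = self.app_algorithms.get(application, "deny-overrides")
        return COMBINING_ALGORITHMS[algorithm_name](decisions)

    def is_permitted(self, application: str, resource: str, action: str) -> bool:
        # Fail closed: only an explicit Permit allows access. NotApplicable and
        # Indeterminate are treated as a refusal by the enforcement point.
        return self.decide(application, resource, action) is Decision.PERMIT


def build_sample_pdp() -> PolicyDecisionPoint:
    """Constructed sample data: two shared policies, three applications."""
    shared = [
        Policy("shared-read-reports", "/reports", frozenset({"read"}), Decision.PERMIT),
        Policy("shared-no-pii-export", "/pii", frozenset({"export"}), Decision.DENY),
    ]
    per_app = {
        # payroll may also write reports
        "payroll": [Policy("payroll-write-reports", "/reports", frozenset({"write"}),
                           Decision.PERMIT, application="payroll")],
        # kiosk is explicitly denied reading reports despite the shared permit
        "kiosk": [Policy("kiosk-no-reports", "/reports", frozenset({"read"}),
                         Decision.DENY, application="kiosk")],
        # analytics has its own permit for PII export, conflicting with the shared deny
        "analytics": [Policy("analytics-pii-export", "/pii", frozenset({"export"}),
                             Decision.PERMIT, application="analytics")],
    }
    algorithms = {"payroll": "deny-overrides",
                  "kiosk": "deny-overrides",
                  "analytics": "permit-overrides"}
    return PolicyDecisionPoint(shared, per_app, algorithms)


if __name__ == "__main__":
    pdp = build_sample_pdp()
    for app, res, act in [("payroll", "/reports", "read"), ("kiosk", "/reports", "read"),
                          ("analytics", "/pii", "export"), ("payroll", "/pii", "export")]:
        print(f"{app:>9} {act:>6} {res:<9} -> {pdp.decide(app, res, act).value}")
```

The analytics and kiosk cases are the point of the example: both applications see the same shared policy, but the conflict with their own policy is settled by the algorithm configured for that application, so the same pair of decisions yields Permit for one application and Deny for another. Requests that no policy covers fall through to NotApplicable, which `is_permitted` treats as a refusal.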
16 Citations
20 Claims
1. A computer-implemented method comprising:
identifying, by a computer system of an access management system, a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
identifying, by the computer system, a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
determining, by the computer system, by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
upon determining that the application is permitted access to the resource, allowing the application to access the resource.
(Dependent claims 2 through 16 depend from claim 1 and are not reproduced here.)

17. A system comprising:
one or more processors; and
a memory accessible by the one or more processors, the memory storing instructions that, upon execution by the one or more processors, cause the one or more processors to:
identify a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
identify a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
determine, by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
upon determining that the application is permitted access to the resource, allow the application to access the resource.
(Dependent claim 18 depends from claim 17 and is not reproduced here.)

19. A non-transitory computer-readable medium storing one or more instructions that, upon execution by one or more processors, cause the one or more processors to:
identify a first policy that is shared by a plurality of applications, wherein the first policy defines access to a resource by the plurality of applications that share the first policy;
identify a second policy for an application of the plurality of applications, wherein the second policy defines access to the resource by the application, wherein the second policy is identified as one of a plurality of policies, each of the plurality of policies associated with a different one of the plurality of applications;
determine, by applying the first policy to the application and the second policy to the application, whether the application is permitted to access the resource; and
upon determining that the application is permitted access to the resource, allow the application to access the resource.
(Dependent claim 20 depends from claim 19 and is not reproduced here.)
Specification