OPTIMIZED POLICY MATCHING AND EVALUATION FOR NON-HIERARCHICAL RESOURCES
First Claim
1. A computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
instructions that cause at least one processor from the one or more processors to receive an authorization request, the authorization request identifying resource information, and wherein the resource information comprises a resource expression identifying a resource;
instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;
instructions that cause at least one processor from the one or more processors to access a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources;
instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from the one or more path components of the resource expression;
instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies; and
instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
Abstract
Techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.
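The lookup the abstract and claim 1 describe, as an added illustration that is not code from the patent or its assignee: policies are indexed by the characters of their resource expression, so a request evaluates only the matching subset instead of every configured policy. The character trie, the trailing `*` prefix convention, the deny-overrides rule, and all names and sample policies are assumptions of this sketch.

```python
from collections import namedtuple

# resource is an exact expression, or a prefix pattern ending in "*" (assumed convention)
Policy = namedtuple("Policy", "name resource subjects actions effect")

class Node:
    def __init__(self):
        self.children = {}   # next character -> Node
        self.exact = []      # policies whose expression ends exactly here
        self.prefix = []     # policies whose "*" pattern ends here

class PolicyIndex:
    def __init__(self, policies):
        self.root = Node()
        for p in policies:
            is_prefix = p.resource.endswith("*")
            node = self.root
            for ch in (p.resource[:-1] if is_prefix else p.resource):
                node = node.children.setdefault(ch, Node())
            (node.prefix if is_prefix else node.exact).append(p)

    def candidates(self, resource):
        """Walk the structure one character at a time, collecting matching policies."""
        node, found = self.root, list(self.root.prefix)
        for ch in resource:
            node = node.children.get(ch)
            if node is None:
                return found          # no deeper node can match
            found.extend(node.prefix)
        return found + node.exact

def authorize(index, subject, action, resource):
    """Evaluate only the candidate set; deny overrides, default deny (assumed rule)."""
    hits = [p for p in index.candidates(resource)
            if subject in p.subjects and action in p.actions]
    if any(p.effect == "deny" for p in hits):
        return "deny"
    return "permit" if hits else "deny"

# Constructed sample policies; all names and values are illustrative.
POLICIES = [
    Policy("p1", "PayrollReport", {"alice"}, {"read"}, "permit"),
    Policy("p2", "Payroll*", {"bob", "alice"}, {"read"}, "permit"),
    Policy("p3", "PayrollAdminConsole", {"bob"}, {"read"}, "deny"),
    Policy("p4", "InventoryBean", {"carol"}, {"invoke"}, "permit"),
]
INDEX = PolicyIndex(POLICIES)

if __name__ == "__main__":
    for req in [("alice", "read", "PayrollReport"), ("bob", "read", "PayrollAdminConsole")]:
        print(req, [p.name for p in INDEX.candidates(req[2])], authorize(INDEX, *req))
```

The lookup cost depends on the length of the requested resource expression, not on the number of policies stored, and a request for a resource with no matching node falls through to the default deny.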
20 Claims
12. A system comprising:
a memory configured to store a plurality of memory structures and each of the plurality of memory structures is configured for a plurality of policies targeting access to a plurality of non-hierarchical resources; and
one or more processors configured to access the plurality of memory structures stored by the memory, the one or more processors configured to;
receive an authorization request, the authorization request identifying resource information, wherein the resource information comprises a resource expression identifying a resource;
determine that the resource identified by the authorization request is a non-hierarchical;
determine a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from the one or more path components of the resource expression;
identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies; and
evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
20. A method comprising:
receiving, by a computing system, an authorization request, the authorization request identifying resource information, and wherein the resource information comprises a resource expression identifying a resource;
determining, by the computing system, that the resource identified by the authorization request is a non-hierarchical resource;
accessing, by the computing system, a plurality of memory structures stored for a plurality of policies targeting a plurality of non-hierarchical resources;
determining, by the computing system, a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
searching the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from the one or more path components of the resource expression;
identifying, by the computing system, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies; and
evaluating, by the computing system, one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
Specification