REST-BASED DECLARATIVE POLICY MANAGEMENT

US 20190098056A1
Filed: 05/29/2018
Published: 03/28/2019
Est. Priority Date: 09/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method for policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the method comprising:

receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;

determining an applicable policy associated with the IAM service;

determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;

obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;

evaluating the applicable policy at run-time using at least the obtained attribute value; and

performing the IAM service based on the result of the evaluating of the policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment performs policy evaluation in a multi-tenant cloud-based identity and access management (“IAM”) system. The embodiment receives a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system, and determines an applicable policy associated with the IAM service. The embodiment determines a policy expression of the applicable policy, where the policy expression includes a reference to an attribute value, and where the reference either includes a function or includes an application programming interface (“API”) of an attribute retriever class. The embodiment obtains the attribute value by invoking the function or by invoking the API of the attribute retriever class. The embodiment evaluates the applicable policy at run-time using at least the obtained attribute value, and performs the IAM service based on the result of the evaluating of the policy.

26 Citations

View as Search Results

20 Claims

1. A method for policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the method comprising:
- receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;
  
  determining an applicable policy associated with the IAM service;
  
  determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
  
  obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
  
  evaluating the applicable policy at run-time using at least the obtained attribute value; and
  
  performing the IAM service based on the result of the evaluating of the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the applicable policy is a declarative policy configured by a policy engine that is a common module available for uptake by microservices providing cloud-based IAM services to tenants of the multi-tenant cloud-based IAM system, wherein the declarative policy is configured by the policy engine using at least one Representational State Transfer (REST) API request configured according to System for Cross-domain Identity Management (SCIM).
  - 3. The method of claim 2, wherein the policy engine defines a data model comprising resource types corresponding to policy artifacts associated with the declarative policy, wherein the policy artifacts comprise:
    - the declarative policy;
      
      a policy type;
      
      rules;
      
      condition groups; and
      
      conditions.
  - 4. The method of claim 3, wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine and performs the IAM service, wherein the policy type is defined by the component of the multi-tenant cloud-based IAM system that uptakes the policy engine by configuring one or more control switches that control the run-time evaluation behavior of the declarative policy.
  - 5. The method of claim 4, wherein each of the conditions comprises an IF/THEN/ELSE statement, wherein each of the condition groups comprises a Boolean combination of one or more conditions using OR/AND/NOT operators, wherein each of the rules comprises a Boolean combination of one or more condition groups or conditions using OR/AND/NOT operators and defines a value to be returned if the Boolean combination is evaluated positively.
  - 6. The method of claim 5, wherein the declarative policy comprises the rules configured in an ordered sequence, wherein the declarative policy is evaluated at run-time according to flags configured in the policy type to return values based on evaluation of the rules according to the ordered sequence.
  - 7. The method of claim 6, wherein at least one rule or condition of the declarative policy requires the attribute value as an input.
  - 8. The method of claim 7, wherein the input comprises dynamic run-time data that depends on data evaluated by a prior rule or condition of the declarative policy.
  - 9. The method of claim 7, wherein the input comprises dynamic run-time data that is not part of input data fed to the policy engine by the request for the IAM service.
  - 10. The method of claim 7, wherein the function is used by the policy engine in configuring a condition or return value of the declarative policy.
  - 11. The method of claim 10, wherein the reference to the attribute value comprises the function, wherein the obtaining of the attribute value comprises:
    - parsing the policy expression into the function at run-time;
      
      determining input arguments to the function based on the request for the IAM service; and
      
      invoking the parsed function with the input arguments.
  - 12. The method of claim 7, wherein the policy engine configures an element in the policy type of the declarative policy, wherein the element identifies the attribute retriever class as an allowed input reference.
  - 13. The method of claim 12, wherein the reference to the attribute value comprises the API of the attribute retriever class, wherein the policy engine invokes the API of the attribute retriever class at run-time to retrieve the attribute value if the corresponding attribute is referenced in at least one condition or rule of the declarative policy.
  - 14. The method of claim 1, wherein the function is provided by an administrator of the tenant of the multi-tenant cloud-based IAM system.
  - 15. The method of claim 1, wherein the attribute retriever class is provided by an administrator of the tenant of the multi-tenant cloud-based IAM system.
  - 16. The method of claim 1, wherein the declarative policy is associated with a resource or a container of the tenant of the multi-tenant cloud-based IAM system.
  - 17. The method of claim 1, wherein the declarative policy is customized for the tenant of the multi-tenant cloud-based IAM system by a corresponding tenant administrator or a security administrator, wherein the corresponding tenant administrator or the security administrator configures the declarative policy according to business requirements of the tenant.
  - 18. The method of claim 17, wherein the corresponding tenant administrator or the security administrator configures the declarative policy using an administration console UI.

19. A system comprising:
- a computer-readable medium storing instructions; and
  
  a processor configured to execute the instructions, wherein the instructions, when executed by the processor, cause the processor to implement policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the implementing comprising;
  
  receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;
  
  determining an applicable policy associated with the IAM service;
  
  determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
  
  obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
  
  evaluating the applicable policy at run-time using at least the obtained attribute value; and
  
  performing the IAM service based on the result of the evaluating of the policy

20. A computer-readable medium storing instructions that, when executed by a processor, cause the processor to implement policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the implementing comprising:
- receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;
  
  determining an applicable policy associated with the IAM service;
  
  determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
  
  obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
  
  evaluating the applicable policy at run-time using at least the obtained attribute value; and
  
  performing the IAM service based on the result of the evaluating of the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
PITRE, Ashutosh, WILSON, Gregg, SRINIVASAN, Prashant

Granted Patent

US 10,834,137 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

REST-BASED DECLARATIVE POLICY MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

REST-BASED DECLARATIVE POLICY MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others