Composable roles
Abstract
An application developer grants access privileges to application processing services in an object-based application by defining logical classes of users called roles. When the application is deployed on a host computer system, an administrator populates the roles with users and groups recognized by the host computer system. At runtime, a user is not permitted access to a processing service unless the user is a member of a permitted role for the processing service. To ease administration, two or more roles can be composed. In one implementation, roles are associated with a separate composite role. The administrator can then populate the composite role instead of individually populating each of the roles associated with the composite role. In another implementation, the administrator can specify that a role follows another role; user identities in the followed role are automatically considered members of the following role. Additional features include an installation utility to help compose roles when installing an application on the host computer system. An exemplary security framework for implementing composable roles relieves application developers from including security logic in application components.
27 Claims
1. A computer-implemented method of defining security for an application set comprising at least one application, the method comprising:
at development of an application in the application set, defining a plurality of roles for the application to specify access privileges to processing services provided by the application;
at deployment of the application, binding one of the roles to a composite role;
at deployment of the application, binding the composite role to at least one user identity; and
at runtime of the application, granting a user identity access to a processing service provided by the application if a role having access privileges to the processing service is bound to a composite role bound to the user identity.
Dependent claims: 2, 3, 4, 5.
altering identities having access privileges for processing services defined for the plurality of roles bound to the composite role by altering the identities bound to the composite role.
6. A computer-implemented method of providing runtime security to an object application set comprising at least two applications, wherein processing services are provided by the applications in the application set, the method comprising:
at development of applications in the application set, performing the steps of:
(a) defining a plurality of roles for the application; and
(b) declaring access privileges of the roles to the processing services of the application; and
at deployment of the applications in the application set on a computer system having a security configuration comprising a plurality of identities associated with users, performing the steps of:
(a) binding at least one of the roles to at least one composite role; and
(b) binding the composite role to at least one of the identities.
Dependent claims: 7, 8, 9, 10, 11, 12.
at runtime, providing an affirmative response to a request to determine whether a specified identity is a member of a role if the specified identity is bound to a composite role bound to the role.
9. The method of claim 6 wherein at least one composite role is also an application role defined at development of an application.
10. The method of claim 6 wherein at least one composite role is bound to a plurality of application roles, wherein a first application role of the application roles is an application role defined at development time of a first application, and a second application of the application roles is an application role defined at development time of a second application different from the first.
11. The method of claim 6 wherein a first application is installed on a host computer, the method further comprising:
at deployment of a second application on the host computer, automatically selecting a new role from the second application; and
binding the new role to a composite role having members identical to those bound to a role in the first application.
12. The method of claim 11 wherein the selecting step is performed by an installation utility and the role in the first application is selected by a user from a list of roles in the first application presented by the installation utility.
13. In a computer system having a security configuration comprising a plurality of identities associated with users, a computer-implemented method of enforcing security for a first application and a second application, wherein the first application provides a first group of processing services and the second application provides a second group of processing services, wherein access privileges to the first group of processing services is limited to a first set of roles declared at development time of the first application and access privileges to the second group of processing services is limited to a second set of roles declared at development time of the second application, the method comprising:
defining at least one composite role;
populating the composite role with a set of user identities;
mapping at least a first role from the first set of roles and a second role from the second set of roles to the composite role;
at runtime, determining whether an identity is a member of a role mapped to the composite role by comparing the identity to the set of user identities populating the composite role; and
denying access to a processing service if the processing service is requested by a user identity not a member of a role having access privileges to the processing service.
Dependent claims: 14.
15. A computer-implemented method of installing a package having a first set of roles defined for a first application on a computer system having installed thereon a second application, wherein a second set of roles for the second application is defined in a catalog on the computer system, the method comprising:
importing the roles defined for the first application from the package into the catalog;
composing the first and second applications by binding in the catalog a first role defined for the first application to a second role defined for the second application.
Dependent claims: 16, 17.
altering membership of the first role and the second role by performing a change operation on membership of the second role.
18. A security administration utility for managing membership of roles defined for a plurality of applications installed on a host computer system, the administration utility comprising:
code for presenting a graphical user interface for selecting one of the roles and populating the selected role to add identities to the selected role's membership;
code for composing a first one of the roles and a second one of the roles having a membership by binding the first role to the membership of the second role; and
code for writing the role's bindings to a central store on the host computer system.
Dependent claims: 19, 20.
21. A security service for monitoring calls to a plurality of secured objects to limit access to the secured objects to specified sets of user identities, the service comprising:
a central store of security settings comprising:
(a) entries binding roles to identities, wherein at least two roles are transitively bound to a same set of identities by being bound to a composite role bound to the set of identities; and
(b) entries indicating which roles have access privileges to the secured objects;
a role membership manager operative to add an additional identity to the composite role by binding the composite role to the additional identity; and
a runtime service operative to monitor a call to one of the secured objects, the runtime service further operative to determine a caller identity associated with the call and allow the call only if the central store indicates the caller identity is bound to a role having access privileges to the secured object, wherein transitively bound identities are considered bound identities.
Dependent claims: 22, 23, 24.
a runtime service operative to receive a specified role from an inquiring caller and further operative to indicate the inquiring caller to the runtime service is in the specified role if the inquiring caller's identity is bound to the role, wherein transitively bound identities are considered bound identities.
24. The method of claim 23 wherein the runtime service is implemented in a wrapper interposed before the called secured object.
25. A computer-readable medium having stored thereon a data structure for limiting access to processing services provided by a plurality of object-based applications having roles for defining access to the processing services by mapping processing services to user identifiers, the data structure comprising:
for each application, a set of processing service entries binding a processing service with a role permitted to access the processing service;
at least one composite role entry binding a first role defined for a first application with a second role defined for a second application; and
for each composite role entry, a set of user identifiers bound to the composite role entry;
wherein the data structure maps a particular processing service to a particular user identifier if the particular processing service is bound to a particular role, the particular role is bound to a particular composite role, and the particular role is bound to the particular user identifier.
Dependent claims: 26, 27.
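The central store and runtime check described in the abstract and in claims 21 and 25, as an added Python example that is not part of the patent or any product implementing it. The RoleStore class, the application and role names, the service names and the identities are constructed for illustration; the "follows" binding models the abstract's second implementation, where members of a followed role are automatically members of the following role.

```python
from collections import defaultdict

class RoleStore:
    """Central store of security settings (cf. claims 21 and 25); constructed for this example."""
    def __init__(self):
        self.service_roles = defaultdict(set)  # (b) service -> roles permitted to call it
        self.members = defaultdict(set)        # (a) role or composite role -> identities bound directly
        self.composite_of = {}                 # application role -> composite role it is bound to
        self.follows = {}                      # following role -> followed role
    def declare_access(self, service, role):       # development time: role may call service
        self.service_roles[service].add(role)
    def bind_to_composite(self, role, composite):  # deployment time: compose roles
        self.composite_of[role] = composite
    def follow(self, following, followed):         # deployment time: inherit the followed role's members
        self.follows[following] = followed
    def populate(self, role, *identities):         # administrator populates a role or composite role
        self.members[role].update(identities)
    def is_member(self, identity, role, seen=None):
        """Runtime membership query; transitively bound identities count as bound."""
        seen = set() if seen is None else seen
        if role in seen:                            # stop on binding cycles or already-explored roles
            return False
        seen.add(role)
        if identity in self.members.get(role, ()):
            return True
        links = (self.composite_of.get(role), self.follows.get(role))
        return any(l is not None and self.is_member(identity, l, seen) for l in links)
    def check_call(self, identity, service):
        """Runtime service: allow the call only if the caller is in a role permitted for the service."""
        return any(self.is_member(identity, r) for r in self.service_roles.get(service, ()))

def build_example_store():
    """Constructed scenario: roles from two applications composed through one composite role."""
    s = RoleStore()
    # development time: each application declares its own roles and their access privileges
    s.declare_access("payroll.approve", "payroll:approver")
    s.declare_access("benefits.enroll", "benefits:enroller")
    s.declare_access("reports.view", "reports:viewer")
    # deployment time: the administrator binds both application roles to one composite role
    s.bind_to_composite("payroll:approver", "HRStaff")
    s.bind_to_composite("benefits:enroller", "HRStaff")
    s.populate("HRStaff", "alice")                  # populate the composite once, not each role
    s.populate("reports:viewer", "bob")             # a role may also be populated directly
    s.follow("reports:viewer", "payroll:approver")  # approvers are automatically viewers
    return s
```

Adding an identity to HRStaff grants it every service bound to either application role, which is the single-point administration the abstract describes.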