System and method for controlling access to resources in a distributed environment
Abstract
A distributed access controller for controlling access to resources in a multi-domain distributed computing environment. The access controller is configured to receive a request from a user requesting performance of one or more operations on a particular resource. The access controller attempts to resolve the requested operations based on user hierarchy information and access list information for the particular resource. If all the operations in the user's request cannot be resolved based on the user hierarchy information and the access list information for the particular resource, the access controller then attempts to resolve the unresolved operations based on the particular user's user hierarchy information in combination with resource hierarchy information, and access list information for the resources in the resource hierarchy information. In alternate embodiments, the access controller attempts to resolve the requested operations based on the resource hierarchy information and access list information for the resources in the resource hierarchy information. If all the operations in the user's request cannot be resolved based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information, the access controller then attempts to resolve the unresolved operations based on the resource hierarchy information in combination with the particular user's user hierarchy information, and the access list information for the resources in the resource hierarchy information.
28 Claims
1. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:
providing access list information for the particular resource;
providing user hierarchy information for the particular user, the user hierarchy information comprising information on hierarchy relationships between principals which include the particular user and the user's ancestors; and
determining if a permission has been asserted for the operation based on the user hierarchy information and the access list information for the particular resource wherein determining if the permission is asserted for the operation based on the user hierarchy information and the access list information for the particular resource comprises:
(a) initializing a first collection to include the particular user;
(b) determining if the permission is asserted for the operation in the access list information of the particular resource for any of the members of the first collection;
(c) if the permission is not asserted, initializing a second collection to include members of the first collection, and reinitializing the first collection, based on the user hierarchy information, to include parents of the members in the second collection;
(d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first collection includes at least one ancestor of the particular user; and
(e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
determining ancestors of the particular user from the user hierarchy information;
determining if the permission is asserted for the operation in the access list information of the particular resource for any of the ancestors; and
if the permission is asserted for the operation in the access list information of the resource for any of the ancestors, attributing the permission to the particular user for the operation to be performed on the particular resource; and
if the permission is asserted for the operation in the access list information of the particular resource, attributing the permission to the particular user for the operation to be performed on the particular resource.

5. The method of claim 1 wherein determining if the permission has been asserted for the operation based on the user hierarchy information and the access list information for the particular resource comprises:
determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
(a) initializing a first variable to indicate a first level;
(b) determining ancestors of the particular user from the user hierarchy information at a level indicated by the first variable;
(c) determining if the permission is asserted for the operation in the access list information of the particular resource for the ancestors determined in step (b);
(d) if the permission is not asserted, incrementing the first variable by one level;
(e) repeating (b), (c), and (d) while the permission is not asserted and the user hierarchy information comprises ancestors of the particular user at the level indicated by the first variable; and
(f) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

6. The method of claim 1 further comprising:
if it cannot be determined if the permission is asserted based on the user hierarchy information and the access list information;
providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource's ancestor resources;
providing access list information for the resources in the resource hierarchy information; and
determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information.

7. The method of claim 6 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
determining ancestor resources of the particular resource from the resource hierarchy information;
determining if the permission is asserted for the operation in the access list information of any of the ancestor resources for any of the principals in the user hierarchy information for the particular user; and
if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

8. The method of claim 6 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
(a) initializing a first variable to indicate a first resource level;
(b) determining ancestor resources of the particular resource from the resource hierarchy information at a level indicated by the first variable;
(c) determining if the permission is asserted for the operation in the access list information of the ancestor resources determined in (b) for the principals in the user hierarchy information for the particular user;
(d) if the permission is not asserted, incrementing the first variable by one resource level;
(e) repeating (b), (c), and (d) while the permission is not asserted and the resource hierarchy information comprises ancestor resources of the particular resource at the level indicated by the first variable; and
(f) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

9. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:
providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource's ancestor resources;
providing access list information for the resources in the resource hierarchy information; and
determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information;
wherein determining if the permission has been asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises:
determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
(a) initializing a first variable to indicate a first resource level;
(b) determining ancestor resources of the particular resource from the resource hierarchy information at a level indicated by the first variable;
(c) determining if the permission is asserted for the operation in the access list information of the ancestor resources determined in step (b) for the particular user;
(d) if the permission is not asserted, incrementing the first variable by one level;
(e) repeating (b), (c), and (d) while the permission is not asserted and the resource hierarchy information comprises ancestor resources of the particular resource at the level indicated by the first variable; and
(f) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
determining ancestor resources of the particular resource from the resource hierarchy information;
determining if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user; and
if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user, attributing the permission to the particular user for the operation to be performed on the particular resource; and
if the permission has been set for the user for the operation in the access list information of the particular resource, attributing the permission to the particular user for the operation to be performed on the particular resource.

13. The method of claim 9 wherein determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises:
(a) initializing a first resource collection to include the particular resource;
(b) determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;
(c) if the permission is not asserted, initializing a second resource collection to include only members of the first collection, and reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;
(d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and
(e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

14. The method of claim 9 further comprising:
if it cannot be determined if the permission is asserted based on the resource hierarchy information and the access list information of the resources in the resource hierarchy information;
providing user hierarchy information for the particular user, the user hierarchy information comprising information on hierarchical relationships between principals which include the particular user and the user's ancestors; and
determining if the permission has been asserted for the operation based on the user hierarchy information, the resource hierarchy information, and the access list information for the resources in the resource hierarchy information.

15. The method of claim 14 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
determining ancestors of the particular user from the user hierarchy information;
determining if the permission is asserted for the operation in the access list information of the particular resource and ancestor resources of the particular resource for ancestors of the particular user; and
if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

16. The method of claim 14 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
(a) initializing a first variable to indicate a first user level;
(b) determining ancestors of the particular user from the resource hierarchy information at a level indicated by the first variable;
(c) determining if the permission is asserted for the operation in the access list information of the resources in the resource hierarchy information for the ancestors of the particular user determined in (b);
(d) if the permission is not asserted, incrementing the first variable by one user level;
(e) repeating (b), (c), and (d) while the permission is not asserted and the user hierarchy information comprises ancestors of the particular user at the level indicated by the first variable; and
(f) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

17. A computer program product for a computer system including a processor and a memory for determining if a particular user is authorized to perform an operation on a particular resource, the program product comprising:
code for providing access list information for the particular resource;
code for providing user hierarchy information for the particular user, the user hierarchy information comprising information on hierarchical relationships between principals which include the particular user and the user's ancestors;
code for determining if a permission has been asserted for the operation based on the user hierarchy information and the access list information for the particular resource; and
a computer-readable medium for storing the codes;
wherein the code for determining if the permission has been asserted for the operation based on the user hierarchy information and the access list information for the particular resource comprises:
code for determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
(a) code for initializing a first variable to indicate a first level;
(b) code for determining ancestors of the particular user from the user hierarchy information at a level indicated by the first variable;
(c) code for determining if the permission is asserted for the operation in the access list information of the particular resource for the ancestors determined in step (b);
(d) if the permission is not asserted, code for incrementing the first variable by one level;
(e) code for repeating (b), (c), and (d) while the permission is not asserted and the user hierarchy information comprises ancestors of the particular user at the level indicated by the first variable; and
(f) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

code for determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
code for determining ancestors of the particular user from the user hierarchy information;
code for determining if the permission is asserted for the operation in the access list information of the particular resource for any of the ancestors; and
if the permission is asserted for the operation in the access list information of the resource for any of the ancestors, code for attributing the permission to the particular user for the operation to be performed on the particular resource; and
if the permission is asserted for the operation in the access list information of the particular resource, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

19. The computer program product of claim 17 wherein the code for determining if the permission is asserted for the operation based on the user hierarchy information and the access list information for the particular resource comprises:
(a) code for initializing a first collection to include the particular user;
(b) code for determining if the permission is asserted for the operation in the access list information of the particular resource for any of the members of the first collection;
(c) if the permission is not asserted, code for initializing a second collection to include members of the first collection, and code for reinitializing the first collection, based on the user hierarchy information, to include parents of the members in the second collection;
(d) if the permission is not asserted, code for repeating steps (b) and (c) while the permission is not asserted and the first collection includes at least one ancestor of the particular user; and
(e) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

20. The computer program product of claim 17 further comprising:
if it cannot be determined if the permission is asserted based on the user hierarchy information and the access list information;
code for providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource's ancestor resources;
code for providing access list information for the resources in the resource hierarchy information; and
code for determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information.

21. The computer program product of claim 20 wherein the code for determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
code for determining ancestor resources of the particular resource from the resource hierarchy information;
code for determining if the permission is asserted for the operation in the access list information of any of the ancestor resources for any of the principals in the user hierarchy information for the particular user; and
if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

22. The computer program product of claim 20 wherein the code for determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
(a) code for initializing a first variable to indicate a first resource level;
(b) code for determining ancestor resources of the particular resource from the resource hierarchy information at a level indicated by the first variable;
(c) code for determining if the permission is asserted for the operation in the access list information of the ancestor resources determined in (b) for the principals in the user hierarchy information for the particular user;
(d) if the permission is not asserted, code for incrementing the first variable by one resource level;
(e) code for repeating (b), (c), and (d) while the permission is not asserted and the resource hierarchy information comprises ancestor resources of the particular resource at the level indicated by the first variable; and
(f) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

23. A computer program product for a computer system including a processor and a memory for determining if a particular user is authorized to perform an operation on a particular resource, the program product comprising:
code for providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource's ancestor resources;
code for providing access list information for the resources in the resource hierarchy information;
code for determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information; and
a computer-readable medium for storing the codes;
wherein the code for determining if the permission has been asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises:
code for determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
(a) code for initializing a first variable to indicate a first resource level;
(b) code for determining ancestor resources of the particular resource from the resource hierarchy information at a level indicated by the first variable;
(c) code for determining if the permission is asserted for the operation in the access list information of the ancestor resources determined in step (b) for the particular user;
(d) if the permission is not asserted, code for incrementing the first variable by one level;
(e) code for repeating (b), (c), and (d) while the permission is not asserted and the resource hierarchy information comprises ancestor resources of the particular resource at the level indicated by the first variable; and
(f) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

code for determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
if the permission is not asserted;
code for determining ancestor resources of the particular resource from the resource hierarchy information;
code for determining if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user; and
if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user, code for attributing the permission to the particular user for the operation to be performed on the particular resource; and
if the permission has been set for the user for the operation in the access list information of the particular resource, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

25. The computer program product of claim 23 wherein the code for determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises:
(a) code for initializing a first resource collection to include the particular resource;
(b) code for determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;
(c) if the permission is not asserted, code for initializing a second resource collection to include only members of the first collection, and code for reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;
(d) if the permission is not asserted, code for repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and
(e) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

26. The computer program product of claim 23 further comprising:
if it cannot be determined if the permission is asserted based on the resource hierarchy information and the access list information of the resources in the resource hierarchy information;
code for providing user hierarchy information for the particular user, the user hierarchy information comprising information on hierarchical relationships between principals which include the particular user and the user's ancestors; and
code for determining if the permission has been asserted for the operation based on the user hierarchy information, the resource hierarchy information, and the access list information for the resources in the resource hierarchy information.

27. The computer program product of claim 26 wherein the code for determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
code for determining ancestors of the particular user from the user hierarchy information;
code for determining if the permission is asserted for the operation in the access list information of the particular resource and ancestor resources of the particular resource for ancestors of the particular user; and
if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.

28. The computer program product of claim 26 wherein the code for determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
(a) code for initializing a first variable to indicate a first user level;
(b) code for determining ancestors of the particular user from the resource hierarchy information at a level indicated by the first variable;
(c) code for determining if the permission is asserted for the operation in the access list information of the resources in the resource hierarchy information for the ancestors of the particular user determined in (b);
(d) if the permission is not asserted, code for incrementing the first variable by one user level;
(e) code for repeating (b), (c), and (d) while the permission is not asserted and the user hierarchy information comprises ancestors of the particular user at the level indicated by the first variable; and
(f) if the permission is asserted, code for attributing the permission to the particular user for the operation to be performed on the particular resource.
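As an added example that is not part of the patent or any product it covers, the following Python implements the procedures the claims describe: the level-by-level walk of claims 1 and 13 (`levels`), the user-only walk up the resource hierarchy of claim 9, the combined check of claims 7 and 15 over ancestor resources and ancestor principals, and the claim 1 then claim 6 ordering in `authorize`. The data model, function names, sample group tree, resource tree and access lists are all constructed for this example; returning the (principal, resource) pair that granted the permission is an addition so a decision can be audit-logged.

```python
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed data model (not the patent's): a hierarchy maps a child to its parents
# (a principal may belong to several groups, so parents are a list); an access list
# maps resource -> principal -> operations asserted for that principal. Only asserted
# (positive) permissions exist, as in the claims, so there is no deny entry to weigh.
Hierarchy = Dict[str, List[str]]
AccessList = Dict[str, Dict[str, Set[str]]]
Grant = Tuple[str, str]  # (principal, resource) whose entry asserted the permission


def asserted(acl: AccessList, resource: str, principals: Set[str], op: str) -> Optional[Grant]:
    """Is `op` asserted in the access list of `resource` for any of `principals`?
    Returns the matching (principal, resource) so the decision can be logged."""
    entries = acl.get(resource, {})
    for p in sorted(principals):  # deterministic order for the audit record
        if op in entries.get(p, set()):
            return (p, resource)
    return None


def levels(start: str, hierarchy: Hierarchy) -> Iterator[Set[str]]:
    """Steps (a)-(d) of claims 1 and 13: yield {start}, then the parents of that
    collection, then their parents, until the collection holds no further ancestors.
    Visited nodes are dropped so a cyclic or diamond-shaped hierarchy cannot loop
    forever (an addition of this example; the claims assume a well-formed tree)."""
    seen: Set[str] = {start}
    first: Set[str] = {start}
    while first:
        yield first
        second = first  # step (c): the second collection takes the first's members
        first = {p for m in second for p in hierarchy.get(m, []) if p not in seen}
        seen |= first   # and the first is reinitialised to their parents


def via_user_hierarchy(acl: AccessList, users: Hierarchy, user: str, resource: str,
                       op: str) -> Optional[Grant]:
    """Claim 1: the resource's own access list, checked for the user and then for
    each successive level of the user's ancestors."""
    for principals in levels(user, users):
        grant = asserted(acl, resource, principals, op)
        if grant:
            return grant
    return None


def via_resource_hierarchy(acl: AccessList, resources: Hierarchy, user: str,
                           resource: str, op: str) -> Optional[Grant]:
    """Claim 9: the user alone, checked against the access list of the resource and
    then of each successive level of its ancestor resources."""
    for level in levels(resource, resources):
        for r in sorted(level):
            grant = asserted(acl, r, {user}, op)
            if grant:
                return grant
    return None


def via_both(acl: AccessList, users: Hierarchy, resources: Hierarchy, user: str,
             resource: str, op: str) -> Optional[Grant]:
    """Claims 7 and 15: the access list of the resource and of every ancestor resource,
    for every principal in the user's hierarchy (the user included)."""
    principals = set().union(*levels(user, users))
    for level in levels(resource, resources):
        for r in sorted(level):
            grant = asserted(acl, r, principals, op)
            if grant:
                return grant
    return None


def authorize(acl: AccessList, users: Hierarchy, resources: Hierarchy, user: str,
              resource: str, op: str) -> Tuple[bool, Optional[Grant]]:
    """Claim 1 followed by claim 6: user hierarchy against the resource's own access
    list first; only an unresolved operation is retried over the resource hierarchy."""
    grant = (via_user_hierarchy(acl, users, user, resource, op)
             or via_both(acl, users, resources, user, resource, op))
    return (grant is not None, grant)  # no grant anywhere means deny


# Constructed sample: a group tree and a path-like resource tree.
USERS: Hierarchy = {"alice": ["dev-team"], "dev-team": ["engineering"], "engineering": ["everyone"]}
RESOURCES: Hierarchy = {"/proj/repo/file.txt": ["/proj/repo"], "/proj/repo": ["/proj"], "/proj": ["/"]}
ACL: AccessList = {
    "/proj/repo/file.txt": {"bob": {"read", "write"}},
    "/proj/repo": {"engineering": {"read"}},
    "/proj": {"everyone": {"list"}},
    "/": {"admins": {"read", "write", "delete"}},
}

if __name__ == "__main__":
    for who, res, op in [("alice", "/proj/repo/file.txt", "read"),
                         ("alice", "/proj/repo/file.txt", "write")]:
        ok, grant = authorize(ACL, USERS, RESOURCES, who, res, op)
        print(f"{who} {op} {res}: {'allow' if ok else 'deny'} via {grant}")
```

Note that alice's read on the file is resolved only by the second pass (claim 6), through the `engineering` entry on the parent directory, which is exactly the kind of inherited grant an access review should be able to trace.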
Specification