Mechanism for determining restrictions to impose on an implementation of a service
First Claim
1. In a system wherein an application requests an implementation of a particular service, a method for determining restrictions to impose on the implementation, comprising:
- determining whether any permissions have been granted to the application requesting the implementation; and
in response to a determination that at least one permission has been granted to the application, processing said permission to derive a set of zero or more restrictions to impose on the implementation.
2 Assignments
0 Petitions
Accused Products
Abstract
A mechanism for determining restrictions to impose on an implementation of a service is disclosed. When an application desires an implementation for a particular service, the application makes a request to a framework. The framework receives the request and, in response, determines what restrictions, if any, need to be imposed on the requested implementation. The restrictions are determined by determining whether any permissions have been granted to the application requesting the implementation, and if so, processing the permissions to derive a set of zero or more restrictions to impose on the implementation. The permissions are processed such that the set of restrictions is least restrictive. Once the restrictions are determined, the framework dynamically constructs the requested implementation. The requested implementation is constructed such that it incorporates a general implementation of the service, the restrictions, and enforcement logic for enforcing the restrictions on the general implementation. Once the requested implementation is constructed, it is provided to the application. Thereafter, the application invokes the requested implementation directly for services. Since the requested implementation incorporates the restrictions and enforcement logic for enforcing the restrictions, it will guarantee that the restrictions are enforced.
-
Citations
42 Claims
-
1. In a system wherein an application requests an implementation of a particular service, a method for determining restrictions to impose on the implementation, comprising:
-
determining whether any permissions have been granted to the application requesting the implementation; and
in response to a determination that at least one permission has been granted to the application, processing said permission to derive a set of zero or more restrictions to impose on the implementation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
in response to a determination that no permissions have been granted to the application, accessing a set of default limitations; and
deriving said set of zero or more restrictions based upon said default limitations.
-
-
4. The method of claim 3, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
5. The method of claim 1, wherein processing said permission comprises:
-
determining whether said permission is an all-encompassing permission; and
in response to a determination that said permission is an all-encompassing permission, providing an indication that the implementation is unrestricted.
-
-
6. The method of claim 1, wherein processing said permission comprises:
-
determining whether said permission requires an exemption mechanism to be implemented; and
in response to a determination that said permission does not require an exemption mechanism to be implemented, deriving said set of zero or more restrictions based upon said permission.
-
-
7. The method of claim 6, wherein deriving said restrictions comprises:
-
determining whether said permission specifies a set of parameters; and
in response to a determination that said permission specifies a set of parameters, deriving said set of zero or more restrictions based upon said parameters.
-
-
8. The method of claim 6, wherein deriving said restrictions comprises:
-
determining whether said permission specifies a set of parameters; and
in response to a determination that said permission does not specify a set of parameters, providing an indication that the implementation is unrestricted.
-
-
9. The method of claim 1, wherein processing said permission comprises:
-
determining whether said permission requires a particular exemption mechanism to be implemented; and
in response to a determination that said permission requires a particular exemption mechanism to be implemented, accessing a set of exempt limitations; and
reconciling said permission and said exempt limitations to derive said set of zero or more restrictions.
-
-
10. The method of claim 9, wherein reconciling said permission and said exempt limitations comprises:
-
determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, deriving said set of zero or more restrictions based upon said exempt limitations.
-
-
11. The method of claim 9, wherein reconciling said permission and said exempt limitations comprises:
-
determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, accessing a set of default limitations; and
deriving said set of zero or more restrictions based upon said default limitations.
-
-
12. The method of claim 9, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
13. The method of claim 1, wherein determining whether any permissions have been granted to the application comprises:
traversing a call stack to determine which application requested the implementation.
-
14. The method of claim 13, wherein determining whether any permissions have been granted to the application further comprises:
authenticating the application.
-
15. In a system wherein an application requests an implementation of a particular service, an apparatus for determining restrictions to impose on the implementation, comprising:
-
a mechanism for determining whether any permissions have been granted to the application requesting the implementation; and
a mechanism for processing, in response to a determination that at least one permission has been granted to the application, said permission to derive a set of zero or more restrictions to impose on the implementation. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
a mechanism for accessing, in response to a determination that no permissions have been granted to the application, a set of default limitations; and
a mechanism for deriving said set of zero or more restrictions based upon said default limitations.
-
-
18. The apparatus of claim 17, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
19. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
-
a mechanism for determining whether said permission is an all-encompassing permission; and
a mechanism for providing, in response to a determination that said permission is an all-encompassing permission, an indication that the implementation is unrestricted.
-
-
20. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
-
a mechanism for determining whether said permission requires an exemption mechanism to be implemented; and
a mechanism for deriving, in response to a determination that said permission does not require an exemption mechanism to be implemented, said set of zero or more restrictions based upon said permission.
-
-
21. The apparatus of claim 20, wherein the mechanism for deriving said restrictions comprises:
-
a mechanism for determining whether said permission specifies a set of parameters; and
a mechanism for deriving, in response to a determination that said permission specifies a set of parameters, said set of zero or more restrictions based upon said parameters.
-
-
22. The apparatus of claim 20, wherein the mechanism for deriving said restrictions comprises:
-
a mechanism for determining whether said permission specifies a set of parameters; and
a mechanism for providing, in response to a determination that said permission does not specify a set of parameters, an indication that the implementation is unrestricted.
-
-
23. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
-
a mechanism for determining whether said permission requires a particular exemption mechanism to be implemented; and
a mechanism for accessing, in response to a determination that said permission requires a particular exemption mechanism to be implemented, a set of exempt limitations; and
a mechanism for reconciling said permission and said exempt limitations to derive said set of zero or more restrictions.
-
-
24. The apparatus of claim 23, wherein the mechanism for reconciling said permission and said exempt limitations comprises:
-
a mechanism for determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
a mechanism for deriving, in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, said set of zero or more restrictions based upon said exempt limitations.
-
-
25. The apparatus of claim 23, wherein the mechanism for reconciling said permission and said exempt limitations comprises:
-
a mechanism for determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
a mechanism for accessing, in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, a set of default limitations; and
a mechanism for deriving said set of zero or more restrictions based upon said default limitations.
-
-
26. The apparatus of claim 23, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
27. The apparatus of claim 15, wherein the mechanism for determining whether any permissions have been granted to the application comprises:
a mechanism for traversing a call stack to determine which application requested the implementation.
-
28. The apparatus of claim 27, wherein the mechanism for determining whether any permissions have been granted to the application further comprises:
a mechanism for authenticating the application.
-
29. A computer readable medium having stored thereon instructions which, when executed by one or more processors, cause the one or more processors to determine restrictions to impose on an implementation of a particular service requested by an application, said computer readable medium comprising:
-
instructions for causing one or more processors to determine whether any permissions have been granted to the application requesting the implementation; and
instructions for causing one or more processors to process, in response to a determination that at least one permission has been granted to the application, said permission to derive a set of zero or more restrictions to impose on the implementation. - View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
instructions for causing one or more processors to access, in response to a determination that no permissions have been granted to the application, a set of default limitations; and
instructions for causing one or more processors to derive said set of zero or more restrictions based upon said default limitations.
-
-
32. The computer readable medium of claim 31, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
33. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
-
instructions for causing one or more processors to determine whether said permission is an all-encompassing permission; and
instructions for causing one or more processors to provide, in response to a determination that said permission is an all-encompassing permission, an indication that the implementation is unrestricted.
-
-
34. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
-
instructions for causing one or more processors to determine whether said permission requires an exemption mechanism to be implemented; and
instructions for causing one or more processors to derive, in response to a determination that said permission does not require an exemption mechanism to be implemented, said set of zero or more restrictions based upon said permission.
-
-
35. The computer readable medium of claim 34, wherein the instructions for causing one or more processors to derive said restrictions comprises:
-
instructions for causing one or more processors to determine whether said permission specifies a set of parameters; and
instructions for causing one or more processors to derive, in response to a determination that said permission specifies a set of parameters, said set of zero or more restrictions based upon said parameters.
-
-
36. The apparatus of claim 34, wherein the instructions for causing one or more processors to derive said restrictions comprises:
-
instructions for causing one or more processors to determine whether said permission specifies a set of parameters; and
instructions for causing one or more processors to provide, in response to a determination that said permission does not specify a set of parameters, an indication that the implementation is unrestricted.
-
-
37. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
-
instructions for causing one or more processors to determine whether said permission requires a particular exemption mechanism to be implemented; and
instructions for causing one or more processors to access, in response to a determination that said permission requires a particular exemption mechanism to be implemented, a set of exempt limitations; and
instructions for causing one or more processors to reconcile said permission and said exempt limitations to derive said set of zero or more restrictions.
-
-
38. The computer readable medium of claim 37, wherein the instructions for causing one or more processors to reconcile said permission and said exempt limitations comprises:
-
instructions for causing one or more processors to determine whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
instructions for causing one or more processors to derive, in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, said set of zero or more restrictions based upon said exempt limitations.
-
-
39. The computer readable medium of claim 37, wherein the instructions for causing one or more processors to reconcile said permission and said exempt limitations comprises:
-
instructions for causing one or more processors to determine whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
instructions for causing one or more processors to access, in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, a set of default limitations; and
instructions for causing one or more processors to derive said set of zero or more restrictions based upon said default limitations.
-
-
40. The computer readable medium of claim 37, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
-
41. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to determine whether any permissions have been granted to the application comprises:
instructions for causing one or more processors to traverse a call stack to determine which application requested the implementation.
-
42. The computer readable medium of claim 41, wherein the instructions for causing one or more processors to determine whether any permissions have been granted to the application further comprises:
instructions for causing one or more processors to authenticate the application.
Specification