System and method for controlling access to resources in a distributed environment

US 6,944,777 B1
Filed: 06/14/2000
Issued: 09/13/2005
Est. Priority Date: 05/15/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:

providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource'"'"'s ancestor resources;

providing access list information for the resources in the resource hierarchy information; and

determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information;

wherein determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises;

(a) initializing a first resource collection to include the particular resource;

(b) determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;

(c) if the permission is not asserted, initializing a second resource collection to include only members of the first collection, and reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;

(d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and

(e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed access controller for controlling access to resources in a multi-domain distributed computing environment. The access controller is configured to receive a request from a user requesting performance of one or more operations on a particular resource. The access controller attempts to resolve the requested operations based on user hierarchy information and access list information for the particular resource. If all the operations in the user'"'"'s request cannot be resolved based on the user hierarchy information and the access list information for the particular resource, the access controller then attempts to resolve the unresolved operations based on the particular user'"'"'s user hierarchy information in combination with resource hierarchy information, and access list information for the resources in the resource hierarchy information. In alternate embodiments, the access controller attempts to resolve the requested operations based on the resource hierarchy information and access list information for the resources in the resource hierarchy information. If all the operations in the user'"'"'s request cannot be resolved based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information, the access controller then attempts to resolve the unresolved operations based on the resource hierarchy information in combination with the particular user'"'"'s user hierarchy information, and the access list information for the resources in the resource hierarchy information.

159 Citations

7 Claims

1. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:
- providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource'"'"'s ancestor resources;
  
  providing access list information for the resources in the resource hierarchy information; and
  
  determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information;
  
  wherein determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises;
  
  (a) initializing a first resource collection to include the particular resource;
  
  (b) determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;
  
  (c) if the permission is not asserted, initializing a second resource collection to include only members of the first collection, and reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;
  
  (d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and
  
  (e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the permission for the operation is a positive permission indicating that the particular user is authorized to perform the operation on the particular resource, or a negative permission indicating that the particular user is prohibited from performing the operation on the particular resource.
  - 3. The method of claim 1 wherein the access list information for the resources includes information indicating operations which can be performed on the resources, users which can perform operations on the resources, and permissions for the users and operations.
  - 4. The method of claim 1 wherein determining if the permission has been asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises:
    - determining if the permission is asserted for the operation in the access list information of the particular resource for the particular user;
      
      if the permission is not asserted;
      
      determining ancestor resources of the particular resource from the resource hierarchy information;
      
      determining if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user; and
      
      if the permission is asserted for the operation in the access list information of the ancestor resources for the particular user, attributing the permission to the particular user for the operation to be performed on the particular resource; and
      
      if the permission has been set for the user for the operation in the access list information of the particular resource, attributing the permission to the particular user for the operation to be performed on the particular resource.
  - 5. The method of claim 1 further comprising:
    - if it cannot be determined if the permission is asserted based on the resource hierarchy information and the access list information of the resources in the resource hierarchy information;
      
      providing user hierarchy information for the particular user, the user hierarchy information comprising information on hierarchical relationships between principals which include the particular user and the user'"'"'s ancestors; and
      
      determining if the permission has been asserted for the operation based on the user hierarchy information, the resource hierarchy information, and the access list information for the resources in the resource hierarchy information.
  - 6. The method of claim 5 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
    - determining ancestors of the particular user from the user hierarchy information;
      
      determining if the permission is asserted for the operation in the access list information of the particular resource and ancestor resources of the particular for ancestors of the particular user; and
      
      if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.
  - 7. The method of claim 5 wherein determining if the permission is asserted for the operation based on the user hierarchy information, the resource hierarchy information, and access list information for the resources in the resource hierarchy information comprises:
    - (a) initializing a first variable to indicate a first user level;
      
      (b) determining ancestors of the particular user from the resource hierarchy information at a level indicated by the first variable;
      
      (c) determining if the permission is asserted for the operation in the access list information of the resources in the resource hierarchy information for the ancestor of the particular user determined in (b);
      
      (d) if the permission is not asserted, incrementing the first variable by one user level;
      
      (e) repeating (b), (c), and (d) while the permission is not asserted and the user hierarchy information comprises ancestors of the particular user at the level indicated by the first variable; and
      
      (f) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ileverage (Infor Incorporated)
Original Assignee
EPiphany Incorporated (Infor Incorporated)
Inventors
Garg, Suneet, Belani, Eshwar, Katiyar, Dinesh
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/594,869
Time in Patent Office

1,917 Days
Field of Search

713200-202, 709/223, 709/226, 709/227, 709/229, 707/1, 707/9, 707/10, 707/100, 707/103, 707/103.Y, 707/103.Z, 707/103.R
US Class Current

713/150
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

Y10S 707/99939   Privileged access

System and method for controlling access to resources in a distributed environment

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

159 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling access to resources in a distributed environment

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links