System and method for controlling access to resources in a distributed environment
First Claim
1. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:
- providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource'"'"'s ancestor resources;
providing access list information for the resources in the resource hierarchy information; and
determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information;
wherein determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises;
(a) initializing a first resource collection to include the particular resource;
(b) determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;
(c) if the permission is not asserted, initializing a second resource collection to include only members of the first collection, and reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;
(d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and
(e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource.
15 Assignments
0 Petitions
Accused Products
Abstract
A distributed access controller for controlling access to resources in a multi-domain distributed computing environment. The access controller is configured to receive a request from a user requesting performance of one or more operations on a particular resource. The access controller attempts to resolve the requested operations based on user hierarchy information and access list information for the particular resource. If all the operations in the user'"'"'s request cannot be resolved based on the user hierarchy information and the access list information for the particular resource, the access controller then attempts to resolve the unresolved operations based on the particular user'"'"'s user hierarchy information in combination with resource hierarchy information, and access list information for the resources in the resource hierarchy information. In alternate embodiments, the access controller attempts to resolve the requested operations based on the resource hierarchy information and access list information for the resources in the resource hierarchy information. If all the operations in the user'"'"'s request cannot be resolved based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information, the access controller then attempts to resolve the unresolved operations based on the resource hierarchy information in combination with the particular user'"'"'s user hierarchy information, and the access list information for the resources in the resource hierarchy information.
159 Citations
7 Claims
-
1. A computer implemented method for determining if a particular user is authorized to perform an operation on a particular resource, the method comprising:
-
providing resource hierarchy information describing hierarchical relationships between the particular resource and the particular resource'"'"'s ancestor resources;
providing access list information for the resources in the resource hierarchy information; and
determining if a permission is asserted for the operation based on the resource hierarchy information and access list information for the resources in the resource hierarchy information;
wherein determining if the permission is asserted for the operation based on the resource hierarchy information and the access list information for the resources in the resource hierarchy information comprises;
(a) initializing a first resource collection to include the particular resource;
(b) determining if the permission is asserted for the operation in the access list information of the members of the first collection for the particular user;
(c) if the permission is not asserted, initializing a second resource collection to include only members of the first collection, and reinitializing the first resource collection, based on the resource hierarchy information, to include only parents of the members in the second resource collection;
(d) if the permission is not asserted, repeating steps (b) and (c) while the permission is not asserted and the first resource collection includes at least one ancestor resource of the particular resource; and
(e) if the permission is asserted, attributing the permission to the particular user for the operation to be performed on the particular resource. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
Specification