Fine grained role-based access to system resources
First Claim
1. A method of providing role-based access in a networked computer system, said computer system comprising a plurality of objects on which users wish to perform operations, said method comprising the steps of:
organizing said computer system objects into a hierarchical tree structure having a plurality of parent-child object relationships, each of said computer system objects representing a computer system resource to which access is to be controlled, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
providing a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level, said Role Assignment portion and said Role Permission portion being independent of each other; and
responsive to an operation request from a requesting user, evaluating said Role Permission and Role Assignment portions of the security policy, and granting permission for said operation request only if said operation is permitted at said requesting user's assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level.
Abstract
A security policy process which provides role-based permissions for hierarchically organized system resources such as domains, clusters, application servers, and resources, as well as topic structures for messaging services. Groups of permissions are assigned to roles, and each user is assigned a role and a level of access within the hierarchy of system resources or topics. Forward or reverse inheritance is applied to each user level-role assignment such that each user is allowed all permissions for ancestors to the assigned level or descendants to the assigned level. This allows simplified security policy definition and maintenance of user permissions as each user's permission list must only be configured and managed at one hierarchical level with one role.
27 Claims
1. (Claim 1 as quoted above under First Claim; dependent claims 2 through 9 omitted.)
10. A computer readable medium encoded with software for providing role-based access in a networked computer system, said computer system comprising a plurality of objects on which users wish to perform operations, said software causing a security server to perform the steps of:
organizing said computer system objects into a hierarchical tree structure having a plurality of parent-child object relationships, each of said computer system objects representing a computer system resource to which access is to be controlled, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
providing a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
providing a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level, said Role Assignment portion and said Role Permission portion being independent of each other; and
responsive to an operation request from a requesting user, evaluating said Role Permission and Role Assignment portions of the security policy, and granting permission for said operation request only if said operation is permitted at said requesting user's assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level. (Dependent claims 11 through 18 omitted.)
19. A system for providing fine grained access control to a plurality of system objects within a networked computer system on which users wish to perform operations, said system comprising:
a hierarchical tree structure representing said system objects, each of said computer system objects representing a computer system resource to which access is to be controlled, said tree structure having a plurality of parent-child object relationships, said hierarchical tree having a topmost parent object, and each child object having one or more ancestor objects towards and including said topmost parent object;
a Role Permission portion of a security policy in which operations on said computer system objects are grouped into permission collections and are assigned to corresponding security roles, said Role Permission portion defining a unidirectional inheritance definition such that when a particular role is applied to a certain level in said hierarchical tree structure, the scope of permitted access for that role is determined according to said inheritance definition and said parent-child object relationships;
a Role Assignment portion of a security policy in which a plurality of users are assigned a security role and a hierarchy level, said Role Assignment portion and said Role Permission portion being independent of each other;
a means for receiving an operation request from a requesting user, and for transmitting an operation grant to said requesting user; and
a security server means for evaluating said Role Permission and Role Assignment portions of the security policy upon receipt of an operation request, and for granting permission for said operation request only if said operation is permitted at said requesting user's assigned role and system hierarchy level or if said operation is permitted via said inheritance definition at another system hierarchy level. (Dependent claims 20 through 27 omitted.)
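As an added illustration of the evaluation step the claims and abstract describe (example code, not from the patent), assuming a small constructed resource tree (cell, node, server, application) and two constructed policy tables: ROLE_PERMISSIONS is the Role Permission portion (role to permission collection plus an inheritance direction, forward toward descendants or reverse toward ancestors), ROLE_ASSIGNMENTS is the independent Role Assignment portion (user to one role at one level), and is_permitted grants only when the operation is in the role's collection and the target object lies inside the scope that the inheritance direction derives from the assigned level.

```python
# Constructed resource tree: each object maps to its parent; the topmost
# object ("cell") has no parent.  Names are hypothetical.
PARENT = {
    "cell": None,
    "node1": "cell", "server1": "node1", "app1": "server1",
    "node2": "cell", "server2": "node2",
}

def ancestors(obj):
    """The object itself, then each parent up to the topmost object."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = PARENT[obj]
    return chain

def descendants(obj):
    """The object itself plus every object below it in the tree."""
    out = [obj]
    for child, parent in PARENT.items():
        if parent == obj:
            out.extend(descendants(child))
    return out

# Role Permission portion: role -> (permission collection, inheritance direction).
# "forward": a role applied at a level also covers that level's descendants.
# "reverse": a role applied at a level also covers that level's ancestors.
ROLE_PERMISSIONS = {
    "operator": ({"start", "stop", "view"}, "forward"),
    "monitor":  ({"view"}, "reverse"),
    "admin":    ({"start", "stop", "view", "configure"}, "forward"),
}

# Role Assignment portion: user -> (role, hierarchy level).  Kept separate
# from ROLE_PERMISSIONS so either table can change without the other.
ROLE_ASSIGNMENTS = {
    "alice": ("operator", "node1"),
    "bob":   ("monitor", "app1"),
    "carol": ("admin", "cell"),
}

def scope(role, level):
    """Objects reachable from the assigned level under the role's inheritance."""
    direction = ROLE_PERMISSIONS[role][1]
    return set(descendants(level) if direction == "forward" else ancestors(level))

def is_permitted(user, operation, obj):
    """Grant only if the operation is in the role's collection AND the object
    is the assigned level or is reached from it via the inheritance definition."""
    assignment = ROLE_ASSIGNMENTS.get(user)
    if assignment is None:
        return False          # unknown user: default deny
    role, level = assignment
    permissions, _ = ROLE_PERMISSIONS[role]
    return operation in permissions and obj in scope(role, level)
```

Note that alice, assigned at node1 with forward inheritance, gains nothing on node2's subtree, while bob, assigned at app1 with reverse inheritance, can only view app1 and its ancestors.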