Techniques for supporting application-specific access controls with a separate server

US 7,020,653 B2
Filed: 02/10/2003
Issued: 03/28/2006
Est. Priority Date: 11/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to application-specific operations performed by an application, comprising the steps of:

receiving privilege information at a server that is distinct from the application;

causing the server to determine, based on the privilege information, whether a particular application-specific operation is allowed under a particular set of conditions; and

causing the server to communicate to the application an indication of whether the particular application-specific operation is allowed under said particular set of conditions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for supporting access controls on application-specific operations performed by an application include receiving first data at a server distinct from the application. The first data describes a first set of privileges for performing a first set of application-specific operations. Second data is also received at the server. The second data associates a first user of the application with a privilege in the first set of privileges. In response to receiving a request at the server from the application, it is determined whether a particular user may have the application perform a particular application-specific operation based on the first data and the second data. The request indicates the particular user and the particular application-specific operation. A response is sent to the application. The response indicates whether the particular user may have the application perform the particular application-specific operation.

Citations

38 Claims

1. A method for controlling access to application-specific operations performed by an application, comprising the steps of:
- receiving privilege information at a server that is distinct from the application;
  
  causing the server to determine, based on the privilege information, whether a particular application-specific operation is allowed under a particular set of conditions; and
  
  causing the server to communicate to the application an indication of whether the particular application-specific operation is allowed under said particular set of conditions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 wherein the step of receiving privilege information includes receiving, at said server, first data that describes a first set of privileges for performing a first plurality of application-specific operations.
  - 3. The method of claim 2 wherein the step of receiving privilege information further includes receiving, at said server, second data that associates users of the application with one or more privileges in the first set of privileges.
  - 4. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 3.
  - 5. The method of claim 2, said step of managing the cache further comprising the step of storing in the cache data indicating a type of data item associated with each user.
  - 6. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 5.
  - 7. The method of claim 2, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
  - 8. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 7.
  - 9. The method of claim 1 further comprising the steps of:
    - in response to receiving, at the server from the application, a request that indicates a particular user and a particular application-specific operation, determining whether the particular user may have the application perform the particular application-specific operation based on the privilege information; and
      
      wherein the step of causing the server to communicate to the application an indication includes the step of sending to the application a response that indicates whether the particular user may have the application perform the particular application-specific operation.
  - 10. The method of claim 9, wherein:
    - said step of receiving privilege information further comprises receiving first data that associates a first set of privileges with a first type of data items upon which the plurality of application-specific operations operate; and
      
      said step of receiving the request further comprises receiving a request that also indicates a particular data item; and
      
      said step of determining whether the particular user may have the application perform the particular application-specific operation further comprises determining whether the particular data item is a member of the first type of data items.
  - 11. The method of claim 10, wherein:
    - the method further comprises receiving, at the server, second data that describes a second set of privileges for performing a second plurality of application-specific operations on a second type of data items that is different than said first type of data items; and
      
      said step of determining whether the particular user may have the application perform the particular application-specific operation is based, in part, on the particular type of the particular data item.
  - 12. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 11.
  - 13. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 10.
  - 14. The method of claim 9, said step of determining whether the particular user may have the application perform the particular application-specific operation further comprising the step of managing a cache in fast memory for storing information that associates each of one or more users with one or more privileges in each of one or more sets of privileges.
  - 15. The method of claim 14, said step of managing the cache further comprising the step of storing in the cache a bitmap for each user, wherein:
    - each set of privileges forms a hierarchy of one or more levels of privileges;
      
      each different position in the bitmap corresponds to one different leaf node in each hierarchy of the one or more sets of privileges; and
      
      a leaf node is a node of a hierarchy that does not have any child node.
  - 16. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 15.
  - 17. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 14.
  - 18. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 9.
  - 19. The method of claim 1, said step of receiving privilege information comprises receiving a document in extensible markup language (XML).
  - 20. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 19.
  - 21. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 1.
  - 22. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 2.

23. A method for controlling access to application-specific operations performed by an application, comprising the steps of:
- communicating privilege information to a server that is distinct from the application;
  
  sending a request, from the application to the server, for the server to determine, based on the privilege information, whether a particular application-specific operation is allowed under a particular set of conditions;
  
  receiving from the server an indication of whether the particular application-specific operation is allowed under said particular set of conditions; and
  
  the application only allowing the particular application-specific operation if the server indicated that the application-specific operation was allowed under said particular set of conditions.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 24. The method of claim 23 wherein:
    - the step of communicating privilege information to a server includes;
      
      sending, to a server distinct from the application, first data that describes a first set of privileges for performing a first plurality of application-specific operations; and
      
      sending to the server second data that associates a first user of the application with a privilege in the first set of privileges.
  - 25. The method of claim 24, wherein:
    - said step of sending the first data further comprises sending first data that also associates the first set of privileges with a first type of data items upon which the plurality of application-specific operations operate; and
      
      said step of sending the request further comprises sending the request that also indicates a particular data item; and
      
      said step of receiving the response based on the first data and the second data further comprises receiving the response also based on whether the particular data item is a member of the first type of data items.
  - 26. The method of claim 25, wherein:
    - the method further comprises sending to the server third data that describes a different second set of privileges for performing a second plurality of application-specific operations on a different second type of data items; and
      
      said step of sending the second data further comprises sending second data that also associates a second user of the application with a privilege in the second hierarchy of privileges; and
      
      said step of receiving the response based on the first data and the second data further comprises receiving the response also based on whether a particular type of the particular data item is associated with a particular set of privileges for a particular plurality of application-specific operations that include the particular application-specific operation.
  - 27. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 26.
  - 28. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 25.
  - 29. The method of claim 24, wherein the application does not manage a cache in fast memory for storing information that associates each of one or more users with one or more privileges in each of one or more sets of privileges including the first set of privileges.
  - 30. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 29.
  - 31. The method of claim 24, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
  - 32. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 31.
  - 33. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 24.
  - 34. The method of claim 23 further comprising the steps of:
    - receiving at the application a command from a particular user, which command involves the application performing a particular application-specific operation;
      
      sending to the server a request that indicates the particular user and the particular application-specific operation;
      
      wherein the step of receiving from the server an indication of whether the particular application-specific operation is allowed under said particular set of conditions includes receiving from the server a response that indicates whether the particular user may have the application perform the particular application-specific operation based on the first data and the second data; and
      
      performing the particular application-specific operation only if the response indicates the particular user may have the application perform the particular application-specific operation.
  - 35. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 34.
  - 36. The method of claim 23, said step of communicating privilege information further comprises sending a document in extensible markup language (XML).
  - 37. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 36.
  - 38. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 23.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Idicula, Sam, Murthy, Ravi, Agarwal, Nipun
Primary Examiner(s)
Mizrahi, Diane D.

Application Number

US10/364,610
Publication Number

US 20040088340A1
Time in Patent Office

1,142 Days
Field of Search

707 1- 10, 707100-1041, 707200-205, 709/237, 709/216, 709/217, 709/207, 710/62, 713/200, 713/201, 711/164, 715/511, 370/450
US Class Current

709/203
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/629   to features or functions of...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/956   Hierarchical

Techniques for supporting application-specific access controls with a separate server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for supporting application-specific access controls with a separate server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links