Methods and apparatus for controlling access to a resource
First Claim
1. A method for providing access control in a computing system environment, the method comprising the steps of:
- receiving an access request;
- selecting, based on the access request, a set of rules containing at least one rule from a master set of rules; and
- producing an access control decision based on performing rule operations in a given rule of the selected set of rules by sequentially performing rule operations in the given rule until performing a disregard instruction, the disregard instruction including disregard criteria identifying a type of other rule operations in the selected set of rules to disregard from performing; and
- after performing the disregard instruction in the given rule:
  - i) evaluating the disregard criteria against any remaining unperformed rule operations in other rules of the selected set of rules, the other rules being rules other than the given rule;
  - ii) marking any remaining unperformed rule operations in the other rules of the selected set of rules that match the disregard criteria to be disregarded from further rule processing; and
  - iii) executing remaining unmarked rule operations in the other rules in the selected set of rules;
- wherein the step of selecting includes the steps of:
  - determining an identity of a resource in the computing system environment to which access is requested in the access request; and
  - applying at least one filter operation, using the identity of the resource, for rules in the at least one master set of rules to produce the selected set of rules for use in determining the access control decision to the resource; and
- wherein the method further includes the step of determining a role identity of a requestor submitting the access request; and
- wherein the step of performing includes sequentially processing each rule operation in the selected set of rules using the role identity of the requestor submitting the access request in combination with the identity of the resource to determine if the requestor using the role identity can access the resource.
Abstract
An input/output interface receives an access request from a requester. A processor associated with the input/output interface applies a filter operation to select a subset of rules from a master set of rules maintained within an authorization database. Rules can be selected in this manner using filter operations so that all rules in the rule set need not be processed. A rule may include a disregard instruction. The processor further performs at least one rule operation based on the subset of rules to produce an access control decision in the memory system until either a rule operation including a disregard instruction is performed to limit performance of rule operations in the selected set of rules or until all rule operations in the selected set of rules that are applicable to the access control decision are performed.
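The mechanism described above, as an added illustration that is not the patent's own code: a small Python model in which a filter on the resource identity selects a subset of the master rules, rule operations run in sequence, and a conditional disregard instruction marks matching not-yet-performed operations in the other selected rules so they are skipped. The rule names, roles and resources are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    kind: str                        # "grant", "deny" or "disregard"
    roles: frozenset = frozenset()   # roles a grant/deny op applies to
    disregard_kind: str = ""         # disregard: type of op to skip in other rules
    when_role: str = ""              # disregard: condition (requestor role) to fire

@dataclass(frozen=True)
class Rule:
    name: str
    resource_filter: str             # resource identity, or "*" for any resource
    ops: tuple

def select_rules(master, resource):  # filter operation on the resource identity
    return [r for r in master if r.resource_filter in (resource, "*")]

def decide(master, role, resource):
    """Sequentially perform rule operations; return (decision, skipped ops)."""
    rules = select_rules(master, resource)
    skipped = set()                  # (rule index, op index) marked to disregard
    permitted = denied = False       # default deny when nothing grants access
    for i, rule in enumerate(rules):
        for j, op in enumerate(rule.ops):
            if (i, j) in skipped:
                continue             # marked by an earlier disregard instruction
            if op.kind == "disregard":
                if op.when_role and op.when_role != role:
                    continue         # conditional disregard: condition not met
                # Mark matching, not-yet-performed ops in the *other* rules only.
                for k in range(i + 1, len(rules)):
                    for m, other in enumerate(rules[k].ops):
                        if other.kind == op.disregard_kind:
                            skipped.add((k, m))
            elif role in op.roles:
                if op.kind == "deny":
                    denied = True    # an explicit deny is not overridden by grants
                elif op.kind == "grant":
                    permitted = True
    return ("permit" if permitted and not denied else "deny"), skipped

# Constructed master rule set for illustration (names are not from the patent).
MASTER = (
    Rule("admin-override", "payroll-db", (
        Op("grant", frozenset({"admin"})),
        Op("disregard", disregard_kind="deny", when_role="admin"))),
    Rule("maintenance-window", "payroll-db", (
        Op("deny", frozenset({"admin", "contractor"})),
        Op("grant", frozenset({"hr"})))),
    Rule("portal-access", "hr-portal", (Op("grant", frozenset({"contractor", "hr"})),)),
)
```

With these rules an admin requesting `payroll-db` is permitted only because the disregard instruction in `admin-override` marks the deny operation in `maintenance-window`; a contractor hits that deny and a request for `hr-portal` never selects the payroll rules at all.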
Claims (30)
1. (Independent claim; text as given under First Claim above. Dependent claims 2, 3, 4, 5.)
6. A computer system configured to provide access control, the computer system comprising:

at least one input/output interface; a processor; a memory system encoded with an authorization program; at least one authorization database; an interconnection mechanism coupling the processor, the at least one input/output interface, the memory system, and the at least one authorization database; based at least in part on the processor executing the authorization program, the processor supporting steps of: receiving an access request; selecting, based on the access request, a set of rules containing at least one rule from a master set of rules; producing an access control decision based on performing rule operations in a given rule of the selected set of rules by sequentially performing rule operations in the given rule until performing a disregard instruction, the disregard instruction including disregard criteria identifying a type of other rule operations in the selected set of rules to disregard from performing; and after performing the disregard instruction in the given rule: i) evaluating the disregard criteria against any remaining unperformed rule operations in other rules of the selected set of rules, the other rules being rules other than the given rule; ii) marking any remaining unperformed rule operations in the other rules of the selected set of rules that match the disregard criteria to be disregarded from further rule processing; and iii) executing remaining unmarked rule operations in the other rules in the selected set of rules.

(Dependent claims 7, 8, 9, 10, 11.)
12. A method for providing access control in a computing system environment, the method comprising the steps of:

receiving an access request; selecting, based on the access request, a set of rules containing multiple rules from at least one master set of rules, at least one of the multiple rules including multiple rule operations to be performed in sequential order; for a first rule of the multiple rules: performing a filter operation associated with the first rule to identify whether to execute any rule operations in the first rule; and performing multiple operations in the first rule to determine whether to provide access to a storage system in response to receiving the access request, the first rule including a disregard instruction that, when executed, limits performance to fewer than all rule operations in a second rule of the selected set of rules as specified by disregard criteria in the disregard instruction; wherein the disregard instruction is a conditional disregard instruction, which limits a performance of other rule operations in multiple rules other than the first rule in the selected set of rules depending on occurrence of a corresponding condition as specified by the disregard criteria in the disregard instruction, the method further comprising: performing at least one other rule operation in the first rule as well as other rules in the selected set of rules after performing the conditional disregard instruction.

(Dependent claims 13, 14.)
15. A method for providing access control in a computing system environment, the method comprising:

receiving an access request; in response to receiving the access request, selecting a set of rules for processing to determine whether to permit the access request; during processing of the set of rules, performing a conditional disregard rule operation in the set of rules; based on performing the conditional disregard rule operation, disregarding execution of at least one rule operation other than the conditional disregard rule operation in the set of rules as specified by the conditional disregard rule operation; and after performing the conditional disregard rule operation, performing at least one other rule operation in the set of rules not specified by disregard criteria in the conditional disregard rule operation; wherein a field of data in the conditional disregard rule operation specifically identifies a first type of rule operations that are to be disregarded from execution in the set of rules, execution of the conditional disregard rule operation not having any effect on whether to perform a second type of rule operations in the set of rules.

(Dependent claims 16, 17, 18.)
19. A method for providing access control in a computing system environment, the method comprising:

receiving an access request; in response to receiving the access request, selecting a first set of rules and a second set of rules for processing to determine whether to permit the access request, the first set of rules and the second set of rules each including multiple rule operations; during processing of the first set of rules, performing a disregard rule operation in the first set of rules; and based on performing the disregard rule operation, disregarding execution of at least one rule operation in the second set of rules as identified by the disregard rule operation; after disregarding execution of at least one rule operation in the second set of rules as identified by the disregard rule operation in the first set of rules, performing at least one rule operation in the second set of rules not associated with the disregard rule operation; and following completion of executing the first set of rules and the second set of rules, generating an access control decision whether to permit the access request.

(Dependent claims 20, 21, 22, 23.)
24. A method for providing access control in a computing system environment, the method comprising:

receiving an access request to access data in the computing system environment; comparing the access request to a master rule set, each rule in the master rule set including a filter and a corresponding set of rule operations to be performed pending evaluation of the filter condition; and for each rule containing a filter operation that evaluates to indicate execution of rule operations of that rule, executing the rule operations of that rule; during execution of rule operations of that rule, executing a first conditional disregard instruction that establishes a first set of pre-conditions that must be met in successive rules in the master rule set in order for those successive rules to be executed after the rule containing the first conditional disregard instruction has been executed; and executing at least one successive rule in the master rule set for which the access request meets the filters of those successive rules, and for which the first set of pre-conditions established by executing the first conditional disregard instruction are also met.

(Dependent claims 25, 26, 27, 28, 29.)
30. A computer program product having a computer-readable medium including computer program logic encoded thereon that when executed on a computer system provides a method for controlling access to a resource, and wherein when the computer program logic is executed on a processor in the computer system, the computer program logic causes the processor to perform the operations of:

receiving an access request to access data in the computing system environment; comparing the access request to a master rule set, each rule in the master rule set including a filter and a corresponding set of rule operations to be performed pending evaluation of the filter condition; and for each rule containing a filter operation that evaluates to indicate execution of rule operations of that rule, executing the rule operations of that rule; during execution of rule operations of that rule, executing a first conditional disregard instruction that establishes a first set of pre-conditions that must be met in successive rules in the master rule set in order for those successive rules to be executed after the rule containing the first conditional disregard instruction has been executed; and executing at least one successive rule in the master rule set for which the access request meets the filters of those successive rules, and for which the first set of pre-conditions established by executing the first conditional disregard instruction are also met.