Determining group membership

US 7,363,339 B2
Filed: 11/30/2001
Issued: 04/22/2008
Est. Priority Date: 12/22/2000
Status: Active Grant

First Claim

Patent Images

1. A method for identifying members of a group, comprising the steps of:

determining dynamic members of a first user group based on a rule that defines dynamic membership for said first user group, wherein said rule is stored in a dynamic rule attribute of an identity profile of said first user group and wherein said first user group includes one or more static members and an identification of each of said static members is stored in a static member attribute for said identity profile of said first user group;

storing an identification of each of said dynamic members of said first user group wherein said identification of each of said dynamic members is stored in said static member attribute for said identity profile of said first user group;

determining nested members of said first user group;

storing an identification of each of said nested members of said first user group;

receiving a request to report members of said first user group, said request is received subsequent to said step of storing; and

reporting said dynamic members and said nested members of said first user group in response to said request, said reporting of said dynamic members is performed based on said stored identification of said dynamic members and said reporting of said nested members is performed based on said stored identification of said nested members.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to technology for determining the members of groups. A group can have static members, dynamic members and/or nested members. An entity is a nested member of a first group if that entity is a member of a second group and the second group is a member of the first group. There can be multiple levels of nesting. For example, an entity can be a nested member of a first group if that entity is a member of a second group, which is a member of a third group, which is a member of a fourth group, . . . , which is a member of the first group. The present invention can determine the membership of a group, including the static members, dynamic members and/or nested members. Furthermore, the present invention can be used to expand one or more groups so that future requests to view the membership of a group can be performed in a more efficient manner.

Citations

22 Claims

1. A method for identifying members of a group, comprising the steps of:
- determining dynamic members of a first user group based on a rule that defines dynamic membership for said first user group, wherein said rule is stored in a dynamic rule attribute of an identity profile of said first user group and wherein said first user group includes one or more static members and an identification of each of said static members is stored in a static member attribute for said identity profile of said first user group;
  
  storing an identification of each of said dynamic members of said first user group wherein said identification of each of said dynamic members is stored in said static member attribute for said identity profile of said first user group;
  
  determining nested members of said first user group;
  
  storing an identification of each of said nested members of said first user group;
  
  receiving a request to report members of said first user group, said request is received subsequent to said step of storing; and
  
  reporting said dynamic members and said nested members of said first user group in response to said request, said reporting of said dynamic members is performed based on said stored identification of said dynamic members and said reporting of said nested members is performed based on said stored identification of said nested members.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, wherein:
    - said identity profile of said first user group also includes an expansion attribute; and
      
      said method can only be performed if said expansion attribute includes an appropriate value.
  - 3. A method according to claim 2, wherein:
    - said method can only be performed for an entity having access to said expansion attribute and said dynamic rule attribute.
  - 4. A method according to claim 1, wherein:
    - said steps of determining and storing are automatically repeated.
  - 5. A method according to claim 1, wherein:
    - said steps of determining, storing and receiving are performed by an integrated identity and access system.
  - 6. A method according to claim 5, wherein:
    - said integrated identity and access system is capable of performing authorization services based on membership in said first user group.
  - 7. A method according to claim 1, wherein:
    - said nested members include members of multiple levels of nested groups.
  - 8. A method according to claim 1, wherein:
    - said step of determining nested members includes recursively determining members of group members.
  - 9. A method according to claim 1, wherein:
    - said step of reporting includes reporting said static members.
  - 10. A method according to claim 1, wherein said step of determining nested members includes the steps of:
    - determining all static group members of said first user group;
      
      determining all static and dynamic members of said static group members of said first user group;
      
      determining all static group members of said static group members of said first user group; and
      
      determining all members of said static group members of said static group members of said first user group.
  - 11. A method according to claim 1 wherein:
    - said first user group and nested groups of said first user group include rules defining criteria for being dynamic members; and
      
      said step of determining dynamic members includes the steps of determining a normalized set of said rules and determining which users are defined by said normalized set of said rules, said users defined by said normalized set of said rules are said dynamic members of said first user group.
  - 12. A method according to claim 1, wherein:
    - said step of reporting includes reporting said static members.

13. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- determining dynamic members of a first user group based on a rule that defines dynamic membership for said first user group, wherein said rule is stored in a dynamic rule attribute of an identity profile of said first user group and wherein said first user group includes one or more static members and an identification of each of said static members is stored in a static member attribute for said identity profile of said first user group;
  
  storing an identification of each of said dynamic members of said first user group wherein said identification of each of said dynamic members is stored in said static member attribute for said identity profile of said first user group;
  
  determining nested members of said first user group, said nested members include members of multiple levels of nested groups;
  
  storing an identification of each of said nested members of said first user group;
  
  receiving a request to report members of said first user group, said request is received subsequent to said step of storing; and
  
  reporting said dynamic members and said nested members of said first user group in response to said request, said reporting of said dynamic members is performed based on said stored identification of said dynamic members and said reporting of said nested members is performed based on said stored identification of said nested members.
- View Dependent Claims (14, 15, 16)
- - 14. One or more processor readable storage devices according to claim 13, wherein:
    - said step of reporting includes reporting said static members.
  - 15. One or more processor readable storage devices according to claim 14, wherein:
    - said steps of determining and storing are automatically repeated.
  - 16. One or more processor readable storage devices according to claim 14, wherein:
    - said steps of determining, storing and receiving are performed by an integrated identity and access system.

17. An apparatus that can determine members of a group, comprising:
- a communication interface; and
  
  one or more processors in communication with said communication interface, said one or more processors perform a method comprising the steps of;
  
  determining dynamic members of a first user group based on a rule that defines dynamic membership for said first user group, wherein said rule is stored in a dynamic rule attribute of an identity profile of said first user group and wherein said first user group includes one or more static members and an identification of each of said static members is stored in a static member attribute for said identity profile of said first user group,storing an identification of each of said dynamic members of said first user group wherein said identification of each of said dynamic members is stored in said static member attribute for said identity profile of said first user group,determining nested members of said first user group, said nested members include members of multiple levels of nested groups;
  
  storing an identification of each of said nested members of said first user group;
  
  receiving a request to report members of said first user group, said request is received subsequent to said step of storing, andreporting said static members, said dynamic members, and said nested members of said first user group in response to said request, said reporting of said dynamic members is performed based on said stored identification of said dynamic members and said reporting of said nested members is performed based on said stored identification of said nested members.
- View Dependent Claims (18, 19)
- - 18. An apparatus according to claim 17, wherein:
    - said steps of determining and storing are automatically repeated.
  - 19. An apparatus according to claim 17, wherein:
    - said steps of determining, storing and receiving are performed by an integrated identity and access system.

20. An integrated identity and access system comprising:
- an identity system adapted to determine dynamic members of a first user group based on a rule that defines dynamic membership for said first user group, wherein said rule is stored in a dynamic rule attribute of an identity profile of said first user group and wherein said first user group includes one or more static members and an identification of each of said static members is stored in a static member attribute for said identity profile of said first user group,store an identification of each of said dynamic members of said first user group wherein said identification of each of said dynamic members is stored in said static member attribute for said identity profile of said first user group, determine nested members of said first user group, store an identification of each of said nested members of said first user group, receive a request to report members of said first user group, said request is received subsequent to said step of storing, and report said dynamic members and said nested members of said first user group in response to said request, said reporting of said dynamic members is performed based on said stored identification of said dynamic members and said reporting of said nested members is performed based on said stored identification of said nested members; and
  
  an access system adapted to perform authentication services based on membership in said first user group.
- View Dependent Claims (21, 22)
- - 21. The integrated identity and access system of claim 20, wherein the identity system is adapted to determine nested members by:
    - determining all static group members of said first user group;
      
      determining all static and dynamic members of said static group members of said first user group;
      
      determining all static group members of said static group members of said first user group; and
      
      determining all members of said static group members of said static group members of said first user group.
  - 22. The integrated identity and access system of claim 20, wherein said first user group and nested groups of said first user group include rules defining criteria for being dynamic members and the identity system is adapted to determine dynamic members by determining a normalized set of said rules and determining which users are defined by said normalized set of said rules, said users defined by said normalized set of said rules are said dynamic members of said first user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ahmed, Sajeed, Delany, Shawn P., Ganitsky, Vivian M.
Primary Examiner(s)
Wiley; David
Assistant Examiner(s)
JEAN GILLES, JUDE

Application Number

US09/998,926
Publication Number

US 20020129135A1
Time in Patent Office

2,335 Days
Field of Search

709/200, 709220-226, 709/246, 709/229, 709/203, 709/227, 707/10, 707/104.1, 707/1, 707/103, 707/4, 715/523, 715/513, 715/501.1, 710/52, 710/56, 710/310, 370/256, 370/390, 370/408
US Class Current

709/202
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/1001   for accessing one among a p...

H04L 67/306   User profiles

H04L 67/561   Adding application-function...

H04L 67/564   Enhancement of application ...

H04L 67/5682   Policies or rules for updat...

H04L 69/329   in the application layer [O...

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

Determining group membership

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Determining group membership

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links