Selective cache flushing in identity and access management systems

US 7,398,311 B2
Filed: 10/03/2006
Issued: 07/08/2008
Est. Priority Date: 07/10/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for flushing cache memories in an Access System, comprising the steps of:

detecting, at an administrative server, a change to authorization data residing on an LDAP directory server, said change caused by an administrator or user having some delegated administrator authority, using a graphical user interface, said authorization data used to determine whether another user is authorized to access said resource;

assigning a first global sequence number to said detected change;

transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed authorization data;

flushing only said authorization data identified by a previous synchronization record from a cache of said Access Server;

storing said first global sequence number in said Access Server;

storing said synchronization record in said Access Server;

transmitting said first global sequence number from said Access Server to a component of said system, said component storing a second global sequence number, said component comprising a Web gateway;

comparing said first global sequence number to said second global sequence number;

requesting all synchronization records comprising global sequence numbers generated after said second global sequence number;

requesting all synchronization records identified by a list of synchronization records stored by said component;

transmitting synchronization records to said component;

flushing from a cache of said component all data identified by said synchronization records transmitted to said component; and

storing said first global sequence number in said component.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.

257 Citations

37 Claims

1. A method for flushing cache memories in an Access System, comprising the steps of:
- detecting, at an administrative server, a change to authorization data residing on an LDAP directory server, said change caused by an administrator or user having some delegated administrator authority, using a graphical user interface, said authorization data used to determine whether another user is authorized to access said resource;
  
  assigning a first global sequence number to said detected change;
  
  transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed authorization data;
  
  flushing only said authorization data identified by a previous synchronization record from a cache of said Access Server;
  
  storing said first global sequence number in said Access Server;
  
  storing said synchronization record in said Access Server;
  
  transmitting said first global sequence number from said Access Server to a component of said system, said component storing a second global sequence number, said component comprising a Web gateway;
  
  comparing said first global sequence number to said second global sequence number;
  
  requesting all synchronization records comprising global sequence numbers generated after said second global sequence number;
  
  requesting all synchronization records identified by a list of synchronization records stored by said component;
  
  transmitting synchronization records to said component;
  
  flushing from a cache of said component all data identified by said synchronization records transmitted to said component; and
  
  storing said first global sequence number in said component.

2. A method for flushing cache memories in a network-based system, the method comprising:
- providing a graphical user interface for an administrator or user having some delegated administrator authority to modify authorization data, said authorization data residing on a directory server and used for determining if a user has authorization to a resource;
  
  receiving, via the graphical user interface, a change to said authorization data;
  
  detecting at an administration server for said system said change to said authorization data;
  
  an administration server transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed authorization data, wherein said Access Server determines whether said user has permission to access said resource, when said user accesses said resource;
  
  comparing said synchronization record with a previous synchronization record identifying said authorization data; and
  
  flushing only said authorization data identified in said previous synchronization record from a cache of said Access server.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 3. The method of claim 2, wherein said authorization data comprises access rules.
  - 4. The method of claim 2, further comprising:
    - assigning a first global sequence number to said detected change in authorization data; and
      
      storing said first global sequence number in said Access Server.
  - 5. The method of claim 4, further comprising:
    - a component receiving from said Access server a second synchronization record having said first global sequence number;
      
      comparing said first global sequence number to a second global sequence number stored by said component;
      
      requesting all synchronization records comprising global sequence numbers generated after said second global sequence number; and
      
      flushing from said caches of said component all data identified by said synchronization records transmitted to said component.
  - 6. The method of claim 5, said method further comprising the steps of:
    - requesting all synchronization records identified by a list of synchronization records stored by said component; and
      
      removing said transmitted synchronization records from said list.
  - 7. The method of claim 4, wherein:
    - said detecting is performed by an Access Manager running on an Administration Server.
  - 8. The method of claim 4, wherein:
    - said synchronization record comprises;
      
      said first global sequence number;
      
      an identification of said changed data;
      
      a description of a type of said detected change; and
      
      a time at which said step of detecting occurred.
  - 9. The method of claim 5, wherein:
    - said component is a Web Server plug-in.
  - 10. The method of claim 9, wherein:
    - said plug-in is an NSAPI Web Server plug-in or ISAPI Web Server plug-in or Web Gateway.
  - 11. The method of claim 2, wherein:
    - said user is authenticated for access to said resource using said user'"'"'s log-on information before determining whether said user is authorized to access said resource using a policy rule.
  - 12. The method of claim 5, wherein:
    - said caches of said Web gateway comprise;
      
      a resource cache; and
      
      an authentication scheme cache.
  - 13. The method of claim 2, wherein:
    - said system is an Access System.
  - 14. The method of claim 13, wherein:
    - said authorization data includes an attribute of a user identity profile.
  - 15. The method of claim 13, wherein:
    - said authorization data is a default authorization rule specifying a default method for verifying said user access to resources mapped to a policy domain, said authorization data used only after said user is authenticated to said system.
  - 16. The method of claim 13, wherein:
    - said authorization data is a policy authorization rule specifying a method for verifying user access to resources matched to a policy rule.
  - 17. The method of claim 13, wherein:
    - said authorization data is a first level authorization rule for granting user access to resources in said Access System.
  - 18. The method of claim 13, wherein:
    - said authorization data is a second level authorization rule for granting user access to a subset of resources in said Access System.
  - 19. The method of claim 2, wherein:
    - said system is an Access Management System providing security for resources across one or more web servers.
  - 20. The method of claim 19, wherein:
    - said authorization data includes a policy domain.
  - 21. The method of claim 2, wherein:
    - said directory server is an LDAP directory server.
  - 22. The method of claim 2, wherein:
    - said directory server utilizes LDAP, said system further comprising;
      
      an Administration Server coupled to a plurality of Access Servers;
      
      said plurality of Access Servers utilizing LDAP; and
      
      a plurality of Web Servers running Web Server plug-ins, said plurality of Web Servers coupled to said plurality of Access Servers.
  - 23. The method of claim 2, wherein:
    - said detected change is a modification to said authorization data.
  - 24. The method of claim 2, wherein:
    - said detected change is a deletion of said authorization data.
  - 25. The method of claim 2, wherein:
    - said detected change is an addition of said authorization data.

26. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors, said processor readable code comprising:
- code for detecting, at an administration server, a change to authorization data residing on a directory server, wherein said authorization data comprises a rule to access data by a user and said change to said authorization data is caused by an administrator via a graphical user interface;
  
  code for determining at an Access Server whether said user has permission to access said resource, when said user attempts to access said resource;
  
  code for transmitting a synchronization record to said Access server of said system from said administration server, said synchronization record identifying said changed authorization data;
  
  code for comparing said synchronization record with a previous synchronization record identifying said authorization data; and
  
  code for flushing said authorization data identified in said previous synchronization record from a cache of said Access Server.
- View Dependent Claims (27, 28, 29, 30)
- - 27. One or more processor readable storage devices according to claim 26, wherein said processor readable code further comprises:
    - code for storing said synchronization record in said Access Server.
  - 28. One or more processor readable storage devices according to claim 26, wherein said processor readable code further comprises:
    - code for assigning a first global sequence number to said detected change; and
      
      code for storing said first global sequence number in said Access Server.
  - 29. One or more processor readable storage devices according to claim 28, wherein said processor readable code further comprises:
    - code for comparing said first global sequence number to a second global sequence number stored by a component;
      
      code for requesting all synchronization records comprising global sequence numbers generated after said second global sequence number; and
      
      code flushing from said caches of said component all changed authorization data identified by said synchronization records transmitted to said component.
  - 30. One or more processor readable storage devices according to claim 29, wherein said processor readable code further comprises:
    - code for requesting all synchronization records identified by a list of synchronization records stored by said component; and
      
      code for removing said transmitted synchronization records from said list.

31. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more storage devices comprising processor readable code for programming said one or more processors, said processor readable code comprising;
  
  code for detecting a change to authorization data residing on a directory server, wherein said authorization data comprises a rule to access data by a user and said change to said authorization data is caused by an administrator or user having some delegated administrator authority via a graphical user interface;
  
  code for transmitting a synchronization record from an administration server to an Access Server of said system, said synchronization record identifying said authorization data;
  
  code for comparing said synchronization record with a previous synchronization record identifying said authorization data; and
  
  code for flushing said authorization data identified in said previous synchronization record from a cache of said Access Server.
- View Dependent Claims (32, 33, 34, 35)
- - 32. An apparatus according to claim 31, wherein said processor readable code further comprises:
    - code for authenticating said user by using said user'"'"'s log-on information before determining if said user is authorized to access said resource.
  - 33. An apparatus according to claim 31, wherein said processor readable code further comprises:
    - code for assigning a first global sequence number to said detected change; and
      
      code for storing said first global sequence number in a Web Gateway component.
  - 34. An apparatus according to claim 33, wherein said processor readable code further comprises:
    - code for comparing said first global sequence number to a second global sequence number stored by said component;
      
      code for requesting all synchronization records comprising global sequence numbers generated after said second global sequence number; and
      
      code for flushing from said caches of said component all changed data identified by said synchronization records transmitted to said component.
  - 35. An apparatus according to claim 34, wherein said processor readable code further comprises:
    - code for requesting all synchronization records identified by a list of synchronization records stored by said component; and
      
      code for removing said transmitted synchronization records from said list.

36. A system, comprising:
- a web server comprising a component;
  
  a directory server in communication with the web server;
  
  an Access Server in communication with the web server and the directory server; and
  
  an administration server in communication with the Access Server and the directory server, wherein the administration server comprises computer readable code executable by the administration server, the computer readable code comprising;
  
  code for detecting a change to access rule data residing on the directory server; and
  
  code for transmitting a synchronization record for reception by the Access Server, wherein the synchronization record identifies a set of data to be flushed from a cache at the Access Server;
  
  code for comparing said synchronization record with a previous synchronization record identifying said authorization data;
  
  wherein the Access Server causes the component to flush from one or more caches of the component the set of data identified in the previous synchronization record.
- View Dependent Claims (37)
- - 37. The system recited by claim 36, wherein the component is a web server plug in.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Joshi, Vrinda S., Swadi, Praveen R., Summers, Robert L.
Primary Examiner(s)
Cardone; Jason
Assistant Examiner(s)
Pollack; Melvin H

Application Number

US11/542,311
Publication Number

US 20070027986A1
Time in Patent Office

644 Days
Field of Search

709/203, 709218-221, 709223-229, 709/248, 709/249, 713/100, 726 4- 6, 726/30, 707/8, 707/9, 707/201, 707/203, 707/206
US Class Current

709/225
CPC Class Codes

G06F 12/0804   with main memory updating G...

G06F 16/955   using information identifie...

G06F 16/9574   of access to content, e.g. ...

G06F 21/62   Protecting access to data v...

H04L 61/4523   using lightweight directory...

H04L 63/08   for authentication of entit...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99953   Recoverability

Selective cache flushing in identity and access management systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

257 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Selective cache flushing in identity and access management systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

257 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links