Selective cache flushing in identity and access management systems
Abstract
The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.
257 Citations
37 Claims
1. A method for flushing cache memories in an Access System, comprising the steps of:
detecting, at an administrative server, a change to authorization data residing on an LDAP directory server, said change caused by an administrator or user having some delegated administrator authority, using a graphical user interface, said authorization data used to determine whether another user is authorized to access said resource;
assigning a first global sequence number to said detected change;
transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed authorization data;
flushing only said authorization data identified by a previous synchronization record from a cache of said Access Server;
storing said first global sequence number in said Access Server;
storing said synchronization record in said Access Server;
transmitting said first global sequence number from said Access Server to a component of said system, said component storing a second global sequence number, said component comprising a Web gateway;
comparing said first global sequence number to said second global sequence number;
requesting all synchronization records comprising global sequence numbers generated after said second global sequence number;
requesting all synchronization records identified by a list of synchronization records stored by said component;
transmitting synchronization records to said component;
flushing from a cache of said component all data identified by said synchronization records transmitted to said component; and
storing said first global sequence number in said component.

2. A method for flushing cache memories in a network-based system, the method comprising:
providing a graphical user interface for an administrator or user having some delegated administrator authority to modify authorization data, said authorization data residing on a directory server and used for determining if a user has authorization to a resource;
receiving, via the graphical user interface, a change to said authorization data;
detecting at an administration server for said system said change to said authorization data;
an administration server transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed authorization data, wherein said Access Server determines whether said user has permission to access said resource, when said user accesses said resource;
comparing said synchronization record with a previous synchronization record identifying said authorization data; and
flushing only said authorization data identified in said previous synchronization record from a cache of said Access server.
(Dependent claims 3 through 25 depend from claim 2.)

26. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors, said processor readable code comprising:
code for detecting, at an administration server, a change to authorization data residing on a directory server, wherein said authorization data comprises a rule to access data by a user and said change to said authorization data is caused by an administrator via a graphical user interface;
code for determining at an Access Server whether said user has permission to access said resource, when said user attempts to access said resource;
code for transmitting a synchronization record to said Access server of said system from said administration server, said synchronization record identifying said changed authorization data;
code for comparing said synchronization record with a previous synchronization record identifying said authorization data; and
code for flushing said authorization data identified in said previous synchronization record from a cache of said Access Server.
(Dependent claims 27 through 30 depend from claim 26.)

31. An apparatus, comprising:
a communication interface;
one or more storage devices; and
one or more processors in communication with said one or more storage devices and said communication interface, said one or more storage devices comprising processor readable code for programming said one or more processors, said processor readable code comprising:
code for detecting a change to authorization data residing on a directory server, wherein said authorization data comprises a rule to access data by a user and said change to said authorization data is caused by an administrator or user having some delegated administrator authority via a graphical user interface;
code for transmitting a synchronization record from an administration server to an Access Server of said system, said synchronization record identifying said authorization data;
code for comparing said synchronization record with a previous synchronization record identifying said authorization data; and
code for flushing said authorization data identified in said previous synchronization record from a cache of said Access Server.
(Dependent claims 32 through 35 depend from claim 31.)

36. A system, comprising:
a web server comprising a component;
a directory server in communication with the web server;
an Access Server in communication with the web server and the directory server; and
an administration server in communication with the Access Server and the directory server, wherein the administration server comprises computer readable code executable by the administration server, the computer readable code comprising:
code for detecting a change to access rule data residing on the directory server; and
code for transmitting a synchronization record for reception by the Access Server, wherein the synchronization record identifies a set of data to be flushed from a cache at the Access Server;
code for comparing said synchronization record with a previous synchronization record identifying said authorization data;
wherein the Access Server causes the component to flush from one or more caches of the component the set of data identified in the previous synchronization record.
(Dependent claim 37 depends from claim 36.)
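The mechanism the claims describe (an administration server assigns a global sequence number to each detected change, the Access Server flushes only the named entries and keeps the record, and a downstream Web gateway compares sequence numbers and pulls only the records it has not yet applied, plus any it has recorded as missed) is shown below as an added illustration. This is not code from the patent or from any product; the class names (AdminServer, CachingComponent), the `missing` set, the `synchronize` function and the sample rule keys are all assumptions made for the example.

```python
"""Selective cache flushing driven by global sequence numbers (illustrative model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncRecord:
    gsn: int            # global sequence number assigned to the change
    keys: frozenset     # identifiers of the authorization data that changed


class AdminServer:
    """Detects changes to authorization data and assigns global sequence numbers."""

    def __init__(self):
        self.gsn = 0
        self.records = []

    def detect_change(self, changed_keys):
        # Each detected change gets the next global sequence number.
        self.gsn += 1
        rec = SyncRecord(self.gsn, frozenset(changed_keys))
        self.records.append(rec)
        return rec


class CachingComponent:
    """An Access Server or Web gateway: a cache, its last-seen GSN, retained records."""

    def __init__(self, name):
        self.name = name
        self.cache = {}        # resource -> cached authorization rule
        self.gsn = 0           # highest global sequence number applied so far
        self.records = []      # synchronization records kept for downstream components
        self.missing = set()   # GSNs this component knows it never received (assumed field)

    def apply(self, rec):
        # Flush only the entries the record names; all other cached data stays intact.
        for key in rec.keys:
            self.cache.pop(key, None)
        self.gsn = max(self.gsn, rec.gsn)
        self.records.append(rec)


def synchronize(upstream, downstream):
    """Downstream compares its GSN with upstream's and pulls only what it lacks."""
    wanted = [r for r in upstream.records
              if r.gsn > downstream.gsn or r.gsn in downstream.missing]
    for rec in sorted(wanted, key=lambda r: r.gsn):
        downstream.apply(rec)
        downstream.missing.discard(rec.gsn)
    return wanted


def _seed(component):
    # Constructed sample cache contents: an authorization rule per resource.
    component.cache.update({"/finance": "role:cfo", "/hr": "role:hr", "/public": "any"})


def demo():
    """Two changes reach the Access Server; the gateway then catches up in one pull."""
    admin, access, gateway = AdminServer(), CachingComponent("access-server"), CachingComponent("web-gateway")
    _seed(access)
    _seed(gateway)
    access.apply(admin.detect_change(["/finance"]))   # GSN 1
    access.apply(admin.detect_change(["/hr"]))        # GSN 2
    pulled = synchronize(access, gateway)             # gateway at GSN 0 -> pulls both
    return access, gateway, pulled


def demo_missed_record():
    """The gateway already holds GSN 2 but recorded GSN 1 as missed; only that one is pulled."""
    admin, access, gateway = AdminServer(), CachingComponent("access-server"), CachingComponent("web-gateway")
    _seed(access)
    _seed(gateway)
    rec1 = admin.detect_change(["/finance"])
    access.apply(rec1)
    rec2 = admin.detect_change(["/hr"])
    access.apply(rec2)
    gateway.apply(rec2)        # received out of order; GSN 1 never arrived
    gateway.missing.add(1)
    pulled = synchronize(access, gateway)
    return gateway, pulled


if __name__ == "__main__":
    access, gateway, pulled = demo()
    print(gateway.name, "GSN", gateway.gsn, "cache", gateway.cache, "pulled", [r.gsn for r in pulled])
```

The point of the model is the scope of the flush: every `apply` removes only the keys the synchronization record names, so `/public` survives both invalidations, and the sequence-number comparison means a gateway that is already current makes no request at all.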
Specification