System and methods for providing dynamic authorization in a computer system
First Claim
1. A method for dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:
- initializing a client authorization context for the client using one or more client context initialization routines;
determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;
invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries;
identifying an access control entry as a callback access control entry; and
in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application.
2 Assignments
0 Petitions
Accused Products
Abstract
A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.
-
Citations
20 Claims
-
1. A method for dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:
-
initializing a client authorization context for the client using one or more client context initialization routines; determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed; invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries; identifying an access control entry as a callback access control entry; and in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to carry out a method for dynamically updating a client authorization context in a computer system having a client thereof requesting access to a resource from an application, the method comprising:
-
computing a client authorization context after the request for the resource is received from the client; determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed; invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries; identifying an access control entry as a callback access control entry; and in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to perform a method of dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:
-
computing a client authorization context after the access request for the resource is received from the client; determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed; providing said dynamic data and the client authorization context to an access check routine; comparing the client authorization context to at least one access control entry of an access control list to determine if the client represented by the client authorization context is allowed access to the resource; identifying an access control entry having an identifier that matches an identifier in the client authorization context as a callback access control entry; and in response to identifying the access control entry as a callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application. - View Dependent Claims (15, 16)
-
-
17. For an application in a computer system having a resource manager that manages and controls access to a resource and a client thereof requesting access to a resource from an application, a computer readable storage medium having computer executable instructions stored thereon that when executed by the computer system causes the computer system to carry out a method for carrying out a dynamic authorization callback mechanism that provides extensible support for application-defined business rules via a set of APIs and DACLs including a dynamic groups routine and a dynamic access routine customized to the application, the method comprising:
-
initializing a client authorization context for the client; carrying out said dynamic groups routine to update said client authorization context based upon dynamic data possessed by the application and a first dynamic policy tailored to said application through which the resource is accessed; and carrying out said dynamic access routine to determine if the client represented by the updated client authorization context is allowed access to the resource, said dynamic access routine using said dynamic data and a second dynamic policy in a callback access control entry when an identifier in the client authorization context matches an identifier in the callback access control entry, wherein said dynamic data includes run-time data managed by the application. - View Dependent Claims (18)
-
-
19. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer causes the computer to provide dynamic authorization of an application in a computer system based upon application-specific or business rules that incorporate dynamic data, the dynamic data including an identifier for identifying whether a dynamic access check callback function should be invoked for conducting said dynamic authorization of said application, data from client operation parameters, authorization policy data stored in a callback access control entry, and any other authorization policy data managed, computed or retrieved by the application, the computer executing said computer executable instructions to perform the steps of:
-
the application using an initialization routine to register with a resource manager dynamic group functions that enable the application to assign temporary group membership based upon said dynamic data to a client for the purpose of checking access rights to a resource protected by the resource manager and to register with said resource manager dynamic access check callback functions that enable the application to perform customized procedures for checking access rights to said resource based on said dynamic data; adding said dynamic access check callback functions to the resource manager'"'"'s registered callback list; when a user attempts to connect to the application to request the resource, automatically invoking a registered dynamic group function to augment said client authorization context with client contextual data computed using said dynamic data; and invoking a registered dynamic access check callback function to provide said customized procedures for checking access rights to the resource based on said dynamic data and said augmented client authorization context. - View Dependent Claims (20)
-
Specification