Systems and methods for testing whether access to a resource is authorized based on access information

US 7,464,162 B2
Filed: 02/26/2001
Issued: 12/09/2008
Est. Priority Date: 07/10/2000
Status: Active Grant

First Claim

Patent Images

1. A method for testing access to a resource available on a network, comprising the steps of:

receiving access information;

testing whether access to said resource is authorized based on said access information without granting authorization to said resource, said testing includes accessing an authorization rule for said resource and accessing an identity profile for a first user to determine whether at least a portion of said authorization rule is satisfied based on information in said identity profile, said authorization rule is not part of said identity profile; and

reporting whether access to said resource is authorized based on said step of testing.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The Access Tester allows an administrator, or any other authorized user, to determine who or what entities have access to a resource, whether a particular individual or set of individuals have access to a resource under certain conditions and whether the authorization rules associated with a resource operate as intended. In one embodiment, an administrator uses a graphical user interface to enter access information. Exemplar access information includes one or more URLs identifying the resource(s), one or more request methods, one or more IP addresses, date and time restrictions, and an identification of one or more users. The Access Tester determines whether the identified users are authorized to access the resource(s) associated with the URL(s) using the request methods, during the date and time provided.

286 Citations

37 Claims

1. A method for testing access to a resource available on a network, comprising the steps of:
- receiving access information;
  
  testing whether access to said resource is authorized based on said access information without granting authorization to said resource, said testing includes accessing an authorization rule for said resource and accessing an identity profile for a first user to determine whether at least a portion of said authorization rule is satisfied based on information in said identity profile, said authorization rule is not part of said identity profile; and
  
  reporting whether access to said resource is authorized based on said step of testing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method according to claim 1, wherein:
    - said step of receiving access information includes receiving said access information from a user interface.
  - 3. A method according to claim 1, wherein:
    - said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.
  - 4. A method according to claim 1, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a user name for said first user; and
      
      said step of testing includes determining whether said first user can access said resource.
  - 5. A method according to claim 1, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a user role; and
      
      said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.
  - 6. A method according to claim 1, wherein:
    - said access information includes timing information.
  - 7. A method according to claim 6, wherein:
    - said timing information includes a time range; and
      
      said step of testing includes determining whether a set of entities can access said resource within said time range.
  - 8. A method according to claim 6, wherein:
    - said timing information includes a date range; and
      
      said step of testing includes determining whether a set of entities can access said resource within said date range.
  - 9. A method according to claim 1, wherein:
    - said access information includes an address of a device; and
      
      said step of testing includes determining whether an entity using said device can access said resource.
  - 10. A method according to claim 1, wherein:
    - said access information includes an access request method; and
      
      said step of testing includes determining whether an entity can access said resource using said access request method.
  - 11. A method according to claim 1, wherein:
    - said access information includes a URL identifying said resource.
  - 12. A method according to claim 1, wherein:
    - said access information includes an identification of a set of entities; and
      
      said step of testing includes the steps of;
      
      (a) selecting an entity,(b) checking authorization for said entity, and(c) repeating steps (a) and (b) for each remaining entity in said set of entities.
  - 13. A method according to claim 1, wherein:
    - said access information includes an identification of said resource and does not include an identification of any entities; and
      
      said step of testing determines which entities can access said resource.
  - 14. A method according to claim 1, wherein:
    - said access information includes an identification of an entity and does not include an identification of any resources; and
      
      said step of testing includes determining which resources can be accessed by said entity.
  - 15. A method according to claim 1, wherein:
    - said step of testing includes determining whether all of said authorization rule is satisfied.
  - 16. A method according to claim 15, wherein:
    - said access information includes information for identifying a set of one or more entities;
      
      said authorization rule includes role criteria; and
      
      said step of determining whether all of said authorization rule is satisfied includes evaluating whether said set of one or more entities meet said role criteria.
  - 17. A method according to claim 15, wherein:
    - said access information includes information for identifying a set of one or more entities;
      
      said authorization rule includes rule criteria; and
      
      said step of determining whether all of said authorization rule is satisfied includes evaluating whether said set of one or more entities meet said rule criteria.
  - 18. A method according to claim 1, wherein:
    - said step of reporting is user configurable so that a user can provide an indication of whether to display one or more authorization rules.
  - 19. A method according to claim 1, wherein:
    - said step of reporting includes displaying first information indicating that said first user can access said resource at a first time and second information indicating that said first user cannot access said resource at a second time.
  - 20. A method according to claim 1, wherein sad step of testing includes the steps of:
    - searching for a specific authorization rule;
      
      determining authorization using said specific rule if said specific rule is found; and
      
      determining authorization using a default rule if said specific rule is not found.
  - 21. A method according to claim 1, wherein said step of testing includes the steps of:
    - identifying a policy domain;
      
      searching for a policy;
      
      determining authorization using a default rule for said policy domain if no policy is found; and
      
      determining authorization using a specific rule for said policy if said policy is found.

22. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method, comprising the steps of:
- receiving access information; and
  
  testing whether access to a resource is authorized based on said access information, said testing includes;
  
  identifying a policy domain to which said resource belongs, said policy domain includes a set of one or more policies,determining whether said resource is associated with a policy in said set of one or more policies,if said resource is not associated with a policy in said set, determining whether access to said resource is authorized using an authorization rule associated with said policy domain but not a policy in said set of one or more policies, andif said resource is associated with a policy in said set, determining whether access to said resource is authorized using an authorization rule associated with said policy with which said resource is associated.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. One or more processor readable storage devices according to claim 22, wherein said processor readable code includes:
    - a user interface console;
      
      an access tester; and
      
      an authorization module.
  - 24. One or more processor readable storage devices according to claim 22, wherein:
    - said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.
  - 25. One or more processor readable storage devices according to claim 22, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a user role; and
      
      said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.
  - 26. One or more processor readable storage devices according to claim 22, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a rule; and
      
      said step of testing includes determining whether a set of one or more entities satisfying said rule can access said resource.
  - 27. One or more processor readable storage devices according to claim 22, wherein:
    - said access information includes timing information;
      
      said timing information includes a time range; and
      
      said step of testing includes determining whether a set of entities can access said resource within said time range.
  - 28. One or more processor readable storage devices according to claim 22, wherein:
    - said access information includes an access request method; and
      
      said step of testing includes determining whether an entity can access said resource using said access request method.
  - 29. One or more processor readable storage devices according to claim 22, wherein:
    - said access information includes information for identifying a first user; and
      
      said step of testing includes the steps of;
      
      accessing an identity profile for said first user, andcomparing information in said identity profile to authorization criteria for said resource to determine whether said first user is authorized to access said resource.
  - 30. One or more processor readable storage devices according to claim 22, wherein:
    - said step of testing includes determining whether an authorization rule is satisfied;
      
      said access information includes information for identifying a set of one or more entities;
      
      said authorization rule includes rule criteria; and
      
      said step of determining whether an authorization rule is satisfied includes evaluating whether said set of one or more entities meet said rule criteria.

31. An apparatus comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method comprising the steps of;
  
  receiving access information, andtesting whether access to a resource secured by an access system is authorized based on said access information, said access system includes an access management system and an identity management system wherein testing includesidentifying a policy domain;
  
  searching for a policy;
  
  determining authorization using a default rule for said policy domain if no policy is found; and
  
  determining authorization using a specific rule for said policy if said policy is found.
- View Dependent Claims (32, 33, 34, 35, 36, 37)
- - 32. An apparatus according to claim 31, wherein:
    - said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.
  - 33. An apparatus according to claim 31, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a user role; and
      
      said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.
  - 34. An apparatus according to claim 31, wherein:
    - said access information includes an identification of one or more entities;
      
      said identification of one or more entities includes a rule; and
      
      said step of testing includes determining whether a set of one or more entities satisfying said rule can access said resource.
  - 35. An apparatus according to claim 31, wherein:
    - said access information includes timing information;
      
      said timing information includes a time range; and
      
      said step of testing includes determining whether a set of entities can access said resource within said time range.
  - 36. An apparatus according to claim 31, wherein:
    - said access information includes an access request method; and
      
      said step of testing includes determining whether an entity can access said resource using said access request method.
  - 37. An apparatus according to claim 31, wherein:
    - said access information includes information for identifying a first user; and
      
      said step of testing includes the steps of;
      
      accessing an identity profile for said first user, andcomparing information in said identity profile to authorization criteria for said resource to determine whether said first user is authorized to access said resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Chan, Christine Wai Han
Primary Examiner(s)
Cardone; Jason
Assistant Examiner(s)
Pollack; Melvin H

Application Number

US09/792,918
Publication Number

US 20020165960A1
Time in Patent Office

2,843 Days
Field of Search

709/203, 709/219, 709223-229, 713200-202, 726/4, 726/14, 726 27- 30
US Class Current

709/225
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Systems and methods for testing whether access to a resource is authorized based on access information

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for testing whether access to a resource is authorized based on access information

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links