Method and apparatus for XSL/XML based authorization rules policy implementation

US 7,512,976 B2
Filed: 11/06/2003
Issued: 03/31/2009
Est. Priority Date: 11/06/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a data processing system for controlling access to a resource, the method comprising:

receiving access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for the controlling of the access to the resource;

formatting the access decision information into an access decision information document in the extensible markup language format;

evaluating the access decision information document in an extensible markup language format with an extensible markup language rule, wherein the evaluating step uses two different extensible markup language entities as input to its evaluation process, which are (i) the access decision information document in the extensible markup language format and (ii) the extensible markup language rule, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information; and

generating an access decision based on the evaluation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for implementing XSL/XML based authorization rules policy on a given set of data. An authorization rules engine is created which uses authorization rules defined in XSL to operate on access decision information (ADI) provided by the user. Inside the authorization rules engine, a boolean authorization rules mechanism is implemented to constrain the XSL processor to arrive at a boolean authorization decision. By applying the constrained authorization rules, the authorization rules engine evaluates available ADI data from an ADI XML input document. An output from a set of predetermined authorization decisions is provided to the user when the ADI input data is successfully evaluated. An error message is also provided to the user if required ADI data is unavailable for evaluation.

Citations

20 Claims

1. A method in a data processing system for controlling access to a resource, the method comprising:
- receiving access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for the controlling of the access to the resource;
  
  formatting the access decision information into an access decision information document in the extensible markup language format;
  
  evaluating the access decision information document in an extensible markup language format with an extensible markup language rule, wherein the evaluating step uses two different extensible markup language entities as input to its evaluation process, which are (i) the access decision information document in the extensible markup language format and (ii) the extensible markup language rule, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information; and
  
  generating an access decision based on the evaluation.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the access decision is in a plain text format.
  - 3. The method of claim 1, wherein the access decision is one of true, false, or indifferent.
  - 4. The method of claim 1, wherein the extensible markup language rule references at least one valid element within the access decision information.
  - 5. The method of claim 1, wherein the extensible markup language rule is a valid extensible stylesheet fragment.
  - 6. The method of claim 5, wherein the extensible markup language rule is validated as the valid extensible stylesheet fragment by an extensible markup language processor prior to the evaluating step.
  - 7. The method of claim 1, wherein the evaluating step includes:
    - determining whether the access decision information document includes all required data; and
      
      attempting to gather missing data if any of the required data is missing.

8. An authorization system comprising:
- a set of extensible markup language rule objects; and
  
  an extensible markup language processor, wherein the extensible markup language processor receives access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for controlling access to a resource, formats the access decision information into an access decision information document in the extensible markup language format , evaluates the access decision information document in the extensible markup language format against a rule object in the set of extensible markup language rule objects, wherein the extensible markup language processor has two different extensible markup language entities as input, which are (i) the access decision information document in the extensible markup language format and (ii) the rule object in the set of extensible markup language rule objects, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information, and generates a plain-text result of an access decision based on the evaluation.

9. A data processing system for controlling access to a resource, the data processing system comprising:
- receiving means for receiving access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for the controlling of the access to the resource;
  
  formatting means for formatting the access decision information into the access decision information document in the extensible markup language format;
  
  evaluating means for evaluating the access decision information document in an extensible markup language format with an extensible markup language rule, wherein the evaluation means has two different extensible markup language entities as input, which are (i) the access decision information document in the extensible markup language format and (ii) the extensible markup language rule, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information; and
  
  generating means for generating an access decision based on the evaluation.
- View Dependent Claims (10, 11, 12)
- - 10. The data processing system of claim 9, wherein the access decision is in a plain text format.
  - 11. The data processing system of claim 9, wherein the access decision is one of true, false, or indifferent.
  - 12. The data processing system of claim 9, wherein the extensible markup language rule references at least one valid element within the access decision information.

13. A computer program product in a computer readable storage medium for controlling access to a resource, the computer program product comprising:
- first instructions for receiving access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for the controlling of the access to the resource;
  
  second instructions for formatting the access decision information into the access decision information document in the extensible markup language format;
  
  third instructions for evaluating the access decision information document in an extensible markup language format with an extensible markup language rule, wherein the second instructions for evaluating uses two different extensible markup language entities as input, which are (i) the access decision information document in the extensible markup language format and (ii) the extensible markup language rule, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information; and
  
  fourth instructions for generating an access decision based on the evaluation.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer program product in the computer readable storage medium of claim 13, wherein the access decision is in a plain text format.
  - 15. The computer program product in the computer readable storage medium of claim 13, wherein the access decision is one of true, false, or indifferent.
  - 16. The computer program product in the computer readable storage medium of claim 13, wherein the extensible markup language rule references at least one valid element within the access decision information.
  - 17. The computer program product in the computer readable storage medium of claim 13, wherein the extensible markup language rule is a valid extensible stylesheet fragment.
  - 18. The computer program product in the computer readable storage medium of claim 17, wherein the extensible markup language rule is validated as the valid extensible stylesheet fragment by an extensible markup language processor and the second instructions for evaluating are responsive to such validation by the extensible markup language processor.
  - 19. The computer program product in the computer readable storage medium of claim 13, wherein the evaluating step includes:
    - fifth instructions for determining whether the access decision information document includes all required data; and
      
      sixth instructions for attempting to gather missing data if any of the required data is missing.

20. A data processing system comprising:
- a bus system;
  
  a memory connected to the bus system, wherein the memory includes a set of instructions; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to receive access decision information from a client in a format other than in an extensible markup language format, wherein the access decision information is usable for controlling access to a resource, format the access decision information into an access decision information document in the extensible markup language format;
  
  evaluate the access decision information document in an extensible markup language format with an extensible markup language rule, wherein the processing unit uses two different extensible markup language entities as input, which are (i) the access decision information document in the extensible markup language format and (ii) the extensible markup language rule, wherein the extensible markup language rule is in a compiled rule object compiled by an extensible markup language processor and identifies the access decision information; and
  
  generate an access decision based on the evaluation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirBNB Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Burrows, Warwick Leslie
Primary Examiner(s)
Abrishamkar; Kaveh

Application Number

US10/703,014
Publication Number

US 20050102530A1
Time in Patent Office

1,972 Days
Field of Search

None
US Class Current

726/20
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Method and apparatus for XSL/XML based authorization rules policy implementation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for XSL/XML based authorization rules policy implementation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links