Fine-grained authorization by authorization table associated with a resource

US 7,546,640 B2
Filed: 12/10/2003
Issued: 06/09/2009
Est. Priority Date: 12/10/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining access rights to a resource managed by an application, the method comprising:

receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;

locating, based on the request, the resource in a structure having groupings of resources, wherein each of the groupings have similar authorization constraints for the resources therein;

reading an authorization table associated with a grouping having the resource among the groupings, wherein the authorization table comprises a mapping of one or more roles to each user, and the roles comprise one or more permitted actions;

determining, based on the reading, whether to grant the access rights for performing the action on the resource; and

whereby, assigning users to one or more of the groupings permits enhanced scalability and limited storage requirements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media are disclosed for determining access rights to a resource managed by an application. One embodiment includes receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource. Further, the embodiment includes locating, based on the request, the resource in a structure having groupings of resources, wherein the groupings include a grouping having the resource. Typically the groupings comprise files having mappings of resources to assigned groups, and each group has an associated authorization table mapping roles or policies to users. Further still, the embodiment includes reading an authorization table associated with the grouping having the resource, and determining whether to grant the access rights for performing the action on the resource.

Citations

30 Claims

1. A method for determining access rights to a resource managed by an application, the method comprising:
- receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;
  
  locating, based on the request, the resource in a structure having groupings of resources, wherein each of the groupings have similar authorization constraints for the resources therein;
  
  reading an authorization table associated with a grouping having the resource among the groupings, wherein the authorization table comprises a mapping of one or more roles to each user, and the roles comprise one or more permitted actions;
  
  determining, based on the reading, whether to grant the access rights for performing the action on the resource; and
  
  whereby, assigning users to one or more of the groupings permits enhanced scalability and limited storage requirements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising prompting the user for security information to access the application.
  - 3. The method of claim 1, further comprising prompting the user for the request before the receiving a request.
  - 4. The method of claim 1, further comprising, prior to the receiving, arranging the groupings by similar authorization constraints for the resources, and associating each of the groupings with the authorization table tailored for each of the groupings.
  - 5. The method of claim 1, wherein the application comprises an application management server system.
  - 6. The method of claim 1, wherein the locating comprises searching the structure and finding within the structure the grouping having the resource.
  - 7. The method of claim 1, wherein the groupings and the authorization table comprise extensible markup language files.
  - 8. The method of claim 1, wherein the reading comprises reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the resource.
  - 9. The method of claim 8, wherein the action of the request is defined by one of the roles.
  - 10. The method of claim 1, wherein the determining whether to grant access rights for performing the action on the resource to a user comprises granting access if the authorization table associated with the grouping having the resource indicates the user has permission to perform the action.

11. A device for determining access rights to a resource managed by an application, the device comprising:
- the application operable on a computer system having a processor;
  
  an input module associated with the application for receiving a request from a user in order to perform an action on a resource;
  
  a locator module associated with the application for locating, based on the request, the resource in a structure having groupings of resources, wherein each of the groupings have similar authorization constraints for the resources therein;
  
  a reader module associated with the application for reading an authorization table associated with a grouping having the resource among the groupings, wherein the authorization table comprises a mapping of one or more roles to each user, and the roles comprise one or more permitted actions;
  
  a decision module associated with the application for determining whether to grant the access rights for performing the action on the resource; and
  
  whereby, enhanced scalability and limited storage requirements result from assigning users to one or more of the groupings.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The device of claim 11, further comprising a prompter for entering security information to access the application.
  - 13. The device of claim 11, further comprising a prompter for entering the request into the input module.
  - 14. The device of claim 11, further comprising an arrangement module for arranging the groupings of resources by similar authorization constraints, and an associator module for associating each of the groupings with the authorization table tailored for each of the groupings.
  - 15. The device of claim 11, wherein the application comprises an application management server system.
  - 16. The device of claim 11, wherein the locator module comprises a search module for searching the structure and a find module for finding in the structure the grouping having the resource.
  - 17. The device of claim 11, wherein the groupings and the authorization table comprise extensible markup language files.
  - 18. The device of claim 11, wherein the reader module comprises reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the resource.
  - 19. The device of claim 18, wherein the action of the request is defined by one of the roles.
  - 20. The device of claim 11, wherein the decision module for determining whether to grant access rights for performing the action on the resource to a user comprises granting access if the authorization table associated with the grouping having the resource indicates the user has permission to perform the action.

21. A machine-accessible storage medium containing instructions, which when executed by a machine, cause the machine to perform operations for determining access rights to a resource managed by an application, comprising:
- receiving a request by the application, wherein the request comprises an action a user seeks to perform on the resource;
  
  locating, based on the request, the resource in a structure having groupings of resources, wherein each of the groupings have similar authorization constraints for the resources therein;
  
  reading an authorization table associated with a grouping having the resource among the groupings, wherein the authorization table comprises a mapping of one or more roles to each user, and the roles comprise one or more permitted actions;
  
  determining, based on the reading, whether to grant the access rights for performing the action on the resource; and
  
  whereby, assigning users to one or more of the groupings permits enhanced scalability and limited storage requirements.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The machine-accessible storage medium of claim 21, further comprising instructions to perform operations for prompting the user for security information to access the application.
  - 23. The machine-accessible storage medium of claim 21, further comprising instructions to perform operations for prompting a user for the request before the receiving a request.
  - 24. The machine-accessible storage medium of claim 21, further comprising, prior to the instructions to perform operations for receiving, instructions to perform operations for arranging the groupings by similar authorization constraints for the resources, and instructions to perform operations for associating each of the groupings with the authorization table tailored for each of the groupings.
  - 25. The machine-accessible storage medium of claim 21, wherein the application comprises an application management server system.
  - 26. The machine-accessible storage medium of claim 21, wherein the instructions for locating comprise instructions to perform operations for searching the structure and instructions to perform operations for finding within the structure the grouping having the resource.
  - 27. The machine-accessible storage medium of claim 21, wherein the groupings and the authorization table comprise extensible markup language files.
  - 28. The machine-accessible storage medium of claim 21, wherein instructions for reading comprise instructions for reading a mapping of roles to users, wherein the roles comprise a collection of actions permitted by the user on the resource.
  - 29. The machine-accessible storage medium of claim 28, wherein the action of the request is defined by one of the roles.
  - 30. The machine-accessible storage medium of claim 21, wherein the instructions for determining whether to grant access rights for performing the action on the resource to a user comprise instructions for granting access if the authorization table associated with the grouping having the resource indicates the user has permission to perform the action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Venkataramappa, Vishwanath, Chang, David Yu, Williamson, Leigh Allen
Primary Examiner(s)
Cervetti; David G

Application Number

US10/732,628
Publication Number

US 20050132220A1
Time in Patent Office

2,008 Days
Field of Search

726/4, 726/1, 726/28, 726/29
US Class Current

726/28
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/101 Access control lists [ACL]

Fine-grained authorization by authorization table associated with a resource

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Fine-grained authorization by authorization table associated with a resource

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links