Method and apparatus for using a role based access control system on a network
First Claim
1. A method for using a role based access control system on a network, the method comprising the computer-implemented steps of:
detecting that a user has initiated, during a network session, an operation to be performed requiring a resource provided on the network;
identifying a condition specified from the user initiating the operation;
wherein the condition is that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource;
determining, based on the condition, whether the particular conditional role is to be assigned to the user during the network session, the particular conditional role defining a set of one or more privileges for a class of users on the network, the set of one or more privileges comprising a privilege required to perform the operation; and
in the same network session, dynamically assigning to the user in response to the detecting and determining, the particular conditional role from a plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied.
Abstract
A role based access control system is described that assigns roles, which otherwise are mutually exclusive, to users based on detecting designated conditions when the user initiates actions or operations on the network. The assignment of the role to a particular user may be conditional upon one or more such designated conditions occurring. In particular, two roles that are mutually exclusive of one another may be occupied by one user for the purpose of performing specified operations upon designated conditions being detected when the user initiates one or more of the specified operations. Business rules specify conditions for assigning the conditional roles.
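The abstract describes a separation-of-duty engine in which two normally exclusive roles may be held by one user for a specific operation when a business rule's condition is met, with the assignment made dynamically inside the same session. The following Python is an added illustration of that mechanism and is not code from the patent or any product it covers: the role names, the "requester"/"approver" exclusion pair, the single purchase-order rule, the threshold of 1000 and the sample requests are all constructed assumptions.

```python
"""Conditional occupancy of mutually exclusive RBAC roles within one session.

Added illustration, not code from the patent. Role names, privileges, the
"requester"/"approver" exclusion and the single business rule are constructed
sample data; a real policy engine would load these from configuration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Static role -> privilege map (constructed sample data).
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "requester": {"po:create", "po:read"},
    "approver": {"po:approve", "po:read"},
    "auditor": {"po:read", "audit:read"},
}

# Pairs of roles a user must not normally hold at the same time (separation of duty).
MUTUALLY_EXCLUSIVE: Set[frozenset] = {frozenset({"requester", "approver"})}


@dataclass
class Request:
    user: str
    operation: str      # privilege name, e.g. "po:approve"
    resource: dict      # attributes of the target; must include "id"


@dataclass
class ConditionalRule:
    """Business rule: `role` may be granted for `operation` when `condition(request)` holds."""
    operation: str
    role: str
    condition: Callable[[Request], bool]


# Constructed rule: a requester may act as approver for a purchase order that
# someone else created and that is below a spending threshold (hypothetical values).
RULES: List[ConditionalRule] = [
    ConditionalRule(
        operation="po:approve",
        role="approver",
        condition=lambda r: r.resource.get("created_by") != r.user
        and r.resource.get("amount", 0) < 1000,
    )
]


@dataclass
class Session:
    user: str
    roles: Set[str]                                                  # statically assigned roles
    conditional: Dict[str, Set[str]] = field(default_factory=dict)   # resource id -> roles granted for it
    audit: List[tuple] = field(default_factory=list)


def privileges(roles: Set[str]) -> Set[str]:
    """Union of the privileges carried by `roles`."""
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))


def conflicts(role: str, held: Set[str]) -> Set[str]:
    """Roles in `held` that are mutually exclusive with `role`."""
    return {h for h in held if frozenset({role, h}) in MUTUALLY_EXCLUSIVE}


def authorize(session: Session, req: Request) -> Tuple[bool, str]:
    """Decide the request; dynamically assign a conditional role when a rule permits it."""
    if req.user != session.user:
        return False, "request user does not match session"
    rid = req.resource.get("id")
    # Conditional roles are scoped to the resource they were granted for, so an
    # approval right obtained for one purchase order does not leak to others.
    effective = session.roles | session.conditional.get(rid, set())
    if req.operation in privileges(effective):
        return True, "permitted by roles already held"
    for rule in RULES:
        if rule.operation != req.operation:
            continue
        if req.operation not in ROLE_PRIVILEGES.get(rule.role, set()):
            continue  # misconfigured rule: its role does not carry the privilege
        clash = sorted(conflicts(rule.role, session.roles))
        if not rule.condition(req):
            session.audit.append(("deny", req.user, req.operation, rid, rule.role, clash))
            return False, f"condition for conditional role {rule.role} not met"
        session.conditional.setdefault(rid, set()).add(rule.role)
        session.audit.append(("grant", req.user, req.operation, rid, rule.role, clash))
        return True, f"conditionally assigned {rule.role} despite exclusion with {clash}"
    session.audit.append(("deny", req.user, req.operation, rid, None, []))
    return False, "no rule grants a role carrying this privilege"


def end_session(session: Session) -> None:
    """Conditional roles live only for the session; drop them at logout."""
    session.conditional.clear()
```

Two design choices in this sketch are the ones a reviewer would check in a real implementation: the conditional role is recorded per resource and per session rather than added to the user's static role set, so the exclusion is relaxed only for the operation the rule was written for, and every grant or denial of a conditional role is written to an audit trail together with the roles it conflicted with, since a conditional separation-of-duty override is exactly the event an auditor needs to be able to reconstruct.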
39 Claims
1. (Set out above under First Claim; dependent claims 2 to 7 not shown.)
8. A method for using a role based access control system on a network, the method comprising the computer-implemented steps of:
detecting that a user has initiated, during a network session, an operation to be performed, the operation requiring a resource provided on the network;
identifying whether a set of one or more rules are designated for the user the operation;
determining whether a user can mutually occupy at least (i) a first role assigned to the user when the user initiates the operation, and (ii) a second role required to perform the operation that is not assigned to the user when the user initiates the operation wherein the first role and the second role are designated to be mutually exclusive of one another unless the determination is that the set of one or more rules allow for the user to mutually occupy the first role and the second role when performing the operation; and
in the same network session, dynamically assigning to the user in response to the detecting and determining, at least one conditional role from the plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied;
wherein the condition is that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource.
(Dependent claims 9 to 16 not shown.)
17. A method for using a role based access control system on a network, the method comprising the computer-implemented steps of:
detecting that a user has initiated, during a network session, an operation to be performed, the operation requiring a resource provided on the network;
designating a set of conditions that may be identified from the user initiating the operation to be performed using resources provided on the network;
wherein the set of conditions includes a condition that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource;
determining at least one of a plurality of roles that the user may conditionally occupy by correlating at least one of the conditions in the set of conditions that are identifiable from the user initiating the operation with the roles that include instructions for controlling access to resources on the network, wherein determining the roles comprises determining, based on the one or more conditions occurring, whether the user can mutually occupy at least (i) a first role assigned to the user prior to the user initiating the operation, and (ii) a second role required to perform the operation wherein the first role and the second role are designated to be mutually exclusive of one another unless the determination is that the user to mutually occupy the first role and the second role when performing the operation; and
in the same network session, dynamically assigning to the user in response to the detecting and determining, at least one conditional role from the plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied.
(Dependent claims 18 to 24 not shown.)
25. A computer readable storage medium carrying instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of:
detecting that a user has initiated, during a network session, an operation to be performed, the operation requiring a resource provided on the network;
designating a set of conditions that may be identified from a user initiating an operation to be performed using resources provided on the network;
wherein the set of conditions includes a condition that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource; and
determining one or more roles that the user may conditionally occupy by correlating one or more conditions in the set of conditions that are identifiable from the user initiating the operation with the one or more roles in a set of roles that control access to resources on the network, wherein the determining the one or more roles comprises determining, based on the one or more conditions occurring, whether the user can mutually occupy at least (i) a first role assigned to the user prior to the user initiating the operation, and (ii) a second role required to perform the operation wherein the first role and the second role are designated to be mutually exclusive of one another unless the determination is that the user to mutually occupy the first role and the second role when performing the operation; and
in the same network session, dynamically assigning to the user based on the detecting and determining, at least one conditional role from the plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied.
26. A computer system for using a role based access control system on a network, the computer system comprising an apparatus having one or more processors and comprising:
means for designating a set of conditions that may be identified from a user initiating, during a network session, an operation to be performed using resources provided on the network;
wherein the set of conditions includes a condition that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource; and
means for determining one or more roles that the user may conditionally occupy with correlation of one or more conditions in the set of conditions that are identifiable from the user initiating the operation with the one or more roles in a set of roles that control access to resources on the network, wherein the means for determining the one or more roles includes means for determining, based on the one or more conditions occurring, whether the user can mutually occupy at least (i) a first role assigned to the user prior to the user initiating the operation, and (ii) a second role required to perform the operation, wherein the first role and the second role are designated to be mutually exclusive of one another unless the determination is that the user to mutually occupy the first role and the second role when performing the operation; and
means for in the same network session, dynamically assigning to the user, in response to functions performed with the detecting means and the determining means, at least one conditional role from the plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied.
(Dependent claims 34 to 39 not shown.)
27. A computer system for using a role based access control system on a network, the computer system comprising:
a bus;
a communication interface coupled to the bus for linking the computer system to the network; and
a processor coupled to the bus, wherein the processor is configured for:
detecting that a user has initiated, during a network session, an operation to be performed, the operation requiring a resource provided on the network;
designating a set of conditions that may be identified from a user initiating an operation to be performed using resources provided on the network;
wherein the set of conditions includes a condition that the user must be assigned a particular conditional role, which is mutually exclusive with at least one other role already assigned to the user, to perform the operation requiring the resource;
determining one or more roles that the user may conditionally occupy by correlating one or more conditions in the set of conditions that are identifiable from the user initiating the operation with the one or more roles in a set of roles that control access to resources on the network, wherein the processor determines the one or more roles with a correlation that is, based on the one or more conditions occurring, whether the user can mutually occupy at least (i) a first role assigned to the user prior to the user initiating the operation, and (ii) a second role required to perform the operation, wherein the first role and the second role are designated to be mutually exclusive of one another unless the determination is that the user to mutually occupy the first role and the second role when performing the operation; and
in the same network session, dynamically assigning to the user, in response to the detecting and determining, at least one conditional role from the plurality of otherwise mutually exclusive roles that the user is allowed to mutually occupy if the condition is satisfied.
(Dependent claims 28 to 33 not shown.)
Specification