System and method for hierarchical role-based entitlements

US 7,591,000 B2
Filed: 02/14/2003
Issued: 09/15/2009
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authorization to adaptively control access to a resource, comprising the steps of:

providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;

wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;

providing for the evaluation of a policy based on the at least one role; and

providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy;

wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authorization to adaptively control access to a resource, comprising the steps of providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing for the evaluation of a policy based on the at least one role; and providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.

322 Citations

51 Claims

1. A method for authorization to adaptively control access to a resource, comprising the steps of:
- providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  providing for the evaluation of a policy based on the at least one role; and
  
  providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 51)
- - 2. The method of claim 1 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 3. The method of claim 1 wherein:
    - the step of providing for the mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 4. The method of claim 1 including the step of:
    - determining whether the at least one role is true or false for the principal in a context.
  - 5. The method of claim 1 wherein:
    - the at least one role is a Boolean expression that can include at least one of (1) another Boolean expression and (2) a predicate.
  - 6. The method of claim 5 wherein:
    - the predicate is one of user, group, time and segment.
  - 7. The method of claim 5 wherein:
    - the predicate is evaluated against the principal and a context.
  - 8. The method of claim 5 wherein:
    - the predicate is a segment that is specified in plain language.
  - 9. The method of claim 1 wherein:
    - the policy is an association between the resource and a set of roles.
  - 10. The method of claim 9 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.
  - 51. The method of claim 1, wherein the at least one role is based on rules that take into account information about the principal, information about a communication session, and information about a current state of a system on which the resource resides.

11. A method for authorization for adaptively controlling access to a resource, comprising the steps of:
- providing for the evaluation of a policy based on at least one role applicable to a principal attempting to access the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  providing for the granting of access to the resource based on the evaluation; and
  
  wherein the resource, the policy and the at least one role are hierarchically related;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 13. The method of claim 11 wherein:
    - the at least one role is applicable to a principal if the at least one role is satisfied by the principal.
  - 14. The method of claim 11 including the step of:
    - evaluating the at least one role to true or false for the principal in a context.
  - 15. The method of claim 11 wherein:
    - the at least one role is a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 16. The method of claim 15 wherein:
    - the predicate is one of user, group, time and segment.
  - 17. The method of claim 15 includes the step of:
    - evaluating the predicate against the principal and a context.
  - 18. The method of claim 16 wherein:
    - the segment predicate is specified in plain language.
  - 19. The method of claim 11 wherein:
    - the policy is an association between the resource and a set of roles.
  - 20. The method of claim 19 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

21. A method for authorization for adaptively controlling access to a resource, comprising the steps of:
- providing to a security framework information pertaining to a principal and the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy; and
  
  utilizing the security framework to provide an authorization result based on evaluating at least one security policy by associating at least one role to the principal; and
  
  wherein the resource, the security policy, and the at least one role are hierarchically related;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 23. The method of claim 21 wherein:
    - associating at least one role to a principal includes determining whether or not the at least one role is satisfied by the principal.
  - 24. The method of claim 21 including the step of:
    - evaluating the at least one role to true or false for the principal in a context.
  - 25. The method of claim 21 wherein:
    - the at least one role is a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 26. The method of claim 25 wherein:
    - the predicate is one of user, group, time and segment.
  - 27. The method of claim 25 wherein:
    - the predicate is evaluated against the principal and a context.
  - 28. The method of claim 25 wherein:
    - the predicate is a segment and is specified in plain language.
  - 29. The method of claim 21 wherein:
    - the policy is an association between the resource and a set of roles.
  - 30. The method of claim 29 further including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

31. A computer-based system for authorization adapted for controlling access to a resource, comprising:
- at least one processor and at least one memory, the at least one processor and at least one memory implementing;
  
  at least one role-mapper to map a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  at least one authorizer coupled to the at least one role-mapper, the at least one authorizer to determine if a policy is satisfied based on the at least one role; and
  
  an adjudicator coupled to the at least one authorizer, the adjudicator to render a final decision based on the determination of the at least one authorizer;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The computer-based system of claim 31 wherein:
    - the principal is an authenticated user, group or process.
  - 33. The computer-based system of claim 31 wherein:
    - mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 34. The computer-based system of claim 31 wherein:
    - the at least one role evaluates to true or false for the principal in a context.
  - 35. The computer-based system of claim 31 wherein:
    - the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
  - 36. The computer-based system of claim 35 wherein:
    - the predicate is one of user, group, time and segment.
  - 37. The computer-based system of claim 35 wherein:
    - the predicate can be evaluated against the principal and a context.
  - 38. The computer-based system of claim 36 wherein:
    - the segment predicate is specified in plain language.
  - 39. The computer-based system of claim 31 wherein:
    - the policy is an association between the resource and a set of roles.
  - 40. The computer-based system of claim 39 wherein:
    - access is granted to the resource if the at least one role is in the set of roles.

41. A method for authorization to adaptively control access to a resource in an enterprise application, comprising the steps of:
- providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  providing for the evaluation of a policy based on the at least one role; and
  
  providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy; and
  
  wherein the at least one role, the policy and the resource are part of an enterprise application;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 42. The method of claim 41 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 43. The method of claim 41 wherein:
    - the step of providing for the mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 44. The method of claim 41 including the step of:
    - determining whether the at least one role is true or false for the principal in a context.
  - 45. The method of claim 41 wherein:
    - the at least one role is a Boolean expression includes at least one of (1) another Boolean expression and (2) a predicate.
  - 46. The method of claim 45 wherein:
    - the predicate is one of user, group, time and segment.
  - 47. The method of claim 45 wherein:
    - the predicate is evaluated against the principal and a context.
  - 48. The method of claim 45 wherein:
    - the predicate is a segment that is specified in plain language.
  - 49. The method of claim 41 wherein:
    - the policy is an association between the resource and a set of roles.
  - 50. The method of claim 49 including the step of:
    - granting access to the resource if the at least one role is in the set of roles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Griffin, Philip B., McCauley, Rod, Toussaint, Alex, Devgan, Manish
Primary Examiner(s)
Lipman; Jacob

Application Number

US10/367,177
Publication Number

US 20040162906A1
Time in Patent Office

2,405 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for hierarchical role-based entitlements

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

322 Citations

51 Claims

Specification

Use Cases

Quick Links

Others

System and method for hierarchical role-based entitlements

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

322 Citations

51 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others