Remote interface for policy decisions governing access control
First Claim
1. A method of controlling access to resources, said method comprising:
receiving, by a server, a first request for a resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said resource and based on said first requestor identifying information;
receiving, by said server, said first policy decision from said remote source, wherein said first policy decision is for said first requestor;
storing said first policy decision for said resource in local memory, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor identified by said second requestor identifying information;
receiving, subsequent to said first request, a second request for access to said resource, said second request comprising said first requestor identifying information;
evaluating said second request using said first policy decision in said local memory;
receiving a notification from said remote source of a change in said policy definition, said notification identifying said first policy decision;
marking said first policy decision based on said notification, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said resource;
receiving, subsequent to said second request, a third request for access to said resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
receiving, by said server and subsequent to said third request, a fourth request for said resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
identifying, by said server in response to said fourth request, said first policy decision as marked;
referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
receiving, by said server, said third policy decision from said remote source; and
evaluating said fourth request based on said third policy decision.
Abstract
Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.
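The caching scheme the abstract describes and the request sequence of claim 1 (refer, cache, serve from cache, mark on notification, re-refer when marked) as an added Python example. This is not code from the patent or from any product; the class names, the in-process stand-in for the policy server, the constructed policy table and the `max_age` expiry are this example's own assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (requestor identifying information, resource)


@dataclass
class Decision:
    """A policy decision as stored in the remote interface's local memory."""
    permit: bool
    marked: bool = False  # True: an updated decision must be requested before reuse
    fetched_at: float = field(default_factory=time.monotonic)


class PolicySource:
    """Stand-in for the remote source of policy definitions (constructed for this example)."""

    def __init__(self) -> None:
        # Constructed policy definition: resource -> requestors permitted to access it.
        self.policy: Dict[str, Set[str]] = {"/reports": {"alice", "bob"}}
        self.listeners: List[Callable[[str, Optional[Set[str]]], None]] = []

    def evaluate(self, requestor: str, resource: str) -> Decision:
        return Decision(permit=requestor in self.policy.get(resource, set()))

    def subscribe(self, callback: Callable[[str, Optional[Set[str]]], None]) -> None:
        self.listeners.append(callback)

    def change_policy(self, resource: str, allowed: Set[str],
                      affected: Optional[Set[str]] = None) -> None:
        """Update the definition and notify subscribers which decisions are affected.
        affected=None means "every cached decision for this resource" (claim 5 style);
        a set of requestors names particular decisions (claim 1 style)."""
        self.policy[resource] = set(allowed)
        for callback in self.listeners:
            callback(resource, affected)


class CachingEnforcer:
    """Web-server side: serves repeat requests from cached decisions, re-refers when marked."""

    def __init__(self, source: PolicySource, max_age: float = 300.0) -> None:
        self.source = source
        self.max_age = max_age  # assumed safeguard: bounds staleness if a notification is lost
        self.cache: Dict[Key, Decision] = {}
        self.referrals = 0  # how many requests went to the remote source
        source.subscribe(self.on_policy_change)

    def on_policy_change(self, resource: str, requestors: Optional[Set[str]]) -> None:
        # Mark rather than delete: the entry records that a fresh decision is required.
        for (requestor, res), decision in self.cache.items():
            if res == resource and (requestors is None or requestor in requestors):
                decision.marked = True

    def check(self, requestor: str, resource: str) -> bool:
        key = (requestor, resource)
        decision = self.cache.get(key)
        stale = decision is None or decision.marked or \
            time.monotonic() - decision.fetched_at > self.max_age
        if stale:
            decision = self.source.evaluate(requestor, resource)  # refer to remote source
            self.referrals += 1
            self.cache[key] = decision
        return decision.permit


def walkthrough() -> List[Tuple[str, bool, int]]:
    """Replays the four requests of claim 1; returns (requestor, permitted, referrals so far)."""
    source = PolicySource()
    server = CachingEnforcer(source)
    trace = []
    trace.append(("alice", server.check("alice", "/reports"), server.referrals))  # 1st: referred
    trace.append(("alice", server.check("alice", "/reports"), server.referrals))  # 2nd: cache hit
    server.check("bob", "/reports")  # second requestor's decision now also in local memory
    source.change_policy("/reports", allowed={"bob"}, affected={"alice"})  # marks alice's decision
    trace.append(("bob", server.check("bob", "/reports"), server.referrals))      # 3rd: unmarked, cached
    trace.append(("alice", server.check("alice", "/reports"), server.referrals))  # 4th: marked, re-referred
    return trace


if __name__ == "__main__":
    for requestor, permitted, referrals in walkthrough():
        print(f"{requestor}: permit={permitted} referrals={referrals}")
```

Marking instead of evicting keeps the cache key in place so the server knows a decision once existed and must be refreshed, and notifying by resource (`affected=None`) invalidates every requestor's decision for that resource in one message, which is the variant claim 5 describes. The `max_age` expiry is an addition of this example, not something the patent text states: with notification-only invalidation, a dropped notification leaves a stale permit in force indefinitely, so a defender would want an upper bound on cache lifetime as well.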
12 Claims
1. A method of controlling access to resources (independent claim; text reproduced above under First Claim). Dependent claims: 2, 3, 4.
5. A method of controlling access to resources, said method comprising:
receiving, by a server, a first request for access to a first resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said first resource and based on said first requestor identifying information;
receiving, by said server, from said remote source said first policy decision for said first resource, wherein said first policy decision is for said first requestor;
storing said first policy decision in local memory, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor;
receiving a second request for access to said first resource, said second request comprising said first requestor identifying information;
evaluating said second request using said first policy decision in said local memory;
receiving a notification from said remote source of a change in said policy definition, said notification identifying said first resource;
marking said first policy decision based on said notification and said first policy decision associated with said first resource, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said first resource;
receiving a third request for access to said first resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
receiving, by said server, a fourth request for said first resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
identifying, by said server in response to said fourth request, said first policy decision as unmarked;
referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
receiving, by said server, said third policy decision from said remote source; and
evaluating said fourth request based on said third policy decision.
Dependent claims: 6, 7, 8.
9. A computer-usable medium having computer-readable program code embodied therein for causing a computer system to perform a method of controlling access to resources, said method comprising:
receiving, by a server, a first request for a first resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said first resource and based on said first requestor identifying information;
receiving, by said server, said first policy decision from said remote source, wherein said first policy decision is for said first requestor;
storing in local memory said first policy decision for said first resource, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor;
receiving, subsequent to said first request, a second request for access to said first resource, said second request comprising said first requestor identifying information;
evaluating said second request using said first policy decision stored in said local memory;
receiving a notification from said remote source of a change in said policy definition, said notification identifying said first policy decision;
marking said first policy decision based on said notification, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said first resource;
receiving, subsequent to said second request, a third request for access to said first resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
receiving, by said server and subsequent to said third request, a fourth request for said first resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
identifying, by said server in response to said fourth request, said first policy decision as marked;
referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
receiving, by said server, said third policy decision from said remote source; and
evaluating said fourth request based on said third policy decision.
Dependent claims: 10, 11, 12.
Specification