Method for role and resource policy management optimization
Abstract
Methods are disclosed for authorization to adaptively control access to a resource in a resource hierarchy. At least one role for a principal is retrieved from the resource hierarchy or a first cache, based on whether the at least one role was previously retrieved from the resource hierarchy. A policy is retrieved from the resource hierarchy or a second cache, based on whether the policy was previously retrieved from the resource hierarchy. The policy is evaluated based on the at least one role, and a determination of whether to grant the principal access to the resource is made based on the evaluation of the policy.
28 Claims
1. A method for authorization to adaptively control access to a resource in a hierarchy of resources, comprising the steps of:
determining, by a computer system, a first set of one or more roles that are within scope of the resource from one of:
1) the hierarchy of resources; and
2) a first cache;
determining, by the computer system, a policy within scope of the resource from one of:
1) the hierarchy of resources; and
2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
determining, by the computer system, from the first set of roles, a third set of one or more roles that are satisfied by a principal;
providing, by the computer system, for an evaluation of the policy based on the third set of one or more roles;
determining, by the computer system, whether to grant the principal access to the resource based on the evaluation of the policy; and
granting, by the computer system, access to the resource if one or more roles from the third set of roles are in the second set of roles;
wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
Dependent claims 2 through 7 depend from claim 1 (not shown on this page).

8. A method for authorization to adaptively control access to a resource in a hierarchy of resources, comprising the steps of:
determining a first set of one or more roles that are within scope of the resource for a principal from one of:
1) a searchable hierarchically arranged plurality of roles; and
2) a first cache;
determining a policy within scope of the resource from one of:
1) the hierarchy of resources; and
2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies associated with resources in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
determining, from the first set of roles, a third set of one or more roles that are satisfied by the principal;
providing for an evaluation of the policy based on the third set of one or more roles;
determining whether to grant the principal access to the resource based on the evaluation of the policy; and
granting access to the resource if one or more roles from the third set of roles are in the second set of roles;
wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources; and
wherein the first cache and the second cache are different.
Dependent claims 9 through 14 depend from claim 8 (not shown on this page).

15. A computer system for authorization adapted for controlling access to a resource in a hierarchy of resources, comprising:
one or more processors;
object code executing on the one or more processors implementing:
at least one role-mapper to map a principal to a first set of one or more roles within scope of the resource, wherein a role in the first set of roles is retrieved from one of:
1) the hierarchy of resources; and
2) a first cache, wherein mapping includes determining whether or not the role is satisfied by the principal;
at least one authorizer coupled to the at least one role-mapper, the at least one authorizer being configured to determine if a policy is satisfied based on the first set of roles, wherein the policy within scope of the resource is retrieved from one of:
1) the hierarchy of resources; and
2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources; and
an adjudicator coupled to the at least one authorizer, the adjudicator being configured to render a decision based on the determination of the at least one authorizer, wherein access is granted to the resource if one or more roles in the first set of roles is in the second set of roles; and
wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources;
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
Dependent claims 16 through 21 depend from claim 15 (not shown on this page).

22. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
determine a first set of one or more roles that are within scope of a resource for a principal from one of:
1) a hierarchy of resources; and
2) a first cache;
determine a policy within scope of the resource from one of:
1) the hierarchy of resources; and
2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
determine a third set of one or more roles from the first set of roles that are satisfied by the principal;
provide for an evaluation of the policy based on the third set of one or more roles;
determine whether to grant the principal access to the resource based on the evaluation of the policy;
grant access to the resource if one or more roles from the third set of roles are in the second set of roles;
wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
Dependent claims 23 through 28 depend from claim 22 (not shown on this page).

Specification