Sub-tree access control in network architectures

US 7,664,866 B2
Filed: 04/10/2007
Issued: 02/16/2010
Est. Priority Date: 04/10/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A system for access control in a directory by a requesting entity, comprising:

a security user; and

a security protocol adaptation module configured to;

review a data request from the requesting entity received in a directory operations server,locate a security rule pertaining to the requesting entity,modify the data request so that the data request appears to originate from the security user if such data request modification is set forth by the located security rule, andreturn the modified data request to the directory operations server, wherein the security user comprises a security permission set that determines access control to entries in the directory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A logical network directory database compliant with the X.500 standard for a directory data system is disclosed. The network directory database provides a source of subscriber and service data accessible by various control and management processes that require subscriber information. The network directory database may be extensible across various communications service providers and IT domain. Further, the disclosed network directory database may be applied to new and existing services, such as, IP Multimedia Subsystem, Unlicensed Mobile Access (UMA) and other IP services.

Citations

34 Claims

1. A system for access control in a directory by a requesting entity, comprising:
- a security user; and
  
  a security protocol adaptation module configured to;
  
  review a data request from the requesting entity received in a directory operations server,locate a security rule pertaining to the requesting entity,modify the data request so that the data request appears to originate from the security user if such data request modification is set forth by the located security rule, andreturn the modified data request to the directory operations server, wherein the security user comprises a security permission set that determines access control to entries in the directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, further comprising:
    - an access control unit configured to control access in the directory, wherein the requesting entity has no permissions for any entry in the directory.
  - 3. The system of claim 1 wherein the directory operations server forwards the modified data request to an access control unit configured to control access in the directory.
  - 4. The system of claim 3 wherein the access control unit is configured to control access in accordance with a standard protocol for access control.
  - 5. The system of claim 1 wherein locating the security rule pertaining to the requesting entity, comprises:
    - matching a name associated with the data request against a set of name prefixes to determine the security rule.
  - 6. The system of claim 5 wherein the determined security rule includes an associated action.
  - 7. The system of claim 6 wherein the associated action is one of “
    - respond with an error,”
      
      “
      
      log the operation attempt,” and
      
      “
      
      continue the data request as received, but assume a different user and/or authentication level for purposes of access control.”
  - 8. The system of claim 5 wherein determining the security rule comprises:
    - examining the name associated with the data request to determine a longest matching name in the set of name prefixes.
  - 9. The system of claim 1 wherein the security protocol adaptation module is further configured to locate a security rule from a first field in the data request and an identity of the requesting entity.
  - 10. The system of claim 1 wherein locating the security rule further comprises determining an alias dereferenced name for data of the data request such that the security protocol adaptation module can find the security rule pertaining to the data request.
  - 11. The system of claim 10, further comprising:
    - a name resolution module configured to determine a location for data in the directory by resolving a path to an entry containing the data using an original path and alias dereferencing instructions and further configured to report the alias dereferenced path to the security protocol adaptation module.
  - 12. The system of claim 1, wherein the security protocol adaptation module is configured to locate the security rule using contextual information.
  - 13. The system of claim 12 wherein the contextual information relates to a time of day and wherein the security protocol adaptation module is further configured to determine a time of day in order to select the security rule.
  - 14. The system of claim 1 wherein the data request comprises a chained data request wherein the security rule includes an instruction that results provided to the requesting entity are derived from an operation actually performed in a directory operations server local to the security protocol adaptation module.
  - 15. The system of claim 1 wherein the directory represents a first portion of a distributed directory and wherein the data request involves data found in a second portion of the distributed directory, the security protocol adaptation module further configured to control a chaining request for the data found in the second portion of the distributed directory.
  - 16. The system of claim 15 wherein the chained data request is a portion of a data request that further comprises another chained request, and wherein the security protocol adaptation module is further configured to:
    - modify the another chained data request to comprise at least one revised data request based on the security rule in parallel with modifying the chained data request to comprise an operation based on the security rule.
  - 17. The system of claim 1 wherein the data request comprises a variant data request, wherein the security protocol adaptation module forwards the data request to a variant processing unit comprising:
    - a data request receiver configured to receive the variant data request to perform an action on data in an attribute of a first entry at a first location in the directory provided by the requesting entity, wherein data for the attribute requested in the data request resides in a second entry at a second location in the directory;
      
      a location deriver configured to derive the second location in the directory for the data in the attribute of the variant data request using information associated with the first entry, wherein the location deriver performs the derivation at a point of access to/from a data storage mechanism for the directory; and
      
      a read/update module configured to find the data in the attribute of the data request at the second entry using the derived second location and perform the action on the data at the derived second location upon successful approval of the action by the security protocol adaptation module.

18. A method for access control in a directory by a requesting entity, comprising:
- reviewing in a security protocol adaptation module a data request from the requesting entity received in a directory operations server;
  
  locating by the security protocol adaptation module a security rule pertaining to the requesting entity;
  
  modifying by the security protocol adaptation module the data request so that the data request appears to originate from a security user if such data request modification is set forth by the located security rule; and
  
  returning the modified data request to the directory operations server, wherein the security user has a security permission set that determines access control to entries in the directory.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The method of claim 18 wherein the requesting entity itself has no permissions for any entry in the directory.
  - 20. The method of claim 18, further comprising forwarding by the directory operations server the modified data request to an access control unit configured to control access in the directory.
  - 21. The method of claim 20, further comprising controlling access to the directory by the access control unit in accordance with a standard protocol for access control.
  - 22. The method of claim 18 wherein locating the security rule pertaining to the requesting entity further comprises:
    - matching a name associated with the data request against a set of name prefixes to determine the security rule.
  - 23. The method of claim 22 wherein the determined security rule includes an associated action.
  - 24. The method of claim 23, further comprising performing the associated action by the security protocol adaptation module where the associated action is one of “
    - respond with an error,”
      
      “
      
      log the operation attempt,” and
      
      “
      
      continue the data request as received, but assume a different user and/or authentication level for purposes of access control.”
  - 25. The method of claim 22 wherein determining the security rule comprises:
    - examining the name associated with the data request to determine a longest matching name in the set of name prefixes.
  - 26. The method of claim 18, further comprising locating by the security protocol adaptation module the security rule from a first field in the data request and an identity of the requesting entity.
  - 27. The method of claim 18 wherein locating the security rule further comprises determining an alias dereferenced name for data of the data request such that the security protocol adaptation module can find the security rule pertaining to the data request.
  - 28. The method of claim 27, further comprising:
    - determining by a name resolution module a location for data in the directory by resolving a path to an entry containing the data using an original path and alias dereferencing instructions and further configured to report the alias dereferenced path to the security protocol adaptation module.
  - 29. The method of claim 18, locating, by the security protocol adaptation module, the security rule using contextual information.
  - 30. The method of claim 29 wherein the contextual information relates to a time of day, the method further comprising determining by the security protocol adaptation module a time of day in order to select the security rule.
  - 31. The method of claim 18 wherein the data request comprises a chained data request wherein the security rule includes an instruction that results provided to the requesting entity are derived from an operation actually performed in a directory operations server local to the security protocol adaptation module.
  - 32. The method of claim 18 wherein the directory represents a first portion of a distributed directory and wherein the data request involves data found in a second portion of the distributed directory, the method further comprising chaining, under control of the security protocol adaptation module, to the data found in the second portion of the distributed directory.
  - 33. The method of claim 32 wherein the chained data request is a portion of a data request that further comprises another chained request, the method further comprising:
    - modifying the another chained data request to comprise at least one revised data request based on the security rule in parallel with modifying the chained data request to comprise an operation based on the security rule.
  - 34. The method of claim 18 wherein data request comprises a variant data request, wherein the security protocol adaptation module forwards the data request to a variant processing unit whose operations comprise:
    - receiving the data request to perform an action on data in an attribute of a first entry at a first location in the directory provided by the requesting entity, wherein data for the attribute requested in the data request resides in a second entry at a second location in the directory;
      
      deriving the second location in the directory for the data in the attribute of the data request using information associated with the first entry, wherein the derivation is performed at a point of access to/from a data storage mechanism for the directory; and
      
      finding the data in the attribute of the data request at the second entry using the derived second location; and
      
      performing the action on the data at the derived second location upon successful approval of the action by the security protocol adaptation module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apertio Ltd. (Nokia Corporation)
Original Assignee
Apertio Ltd. (Nokia Corporation)
Inventors
Wakefield, Kevin
Primary Examiner(s)
Meky; Moustafa M

Application Number

US11/783,539
Publication Number

US 20080256250A1
Time in Patent Office

1,043 Days
Field of Search

709200-203, 709217-229, 707/1, 707/9, 713164-170
US Class Current

709/229
CPC Class Codes

H04L 61/4588 containing mobile subscribe...

H04L 63/104 Grouping of entities

Sub-tree access control in network architectures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Sub-tree access control in network architectures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links