Techniques for providing role-based security with instance-level granularity
First Claim
1. A machine-implemented method to execute on a machine, comprising:
- detecting, by the machine, a request by a principal for access to a resource, access is conditioned on a status of a role associated with the request, the principal, and the resource, the role provides instance-level granularity for security permission assignments with respect to accessing the resource, the instance-level granularity represents instance-level data created by an application within a context manager and the instance-level data includes a name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, and parameter data passed by the principal in a call to the method;
- providing, by the machine via the context manager a processing environment within which the resource and the method process and the context manager providing transaction services, lifecycle management services, memory persistence, and security service, the context manager also informing the method of the request and the context manager providing a list of available roles for the principal back to the method that the method resolves within the context of the request, the processing environment provided by the context manager is a virtual machine overlaid on an operating system;
- evaluating, by the machine, a constraint associated with the role to determine the status, the constraint is an expression that evaluates to a percentage, the expression includes operators, values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint; and
- providing, by the machine, the status to the context manager, which decides whether to provide access to the resource for purposes of satisfying the request.
Abstract
Techniques for providing role-based security with instance-level granularity are provided. A security service detects a request made by a principal for access to a resource. Access to the resource is conditioned on a status of a role. The role is associated with the request, the principal, and the resource. The security service evaluates a constraint associated with the role to determine the status. The status is subsequently consumed to determine whether access to the resource for the purposes of satisfying the request is permissible.
23 Claims
1. Independent claim 1 is set out in full above under First Claim; claims 2 to 5 depend from it.
6. A machine-implemented method to execute on a machine, comprising:
- detecting, by the machine, a request made by a principal for access to a resource, access is contingent on a status of a role associated with the principal and a condition associated with the principal and the resource;
- statically defining, by the machine and via a context manager the role based on a configuration associated with an identity of the principal, the context manager is a virtual machine overlaid on an operating system;
- evaluating, by the machine, a constraint associated with the role to determine the status, the constraint is an expression that evaluates to a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint; and
- providing, by the machine, the status, the status is subsequently processed to resolve the condition and determine whether access to the resource for the purposes of satisfying the request is permissible.
Dependent claims: 7 to 12.
13. A machine-implemented system, comprising:
- a role;
- a constraint associated with the role; and
- a security service implemented in a machine-readable medium and to execute on a machine, the security service detects a request made by a principal for access to a resource, access is contingent on a status of the role and a condition associated with the principal and the resource, and the security service evaluates the constraint to determine the status, the constraint is an expression that evaluates to a percentage or a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint, and the security service provides the status to a context manager which controls access to the resource, the context manager statically defines the role based on a configuration associated with an identity of the principal, the context manager is a virtual machine overlaid on an operating system.
Dependent claims: 14 to 19.
20. A system, comprising:
- a context manager implemented in a machine-readable medium and to execute on a machine; and
- a security service implemented in a machine-readable medium and to execute on a machine, a principal makes a request for access to a resource within an environment of the context manager, the context manager is a virtual machine overlaid on an operating system, the security service detects the request and supplements a decision regarding access by at least one of resolving a role for the principal, evaluating a constraint associated with the role, the constraint is an expression that evaluates to a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint, and evaluating a condition associated with the principal and the resource, the security service communicates an access decision to the context manager in a manner recognized by the context manager, the context manager decides in response to its own independent decision and in response to the security service's access decision whether to grant access to the resource in order to satisfy the request of the principal, and the context manager statically defines the role based on a configuration associated with an identity of the principal.
Dependent claims: 21 to 23.
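The four independent claims describe one mechanism from different angles: a security service detects a request, resolves the principal's roles (global, or local to a single resource instance), evaluates each role's constraint expression over instance-level data (resource name, principal parameters, resource parameters, call parameters) to a percentage, and hands the status to a context manager that combines it with its own independent decision. The Python sketch below is an added example written for this page, not code from the patent or its assignee; the role names, the 50% threshold, the prefixed variable names, the frozen-resource rule and the sample requests are all assumptions. It evaluates constraints by walking the expression's syntax tree against a whitelist rather than calling eval(), because a constraint language that admits arbitrary function or method calls is otherwise a code-execution path for anyone who can author a role definition.

```python
# Added example for this page, not the patent's code: role-based access with constraint
# expressions evaluated over instance-level data. Names, threshold and sample data are assumed.
import ast
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional

# Whitelisted constraint language: arithmetic, comparisons, and/or, two functions.
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_FUNCS = {"min": min, "max": max}


def eval_constraint(expr: str, variables: dict) -> float:
    """Reduce a constraint to a percentage by walking its AST, never eval().
    Comparisons give 100.0/0.0, `and` takes the minimum, `or` the maximum.
    Attribute access (the claims' "method calls") is rejected, not whitelisted.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise KeyError(f"unknown variable {node.id!r}")
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
            return 100.0 if _CMP[type(node.ops[0])](walk(node.left), walk(node.comparators[0])) else 0.0
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return min(vals) if isinstance(node.op, ast.And) else max(vals)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in _FUNCS:
            return _FUNCS[node.func.id](*[walk(a) for a in node.args])
        raise ValueError(f"disallowed construct: {type(node).__name__}")
    return float(walk(ast.parse(expr, mode="eval")))


@dataclass
class Role:
    name: str
    constraint: str                  # expression evaluating to a percentage
    scope: str = "local"             # "global" covers every resource instance
    resource: Optional[str] = None   # the single instance a local role covers


@dataclass
class Request:
    principal: str
    resource: str
    method: str
    principal_params: dict
    resource_params: dict
    call_params: dict
    def instance_data(self) -> dict:
        """Instance-level data a constraint may reference: resource name plus prefixed params."""
        data = {"resource_name": self.resource, "method": self.method}
        for prefix, params in (("principal_", self.principal_params),
                               ("resource_", self.resource_params), ("arg_", self.call_params)):
            data.update({prefix + k: v for k, v in params.items()})
        return data


THRESHOLD = 50.0  # assumed: a role is in effect when its constraint is 50% or more


def security_status(assignments: Dict[str, List[Role]], req: Request) -> Dict[str, float]:
    """Security service: resolve the principal's applicable roles and score each one."""
    data = req.instance_data()
    return {r.name: eval_constraint(r.constraint, data)
            for r in assignments.get(req.principal, [])
            if r.scope == "global" or r.resource == req.resource}


def context_manager_grant(assignments, frozen, req: Request) -> bool:
    """Context manager: its own independent check first, then the service's status."""
    if req.resource in frozen:
        return False
    return any(p >= THRESHOLD for p in security_status(assignments, req).values())


def run_demo() -> Dict[str, bool]:
    roles = {"alice": [   # constructed sample assignments
        Role("auditor", "method == 'read'", scope="global"),
        Role("approver", "max(0, 100 - arg_amount * 100 / resource_limit) and principal_clearance >= 2",
             resource="invoice-42"),
    ]}
    frozen = {"invoice-99"}
    def req(principal, resource, method, amount):
        return Request(principal, resource, method, {"clearance": 3}, {"limit": 1000}, {"amount": amount})
    return {
        "alice reads 42":     context_manager_grant(roles, frozen, req("alice", "invoice-42", "read", 0)),
        "alice approves 500": context_manager_grant(roles, frozen, req("alice", "invoice-42", "approve", 500)),
        "alice approves 600": context_manager_grant(roles, frozen, req("alice", "invoice-42", "approve", 600)),
        "alice reads frozen": context_manager_grant(roles, frozen, req("alice", "invoice-99", "read", 0)),
    }
```

Calling run_demo() grants the read (the global auditor role is at 100%), grants the 500 approval (the local approver constraint comes out at exactly 50%, the assumed threshold), denies the 600 approval (40%), and denies the read of the frozen resource even though the auditor role would pass, which is the context manager's independent decision overriding the security service. The claims list method calls among the permitted expression elements; this sketch rejects attribute access outright, and a real implementation should admit only named methods on a fixed set of objects rather than resolving them dynamically.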
Specification