Access control decision method and system

US 7,856,448 B2
Filed: 02/14/2008
Issued: 12/21/2010
Est. Priority Date: 02/14/2008
Status: Expired due to Fees

First Claim

Patent Images

1. An access control method comprising:

enabling, by a computing system for a requestor, access to said computing system, wherein said computing system comprises a memory system, wherein said memory system comprises group based access control data and computing resource data, wherein said group based access control data and said computing resource data are organized based on an extensible markup language (XML) schema, wherein said XML schema comprises a recursive format used to support a plurality of branch levels in a resource tree, wherein said XML schema defines nodes defining element types labeled as ResourceTree, ResourceTreeGroup, ResourceTreeItemT, and ResourceTreeItem, and wherein said computing resource data comprises object identifiers associated with said computing resource data;

associating, by said computing system in response to said enabling, first group data of said group based access control data with said requestor, wherein said first group data comprises a specified group to which said requestor belongs;

receiving, by said computing system from said requestor, a first request for accessing said computing resource data, wherein said first request for accessing said computing resource data comprises a request for retrieving a list of application resource items;

associating, by said computing system in response to said first request, said first group data with a first group of computing resources of said computing resource data;

generating, by said computing system, a first list comprising attribute values for said first group of computing resources, wherein said attribute values are associated with an XML string that conforms to said XML schema;

determining, by said computing system, an access control decision associated with said first request and specified by an object identifier of said object identifiers, said group based access control data, and said requestor;

applying, by said computing system, said access control decision to said first list, wherein said access control decision indicates whether the requested resource data is allowed to be accessed by said requestor; and

presenting, by said computing system to said requestor, said first access control decision.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control method and system. The method includes enabling, by a computing system for a requester, access to the computing system. The computing system comprises group based access control data and computing resource data organized based on an XML schema that comprises a recursive format used to support a plurality of branch levels in a resource tree. The computing system associates first group data of the group based access control data with the requester. The computing system receives a request from the requester to access the computing resource data. The computing system determines an access control decision associated with the request to access the computing resource data. The computing system presents the access control decision to the requester.

Citations

23 Claims

1. An access control method comprising:
- enabling, by a computing system for a requestor, access to said computing system, wherein said computing system comprises a memory system, wherein said memory system comprises group based access control data and computing resource data, wherein said group based access control data and said computing resource data are organized based on an extensible markup language (XML) schema, wherein said XML schema comprises a recursive format used to support a plurality of branch levels in a resource tree, wherein said XML schema defines nodes defining element types labeled as ResourceTree, ResourceTreeGroup, ResourceTreeItemT, and ResourceTreeItem, and wherein said computing resource data comprises object identifiers associated with said computing resource data;
  
  associating, by said computing system in response to said enabling, first group data of said group based access control data with said requestor, wherein said first group data comprises a specified group to which said requestor belongs;
  
  receiving, by said computing system from said requestor, a first request for accessing said computing resource data, wherein said first request for accessing said computing resource data comprises a request for retrieving a list of application resource items;
  
  associating, by said computing system in response to said first request, said first group data with a first group of computing resources of said computing resource data;
  
  generating, by said computing system, a first list comprising attribute values for said first group of computing resources, wherein said attribute values are associated with an XML string that conforms to said XML schema;
  
  determining, by said computing system, an access control decision associated with said first request and specified by an object identifier of said object identifiers, said group based access control data, and said requestor;
  
  applying, by said computing system, said access control decision to said first list, wherein said access control decision indicates whether the requested resource data is allowed to be accessed by said requestor; and
  
  presenting, by said computing system to said requestor, said first access control decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said computing resource data is organized using a hierarchal ranking format.
  - 3. The method of claim 1, wherein said first request comprises a request for generating said access control decision.
  - 4. The method of claim 1, wherein said requestor comprises an entity selected from the group consisting of a person and a software application.
  - 5. The method of claim 1, wherein said XML schema defines leaf nodes comprising attributes defined by said attribute values, and wherein said attributes comprise a mandatory ID attribute and a mandatory label attribute.
  - 6. The method of claim 1, wherein said attribute values define a optional description attribute and an optional ShortCutKeys attribute.
  - 7. The method of claim 1, wherein said computing system comprises parsing logic, wherein said XML schema defines leaf nodes comprising first attributes defined by said attribute values, wherein said parsing logic performs said associating said first group data with said first group of computing resources, and wherein said first attributes comprise attributes selected from the group consisting of an ID attribute, a label attribute, a description attribute, and a ShortCutKeys attribute.
  - 8. The method of claim 1, wherein said determining comprises comparing a first object identifier of said object identifiers to said first list.
  - 9. The method of claim 1, wherein said computing system comprises Boolean expression evaluation logic and a Boolean expression, and wherein said determining comprises:
    - inserting, by said computing system, said attribute values into said Boolean expression;
      
      executing said Boolean expression evaluation logic on said Boolean expression comprising said attribute values; and
      
      calculating, by said Boolean expression evaluation logic in response to said executing, a response value associated with said first request, wherein said response value comprises a value of yes, true, or 1 if said requestor is allowed to access an associated computing resource of said computing resources, and wherein said response value comprises a value of no, false, or 0 if said requestor is not allowed to access said associated computing resource of said computing resources.

10. A computing system comprising a processor coupled to a computer-readable memory unit, said memory unit comprising instructions that when executed by the processor implements an access control method, said method comprising:
- enabling, by said computing system for a requestor, access to said computing system, wherein said memory unit comprises group based access control data and computing resource data, wherein said group based access control data and said computing resource data are organized based on an extensible markup language (XML) schema, wherein said XML schema comprises a recursive format used to support a plurality of branch levels in a resource tree, wherein said XML schema defines nodes defining element types labeled as ResourceTree, ResourceTreeGroup, ResourceTreeItemT, and ResourceTreeItem, and wherein said computing resource data comprises object identifiers associated with said computing resource data;
  
  associating, by said computing system in response to said enabling, first group data of said group based access control data with said requestor, wherein said first group data comprises a specified group to which said requestor belongs;
  
  receiving, by said computing system from said requestor, a first request for accessing said computing resource data, wherein said first request for accessing said computing resource data comprises a request for retrieving a list of application resource items;
  
  associating, by said computing system in response to said first request, said first group data with a first group of computing resources of said computing resource data;
  
  generating, by said computing system, a first list comprising attribute values for said first group of computing resources, wherein said attribute values are associated with an XML string that conforms to said XML schema;
  
  determining, by said computing system, an access control decision associated with said first request and specified by an object identifier of said object identifiers, said group based access control data, and said requestor;
  
  applying, by said computing system, said access control decision to said first list, wherein said access control decision indicates whether the requested resource data is allowed to be accessed by said requestor; and
  
  presenting, by said computing system to said requestor, said first access control decision.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computing system of claim 10, wherein said computing resource data is organized using a hierarchal ranking format.
  - 12. The computing system of claim 10, wherein said first request comprises a request for generating said access control decision.
  - 13. The computing system of claim 10, wherein said requestor comprises an entity selected from the group consisting of a person and a software application.
  - 14. The computing system of claim 10, wherein said XML schema defines leaf nodes comprising attributes defined by said attribute values, and wherein said attributes comprise a mandatory ID attribute and a mandatory label attribute.
  - 15. The computing system of claim 10, wherein said computing system comprises parsing logic, wherein said XML schema defines leaf nodes comprising first attributes defined by said attribute values, wherein said parsing logic performs said associating said first group data with said first group of computing resources, and wherein said first attributes comprise attributes selected from the group consisting of an ID attribute, a label attribute, a description attribute, and a ShortCutKeys attribute.
  - 16. The computing system of claim 10, wherein said determining comprises comparing a first object identifier of said object identifiers to said first list.
  - 17. The computing system of claim 10, wherein said computing system comprises Boolean expression evaluation logic and a Boolean expression, and wherein said determining comprises:
    - inserting, by said computing system, said attribute values into said Boolean expression;
      
      executing said Boolean expression evaluation logic on said Boolean expression comprising said attribute values; and
      
      calculating, by said Boolean expression evaluation logic in response to said executing, a response value associated with said first request, wherein said response value comprises a value of yes, true, or 1 if said requestor is allowed to access an associated computing resource of said computing resources, and wherein said response value comprises a value of no, false, or 0 if said requestor is not allowed to access said associated computing resource of said computing resources.

18. A computer program product, comprising a computer readable memory unit comprising a computer readable program code embodied therein, said computer readable program code adapted to implement an access control method within a computing system comprising said computer readable memory unit, said method comprising:
- enabling, by said computing system for a requestor, access to said computing system, wherein said computer readable medium comprises group based access control data and computing resource data, wherein said group based access control data and said computing resource data are organized based on an extensible markup language (XML) schema, wherein said XML schema comprises a recursive format used to support a plurality of branch levels in a resource tree, wherein said XML schema defines nodes defining element types labeled as ResourceTree, ResourceTreeGroup, ResourceTreeItemT, and ResourceTreeItem, and wherein said computing resource data comprises object identifiers associated with said computing resource data;
  
  associating, by said computing system in response to said enabling, first group data of said group based access control data with said requestor, wherein said first group data comprises a specified group to which said requestor belongs;
  
  receiving, by said computing system from said requestor, a first request for accessing said computing resource data, wherein said first request for accessing said computing resource data comprises a request for retrieving a list of application resource items;
  
  associating, by said computing system in response to said first request, said first group data with a first group of computing resources of said computing resource data;
  
  generating, by said computing system, a first list comprising attribute values for said first group of computing resources, wherein said attribute values are associated with an XML string that conforms to said XML schema;
  
  determining, by said computing system, an access control decision associated with said first request and specified by an object identifier of said object identifiers, said group based access control data, and said requestor;
  
  applying, by said computing system, said access control decision to said first list, wherein said access control decision indicates whether the requested resource data is allowed to be accessed by said requestor; and
  
  presenting, by said computing system to said requestor, said first access control decision.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18, wherein said determining comprises comparing a first object identifier of said object identifiers to said first list.
  - 20. The computer program product of claim 18, wherein said computing system comprises Boolean expression evaluation logic and a Boolean expression, and wherein said determining comprises:
    - inserting, by said computing system, said attribute values into said Boolean expression;
      
      executing said Boolean expression evaluation logic on said Boolean expression comprising said attribute values; and
      
      calculating, by said Boolean expression evaluation logic in response to said executing, a response value associated with said first request, wherein said response value comprises a value of yes, true, or 1 if said requestor is allowed to access an associated computing resource of said computing resources, and wherein said response value comprises a value of no, false, or 0 if said requestor is not allowed to access said associated computing resource of said computing resources.

21. A process for supporting computer infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable code in a computing system comprising a computer-readable memory unit, wherein the code in combination with the computing system is capable of performing an access control method, said method comprising:
- enabling, by said computing system for a requestor, access to said computing system, wherein said computing system comprises a memory system, wherein said memory system comprises group based access control data and computing resource data, wherein said group based access control data and said computing resource data are organized based on an extensible markup language (XML) schema, wherein said XML schema comprises a recursive format used to support a plurality of branch levels in a resource tree, wherein said XML schema defines nodes defining element types labeled as labeled as ResourceTree, ResourceTreeGroup, ResourceTreeItemT, and ResourceTreeItem, and wherein said computing resource data comprises object identifiers associated with said computing resource data;
  
  associating, by said computing system in response to said enabling, first group data of said group based access control data with said requestor, wherein said first group data comprises a specified group to which said requestor belongs;
  
  receiving, by said computing system from said requestor, a first request for accessing said computing resource data, wherein said first request for accessing said computing resource data comprises a request for retrieving a list of application resource items;
  
  associating, by said computing system in response to said first request, said first group data with a first group of computing resources of said computing resource data;
  
  generating, by said computing system, a first list comprising attribute values for said first group of computing resources, wherein said attribute values are associated with an XML string that conforms to said XML schema;
  
  determining, by said computing system, an access control decision associated with said first request and specified by an object identifier of said object identifiers, said group based access control data, and said requestor;
  
  applying, by said computing system, said access control decision to said first list, wherein said access control decision indicates whether the requested resource data is allowed to be accessed by said requestor; and
  
  presenting, by said computing system to said requestor, said first access control decision.
- View Dependent Claims (22, 23)
- - 22. The process of claim 21, wherein said determining comprises comparing a first object identifier of said object identifiers to said first list.
  - 23. The process of claim 22, wherein said computing system comprises Boolean expression evaluation logic and a Boolean expression, and wherein said determining comprises:
    - inserting, by said computing system, said attribute values into said Boolean expression;
      
      executing said Boolean expression evaluation logic on said Boolean expression comprising said attribute values; and
      
      calculating, by said Boolean expression evaluation logic in response to said executing, a response value associated with said first request, wherein said response value comprises a value of yes, true, or 1 if said requestor is allowed to access an associated computing resource of said computing resources, and wherein said response value comprises a value of no false, or 0 if said requestor is not allowed to access said associated computing resource of said computing resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sheehan, Alexander Brantley
Primary Examiner(s)
LU, CHARLES EDWARD

Application Number

US12/030,956
Publication Number

US 20090210421A1
Time in Patent Office

1,041 Days
Field of Search

707/786, 707/781, 707/783
US Class Current

707/783
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Access control decision method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Access control decision method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links