Policy-based method for configuring an access control service

US 8,024,771 B2
Filed: 09/19/2007
Issued: 09/20/2011
Est. Priority Date: 09/19/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing an access control list configuration request by a first control service using a first control specification language, and a second control service using a second control specification language, the method comprising steps of:

receiving the access control list configuration request from a configuration request handler;

providing the request to a first stand-alone control service using a high level programming language;

providing the request to a second stand-alone control service using a low level programming language;

receiving a decision on the request from each of the first and second control services; and

comparing the decisions to determine if they differ, wherein differing decisions indicate a need to modify the configuration of said access control list using said first control service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language includes steps of: receiving the request from a requestor; providing the request to the first and second control services; receiving a decision on the request from each of the first and second control services; and comparing the decisions. The first control specification language is an access control policy.

34 Citations

View as Search Results

35 Claims

1. A method for processing an access control list configuration request by a first control service using a first control specification language, and a second control service using a second control specification language, the method comprising steps of:
- receiving the access control list configuration request from a configuration request handler;
  
  providing the request to a first stand-alone control service using a high level programming language;
  
  providing the request to a second stand-alone control service using a low level programming language;
  
  receiving a decision on the request from each of the first and second control services; and
  
  comparing the decisions to determine if they differ, wherein differing decisions indicate a need to modify the configuration of said access control list using said first control service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising providing a notification to the requester if the two decisions differ.
  - 3. The method of claim 1, further comprising returning a response to the requester based on a comparison of the decisions of the two control services.
  - 4. The method of claim 1 wherein the first control specification language is an attribute-based access control policy.
  - 5. The method of claim 4 further comprising:
    - if the two decisions differ, modifying a control specification configuration of the second control service so that its decision agrees with the decision of the first control service.
  - 6. The method of claim 5 wherein modifying the control specification configuration of the second control service comprises first deleting said control specification configuration.
  - 7. The method of claim 6 further comprising providing a unique non-sequential identifier associated with the control specification configuration.
  - 8. The method of claim 7 wherein providing the unique identifier comprises:
    - creating a unique identifier;
      
      maintaining a log of all processed requests; and
      
      creating an association between the identifier, the access control policy, and the log of requests.
  - 9. The method of claim 8 further comprising restoring a previous control specification configuration associated with a particular identifier.
  - 10. The method of claim 9 further comprising:
    - retrieving the association for the particular identifier;
      
      using the access control policy associated with the particular identifier; and
      
      feeding the requests and associated decisions associated with the identifier in the process of configuring the second control service, for restoring a previous configuration associated with a particular identifier.
  - 11. The method of claim 4, wherein the second control service is IBM®
    - RACF®
      
      .
  - 12. The method of claim 4, wherein the policy is provided in an encoded form comprising an OASIS XACML standard.
  - 13. The method of claim 4, wherein the attribute-based access control policy is a sequestration policy.
  - 14. The method of claim 13, wherein the attribute-based access control policy is encoded using OASIS XACML standard privacy profile.
  - 15. The method of claim 6, further comprising:
    - configuring the second control service on a non-production instance of the first control service; and
      
      installing the configuration when it is complete onto a production instance of the first control service.
  - 16. The method of claim 15 further comprising:
    - associating a state of finished with the second control service configuration; and
      
      blocking all further updates to said configuration, for locking the control service configuration.
  - 17. The method of claim 15, further comprising:
    - marking the configuration as not-finished;
      
      processing additional system requests; and
      
      marking the configuration as finished when all desired system requests have been processed, for updating said configuration.
  - 18. The method of claim 17 further comprising a first user providing the above method for a second user.
  - 19. The method of claim 4 further comprising modifying the configuration of the second control service such that its decision will agree with that of the first control service.

20. A system configured for processing an access control list configuration request by a first control service using a first control specification language, and a second control service using a second control specification language, the system comprising:
- data storage configured for storing the first and second control specification languages;
  
  a database configured for creation, deletion, and modification of persistent data;
  
  memory comprising logic; and
  
  a processor operatively connected to said memory and configured to;
  
  receive the access control list configuration request from a configuration request handler;
  
  provide the request to a first stand-alone control service using high level programming language;
  
  provide the request to a second stand-alone control service using low level programming language;
  
  receive a decision on the request from each of the first and second control services; and
  
  compare the decisions to determine if they differ.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20 further comprising an input/output subsystem configured for providing a notification to the requester if the two decisions differ.
  - 22. The system of claim 20 wherein the first control specification language is an access control policy.
  - 23. The system of claim 22 further comprising a log of all processed requests.
  - 24. The system of claim 22 further comprising a table of subject-mappings between the access control policy terms and elements of the first control service.
  - 25. The system of claim 24 further comprising additional tables for action-mappings, and resource-mappings.
  - 26. The system of claim 22 wherein the storage is further configured for storing previous access control configurations.
  - 27. The system of claim 22 further comprising a non-production instance of the second control service for testing purposes.

28. A computer program product tangibly embodied on a non-transitory computer readable medium and comprising instructions that, when executed, enables a processor to:
- process a request by a first control service using a first control specification language, and a second control service using a second control specification language, the enable element comprising steps of;
  
  receiving the access control list configuration request from a configuration request handler;
  
  providing the request to a first stand-alone control service using a high level programming language;
  
  providing the request to a second stand-alone control service using a low level programming language;
  
  receiving a decision on the request from each of the first and second control services; and
  
  comparing the decisions to determine if they differ.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The computer program product of claim 28 wherein the first control specification language is an access control policy.
  - 30. The computer program product of claim 29 wherein the processor is further enabled to provide a unique identifier associated with the first control specification configuration.
  - 31. The computer program product of claim 30 wherein the processor is further enabled to:
    - maintain a log of all processed requests and the decisions made on those requests; and
      
      create an association between the unique identifier, the access control policy and the log.
  - 32. The computer program product of claim 31 wherein the processor is further enabled to restore a previous control specification configuration associated with the unique identifier, the restore element comprising steps of:
    - retrieving the access control policy associated with the unique identifier;
      
      retrieving the log of processed requests and decisions associated with the unique identifier; and
      
      providing the processed requests and decisions to the first control service to configure the first control service with the previous control specification configuration.
  - 33. The computer program product of claim 29 wherein the processor is further enabled to:
    - modify the second control specification configuration so that its decisions agree with the decisions of the first control service.
  - 34. The computer program product of claim 29 wherein the processor is further enabled to initialize the control specification configuration by setting the control service to deny all access requests.

35. A system for obtaining services for processing an access control list configuration request by a first control service using a first control specification language, and a second control service using a second control specification language, the system comprising:
- receiving the access control list configuration request from a configuration request handler;
  
  providing the access request to a first stand-alone control service using a high-level programming language ;
  
  providing the access request to a second stand-alone control service using a low-level programming language;
  
  receiving a decision on the access request from each of the first control services;
  
  comparing the decisions to determine if they differ, wherein differing decisions indicate a need to modify the configuration of said access control list using said first control service; and
  
  providing notification of the comparison to the requestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Webb, Alan Michael, Malkin, Peter Kenneth
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Jackson; Jenise E

Application Number

US11/857,952
Publication Number

US 20090077086A1
Time in Patent Office

1,462 Days
Field of Search

726/1, 726/16, 726/21, 713/167
US Class Current

726/1
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/6236   between heterogeneous systems

G06F 2221/2141   Access rights, e.g. capabil...

Policy-based method for configuring an access control service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based method for configuring an access control service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links