Method and system for generating user group identifiers

US 8,302,157 B2
Filed: 02/22/2010
Issued: 10/30/2012
Est. Priority Date: 10/21/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

generating a plurality of user-role relationships, whereinthe plurality of user-role relationships are generated for a set of entities,each entity of the set of entities represents one of a plurality of users,the each entity is assigned a role subset from a plurality of role subsets,each role subset of the plurality of role subsets comprises one or more roles from a set of roles,the plurality of user-role relationships define network access permitted to the each entity, andthe network access permitted to the each entity is based on the role subset assigned to the each entity; and

assigning a user group identifier to the each role subset of the plurality of role subsets.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for generating user group identifiers using a permissions matrix is disclosed. The permissions matrix includes an entry that is associated with a row and a column of the permissions matrix. The row of the permissions matrix is indexed with a first role and the column of the permissions matrix is indexed with a second role. A data structure implementing such a method can include, for example, a user group identifier matrix. Alternatively, a method is disclosed in which the expiration of a user group identifier is detected. In such a case, the user group identifier is updated by accessing a user group identifier matrix.

Citations

23 Claims

1. A computer-implemented method comprising:
- generating a plurality of user-role relationships, whereinthe plurality of user-role relationships are generated for a set of entities,each entity of the set of entities represents one of a plurality of users,the each entity is assigned a role subset from a plurality of role subsets,each role subset of the plurality of role subsets comprises one or more roles from a set of roles,the plurality of user-role relationships define network access permitted to the each entity, andthe network access permitted to the each entity is based on the role subset assigned to the each entity; and
  
  assigning a user group identifier to the each role subset of the plurality of role subsets.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, further comprising:
    - forming a role permissions list using the plurality of user-role relationships, whereinthe role permissions list defines an access control relationship for the each role subset of the plurality of role subsets.
  - 3. The computer-implemented method of claim 1, further comprising:
    - updating the plurality of role subsets, whereinthe plurality of role subsets is updated by eliminating redundant role subsets.

4. A computer-implemented method comprising:
- generating a user group identifier matrix, whereinthe user group identifier matrix comprises an entry,the entry is associated with a row and a column of the user group identifier matrix,the row of the user group identifier matrix is configured to be indexed according to a source user group identifier, andthe column of the user group identifier matrix is configured to be indexed according to a destination user group identifier; and
  
  accessing a user group permissions list, whereinthe user group permissions list is accessed using the entry in the user group identifier matrix.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The computer-implemented method of claim 4, whereinthe user group permissions list is generated by taking a Cartesian product of the source and destination user group identifiers.
  - 6. The computer-implemented method of claim 5, whereinthe Cartesian product of the source and destination user group identifiers is generated byreplacing the source and destination user group identifiers with a source and destination role subset, respectively, andtaking a Cartesian product of the source and destination role subsets to obtain a set of ordered pairs, whereineach ordered pair in the set of ordered pairs corresponds to an entry in a role permissions matrix.
  - 7. The computer-implemented method of claim 6, further comprising:
    - obtaining a role permissions list for the each ordered pair in the set of ordered pairs; and
      
      merging the role permissions list for the each ordered pair to form the user group permissions list.
  - 8. The computer-implemented method of claim 6, further comprising:
    - minimizing the set of ordered pairs.
  - 9. The computer-implemented method of claim 4, further comprising:
    - optimizing the user group identifier matrix, whereinthe user group identifier matrix is optimized bydetecting an expiration of at least one user group identifier, andupdating the at least one user group identifier within the user group identifier matrix.
  - 10. The computer-implemented method of claim 4, further comprising:
    - obtaining a user group identifier of a user upon authentication, wherein the user group identifier is a security group tag.
  - 11. The computer-implemented method of claim 4, further comprising:
    - determining security information for a packet, whereinthe security information for the packet is determined using the entry in the user group identifier matrix and the user group permissions list; and
      
      distributing the security information for the packet throughout a network.

12. A non-transitory computer program product comprising:
- a first set of instructions, executable on a computer system, configured to generate a user group identifier matrix, whereinthe user group identifier matrix comprises an entry,the entry is associated with a row and a column of the user group identifier matrix,the row of the user group identifier matrix is configured to be indexed according to a source user group identifier, andthe column of the user group identifier matrix is configured to be indexed according to a destination user group identifier;
  
  a second set of instructions, executable on the computer system, configured to access a user group permissions list, whereinthe user group permissions list is accessed using the entry in the user group identifier matrix; and
  
  a persistent computer readable media, wherein the non-transitory computer program product is encoded in the persistent computer readable media.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory computer program product of claim 12, further comprising:
    - a third set of instructions, executable on the computer system, configured to take a Cartesian product of the source and destination user group identifiers to generate the user group permissions list, wherein the third set of instructions comprises;
      
      a first subset of instructions, executable on the computer system, configured toreplace the source and destination user group identifiers with a source and destination role subset, respectively, andtake a Cartesian product of the source and destination role subsets to obtain a set of ordered pairs, whereineach ordered pair in the set of ordered pairs corresponds to an entry in a role permissions matrix.
  - 14. The non-transitory computer program product of claim 13, further comprising:
    - a fourth set of instructions, executable on the computer system, configured to obtain a role permissions list for the each ordered pair in the set of ordered pairs; and
      
      a fifth set of instructions, executable on the computer system, configured to merge the role permissions list for the each ordered pair to form the user group permissions list.
  - 15. The non-transitory computer program product of claim 12, further comprising:
    - a third set of instructions, executable on the computer system, configured to optimize the user group identifier matrix, wherein the third set of instructions comprises;
      
      a first subset of instructions, executable on the computer system, configured todetect an expiration of at least one user group identifier, anda second subset of instructions, executable on the computer system, configured to update the at least one user group identifier within the user group identifier matrix.
  - 16. The non-transitory computer program product of claim 12, further comprising:
    - a third set of instructions, executable on the computer system, configured to obtain a user group identifier of a user upon authentication, wherein the user group identifier is a security group tag.
  - 17. The non-transitory computer program product of claim 12, further comprising:
    - a third set of instructions, executable on the computer system, configured to determine security information for a packet, whereinthe security information for the packet is determined using the entry in the user group identifier matrix and the user group permissions list; and
      
      a fourth set of instructions, executable on the computer system, configured to distribute the security information for the packet throughout a network.

18. An apparatus comprising:
- means for generating a user group identifier matrix, whereinthe user group identifier matrix comprises an entry,the entry is associated with a row and a column of the user group identifier matrix,the row of the user group identifier matrix is configured to be indexed according to a source user group identifier, andthe column of the user group identifier matrix is configured to be indexed according to a destination user group identifier; and
  
  means for accessing a user group permissions list, whereinthe user group permissions list is accessed using the entry in the user group identifier matrix.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus of claim 18, further comprising:
    - means for taking a Cartesian product of the source and destination user group identifiers to generate the user group permissions list, wherein the means for taking the Cartesian product of the source and destination user group identifiers comprises;
      
      means for replacing the source and destination user group identifiers with a source and destination role subset, respectively, andmeans for taking a Cartesian product of the source and destination role subsets to obtain a set of ordered pairs, whereineach ordered pair in the set of ordered pairs corresponds to an entry in a role permissions matrix.
  - 20. The apparatus of claim 19, further comprising:
    - means for obtaining a role permissions list for the each ordered pair in the set of ordered pairs; and
      
      means for merging the role permissions list for the each ordered pair to form the user group permissions list.
  - 21. The apparatus of claim 18, further comprising:
    - means for optimizing the user group identifier matrix, wherein the means for optimizing the user group identifier matrix comprisesmeans for detecting an expiration of at least one user group identifier, andmeans for updating the at least one user group identifier within the user group identifier matrix.
  - 22. The apparatus of claim 18, further comprising:
    - means for obtaining a user group identifier of a user upon authentication, wherein the user group identifier is a security group tag.
  - 23. The apparatus of claim 18, further comprising:
    - means for determining security information for a packet, whereinthe security information for the packet is determined using the entry in the user group identifier matrix and the user group permissions list; and
      
      means for distributing the security information for the packet throughout a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US12/709,770
Publication Number

US 20110004923A1
Time in Patent Office

981 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

Method and system for generating user group identifiers

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for generating user group identifiers

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links