Role-based access in a multi-customer computing environment

US 8,336,078 B2
Filed: 07/11/2006
Issued: 12/18/2012
Est. Priority Date: 07/11/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing role-based access in a multi-customer computing environment, the method comprising:

receiving, by a computing device, a request from an actor to take action within the multi-customer computing environment;

determining, by the computing device, a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;

receiving, by the computing device, one value for each of the one or more context parameters assigned to the role based on the identification of the actor;

determining, by the computing device, a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;

determining, by the computing device, an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;

determining, by the computing device, a policy type based on the request from the actor and the actor'"'"'s role and the one or more context parameters assigned to actor;

populating, by the computing device, policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and

providing to the actor, by the computing device, an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An actor is associated with a role, a policy type is associated with the role, and a role scope is associated with the role. One or more values are received for one or more corresponding context parameters associated with the actor. A request for access to a resource is received from the actor. A policy instance is determined based on the policy type and the one or more values for the one or more corresponding context parameters associated with the actor. One or more actor-role scope values are determined based on the role scope and the one or more values for the one or more corresponding context parameters associated with the actor. A response to the request is determined based on the policy instance and the actor-role scope values.

Citations

20 Claims

1. A method for managing role-based access in a multi-customer computing environment, the method comprising:
- receiving, by a computing device, a request from an actor to take action within the multi-customer computing environment;
  
  determining, by the computing device, a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
  
  receiving, by the computing device, one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
  
  determining, by the computing device, a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
  
  determining, by the computing device, an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
  
  determining, by the computing device, a policy type based on the request from the actor and the actor'"'"'s role and the one or more context parameters assigned to actor;
  
  populating, by the computing device, policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
  
  providing to the actor, by the computing device, an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising generating, by the computing device, a role assignment record.
  - 3. The method of claim 2, wherein the role assignment record comprises the actor, the role, and the context parameters.
  - 4. The method of claim 2, wherein the role assignment record comprises the one or more actor-role scope values based on the role scope.
  - 5. The method of claim 1, wherein the request comprises a request to access a database, a system application, a document, or any combination thereof.
  - 6. The method of claim 1, wherein said actor comprises a user, a system account, a system application, a computing device, or any combination thereof.
  - 7. The method of claim 1 wherein the policy type includes an access control policy element, a data view/presentation policy element, a function performance/update operation policy element, or any combination thereof.
  - 8. The method of claim 1 wherein determining the policy instance comprises employing a hierarchical priority of the one or more of the context parameters.
  - 9. The method of claim 1 comprising defining, by the computing device, a default policy instance.
  - 10. The method of claim 9 wherein determining the policy instance comprises selecting the default policy instance when there is no match with the one or more of the context parameters.
  - 11. The method of claim 1 wherein the one or more context parameters constrains the role scope and the policy type.
  - 12. The method of claim 1 wherein determining a role scope for the role further comprises selecting the role scope from a set of role scopes that are available for the role.

13. A system for managing role-based access in a multi-customer computing environment, the system comprising:
- one or more servers configured to;
  
  receive a request from an actor to take action within the multi-customer computing environment;
  
  determine a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
  
  receive one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
  
  determine a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
  
  determine an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
  
  determine a policy type based on the request from the actor and the actor'"'"'s role and the one or more context parameters assigned to actor;
  
  populate policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
  
  provide to the actor an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the one or more servers are further configured to generate a role assignment record.
  - 15. The system of claim 14, wherein the role assignment record comprises the actor, the role, and the context parameters.
  - 16. The system of claim 14, wherein the role assignment record comprises the one or more actor-role scope values based on the role scope.
  - 17. The system of claim 13, wherein said resource comprises a database, a system application, a document, or any combination thereof.
  - 18. The system of claim 13, wherein said actor comprises a user, a system account, a system application, a computing device, or any combination thereof.
  - 19. The system of claim 13, wherein the policy type includes an access control policy element, a data view/presentation policy element, a function performance/update operation policy element, or any combination thereof.

20. A computer program product, tangibly embodied in a non-transitory machine-readable storage device, for managing role-based access in a multi-customer computing environment, the computer program product including instructions being operable to cause data processing apparatus to:
- receive a request from an actor to take action within the multi-customer computing environment;
  
  determine a role from one or more roles for the actor based on an identification of the actor, wherein each role is assigned a plurality of context parameters, each role is used by a plurality of customers, and the role that is determined can have a first policy element for the actor and a second policy element for a different actor, the first policy element and the second policy element are not the same;
  
  receive one value for each of the one or more context parameters assigned to the role based on the identification of the actor;
  
  determine a role scope for the role based on the one value of each of the one or more context parameters assigned to the actor;
  
  determine an actor-role scope value based on the role scope and the one value of each of the one or more context parameters assigned to the role;
  
  determine a policy type based on the request from the actor and the actor'"'"'s role and the one or more context parameters assigned to actor;
  
  populate policy elements of the policy type to form a policy instance with one or more values from the one or more context parameters assigned to the role; and
  
  provide to the actor an access permission for the first policy element or the second policy element so the actor can take action within the multi-customer computing environment based on the policy instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FMR LLC
Original Assignee
FMR Corporation (FMR LLC)
Inventors
Dixit, Royyuru, Hafeman, Joseph Edward, Vetrano, Paul Michael, Spellman, Timothy Prentiss
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
TURCHEN, JAMES R

Application Number

US11/484,842
Publication Number

US 20080016580A1
Time in Patent Office

2,352 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Role-based access in a multi-customer computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access in a multi-customer computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links