Unified management policy
Abstract
Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute the one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed.
19 Claims
1. In a computing environment, a method of defining a unified management policy expression for expressing an access control policy controlling operations on resources and execution of events or workflows, the method comprising:

storing access control information that defines permissions for access to resources based on one or more entities and one or more operations requested by the one or more entities;

storing events or workflows that are executed in response to the one or more operations being allowed on resources by one or more entities and one or more operations requested by the one or more entities, wherein storing events or workflows comprises storing the events or workflows in a same definition as the access control information in unified management policy rules;

receiving a request to execute the one or more operations on one or more objects;

calculating one or more of the unified management policy rules that apply for a given request and verifying the access control information against the request, wherein verifying comprises performing a single retrieval, retrieving both the access control information and the events or workflows, and wherein the unified management policy rules include one or more rules that are reflexive such that calculating the one or more of the applicable unified management policy rules comprises determining that a particular requestor is defined in a rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object of the one or more objects; and

executing the workflows defined in the definition.

Dependent claims: 2 to 12.

13. In a computing environment, a tangible computer readable storage device having stored thereon a data structure including a definition of unified management policy, the unified management policy including provisions for unified management policy controlling access to resources and resultant actions, the tangible computer readable storage device comprising:

a condition definition, wherein the condition definition defines when the unified management policy is applicable, and wherein the condition definition comprises:

a first field comprising data stored on the computer readable storage device, the first field comprising a definition of one or more principals to whom a rule applies when performing one or more requested actions, wherein the definition of one or more principals to whom a rule applies when performing one or more actions is part of a definition of the unified management policy;

a second field comprising data stored on the computer readable storage device, the second field comprising a definition of the one or more requested actions, wherein the definition of the one or more requested actions is part of the definition of the unified management policy;

a third field comprising data stored on the computer readable storage device, the third field including attribute information defining the attributes on which the one or more principals perform the one or more actions;

a fourth field comprising data stored on the computer readable storage device, the fourth field including resource information defining the resources on which the one or more principals perform the one or more actions; and

a fifth field comprising data stored on the computer readable storage device, the fifth field including Grant right Boolean information indicating that permission will be granted to the principals to perform the actions; and

an event definition, wherein the event definition comprises a definition of what occurs when conditions in the condition definition are met, and wherein the event definition comprises:

a sixth field comprising data stored on the computer readable storage device, the sixth field comprising a definition of an action workflow that is executed when the conditions in the condition definition are met, wherein the definition of the action workflow is part of the definition of the unified management policy,

wherein the unified management policy includes one or more rules that are reflexive such that calculating one or more unified management policy rules that apply for a given request comprises determining that a particular requestor is defined in a rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object.

Dependent claims: 14 to 17.

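The following is an added illustration, not code from the patent or its assignee, of the rule shape set out in claim 13 and the single-pass evaluation of claim 1: each rule carries the six fields (principals, actions, attributes, resources, Grant Boolean, workflow), and one pass over the rule store yields both the access decision and the workflows to run. The "reflexive" principal definitions (the target user itself, or the target's manager) are resolved at request time from the relationship between requestor and target object rather than from a static identity list. All rule names, attribute names, workflow names and user records below are constructed for the example, and the deny-overrides combining strategy is an assumption of this code, not something the claims specify.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Resource:
    """A constructed directory object: a user record with attributes."""
    id: str
    type: str
    attrs: Dict[str, str]

# A principal definition is a predicate over (requestor, target). Static
# definitions ignore the target; reflexive ones derive the principal from
# the requestor's relationship to the target object (claim 1, claim 13).
PrincipalDef = Callable[[str, Resource], bool]

def static(*ids: str) -> PrincipalDef:
    return lambda requestor, target: requestor in ids

def reflexive_self() -> PrincipalDef:
    # The requestor is the very user object being acted on.
    return lambda requestor, target: target.type == "user" and target.id == requestor

def reflexive_manager() -> PrincipalDef:
    # The requestor is whoever the target's "manager" attribute names.
    return lambda requestor, target: target.attrs.get("manager") == requestor

@dataclass
class UnifiedRule:
    """One unified management policy rule: condition fields 1-5 plus event field 6."""
    name: str
    principals: PrincipalDef        # field 1: to whom the rule applies
    actions: frozenset              # field 2: requested actions
    attributes: frozenset           # field 3: attributes acted on ("*" = any)
    resource_types: frozenset       # field 4: resources acted on
    grant: bool                     # field 5: Grant right Boolean
    workflows: Tuple[str, ...] = () # field 6: action workflows run on match

@dataclass
class Request:
    requestor: str
    action: str
    attribute: str
    target: Resource

@dataclass
class Decision:
    allowed: bool
    matched: List[str]
    workflows: List[str]

def evaluate(rules: List[UnifiedRule], req: Request) -> Decision:
    """Single retrieval: one pass over the rule store produces both the
    access decision and the workflows attached to the matching rules."""
    matched = [r for r in rules
               if req.action in r.actions
               and req.target.type in r.resource_types
               and ("*" in r.attributes or req.attribute in r.attributes)
               and r.principals(req.requestor, req.target)]
    # Assumed combining strategy: no match denies, and any matching rule
    # with grant=False overrides grants (deny-overrides).
    allowed = bool(matched) and all(r.grant for r in matched)
    # Workflows run only when the operation is allowed, as claim 1 states.
    workflows = [w for r in matched for w in r.workflows] if allowed else []
    return Decision(allowed, [r.name for r in matched], workflows)

# Constructed rule store.
RULES = [
    UnifiedRule("self-service-contact", reflexive_self(), frozenset({"modify"}),
                frozenset({"email", "phone"}), frozenset({"user"}), True,
                ("notify-user",)),
    UnifiedRule("manager-edits-title", reflexive_manager(), frozenset({"modify"}),
                frozenset({"title"}), frozenset({"user"}), True,
                ("require-approval", "audit-log")),
    UnifiedRule("helpdesk-reads", static("helpdesk"), frozenset({"read"}),
                frozenset({"*"}), frozenset({"user"}), True, ()),
    UnifiedRule("manager-attr-locked", lambda r, t: True, frozenset({"modify"}),
                frozenset({"manager"}), frozenset({"user"}), False, ()),
]

def demo() -> Tuple[Decision, Decision, Decision, Decision]:
    alice = Resource("alice", "user", {"manager": "bob", "email": "a@example.test"})
    self_edit = evaluate(RULES, Request("alice", "modify", "email", alice))
    stranger_edit = evaluate(RULES, Request("carol", "modify", "email", alice))
    manager_edit = evaluate(RULES, Request("bob", "modify", "title", alice))
    locked_edit = evaluate(RULES, Request("bob", "modify", "manager", alice))
    return self_edit, stranger_edit, manager_edit, locked_edit

if __name__ == "__main__":
    for d in demo():
        print(d)
```

The same rule object answers both questions a request raises: the two reflexive rules match only because of who the requestor is relative to the target record, and the workflows returned alongside the grant are the ones stored in the matching rule, so no second lookup is needed to find them.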
18. In a computing environment, a method of defining a unified management policy expression for access control and events or workflows, the method comprising:

receiving user input at a computer implemented user interface selecting one or more principals;

receiving user input at a computer implemented user interface selecting one or more operations to be performed on one or more objects by the one or more principals;

receiving user input at a computer implemented user interface selecting one or more attributes of the one or more resources, the attributes being attributes that the one or more principals perform the one or more operations on;

receiving user input at a computer implemented user interface defining one or more workflows that are performed if conditions of the unified management policy rule are met;

defining one or more unified policy rules for the one or more operations, the unified policy rules controlling access to resources, wherein defining unified policy rules comprises defining access control rules including workflows that are executed; and

storing the one or more unified management policy rules, including the workflows that are executed in response to the one or more operations being requested, wherein storing events or workflows comprises storing the events or workflows in a same definition as the unified management policy information on a computer readable medium among a collection of unified management policy rules, wherein the one or more unified management policy rules include at least one rule that is reflexive such that calculating a unified management policy rule that applies for a given request comprises determining that a particular requestor is defined in the rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object.

Dependent claim: 19.