Methods and apparatus for scoped role-based access control
First Claim
1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:
- receiving a request to access a resource by a subject;
controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, andwherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, andwherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role,wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role,wherein controlling access to the requested resource comprises;
determining if the requested resource is accessible by the subject based on a defined first scope;
determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope;
permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and
denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject,wherein controlling access is implemented by a computer.
0 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatus for providing role-based access control of a resource by a subject in an access control system are provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
-
Citations
20 Claims
-
1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:
-
receiving a request to access a resource by a subject; controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, and wherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, and wherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role, wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role, wherein controlling access to the requested resource comprises; determining if the requested resource is accessible by the subject based on a defined first scope; determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope; permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject, wherein controlling access is implemented by a computer. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. Apparatus for providing role-based access control of a resource by a subject in an access control system, comprising:
-
a memory; and at least one processor coupled to the memory and operative to; process of request to access a resource by a subject; control access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, and wherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, and wherein a second scope is defined to associate a set of one or more resources with as given permission set associated with a given role, wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role, wherein the at least one processor is operative to control access to the requested resource by; determining if the requested resource is accessible by the subject based on a defined first scope; determining if the requested resource is accessible by as role and an associated permission set associated with the subject based on a defined second scope; permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. An article of manufacture for providing role-based access control of a resource by a subject in an access control system, comprising a machine readable storage device containing one or more programs which when executed implement the steps of:
-
receiving a request to access as resource by a subject; controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, and wherein a first scope is defined to directly associate a set of one or more subjects with as given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, and wherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role, wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role, wherein controlling access to the requested resource comprises; determining if the requested resource is accessible by the subject based on a defined first scope; determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope; permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject.
-
-
18. A role-based access control system for controlling access to a plurality of resources, comprising:
-
a memory; and at least one processor coupled to the memory and operative to; define one or more roles capable of association with one or more subjects; define a plurality of permission sets, wherein one or more of the plurality of permission sets are associated with each of the one or more roles, wherein at least one role is associated with multiple permission sets wherein each permission set is bound to a set of different resources of the plurality of resources, and define one or more scopes that directly associate each of the plurality of resources with a set of one or more subjects, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined scopes; and control access to the plurality of resources, wherein each of the plurality of resources are associated with set of one or more subjects wherein a given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource such that multiple subjects having a same role can have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role. - View Dependent Claims (19, 20)
-
Specification