Methods and apparatus for scoped role-based access control

US 8,458,337 B2
Filed: 06/09/2008
Issued: 06/04/2013
Est. Priority Date: 06/30/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:

receiving a request to access a resource by a subject;

controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, andwherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, andwherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role,wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role,wherein controlling access to the requested resource comprises;

determining if the requested resource is accessible by the subject based on a defined first scope;

determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope;

permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and

denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject,wherein controlling access is implemented by a computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing role-based access control of a resource by a subject in an access control system are provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.

Citations

20 Claims

1. A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:
- receiving a request to access a resource by a subject;
  
  controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, andwherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, andwherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role,wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role,wherein controlling access to the requested resource comprises;
  
  determining if the requested resource is accessible by the subject based on a defined first scope;
  
  determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope;
  
  permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and
  
  denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject,wherein controlling access is implemented by a computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the step of determining if the requested resource is accessible by the subject comprises the step of determining if the subject is included in a table of one or more subjects that may access the resource.
  - 3. The method of claim 2, wherein the table of one or more subjects is implemented using at least one of a distributed relation database and a distributed hashing table.
  - 4. The method of claim 2, wherein the table of one or more subjects is maintained by at least one of the access control system and the resource.
  - 5. The method of claim 1, wherein the step of determining if the requested resource is accessible by a role and an associated permission set associated with the subject comprises the step of determining if the role and the associated permission set of the subject are included in a table of one or more role-permission pairs that may access the resource.
  - 6. The method of claim 5, wherein each role-permission pair defines at least one action performable by an associated subject on the resource.
  - 7. The method of claim 5, wherein the table of role-permission pairs is implemented using at least one of a distributed relation database and a distributed hashing table.
  - 8. The method of claim 5, wherein the table of one or more role-permission pairs is maintained by at least one of the access control system and the resource.
  - 9. The method of claim 1, wherein the step of determining if the requested resource is accessible by the subject comprises the step of determining if the subject is included in a table of subject-role-permission sets, and wherein the step of determining if the requested resource is accessible by a role and an associated permission set associated with the subject comprises the step of determining if the role and the associated permission set of the subject are included in a table of subject-role-permission sets.

10. Apparatus for providing role-based access control of a resource by a subject in an access control system, comprising:
- a memory; and
  
  at least one processor coupled to the memory and operative to;
  
  process of request to access a resource by a subject;
  
  control access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, andwherein a first scope is defined to directly associate a set of one or more subjects with a given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, andwherein a second scope is defined to associate a set of one or more resources with as given permission set associated with a given role,wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role,wherein the at least one processor is operative to control access to the requested resource by;
  
  determining if the requested resource is accessible by the subject based on a defined first scope;
  
  determining if the requested resource is accessible by as role and an associated permission set associated with the subject based on a defined second scope;
  
  permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and
  
  denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if the subject is included in a table of one or more subjects that may access the resource.
  - 12. The apparatus of claim 11, wherein the table of one or more subjects is implemented using at least one of a distributed relation database and a distributed hashing table.
  - 13. The apparatus of claim 11, wherein the table of one or more subjects is maintained by at least one of the access control system and the resource.
  - 14. The apparatus of claim 10, wherein the operation of determining if the requested resource is accessible by a role and an associated permission set associated with the subject comprises the operation of determining if the role and the associated permission set of the subject is included in a table of one or more role-permission pairs that may access the resource.
  - 15. The apparatus of claim 14, wherein each role-permission pair defines at least one action performable by an associated subject on the resource.
  - 16. The apparatus of claim 10, wherein the operation of determining if the requested resource is accessible by the subject comprises the operation of determining if the subject is included in a table of subject-role-permission sets and wherein the step of determining if the requested resource is accessible by a role and an associated permission set associated with the subject comprises the step of determining if the role and the associated permission set of the subject are included in a table of subject-role-permission sets.

17. An article of manufacture for providing role-based access control of a resource by a subject in an access control system, comprising a machine readable storage device containing one or more programs which when executed implement the steps of:
- receiving a request to access as resource by a subject;
  
  controlling access to the requested resource by a scoped role-based access control system, wherein the scoped role-based access control system defines a plurality of roles, wherein at least one role is associated with multiple permission sets wherein each permission set associated with a given role is bound to a set of different resources, andwherein a first scope is defined to directly associate a set of one or more subjects with as given resource, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined first scopes, andwherein a second scope is defined to associate a set of one or more resources with a given permission set associated with a given role,wherein the defined first and second scopes allow multiple subjects having a same role to have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role,wherein controlling access to the requested resource comprises;
  
  determining if the requested resource is accessible by the subject based on a defined first scope;
  
  determining if the requested resource is accessible by a role and an associated permission set associated with the subject based on a defined second scope;
  
  permitting access control of the requested resource by the subject when the requested resource is determined to be accessible by both the subject and the role and the associated permission set associated with the subject; and
  
  denying access control of the requested resource by the subject when the requested resource is determined to not be accessible by either the subject or the role and the associated permission set associated with the subject.

18. A role-based access control system for controlling access to a plurality of resources, comprising:
- a memory; and
  
  at least one processor coupled to the memory and operative to;
  
  define one or more roles capable of association with one or more subjects;
  
  define a plurality of permission sets, wherein one or more of the plurality of permission sets are associated with each of the one or more roles, wherein at least one role is associated with multiple permission sets wherein each permission set is bound to a set of different resources of the plurality of resources, anddefine one or more scopes that directly associate each of the plurality of resources with a set of one or more subjects, wherein multiple subjects having a same role can be assigned access to different resources associated with the same role based on different defined scopes; and
  
  control access to the plurality of resources, wherein each of the plurality of resources are associated with set of one or more subjects wherein a given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource such that multiple subjects having a same role can have a different set of permissions associated with said same role against different sets of resources associated with the different sets of permissions of said same role.
- View Dependent Claims (19, 20)
- - 19. The role-based access control system of claim 18, wherein each of the plurality of permission sets comprise one or more actions that may be performed on a resource.
  - 20. The role-based access control system of claim 18, wherein a first subject of the one or more subjects and a second subject of the one or more subjects are both associated with a same role of the one or more roles but are associated with differing permission sets associated with the same role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Corley, Carole Rhoads, Lobo, Jorge, Vassberg, Lorraine Phyllis, Wang, Xiping
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
SHAW, ROBERT A

Application Number

US12/135,535
Publication Number

US 20080243856A1
Time in Patent Office

1,821 Days
Field of Search

709/229, 707781-788
US Class Current

709/227
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

Methods and apparatus for scoped role-based access control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for scoped role-based access control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links