Method for delegated administration

  • US 8,831,966 B2
  • Filed: 02/14/2003
  • Issued: 09/09/2014
  • Est. Priority Date: 02/14/2003
  • Status: Active Grant
First Claim
1. A method for processing administration and delegation requests for resources in a hierarchically arranged plurality of computing resources using role-based validation and enforcement, the method comprising:

  • providing, at a computer system, a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein:
    • the first role is hierarchically superior to the second role; and
    • the second role is hierarchically superior to the third role;
  • providing the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein:
    • the first resource is hierarchically superior to the second resource;
    • the first resource is associated with a plurality of capabilities comprising:
      • an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
      • a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
    • the second resource is associated with an admin capability of the second computing resource;
  • receiving, at the computer system and from a first principal associated with the first role, a request to delegate the admin capability of the first resource to the third role;
  • delegating, at the computer system, the admin capability of the first resource to the third role based at least in part on a determination that:
    • (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
    • (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
  • receiving, at the computer system and from a second principal, a request to use the admin capability of the second resource in a second context;
  • determining, at the computer system, that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
  • determining that the second resource is not associated with any of the hierarchically arranged plurality of roles;
  • traversing up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
  • allowing the second principal to use the admin capability of the second resource based on a determination that:
    • (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
    • (2) the admin capability of the first resource has been delegated to the third role; and
    • (3) the second role is hierarchically superior to the third role.
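The two delegation checks and the upward resource traversal of the claim, as an added example that is not the patent's own code: roles and resources are constructed child-to-parent maps, one constructed role expression over the request context defines the `manager` role, and a recipient of a delegated admin capability is recorded so it cannot re-delegate (check (2)). The final enforcement check admits the delegated role itself as well as roles superior to it, which is an assumption beyond the claim's wording.

```python
# Constructed example: role and resource hierarchies as child -> parent maps.
ROLE_PARENT = {"admin": None, "manager": "admin", "auditor": "manager"}
RESOURCE_PARENT = {"prod": None, "prod/db1": "prod"}
# Role expressions: predicates over the request context that define a role (constructed).
ROLE_EXPRESSIONS = {"manager": lambda ctx: ctx.get("group") == "ops" and bool(ctx.get("mfa"))}


def is_superior(hier, a, b):
    """True if a is a strict ancestor of b (a is hierarchically superior to b)."""
    cur = hier.get(b)
    while cur is not None:
        if cur == a:
            return True
        cur = hier.get(cur)
    return False


class DelegatedAdmin:
    def __init__(self):
        # resource -> {"admin": roles holding admin, "delegate": role -> "native" | "delegated"}
        self.caps = {}

    def grant_native(self, resource, role):
        """Associate a resource with a role that holds admin and delegate capability natively."""
        self.caps[resource] = {"admin": {role}, "delegate": {role: "native"}}

    def delegate_admin(self, resource, by_role, to_role):
        entry = self.caps.get(resource)
        # Check (2): by_role must hold the delegate capability natively, not via earlier delegation.
        if entry is None or entry["delegate"].get(by_role) != "native":
            return False
        # Check (1): the target role must be hierarchically inferior to the delegating role.
        if not is_superior(ROLE_PARENT, by_role, to_role):
            return False
        entry["admin"].add(to_role)
        entry["delegate"].setdefault(to_role, "delegated")  # recipient may not re-delegate
        return True

    def may_administer(self, resource, ctx):
        # Roles the principal meets in this context, per the role expressions.
        roles = [r for r, expr in ROLE_EXPRESSIONS.items() if expr(ctx)]
        # Walk up the resource hierarchy to the nearest resource that has roles associated.
        cur = resource
        while cur is not None and cur not in self.caps:
            cur = RESOURCE_PARENT.get(cur)
        if cur is None:
            return False
        # Allow if admin was delegated to a role that the principal's role equals or is superior to.
        return any(r == d or is_superior(ROLE_PARENT, r, d)
                   for r in roles for d in self.caps[cur]["admin"])
```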
