Method for delegated administration

US 8,831,966 B2
Filed: 02/14/2003
Issued: 09/09/2014
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for processing administration and delegation requests for resources in a hierarchically arranged plurality of computing resources using role-based validation and enforcement, the method comprising:

providing, at a computer system, a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein;

the first role is hierarchically superior to the second role; and

the second role is hierarchically superior to the third role;

providing the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein;

the first resource is hierarchically superior to the second resource;

the first resource is associated with a plurality of capabilities comprising;

an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and

a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and

the second resource is associated with an admin capability of the second computing resource;

receiving, at the computer system and from a first principal associated with the first role, a request to delegate the admin capabilty of the first resource to the third role;

delegating, at the computer system, the admin capability of the first resource to the third role based at least in part on a determination that;

(1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and

(2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;

receiving, at the computer system and from a second principal, a request to use the admin capability of the second resource in a second context;

determining, at the computer system, that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;

determining that the second resource is not associated with any of the hierarchically arranged plurality of roles;

traversing up the hierarchically arranged plurality of computing resources to identify the first computing resource; and

allowing the second principal to use the admin capability of the second resource based on a determination that;

(1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;

(2) the admin capability of the first resource has been delegated to the third role; and

(3) the second role is hierarchically superior to the third role.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for adaptively delegating a capability, comprising the steps of providing for the delegation of the capability to a first role; allowing the step of providing for the delegation to be initiated by a principal in a second role; and hierarchically relating the capability, the first role and the second role.

Citations

39 Claims

1. A method for processing administration and delegation requests for resources in a hierarchically arranged plurality of computing resources using role-based validation and enforcement, the method comprising:
- providing, at a computer system, a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein;
  
  the first role is hierarchically superior to the second role; and
  
  the second role is hierarchically superior to the third role;
  
  providing the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein;
  
  the first resource is hierarchically superior to the second resource;
  
  the first resource is associated with a plurality of capabilities comprising;
  
  an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
  
  a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
  
  the second resource is associated with an admin capability of the second computing resource;
  
  receiving, at the computer system and from a first principal associated with the first role, a request to delegate the admin capabilty of the first resource to the third role;
  
  delegating, at the computer system, the admin capability of the first resource to the third role based at least in part on a determination that;
  
  (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
  
  (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
  
  receiving, at the computer system and from a second principal, a request to use the admin capability of the second resource in a second context;
  
  determining, at the computer system, that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
  
  determining that the second resource is not associated with any of the hierarchically arranged plurality of roles;
  
  traversing up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
  
  allowing the second principal to use the admin capability of the second resource based on a determination that;
  
  (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
  
  (2) the admin capability of the first resource has been delegated to the third role; and
  
  (3) the second role is hierarchically superior to the third role.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein:
    - the first principal is an authenticated user, a group or a process; and
      
      the second principal is an authenticated user, a group or a process.
  - 3. The method of claim 1, wherein determining that the second principal meets criteria for the second role in the second context includes:
    - evaluating the one or more role expressions that define the second role to true or false for the second principal in the second context.
  - 4. The method of claim 3, wherein evaluating the one or more role expressions that define the second role to true or false for the second principal in the second context includes:
    - evaluating a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 5. The method of claim 4 wherein evaluating a predicate includes:
    - evaluating one of a user, a group, a time and a segment.
  - 6. The method of claim 4, wherein evaluating a predicate includes:
    - evaluating the predicate against the second principal and the second context.
  - 7. The method of claim 4, wherein evaluating a predicate includes:
    - evaluating a segment specified in plain language.
  - 8. The method of claim 3, wherein evaluating the one or more role expressions that define the second role to true or false for the second principal in the second context includes:
    - evaluating at least one rule based upon at least one of;
      
      account information including knowledge about the second principal, knowledge about a communication session, and a current state of a system.
  - 9. The method of claim 1 wherein delegating the admin capability of the first resource to the third role includes:
    - associating the admin capability with the third role.
  - 10. The method of claim 9 wherein associating the admin capability with the third role includes:
    - associating the first computing resource with the third role.
  - 11. The method of claim 1, wherein delegating the admin capability of the first resource to the third role further comprises:
    - associating a security policy with the admin capability.
  - 12. The method of claim 1, wherein:
    - the first role, the second role, the third role, and the admin capability are part of an enterprise application.
  - 13. The method of claim 1, wherein delegating the admin capability of the first resource to the third role further comprises:
    - delegating the admin capability to the third role responsive to initiation by the first principal in the first role.
  - 14. The method of claim 1, wherein determining that the second principal meets criteria for the second role in the second context includes:
    - evaluating the second role to determine a degree of certainty that access to the first computing resource will be granted.
  - 15. The method of claim 1, further comprising:
    - enabling the second principal to perform a task using the first computing computing resource, in accordance with the admin capability to which the second principal has been allowed to use.

16. A non-transitory machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
- provide a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein;
  
  the first role is hierarchically superior to the second role; and
  
  the second role is hierarchically superior to the third role;
  
  provide the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein;
  
  the first resource is hierarchically superior to the second resource;
  
  the first resource is associated with a plurality of capabilities comprising;
  
  an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
  
  a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
  
  the second resource is associated with an admin capability of the second computing resource;
  
  receive, from a first principal associated with the first role, a request to delegate the admin capabilty of the first resource to the third role;
  
  delegate the admin capability of the first resource to the third role based at least in part on a determination that;
  
  (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
  
  (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
  
  receive, from a second principal, a request to use the admin capability of the second resource in a second context;
  
  determine that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
  
  determine that the second resource is not associated with any of the hierarchically arranged plurality of roles;
  
  traverse up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
  
  allow the second principal to use the admin capability of the second resource based on a determination that;
  
  (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
  
  (2) the admin capability of the first resource has been delegated to the third role; and
  
  (3) the second role is hierarchically superior to the third role.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The non-transitory machine readable medium of claim 16, wherein:
    - the first principal is one of an authenticated user, group or process and the second principal is one of an authenticated user, group or process.
  - 18. The non-transitory machine readable medium of claim 16, wherein the instructions that cause a system to determine that the second principal meets criteria for the second role in the second context include instructions which when executed cause the system to:
    - evaluate the one or more role expressions that define the second role to true or false for the second principal in a second context.
  - 19. The non-transitory machine readable medium of claim 18, wherein the instructions that cause a system to evaluate the one or more role expressions that define the second role to true or false for the second principal in the second context include instructions which when executed cause the system to:
    - evaluate a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 20. The non-transitory machine readable medium of claim 19 wherein the instructions that cause a system to evaluate a predicate include instructions which when executed cause the system to:
    - evaluate one of a user, a group, a time and a segment.
  - 21. The non-transitory machine readable medium of claim 19, wherein the instructions that cause a system to evaluate a predicate include instructions which when executed cause the system to:
    - evaluate the predicate against the second principal and the second context.
  - 22. The non-transitory machine readable medium of claim 19, wherein the instructions that cause a system to evaluate a predicate include instructions which when executed cause the system to:
    - evaluate a segment specified in plain language.
  - 23. The non-transitory machine readable medium of claim 18, wherein the instructions that cause a system to evaluate the one or more role expressions that define the second role to true or false for the second principal in the second context include instructions which when executed cause the system to:
    - evaluate at least one rule based upon at least one of;
      
      account information including knowledge about the second principal, knowledge about a communication session, and a current state of a system.
  - 24. The non-transitory machine readable medium of claim 16 wherein the instructions that cause a system to delegate the admin capability of the first resource to the third role include instructions which when executed cause the system to:
    - associate the capability with the third role.
  - 25. The non-transitory machine readable medium of claim 24, wherein the instructions that cause a system to associate the admin capability with the third role include instructions which when executed cause a system to:
    - associate the first computing resource with the third role.
  - 26. The non-transitory machine readable medium of claim 16, wherein the instructions that cause a system to determine that the second principal meets criteria for the second role in the second context include instructions which when executed cause the system to:
    - evaluate the second role to determine a degree of certainty that access to the first computing resource will be granted.
  - 27. The non-transitory machine readable medium of claim 16, wherein the instructions further cause the system to:
    - enable the second principal to perform a task using the first computing computing resource, in accordance with the admin capability to which the second principal has been allowed to use.

28. A system comprising:
- one or more processors; and
  
  a non-transitory machine-readable medium having sets of instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to;
  
  provide a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein;
  
  the first role is hierarchically superior to the second role; and
  
  the second role is hierarchically superior to the third role;
  
  provide the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein;
  
  the first resource is hierarchically superior to the second resource;
  
  the first resource is associated with a plurality of capabilities comprising;
  
  an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
  
  a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
  
  the second resource is associated with an admin capability of the second computing resource;
  
  receive, from a first principal associated with the first role, a request to delegate the admin capabilty of the first resource to the third role;
  
  delegate the admin capability of the first resource to the third role based at least in part on a determination that;
  
  (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
  
  (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
  
  receive, from a second principal, a request to use the admin capability of the second resource in a second context;
  
  determine that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
  
  determine that the second resource is not associated with any of the hierarchically arranged plurality of roles;
  
  traverse up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
  
  allow the second principal to use the admin capability of the second resource based on a determination that;
  
  (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
  
  (2) the admin capability of the first resource has been delegated to the third role; and
  
  (3) the second role is hierarchically superior to the third role.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 29. The system of claim 28, wherein the first principal is one of an authenticated user, group or process and the second principal is one of an authenticated user, group or process.
  - 30. The system of claim 28, wherein determining that the second principal meets criteria for the second role in the second context includes:
    - evaluating the second role to true or false for the second principal in the second context.
  - 31. The system of claim 30, wherein evaluating the second role to true or false for the second principal in the second context includes:
    - evaluating a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 32. The system of claim 31, wherein evaluating a predicate includes:
    - evaluating one of a user, a group, a time and a segment.
  - 33. The system of claim 31, wherein evaluating a predicate includes:
    - evaluating the predicate against the second principal and the second context.
  - 34. The system of claim 31, wherein evaluating a predicate includes:
    - evaluating a segment specified in plain language.
  - 35. The system of claim 30, wherein evaluating the second role to true or false for the second principal in the second context includes:
    - evaluating at least one rule based upon at least one of;
      
      account information including knowledge about the second principal, knowledge about a communication sessions, and a current state of a system.
  - 36. The system of claim 28, wherein said delegating the admin capability of the first resource to the third role includes:
    - associating the admin capability with the third role.
  - 37. The system of claim 36, wherein delegating the admin capability of the first resource to the third role includes:
    - associating the first computing resource with the third role.
  - 38. The system of claim 28, wherein that the second principal meets criteria for the second role in the second context includes:
    - evaluating the second role to determine a degree of certainty that access to the first computing resource will be granted.
  - 39. The system of claim 28, wherein the instructions further cause the one or more processors to:
    - enable the second principal to perform a task using the first computing computing resource, in accordance with the admin capability to which the second principal has been allowed to use.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Griffin, Philip B., Devgan, Manish, Toussaint, Alex, McCauley, Rod
Primary Examiner(s)
Nguyen, Dean T

Application Number

US10/367,190
Publication Number

US 20040162733A1
Time in Patent Office

4,225 Days
Field of Search

705/1, 705/7, 705/8, 705/9, 705/26, 705/1.1, 705/7.12, 705/7.13, 705/7.14, 709/246, 709/204, 709/229, 713/201, 713/202
US Class Current

705/7.14
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

G06Q 10/10   Office automation; Time man...

Method for delegated administration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Method for delegated administration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links