Method for delegated administration
First Claim
1. A method for processing administration and delegation requests for resources in a hierarchically arranged plurality of computing resources using role-based validation and enforcement, the method comprising:
providing, at a computer system, a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein:
    the first role is hierarchically superior to the second role; and
    the second role is hierarchically superior to the third role;
providing the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein:
    the first resource is hierarchically superior to the second resource;
    the first resource is associated with a plurality of capabilities comprising:
        an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
        a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
    the second resource is associated with an admin capability of the second computing resource;
receiving, at the computer system and from a first principal associated with the first role, a request to delegate the admin capability of the first resource to the third role;
delegating, at the computer system, the admin capability of the first resource to the third role based at least in part on a determination that:
    (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
    (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
receiving, at the computer system and from a second principal, a request to use the admin capability of the second resource in a second context;
determining, at the computer system, that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
determining that the second resource is not associated with any of the hierarchically arranged plurality of roles;
traversing up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
allowing the second principal to use the admin capability of the second resource based on a determination that:
    (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
    (2) the admin capability of the first resource has been delegated to the third role; and
    (3) the second role is hierarchically superior to the third role.
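As an added illustration (not code from the patent or its assignee), the following Python models the two procedures of claim 1: the delegation step with its two conditions, and the access check that resolves a role from role expressions, walks up the resource hierarchy to the first resource, and compares the resolved role against the role the admin capability was delegated to. Role names, resource names, principals, contexts and the capability table are constructed for the example; as one assumption beyond the claim's condition (3), a principal whose resolved role equals the delegated role is also allowed.

```python
# Constructed hierarchies (child -> parent, None at the root): "tenant" plays
# the claim's first resource, "tenant/app" the second; owner > manager > operator.
ROLE_PARENT = {"owner": None, "manager": "owner", "operator": "manager"}
RESOURCE_PARENT = {"tenant": None, "tenant/app": "tenant"}

def is_superior(hier, a, b):
    """True when a is a strict ancestor of b in the given hierarchy."""
    p = hier.get(b)
    while p is not None and p != a:
        p = hier.get(p)
    return p == a

class Authority:
    def __init__(self, role_exprs):
        self.caps = []  # (resource, capability, holder_role, delegated_by)
        self.role_exprs = role_exprs  # role -> predicate(principal, context)
    def delegate(self, actor_role, resource, target_role):
        own = [c for c in self.caps if c[:3] == (resource, "delegate", actor_role)]
        # (1) the target must be inferior to the actor and (2) the actor's delegate
        # capability must be original, not one passed down by a superior role.
        if (not own or own[0][3] is not None
                or not is_superior(ROLE_PARENT, actor_role, target_role)):
            return False
        self.caps.append((resource, "admin", target_role, actor_role))
        return True

    def resolve_role(self, principal, context):
        """First role (most senior listed first) whose expression matches."""
        return next((r for r, expr in self.role_exprs.items()
                     if expr(principal, context)), None)

    def may_admin(self, principal, context, resource):
        role, r = self.resolve_role(principal, context), resource
        # Walk up the resource tree until a node carries admin capabilities.
        while role is not None and r is not None:
            holders = [c[2] for c in self.caps if c[:2] == (r, "admin")]
            if holders:  # allowed if the role holds it or is superior to a holder
                return any(h == role or is_superior(ROLE_PARENT, role, h)
                           for h in holders)
            r = RESOURCE_PARENT.get(r)
        return False

def demo():
    # The claim's scenario with constructed principals and contexts.
    auth = Authority({"owner": lambda p, c: p == "alice",
                      "manager": lambda p, c: p == "bob" and c == "prod",
                      "operator": lambda p, c: p == "carol"})
    auth.caps += [("tenant", "admin", "owner", None),
                  ("tenant", "delegate", "owner", None)]
    return auth
```

Before the owner delegates, a manager cannot administer tenant/app; after delegation to the operator role, the manager (superior to operator) is allowed, but only in the context where the manager role expression holds.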
Abstract
A method for adaptively delegating a capability, comprising the steps of providing for the delegation of the capability to a first role; allowing the step of providing for the delegation to be initiated by a principal in a second role; and hierarchically relating the capability, the first role and the second role.
39 Claims
16. A non-transitory machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
provide a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein:
    the first role is hierarchically superior to the second role; and
    the second role is hierarchically superior to the third role;
provide the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein:
    the first resource is hierarchically superior to the second resource;
    the first resource is associated with a plurality of capabilities comprising:
        an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
        a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
    the second resource is associated with an admin capability of the second computing resource;
receive, from a first principal associated with the first role, a request to delegate the admin capability of the first resource to the third role;
delegate the admin capability of the first resource to the third role based at least in part on a determination that:
    (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
    (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
receive, from a second principal, a request to use the admin capability of the second resource in a second context;
determine that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
determine that the second resource is not associated with any of the hierarchically arranged plurality of roles;
traverse up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
allow the second principal to use the admin capability of the second resource based on a determination that:
    (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
    (2) the admin capability of the first resource has been delegated to the third role; and
    (3) the second role is hierarchically superior to the third role.
Dependent claims: 17 to 27.
28. A system comprising:
one or more processors; and
a non-transitory machine-readable medium having sets of instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to:
provide a hierarchically arranged plurality of roles including a first role, a second role, and a third role, wherein:
    the first role is hierarchically superior to the second role; and
    the second role is hierarchically superior to the third role;
provide the hierarchically arranged plurality of computing resources including a first computing resource and a second computing resource, wherein:
    the first resource is hierarchically superior to the second resource;
    the first resource is associated with a plurality of capabilities comprising:
        an admin capability of the first computing resource that allows principals associated with the first role to administrate the first computing resource; and
        a delegate capability of the first computing resource that allows principals associated with the first role to delegate the admin capability of the first computing resource to hierarchically inferior roles; and
    the second resource is associated with an admin capability of the second computing resource;
receive, from a first principal associated with the first role, a request to delegate the admin capability of the first resource to the third role;
delegate the admin capability of the first resource to the third role based at least in part on a determination that:
    (1) the third role is hierarchically inferior to the first role in the hierarchically arranged plurality of roles; and
    (2) the delegate capability of the first computing resource was not previously delegated to the first role by another role that is hierarchically superior to the first role in the hierarchically arranged plurality of roles;
receive, from a second principal, a request to use the admin capability of the second resource in a second context;
determine that the second principal meets criteria for the second role in the second context, based at least in part on one or more role expressions that define the second role;
determine that the second resource is not associated with any of the hierarchically arranged plurality of roles;
traverse up the hierarchically arranged plurality of computing resources to identify the first computing resource; and
allow the second principal to use the admin capability of the second resource based on a determination that:
    (1) the first computing resource is hierarchically superior to the second computing resource in the hierarchically arranged plurality of computing resources;
    (2) the admin capability of the first resource has been delegated to the third role; and
    (3) the second role is hierarchically superior to the third role.
Dependent claims: 29 to 39.