Access control in data processing system

US 8,875,224 B2
Filed: 05/01/2012
Issued: 10/28/2014
Est. Priority Date: 03/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a processor, whether a policy data structure defines an authorization for a request to access a resource, the policy data structure defining a plurality of predetermined authorizations, each predetermined authorization relating to authorization of at least one user to access at least one resource, each predetermined authorization further relating to a plurality of dynamic access requests, each dynamic access request indicating a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request;

in response to determining that the policy data structure defines an authorization for the request to access the resource, applying the authorization, by the processor, to determine whether to grant the request;

in response to determining that the policy data structure does not define an authorization for the request to access the resource,determining, by the processor, whether the policy data structure defines a dynamic access requirement determinative for the request;

in response to determining that the policy data structure defines a dynamic access requirement determinative for the request,determining, by the processor, whether to grant the request in accordance with the respective set of attributes associated with the request;

for at least one user request, after determining whether to grant the request, adding a dynamic authorization relating to authorization to access the resource within the request, by the processor, to the policy data structure.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource as well as to dynamic access requests. Each dynamic access request indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure.

Citations

10 Claims

1. A method comprising:
- determining, by a processor, whether a policy data structure defines an authorization for a request to access a resource, the policy data structure defining a plurality of predetermined authorizations, each predetermined authorization relating to authorization of at least one user to access at least one resource, each predetermined authorization further relating to a plurality of dynamic access requests, each dynamic access request indicating a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request;
  
  in response to determining that the policy data structure defines an authorization for the request to access the resource, applying the authorization, by the processor, to determine whether to grant the request;
  
  in response to determining that the policy data structure does not define an authorization for the request to access the resource,determining, by the processor, whether the policy data structure defines a dynamic access requirement determinative for the request;
  
  in response to determining that the policy data structure defines a dynamic access requirement determinative for the request,determining, by the processor, whether to grant the request in accordance with the respective set of attributes associated with the request;
  
  for at least one user request, after determining whether to grant the request, adding a dynamic authorization relating to authorization to access the resource within the request, by the processor, to the policy data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising, for at least one user request, adding the dynamic authorization to the policy data structure where the request has been granted.
  - 3. The method of claim 1, further comprising:
    - identifying any temporal validity limitation for the set of attributes associated with the request to which the dynamic access requirement is applied; and
      
      ,determining whether to add the dynamic authorization to the policy data structure in accordance with the temporal validity limitation.
  - 4. The method of claim 1, further comprising, where the dynamic authorization has been added to the policy data structure:
    - defining an expiration time for the dynamic authorization within the policy data structure in accordance with a temporal validity limitation indicated for the respective set of attributes associated with the request; and
      
      ,only applying the dynamic authorization to a subsequent request up to the expiration time.
  - 5. The method of claim 4, further comprising:
    - upon adding the dynamic authorization to the policy data structure, setting a temporary authorization flag associated with the dynamic authorization in the policy data structure; and
      
      ,before applying an authorization to a further request,determining whether the temporary authorization flag is set for the authorization;
      
      in response to determining that the temporary authorization flag is set for the authorization, checking the expiration time for the authorization.
  - 6. The method of claim 4, further comprising:
    - removing the dynamic authorization from the policy data structure upon the expiration time having been reached.
  - 7. The method of claim 1, wherein the policy data comprises a static authorization data structure defining the predetermined authorizations,and wherein the dynamic authorization added to the policy data structure is integrated within the static authorization data structure.
  - 8. The method of claim 7, further comprising:
    - maintaining in the policy data structure a list identifying the dynamic authorization in the policy data structure and indicating an expiration time associated with the dynamic authorization.
  - 9. The method of claim 1, wherein the predetermined authorizations are defined by access control lists (ACLs) within the policy data structure,wherein the dynamic authorization is defined by at least one ACL within the policy data structure,and wherein adding the dynamic authorization to the policy data structure comprises adding an ACL defining the dynamic authorization to the policy data structure.
  - 10. The method of claim 1, further comprising, upon applying the dynamic access requirement to the request, storing at least some of the respective set of attributes associated within the request in a memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Gross, Thomas R., Karjoth, Guenter
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/460,842
Publication Number

US 20120216247A1
Time in Patent Office

910 Days
Field of Search

726/1, 726/2
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Access control in data processing system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Access control in data processing system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links