Role-based access control system, method and computer program product

US 9,032,076 B2
Filed: 10/03/2005
Issued: 05/12/2015
Est. Priority Date: 10/22/2004
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A role-based access control system, comprising:

a role definition system for defining roles to be sets of permissions on individual resources thus forming role instances, respectively;

a super role definition system for defining at least one super role by assigning at least one set of role instances to at least one group and assigning the at least one group to the at least one super role,wherein each super role is modified by adding or removing the role instances from the at least one group, andwherein each super role is nested according to a plurality of properties including a name, a parent role, the set of role instances, and an externalisation state; and

a super role assignment system for assigning a user or a user group to the at least one super role.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

The invention relates to a role-based access control system, including a role definition system for defining roles to be sets of permissions on individual resources thus forming role instances, respectively; and a super role definition system for defining at least one super role by grouping a set of role instances into one super role, wherein the one super role contains all permissions contained in the grouped resource instances. Furthermore, the present invention deals with an appropriate method, a computer program and a computer program product.

Citations

17 Claims

1. A role-based access control system, comprising:
- a role definition system for defining roles to be sets of permissions on individual resources thus forming role instances, respectively;
  
  a super role definition system for defining at least one super role by assigning at least one set of role instances to at least one group and assigning the at least one group to the at least one super role,wherein each super role is modified by adding or removing the role instances from the at least one group, andwherein each super role is nested according to a plurality of properties including a name, a parent role, the set of role instances, and an externalisation state; and
  
  a super role assignment system for assigning a user or a user group to the at least one super role.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system according to claim 1, wherein the role definition system is configured for defining role types by assigning one set of permissible actions to one role type, respectively, further comprising a role binding system for binding role types to resources of a structure of resources, respectively, thus forming a structure of role instances, wherein the structure of role instances corresponds to a hierarchical tree of role instances and each role instance within the structure of role instances has an associated domain root instance, so that an instance of a role type is inherited by hierarchical descendants of the domain root instance.
  - 3. The system according to claim 2, further comprising a role blocking system for establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
  - 4. The system according to claim 1, wherein each super role is registered within a structure of protected resource instances, thus defining a protected super role instance.
  - 5. The system according to claim 1, wherein the at least one super role is dynamically and conditionally assigned to the user or the user group, and wherein the assigning is conditioned upon a status of an associated workflow object.

6. A role-based access control method, comprising:
- defining roles to be sets of permissions on individual resources, thus forming role instances, respectively;
  
  assigning at least one set of role instances to at least one group and assigning the at least one group to at least one super role; and
  
  nesting each super role according to a plurality of properties including a name, a parent role, the set of role instances, and an externalisation state,wherein each super role is modified by adding or removing the role instances from the at least one group.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method according to claim 6, the defining step includinga. defining role types by assigning one set of permissible actions to one role type, respectively;
    - b. providing a structure of resources; and
      
      c. binding the role types to resources of the structure of resources, thus forming a structure of role instances.
  - 8. The method according to claim 7, wherein the structure of role instances corresponds to a hierarchical tree of role instances and each role instance within the structure of role instances has an associated domain root instance, so that an instance of a role type is inherited by hierarchical descendants of the domain root instance.
  - 9. The method according to claim 7, comprising the further step of establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
  - 10. The method according to claim 6, wherein each super role is registered within a structure of protected resource instances as a protected resource instance, thus defining a protected super role instance.
  - 11. The method according to claim 6, further comprising assigning a user or a user group to the at least one super role.

12. A computer program product stored on a non-transitory computer-readable storage medium which when executed by a computer, causes the computer to control access, the controlling comprising:
- defining roles to be sets of permissions on individual resources, thus forming role instances, respectively;
  
  assigning at least one set of role instances to at least one group and assigning the at least one group to at least one super role; and
  
  nesting each super role according to a plurality of properties including a name, a parent role, the set of role instances, and an externalisation state,wherein each super role is modified by adding or removing the role instances from the at least one group.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12, wherein the defining includesa. defining role types by assigning one set of permissible actions to one role type, respectively;
    - b. providing a structure of resources; and
      
      c. binding the role types to resources of the structure of resources, thus forming a structure of role instances.
  - 14. The computer program product of claim 13, wherein the structure of role instances corresponds to a hierarchical tree of role instances and each role instance within the structure of role instances has an associated domain root instance, so that an instance of a role type is inherited by hierarchical descendants of the domain root instance.
  - 15. The computer program product of claim 13, comprising the further step of establishing a role type block for the role type, wherein the role type block limits inheritance of the instances of the role type.
  - 16. The computer program product of claim 12, wherein each super role is registered within a structure of protected resource instances as a protected resource instance, thus defining a protected super role instance.
  - 17. The computer program product of claim 12, further comprising assigning a user or a user group to the at least one super role.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Daedalus Blue LLC (Daedalus Group LLC)
Original Assignee
International Business Machines Corporation
Inventors
Buehler, Dieter, Hurek, Thomas, Jones, Donald N.
Primary Examiner(s)
ZUNIGA ABAD, JACKIE

Application Number

US11/242,247
Publication Number

US 20060089932A1
Time in Patent Office

3,508 Days
Field of Search

709227-229
US Class Current

709/226
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/105 Multiple levels of security

Role-based access control system, method and computer program product

First Claim

4 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access control system, method and computer program product

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links