Authorization system for heterogeneous enterprise environments
Abstract
A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. Components in the enterprise utilizing either Java Platform Security (JPS) or Oracle Access Manager (OAM) can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources. A unified policy decision engine can evaluate whether authorization policies are satisfied, regardless of the access control models that those policies follow.
119 Citations
15 Claims
1. A computer-implemented method comprising:
- storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
- storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
- determining that the first authorization policy and the second authorization policy in the policy store are relevant to a request from an application of the plurality of applications;
- performing a union of the first authorization policy, configured for use within the first type of authorization environment, and the second authorization policy, configured for use within the second type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, in response to the determining, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model;
- evaluating the union of the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment, wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category; and
- granting access to at least one resource within the enterprise based on a result of the evaluating.

Dependent claims: 2, 3, 4, 5.
6. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to cause the one or more processors to store, in a policy store that is utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
- instructions to cause the one or more processors to store, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
- instructions to cause the one or more processors to determine that the first authorization policy and the second authorization policy in the policy store are relevant to a request from an application of the plurality of applications;
- instructions to cause the one or more processors to perform a union of the first authorization policy, configured for use within the first type of authorization environment, and the second authorization policy, configured for use within the second type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model;
- instructions to cause the one or more processors to evaluate the union of the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment, wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category; and
- instructions to cause the one or more processors to grant access to at least one resource within the enterprise based on a result of the evaluating.

Dependent claims: 7, 8, 9, 10.
11. A system comprising:
- one or more processors; and
- a computer-readable storage memory that stores:
  - a policy store that contains (1) a first authorization policy that specifies features that are used within a first type of authorization environment and (2) a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model; and
  - executable code that represents a policy engine that is configured to perform a union of the first authorization policy and the second authorization policy and to evaluate the union by evaluating both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment, wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category.

Dependent claims: 12, 13, 14, 15.
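As an added worked example (not code from the patent, Oracle JPS or OAM), here is a minimal Python version of the claimed flow: one common store holding an RBAC policy whose roles belong to a role category beside a DAC policy delegated by a resource owner, a relevance query for a request, a union of the relevant policies, and a single engine that evaluates both models. The policy classes, the exact-match (resource, action) relevance rule, and the sample subjects and policies are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RbacPolicy:              # RBAC: roles grouped under a role category
    resource: str
    action: str
    role_category: str
    roles: frozenset           # roles in the category that grant the action
@dataclass(frozen=True)
class DacPolicy:               # DAC: the owner delegates the action to grantees
    resource: str
    action: str
    owner: str
    grantees: frozenset
@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset           # roles the access-requesting subject holds
    resource: str
    action: str

class PolicyStore:
    """Common store: policies of both models kept side by side in one list."""
    def __init__(self, policies=()):
        self.policies = list(policies)
    def relevant(self, req):
        # Relevance is an assumption here: exact match on (resource, action).
        return [p for p in self.policies
                if p.resource == req.resource and p.action == req.action]

def evaluate(policy, req):
    """One engine that understands both RBAC and DAC features."""
    if isinstance(policy, RbacPolicy):
        return bool(req.roles & policy.roles)   # subject holds a role in the category
    if isinstance(policy, DacPolicy):
        return req.subject == policy.owner or req.subject in policy.grantees
    return False                                # unknown model: default deny

def decide(store, req):
    """Union of the relevant policies: grant if any member permits, else deny."""
    return any(evaluate(p, req) for p in store.relevant(req))

def build_store():
    """Constructed sample policies (not taken from the patent)."""
    return PolicyStore([
        RbacPolicy("hr/payroll", "read", "finance_staff",
                   frozenset({"payroll_clerk", "finance_manager"})),
        DacPolicy("hr/payroll", "read", "dave", frozenset({"bob"})),
    ])
```

Under this union a request is granted when any relevant policy permits it, so adding a DAC grant widens what the RBAC policy alone allowed; a deployment that needs deny-overrides semantics would have to combine the policies differently.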
Specification