Authorization system for heterogeneous enterprise environments

US 9,058,471 B2
Filed: 03/15/2013
Issued: 06/16/2015
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;

storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;

determining that the first authorization policy and the second authorization policy in the policy store are relevant to a request from an application of the plurality of applications;

performing a union of the first authorization policy, configured for use within the first type of authorization environment, and the second authorization policy, configured for use within the second type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, in response to the determining, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model;

evaluating the union of the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category; and

granting access to at least one resource within the enterprise based on a result of the evaluating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. Components in the enterprise utilizing either Java Platform Security (JPS) or Oracle Access Manager (OAM) can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources. A unified policy decision engine can evaluate whether authorization policies are satisfied, regardless of the access control models that those policies follow.

119 Citations

15 Claims

1. A computer-implemented method comprising:
- storing, in a policy store that is stored within a computer-readable storage memory and utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
  
  storing, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
  
  determining that the first authorization policy and the second authorization policy in the policy store are relevant to a request from an application of the plurality of applications;
  
  performing a union of the first authorization policy, configured for use within the first type of authorization environment, and the second authorization policy, configured for use within the second type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, in response to the determining, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model;
  
  evaluating the union of the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category; and
  
  granting access to at least one resource within the enterprise based on a result of the evaluating.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the first type of authorization environment is a Java™
    - Platform Security (JPS) environment.
  - 3. The method of claim 1, further comprising:
    - storing, in the policy store, a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
      
      querying the policy store to retrieve the hybrid policy from the policy store;
      
      evaluating the hybrid policy within the policy engine; and
      
      granting access to at least one resource within the environment based on a result of the evaluating of the hybrid policy;
      
      wherein the hybrid policy specifies at least one policy set, at least one role hierarchy, and at least one attribute constraint.
  - 4. The method of claim 1, wherein:
    - the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform; and
      
      wherein the specified canonical format includes a field for a policy set, a field for a roles hierarchy, and a field for an attribute constraint.
  - 5. The method of claim 1, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.

6. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
- instructions to cause the one or more processors to store, in a policy store that is utilized by a plurality of applications in an enterprise, a first authorization policy that specifies features that are used within a first type of authorization environment;
  
  instructions to cause the one or more processors to store, in the policy store, a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment;
  
  instructions to cause the one or more processors to determine that the first authorization policy and the second authorization policy in the policy store are relevant to a request from an application of the plurality of applications;
  
  instructions to cause the one or more processing to perform a union of the first authorization policy, configured for use within the first type of authorization environment, and the second authorization policy, configured for use within the second type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model;
  
  instructions to cause the one or more processors to evaluate the union of the first policy and the second policy within a policy engine that evaluates both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category; and
  
  instructions to cause the one or more processors to grant access to at least one resource within the enterprise based on a result of the evaluating.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable storage memory of claim 6, wherein the first type of authorization environment is a Java™
    - Platform Security (JPS) environment.
  - 8. The computer-readable storage memory of claim 6, wherein the particular instructions further comprise:
    - instructions to cause the one or more processors to store, in the policy store, a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
      
      instructions to cause the one or more processors to query the policy store to retrieve the hybrid policy from the policy store;
      
      instructions to cause the one or more processors to evaluate the hybrid policy within the policy engine; and
      
      instructions to cause the one or more processors to grant access to at least one resource within the environment based on a result of the evaluating of the hybrid policy.
  - 9. The computer-readable storage memory of claim 6, wherein the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform.
  - 10. The computer-readable storage memory of claim 6, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.

11. A system comprising:
- one or more processors; and
  
  a computer-readable storage memory that stores;
  
  a policy store that contains (1) a first authorization policy that specifies features that are used within a first type of authorization environment and (2) a second authorization policy that specifies features that are used within a second type of authorization environment that differs from the first type of authorization environment, wherein the second type of authorization environment is an Oracle Access Manager (OAM) environment, wherein the first authorization policy specifies features of a role-based access control (RBAC) model including a role category to which multiple roles belong, and wherein the second authorization policy specifies features of a discretionary access control (DAC) model; and
  
  executable code that represents a policy engine that is configured to perform a union of the first authorization policy and the second authorization policy and to evaluate the union by evaluating both features that are used within the first type of authorization environment and features that are used within the second type of authorization environment wherein evaluating the features that are used within the first type of authorization policy comprises determining whether an access-requesting subject is associated with a particular role that belongs to the role category.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the first type of authorization environment is a Java Platform Security™
    - (JPS) environment.
  - 13. The system of claim 11, wherein the policy store contains a hybrid authorization policy that specifies both (a) features that are used within the first type of authorization environment but not the second type of authorization environment and (b) features that are used within the second type of authorization environment but not the first type of authorization environment;
    - and wherein the policy engine is configurable to evaluate the hybrid policy.
  - 14. The system of claim 11, wherein the first authorization policy and the second authorization policy both conform to a specified canonical format to which all policies stored in the policy store conform.
  - 15. The system of claim 11, wherein the first authorization policy specifies a resource type that the at least one resource possesses;
    - and wherein the resource type is possessed by multiple separate resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sastry, Hari VN., Vepa, Sirish V, Srinivasan, Uppili, Joshi, Vrinda S.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US13/838,113
Publication Number

US 20130332984A1
Time in Patent Office

823 Days
Field of Search

726/1, 726/4, 726/30
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/30   Authentication, i.e. establ...

G06F 21/6236   between heterogeneous systems

H04L 63/102   Entity profiles

Authorization system for heterogeneous enterprise environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

119 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization system for heterogeneous enterprise environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links