Optimized policy matching and evaluation for hierarchical resources

US 9,152,803 B2
Filed: 04/24/2012
Issued: 10/06/2015
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing, by a computing system, a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type;

receiving, by the computing system, an authorization request comprising subject information identifying a subject, resource information, and action information identifying an action, the resource information comprising a resource expression identifying a resource and resource type information identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;

identifying, by the computing system, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the identifying including;

determining, by the computing system, that the resource type identified in the authorization request is the first resource type;

selecting, by the computing system, the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and

identifying, by the computing system, the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and

evaluating, by the computing system, one or more policies of the first set of policies to determine a success or a failure of the authorization request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.

26 Citations

View as Search Results

20 Claims

1. A method comprising:
- storing, by a computing system, a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type;
  
  receiving, by the computing system, an authorization request comprising subject information identifying a subject, resource information, and action information identifying an action, the resource information comprising a resource expression identifying a resource and resource type information identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
  
  identifying, by the computing system, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the identifying including;
  
  determining, by the computing system, that the resource type identified in the authorization request is the first resource type;
  
  selecting, by the computing system, the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
  
  identifying, by the computing system, the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
  
  evaluating, by the computing system, one or more policies of the first set of policies to determine a success or a failure of the authorization request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - determining a second set of policies from the first set of policies based upon the subject and the action identified in the authorization request; and
      
      evaluating the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the resource identified in the authorization request.
  - 3. The method of claim 1 wherein storing the plurality of memory structures comprises:
    - for a first policy in the plurality of policies;
      
      determining a first resource expression specified by the first policy, the first resource expression identifying one or more resources from the plurality of resources to which the policy applies; and
      
      constructing a first memory structure for the first policy based upon a resource type specified by the first policy and a resource expression type of the first resource expression.
  - 4. The method of claim 3 wherein:
    - the resource type specified by the first policy is the first resource type;
      
      the first resource expression is of the first resource expression type, the first resource expression comprising one or more components of a hierarchy of resources; and
      
      constructing the first memory structure comprises;
      
      creating the first memory structure comprising a first set of one or more nodes, each node corresponding to a component in the one or more components in the first resource expression; and
      
      storing a first reference from at least one node in the first memory structure to the first policy.
  - 5. The method of claim 4 wherein storing the plurality of memory structures comprises:
    - for a second policy in the plurality of policies;
      
      determining a resource type specified by the second policy is the first resource type;
      
      determining that a resource expression specified by the second policy is of the first resource expression type, the resource expression specified by the second policy comprising one or more components of the hierarchy of resources; and
      
      adding at least one node to the first memory structure for the second resource expression; and
      
      storing a second reference from the at least one node in the first memory structure to the second policy.
  - 6. The method of claim 1 wherein:
    - the storing comprises;
      
      storing the memory structure for a first policy from the plurality of policies, the first policy specifying a first resource expression of the first resource expression type; and
      
      storing a second memory structure for a second policy from the plurality of policies, the second policy specifying a second resource expression of the second resource expression type; and
      
      the identifying comprises searching both the memory structure and the second memory structure using the resource expression identified by the authorization request to identify the first set of policies.
  - 7. The method of claim 6 wherein searching the memory structure comprises:
    - identifying a first path of the one or more nodes in the memory structure that match at least one of the one or more components of the resource expression specified by the authorization request; and
      
      including all policies referenced by the one or more nodes in the first path in the first set of policies.
  - 8. The method of claim 1 wherein a number of comparisons performed to identify the first set of policies depends upon a number of the one or more components specified by the resource expression in the authorization request and is independent of the set of resources and a number of policies in the plurality of policies.

9. A computer-readable storage memory storing a plurality of instructions executable by a computing system, the plurality of instructions comprising:
- instructions that cause the computing system to store a plurality of memory structures, for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type;
  
  instructions that cause the computing system to determine, for an authorization request, a subject specified by the authorization request, resource information specified by the authorization request, and action specified by the authorization request, the resource information comprising a resource expression and identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
  
  instructions that cause the computing system to identify, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the instructions that cause the computing system to identify the plurality of policies to the first set of policies including;
  
  instructions that cause the computing system to determine that the resource type identified in the authorization request is the first resource type;
  
  instructions that cause the computing system to select the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
  
  instructions that cause the computing system to identify, the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
  
  instructions that cause the computing system to evaluate one or more policies of the first set of policies to determine a success or a failure of the authorization request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage memory of claim 9 further comprising:
    - instructions that cause the computing system to determine a second set of policies from the first set of policies based upon the subject and the action identified in the authorization request; and
      
      instructions that cause the computing system to evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the resource identified in the authorization request.
  - 11. The computer-readable storage memory of claim 9 wherein the instructions that cause the computing system to store the plurality of memory structures comprise:
    - for a first policy in the plurality of policies;
      
      instructions that cause the computing system to determine a first resource expression specified by the first policy, the first resource expression identifying one or more resources from the plurality of resources to which the policy applies; and
      
      instructions that cause the computing system to construct a first memory structure for the first policy based upon a resource type specified by the first policy and a resource expression type of the first resource expression.
  - 12. The computer-readable storage memory of claim 11 wherein:
    - the resource type specified by the first policy is the first resource type;
      
      the first resource expression is of the first resource expression type, the first resource expression comprising one or more components of a hierarchy of resources; and
      
      the instructions that cause the computing system to construct the first memory structure comprise;
      
      instructions that cause the computing system to create the first memory structure comprising a first set of one or more nodes, each node corresponding to a component in the one or more components in the first resource expression; and
      
      instructions that cause the computing system to store a first reference from at least one node in the first memory structure to the first policy.
  - 13. The computer-readable storage memory of claim 12 wherein the instructions that cause the computing system to store the plurality of memory structures comprise:
    - for a second policy in the plurality of policies;
      
      instructions that cause the computing system to determine a resource type specified by the second policy is the first resource type;
      
      instructions that cause the computing system to determine that a resource expression specified by the second policy is of the first resource expression type, the resource expression specified by the second policy comprising one or more components of the hierarchy of resources; and
      
      instructions that cause the computing system to add at least one node to the first memory structure for the second resource expression; and
      
      instructions that cause the computing system to store a second reference from the at least one node in the first memory structure to the second policy.
  - 14. The computer-readable storage memory of claim 9 wherein:
    - the instructions that cause the computing system to store comprise;
      
      instructions that cause the computing system to store the memory structure for a first policy from the plurality of policies, the first policy specifying a first resource expression of the first resource expression type; and
      
      instructions that cause the computing system to store a second memory structure for a second policy from the plurality of policies, the second policy specifying a second resource expression of the second resource expression type; and
      
      the instructions that cause the computing system to identify comprise instructions that cause the computing system to search both the memory structure and the second memory structure using the resource expression identified by the authorization request to identify the first set of policies.
  - 15. The computer-readable storage memory of claim 14 wherein the instructions that cause the computing system to search the memory structure comprise:
    - instructions that cause the computing system to identify a first path of the one or more nodes in the emory structure that match at least one of the one or more components of the resource expression specified by the authorization request; and
      
      instructions that cause the computing system to include all policies referenced by the one or more nodes in the first path in the first set of policies.
  - 16. The computer-readable storage memory of claim 9 wherein a number of comparisons performed to identify the first set of policies depends upon a number of the one or more components specified by the resource expression in the authorization request and is independent of the set of resources and a number of policies in the plurality of policies.

17. A system comprising:
- a memory configured to store a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type; and
  
  a set of one or more processors, wherein one or more processors from the set of processors are configured to;
  
  determine, from an authorization request, a subject, resource information, and an action, the resource information comprising a resource expression identifying a resource and resource type information identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
  
  identify, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the identifying including;
  
  determining that the resource type identified in the authorization request is the first resource type;
  
  selecting the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
  
  identifying the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
  
  evaluate one or more policies of the first set of policies to determine a success or a failure of the authorization request.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 wherein one or more processors from the set of processors are configured to:
    - determine a second set of policies from the first set of policies based upon the subject and the action identified in the authorization request; and
      
      evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the resource identified in the authorization request.
  - 19. The system of claim 17 wherein one or more processors from the set of processors are configured to:
    - store the memory structure for a first policy from the plurality of policies, the first policy specifying a first resource expression of a first resource expression type;
      
      storing a second memory structure for a second policy from the plurality of policies, the second policy specifying a second resource expression of a second resource expression typed different from the first resource expression type;
      
      search both the memory structure and the second memory structure using the resource expression identified by the authorization request to identify the first set of policies;
      
      identify a first path of the one or more nodes in the memory structure that match at least one of the one or more components of the resource expression specified by the authorization request; and
      
      include all policies referenced by the one or more nodes in the first path in the first set of policies.
  - 20. The system of claim 17 wherein one or more processors from the set of processors are configured to identify the first set of policies by comparing the resource expression in the authorization request to the first set of memory structures, wherein a number of comparisons performed to identify the first set of policies depends upon a number of the one or more components specified by the resource expression in the authorization request and is independent of the set of resources and a number of policies in the plurality of policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Biswas, Kamalendu, Kapishnikov, Andrei, Hari, Sastry
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
PHAM, QUY C

Application Number

US13/454,771
Publication Number

US 20130283339A1
Time in Patent Office

1,260 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Optimized policy matching and evaluation for hierarchical resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Optimized policy matching and evaluation for hierarchical resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links