Optimized policy matching and evaluation for hierarchical resources
First Claim
1. A method comprising:
- storing, by a computing system, a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type;
- receiving, by the computing system, an authorization request comprising subject information identifying a subject, resource information, and action information identifying an action, the resource information comprising a resource expression identifying a resource and resource type information identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
- identifying, by the computing system, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the identifying including:
  - determining, by the computing system, that the resource type identified in the authorization request is the first resource type;
  - selecting, by the computing system, the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
  - identifying, by the computing system, the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
- evaluating, by the computing system, one or more policies of the first set of policies to determine a success or a failure of the authorization request.
1 Assignment
0 Petitions
Abstract
Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.
26 Citations
20 Claims
9. A computer-readable storage memory storing a plurality of instructions executable by a computing system, the plurality of instructions comprising:
- instructions that cause the computing system to store a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type;
- instructions that cause the computing system to determine, for an authorization request, a subject specified by the authorization request, resource information specified by the authorization request, and an action specified by the authorization request, the resource information comprising a resource expression and identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
- instructions that cause the computing system to identify, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the instructions that cause the computing system to identify the plurality of policies to the first set of policies including:
  - instructions that cause the computing system to determine that the resource type identified in the authorization request is the first resource type;
  - instructions that cause the computing system to select the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
  - instructions that cause the computing system to identify the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
- instructions that cause the computing system to evaluate one or more policies of the first set of policies to determine a success or a failure of the authorization request.
17. A system comprising:
- a memory configured to store a plurality of memory structures for a plurality of policies configured for a set of resources, the plurality of memory structures comprising a first set of memory structures corresponding to a first resource type and a second set of memory structures corresponding to a second resource type, the first resource type including a hierarchical resource type and the second resource type including a non-hierarchical resource type, wherein the first set of memory structures includes at least a first memory structure corresponding to a first resource expression type and a second memory structure corresponding to a second resource expression type, and wherein the second set of memory structures includes at least a third memory structure corresponding to the first resource expression type and a fourth memory structure corresponding to the second resource expression type; and
- a set of one or more processors, wherein one or more processors from the set of processors are configured to:
  - determine, from an authorization request, a subject, resource information, and an action, the resource information comprising a resource expression identifying a resource and resource type information identifying a resource type, the resource expression comprising one or more components including one or more path components or one or more character components;
  - identify, using the resource type information and the resource expression, a first set of policies from the plurality of policies to evaluate for authorizing the authorization request, a number of policies in the first set of policies being less than a number of policies in the plurality of policies, the identifying including:
    - determining that the resource type identified in the authorization request is the first resource type;
    - selecting the first set of memory structures from the plurality of memory structures based on the determination that the resource type is the first resource type, the first set of memory structures comprising a memory structure, the memory structure comprising one or more nodes corresponding to the one or more components included in the resource expression; and
    - identifying the first set of policies from the plurality of policies that are applicable for authorizing the authorization request, the identifying including matching the one or more components of the resource expression with the first memory structure and the second memory structure in the selected first set of memory structures, the first memory structure corresponding to the first resource expression type, and the second memory structure corresponding to the second resource expression type; and
  - evaluate one or more policies of the first set of policies to determine a success or a failure of the authorization request.
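The three independent claims describe one procedure: keep a separate structure set per resource type (hierarchical path resources versus flat string resources), with one structure per resource expression type (exact versus pattern) inside each set; on a request, pick the set by resource type, walk the request's components through both structures to collect only the policies that can apply, and evaluate just that subset. The following is an added example, not the patent's text nor any assignee's code; it implements the four structures as tries, and the wildcard semantics (`*` matches one component, `**` or a trailing `*` on a flat expression matches the rest), the `*` subject, deny-overrides combining, default deny and all sample policies are this example's own constructed assumptions.

```python
"""Policy index keyed by resource type with per-expression-type tries.
Added example; wildcard rules, combining rules and sample policies are
constructed for illustration and are not taken from the patent."""
from dataclasses import dataclass, field

HIERARCHICAL = "path"    # first resource type: components are path segments
FLAT = "string"          # second resource type: components are characters
EXACT, PATTERN = "exact", "pattern"   # the two resource expression types


@dataclass(frozen=True)
class Policy:
    policy_id: str
    subjects: frozenset   # "*" means any subject (this example's convention)
    actions: frozenset
    resource_type: str
    resource: str         # exact expression, or a pattern containing "*"
    effect: str           # "allow" or "deny"


@dataclass
class Node:
    children: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)


def components(resource_type, expr):
    """Split an expression into the components the trie is keyed on."""
    if resource_type == HIERARCHICAL:
        return [seg for seg in expr.split("/") if seg]
    chars = list(expr)
    if chars and chars[-1] == "*":
        chars[-1] = "**"   # trailing "*" on a flat expression matches the rest
    return chars


class PolicyIndex:
    """Four tries: {resource type} x {exact, pattern}, as in the claims."""

    def __init__(self):
        self.tries = {t: {e: Node() for e in (EXACT, PATTERN)}
                      for t in (HIERARCHICAL, FLAT)}
        self.size = 0   # total policies stored, to compare with the candidate count

    def add(self, policy):
        expr_type = PATTERN if "*" in policy.resource else EXACT
        node = self.tries[policy.resource_type][expr_type]
        for comp in components(policy.resource_type, policy.resource):
            node = node.children.setdefault(comp, Node())
        node.policies.append(policy)
        self.size += 1

    def _match(self, node, comps, i, out):
        """Walk the trie over comps[i:]; "*" consumes exactly one component,
        "**" consumes zero or more. Policies sit on the node that consumed
        the last component, so they are collected only when i == len(comps)."""
        if i == len(comps):
            out.extend(node.policies)
        for key, child in node.children.items():
            if key == "**":
                for j in range(i, len(comps) + 1):
                    self._match(child, comps, j, out)
            elif i < len(comps) and key in ("*", comps[i]):
                self._match(child, comps, i + 1, out)

    def candidates(self, resource_type, resource):
        """Select the structure set for the request's resource type, then
        match its components against both expression-type tries."""
        comps = components(resource_type, resource)
        found, seen, out = [], set(), []
        for trie in self.tries[resource_type].values():
            self._match(trie, comps, 0, found)
        for p in found:                 # dedupe, preserving match order
            if p.policy_id not in seen:
                seen.add(p.policy_id)
                out.append(p)
        return out

    def authorize(self, subject, resource_type, resource, action):
        """Evaluate only the candidate set; returns (decision, candidate count).
        Deny-overrides and default-deny are this example's choices."""
        cands = self.candidates(resource_type, resource)
        applicable = [p for p in cands if action in p.actions
                      and (subject in p.subjects or "*" in p.subjects)]
        if any(p.effect == "deny" for p in applicable):
            return "deny", len(cands)
        if any(p.effect == "allow" for p in applicable):
            return "allow", len(cands)
        return "deny", len(cands)


def build_sample_index():
    """Constructed sample policies (not from the patent)."""
    idx = PolicyIndex()
    for p in [
        Policy("p1", frozenset({"alice"}), frozenset({"read"}), HIERARCHICAL, "/finance/reports/q1.csv", "allow"),
        Policy("p2", frozenset({"finance-team"}), frozenset({"read", "write"}), HIERARCHICAL, "/finance/**", "allow"),
        Policy("p3", frozenset({"*"}), frozenset({"delete"}), HIERARCHICAL, "/finance/reports/*", "deny"),
        Policy("p4", frozenset({"hr-team"}), frozenset({"read"}), HIERARCHICAL, "/hr/**", "allow"),
        Policy("p5", frozenset({"order-svc"}), frozenset({"consume", "publish"}), FLAT, "queue:orders", "allow"),
        Policy("p6", frozenset({"*"}), frozenset({"purge"}), FLAT, "queue:*", "deny"),
        Policy("p7", frozenset({"auditor"}), frozenset({"read"}), FLAT, "topic:audit", "allow"),
    ]:
        idx.add(p)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    # only 3 of the 7 stored policies are matched and evaluated for this request
    print(idx.authorize("alice", HIERARCHICAL, "/finance/reports/q1.csv", "read"))
    print(idx.authorize("order-svc", FLAT, "queue:orders", "purge"))
```

The second element returned by `authorize` is the size of the candidate set, which is what the claims call the "first set of policies": for the seven sample policies, a request for `/finance/reports/q1.csv` touches only the three hierarchical policies whose expressions can match that path, and a flat `queue:orders` request never visits the path tries at all. Note that the exact and pattern tries are walked with the same matcher; the only difference is that an exact expression contains no wildcard nodes, so it can only match a single resource.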
Specification