Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm
First Claim
1. A computer-implemented method comprising:
identifying, by a computer system of an access management system, a global policy that is stored within a global policy container and that is shared by multiple applications, wherein the identified global policy includes a global rule for determining access to a resource by a plurality of applications;
identifying, by the computer system, a first application-specific container from application-specific policy containers, the first application-specific container identified based on an association with a first application, wherein each of the application-specific policy containers stores an application-specific policy that includes an application-specification rule for determining access to a resource by an application associated with the application-specific policy container;
determining, by the computer system, by applying the global rule of the global policy and a first application-specific rule of the identified first application-specific container, whether the first application is permitted to access a requested resource;
identifying, by the computer system, a second application-specific container from the application-specific policy containers, the second application-specific container identified based on an association with a second application; and
determining, by the computer system, by applying the global rule of the global policy and a second application-specific rule of a second application-specific policy in the identified second application-specific container, whether the second application is permitted to access the requested resource.
Abstract
A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be associated with that environment. An application-level policy-combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.
17 Claims
1. A computer-implemented method comprising the steps recited under First Claim above.
Dependent claims: 2, 3, 4, 5, 17
6. An apparatus comprising:
means for identifying a global policy, the global policy being stored within a global policy container and being shared by multiple applications, wherein the identified global policy includes a global rule for determining access to a resource by a plurality of applications;
means for identifying a first application-specific container from application-specific policy containers, the first application-specific container identified based on an association with a first application, wherein each of the application-specific policy containers stores an application-specific policy that includes an application-specification rule for determining access to a resource by an application associated with the application-specific policy container;
means for determining, by applying the global rule of the global policy and a first application-specific rule of the identified first application-specific container, whether the first application is permitted to access a requested resource;
means for identifying a second application-specific container from the application-specific policy containers, the second application-specific container identified based on an association with a second application; and
means for determining, by applying the global rule of the global policy and a second application-specific rule of a second application-specific policy in the identified second application-specific container, whether the second application is permitted to access the requested resource.
Dependent claims: 7, 8, 9, 10, 11
12. A computer-implemented method comprising:
determining, by a computer system of an access management system, a mapping between a first policy-combining rule and a first application of the computer system;
determining, by the computer system, a mapping between a second policy-combining rule and a second application of the computer system;
upon applying, by the computer system, a first rule of a first policy and a second rule of a second policy to authorize access to a resource by the first application, applying, by the computer system, the first policy-combining rule to reconcile results of applying the first rule and the second rule; and
upon applying, by the computer system, a third rule of a third policy and a fourth rule of a fourth policy to authorize access to a resource of the computer system by the second application, applying, by the computer system, the second policy-combining rule to reconcile results of applying the third rule and the fourth rule;
wherein the first policy-combining rule differs from the second policy-combining rule.
Dependent claims: 13, 14, 15, 16
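The structure recited in claims 1 and 12, as an added illustration that is not the patent's own code: one global policy container shared by every application, one container per application, and a per-application policy-combining rule that reconciles the global and application-specific results. All container names, roles, resources and rules below are constructed sample values.

```python
# Added example (not from the patent): a minimal decision point with a shared
# global container, per-application containers, and per-application combining.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Decision = Optional[str]            # "Permit", "Deny", or None (rule not applicable)
Rule = Callable[[dict], Decision]   # a rule inspects the request context


@dataclass
class PolicyContainer:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, request: dict) -> List[Decision]:
        return [rule(request) for rule in self.rules]


def deny_overrides(results: List[Decision]) -> str:
    """Any Deny wins; otherwise Permit if some rule permitted; otherwise default-deny."""
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"


def permit_overrides(results: List[Decision]) -> str:
    """Any Permit wins; otherwise Deny. Note it can override a global Deny."""
    return "Permit" if "Permit" in results else "Deny"


# Global container: rules shared by all applications (constructed sample rule).
GLOBAL = PolicyContainer("global", [
    lambda r: "Deny" if r["resource"].startswith("/admin") and r["role"] != "admin" else None,
])

# One container per application, each holding its own application-specific rule.
APP_CONTAINERS: Dict[str, PolicyContainer] = {
    "payroll": PolicyContainer("payroll", [lambda r: "Permit" if r["role"] in ("hr", "admin") else None]),
    "wiki": PolicyContainer("wiki", [lambda r: "Permit"]),  # wiki permits any authenticated role
}

# Claim 12: each application is mapped to its own (different) policy-combining rule.
APP_COMBINING: Dict[str, Callable[[List[Decision]], str]] = {
    "payroll": deny_overrides,
    "wiki": permit_overrides,
}


def authorize(app: str, request: dict) -> str:
    """Apply the global rule plus the application's rule, then the app's combining rule."""
    results = GLOBAL.evaluate(request) + APP_CONTAINERS[app].evaluate(request)
    return APP_COMBINING[app](results)
```

The same request under "wiki" and "payroll" yields different outcomes solely because their combining rules differ, which is the point of claim 12 and also why a permit-overrides mapping deserves review before it is assigned to an application.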
Specification