Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm

US 9,471,798 B2
Filed: 09/11/2014
Issued: 10/18/2016
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying, by a computer system of an access management system, a global policy that is stored within a global policy container and that is shared by multiple applications, wherein the identified global policy includes a global rule for determining access to a resource by a plurality of applications;

identifying, by the computer system, a first application-specific container from application-specific policy containers, the first application-specific container identified based on an association with a first application, wherein each of the application-specific policy containers stores an application-specific policy that includes an application-specification rule for determining access to a resource by an application associated with the application-specific policy container;

determining, by the computer system, by applying the global rule of the global policy and a first application-specific rule of the identified first application-specific container, whether the first application is permitted to access a requested resource;

identifying, by the computer system, a second application-specific container from the application-specific policy containers, the second application-specific container identified based on an association with a second application; and

determining, by the computer system, by applying the global rule of the global policy and a second application-specific rule of a second application-specific policy in the identified second application-specific container, whether the second application is permitted to access the requested resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application'"'"'s resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

34 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- identifying, by a computer system of an access management system, a global policy that is stored within a global policy container and that is shared by multiple applications, wherein the identified global policy includes a global rule for determining access to a resource by a plurality of applications;
  
  identifying, by the computer system, a first application-specific container from application-specific policy containers, the first application-specific container identified based on an association with a first application, wherein each of the application-specific policy containers stores an application-specific policy that includes an application-specification rule for determining access to a resource by an application associated with the application-specific policy container;
  
  determining, by the computer system, by applying the global rule of the global policy and a first application-specific rule of the identified first application-specific container, whether the first application is permitted to access a requested resource;
  
  identifying, by the computer system, a second application-specific container from the application-specific policy containers, the second application-specific container identified based on an association with a second application; and
  
  determining, by the computer system, by applying the global rule of the global policy and a second application-specific rule of a second application-specific policy in the identified second application-specific container, whether the second application is permitted to access the requested resource.
- View Dependent Claims (2, 3, 4, 5, 17)
- - 2. The computer-implemented method of claim 1, further comprising:
    - in response to determining that either the global rule or the first application-specific rule does not permit the first application to access the requested resource, denying the first application access to the requested resource.
  - 3. The computer-implemented method of claim 1, further comprising:
    - in response to determining that either the global rule or the second application-specific rule not permit the second application to access the requested resource, denying the second application access to the requested resource.
  - 4. The computer-implemented method of claim 1, further comprising:
    - in response to determining that both the global rule and the first application-specific rule permit the first application to access the requested resource, permitting the first application to access the requested resource.
  - 5. The computer-implemented method of claim 1, further comprising:
    - in response to determining that both the global rule and the second application-specific rule permit the second application to access the requested resource, permitting the second application to access the requested resource.
  - 17. The method of claim 1, wherein the global rule differs from the first application-specific rule.

6. An apparatus comprising:
- means for identifying a global policy, the global policy being stored within a global policy container and being shared by multiple applications, wherein the identified global policy includes a global rule for determining access to a resource by a plurality of applications;
  
  means for identifying a first application-specific container from application-specific policy containers, the first application-specific container identified based on an association with a first application, wherein each of the application-specific policy containers stores an application-specific policy that includes an application-specification rule for determining access to a resource by an application associated with the application-specific policy container;
  
  means for determining, by applying the global rule of the global policy and a first application-specific rule of the identified first application-specific container, whether the first application is permitted to access a requested resource;
  
  means for identifying a second application-specific container from the application-specific policy containers, the second application-specific container identified based on an association with a second application; and
  
  means for determining, by applying the global rule of the global policy and a second application-specific rule of a second application-specific policy in the identified second application-specific container, whether the second application is permitted to access the requested resource.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, further comprising:
    - means for denying the first application access to the requested resource in response to determining that either the global rule or the first application-specific rule does not permit the first application to access the requested resource.
  - 8. The apparatus of claim 6, further comprising:
    - means for denying the second application access to the requested resource in response to determining that either the global rule or the second application-specific rule does not permit the second application to access the requested resource.
  - 9. The apparatus of claim 6, further comprising:
    - means for permitting the first application to access the requested resource in response to determining that both the global rule and the first application-specific rule permit the first application to access the requested resource.
  - 10. The apparatus of claim 6, further comprising:
    - means for permitting the second application to access the requested resource in response to determining that both the global rule and the second application-specific rule permit the second application to access the requested resource.
  - 11. The apparatus of claim 6, further comprising:
    - .means for storing the global policy in a global container that is accessible to administrators of both the first and second applications;
      
      means for storing a first application-specific policy in a first application-specific container that is accessible to an administrator of the first application but not to an administrator of the second application; and
      
      means for storing a second application-specific policy in a second application-specific container that is accessible to an administrator of the second application but not to an administrator of the first application.

12. A computer-implemented method comprising:
- determining, by a computer system of an access management system, a mapping between a first policy-combining rule and a first application of the computer system;
  
  determining, by the computer system, a mapping between a second policy-combining rule to a second application of the computer system;
  
  upon applying, by the computer system, a first rule of a first policy and a second rule of a second policy to authorize access to a resource by the first application, applying, by the computer system, the first policy-combing rule to reconcile results of applying the first rule and the second rule; and
  
  upon applying, by the computer system, a third rule of a third policy and a fourth rule of a fourth policy to authorize access to a resource of the computer system by the second application, applying, by the computer system, the second policy-combing rule to reconcile results of applying the third rule and the fourth rule;
  
  wherein the first policy-combining rule differs from the second policy-combining rule.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-implemented method of claim 12, wherein combined rules of the first policy and the second policy are the same as combined rules of the third policy and fourth policy.
  - 14. The computer-implemented method of claim 13, wherein combined rules of the first policy and the second policy differ from combined rules of the third policy and fourth policy.
  - 15. The computer-implemented method of claim 13, wherein:
    - the first policy and the third policy are global policies that include one or more rules to determine whether applications are to be granted or denied access to a resource;
      
      the second policy is an application specific policy including rules to determine only whether the first application should be granted or denied access to the resource; and
      
      the fourth policy is an application specific policy including rules to determine only whether the second application should be granted or denied access to the resource.
  - 16. The computer-implemented method of claim 15, wherein reconciling results of applying the first rule and the second rule comprises reconciling results of applying the global rule with results of applying a rule of the second policy;
    - and wherein reconciling results of applying the first rule and the second rule comprises reconciling results of applying the global rule with results of applying a rule of the fourth policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ding, Cynthia, Vepa, Sirish V., Sastry, Hari, Cao, Alan
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Ho, Thomas

Application Number

US14/484,050
Publication Number

US 20150089575A1
Time in Patent Office

768 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6281   at program execution time, ...

H04L 41/0893   Assignment of logical group...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links