Flexible authentication framework

US 9,479,494 B2
Filed: 11/02/2015
Issued: 10/25/2016
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method for building and using a secure index to service queries for a plurality of secure data stores, the method comprising:

crawling, by a computer system, the plurality of secure data stores residing on a plurality of different computer systems;

generating, by the computer system, an index of a plurality of documents from across the plurality of data stores, wherein;

each of the plurality of documents is associated with one or more security attributes; and

each of the one or more security attributes for each of the plurality of documents is associated with a set of acceptable security attribute values;

storing, by the computer system, in the index, for each document in the plurality of documents, the one or more security attributes of the document and each corresponding set of acceptable security attribute values;

receiving, by the computer system, a query from a client device;

in response to receiving the query, obtaining, by the computer system, security information for a user of the client device, the security information comprising one or more security attributes of the user and one or more security attribute values for each of the one or more security attributes of the user;

selecting, by the computer system, each document in the index that is responsive to the query and where, for each of the one or more security attributes of the document;

the security attribute of the document matches at least one of the one or more security attributes of the user; and

at least one of the one or more security attribute values of the at least one of the one or more security attributes of the user falls within the set of acceptable security attribute values of the security attribute of the document; and

transmitting, by the computer system, each selected document in the index as a result set to the client device to service the query from the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible and extensible architecture allows for secure searching across an enterprise. Such an architecture can provide a simple Internet-like search experience to users searching secure content inside (and outside) the enterprise. The architecture allows for the crawling and searching of a variety of sources across an enterprise, regardless of whether any of these sources conform to a conventional user role model. The architecture further allows for security attributes to be received at query time, for example, in order to provide real-time secure access to enterprise resources. The user query also can be transformed to provide for dynamic querying that provides for a more current result list than can be obtained for static queries.

236 Citations

20 Claims

1. A method for building and using a secure index to service queries for a plurality of secure data stores, the method comprising:
- crawling, by a computer system, the plurality of secure data stores residing on a plurality of different computer systems;
  
  generating, by the computer system, an index of a plurality of documents from across the plurality of data stores, wherein;
  
  each of the plurality of documents is associated with one or more security attributes; and
  
  each of the one or more security attributes for each of the plurality of documents is associated with a set of acceptable security attribute values;
  
  storing, by the computer system, in the index, for each document in the plurality of documents, the one or more security attributes of the document and each corresponding set of acceptable security attribute values;
  
  receiving, by the computer system, a query from a client device;
  
  in response to receiving the query, obtaining, by the computer system, security information for a user of the client device, the security information comprising one or more security attributes of the user and one or more security attribute values for each of the one or more security attributes of the user;
  
  selecting, by the computer system, each document in the index that is responsive to the query and where, for each of the one or more security attributes of the document;
  
  the security attribute of the document matches at least one of the one or more security attributes of the user; and
  
  at least one of the one or more security attribute values of the at least one of the one or more security attributes of the user falls within the set of acceptable security attribute values of the security attribute of the document; and
  
  transmitting, by the computer system, each selected document in the index as a result set to the client device to service the query from the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of secure data stores reside both inside of an enterprise and outside of the enterprise.
  - 3. The method of claim 1, wherein the security information for the user is obtained from an identity management system associated with at least one of the plurality of secure data sources.
  - 4. The method of claim 1, wherein the one or more security attributes includes at least one grant attribute for one deny attribute.
  - 5. The method of claim 1, wherein the one or more security attribute values of the user comprises a role, a group, or a project associated with the user.
  - 6. The method of claim 1, further comprising:
    - receiving, by the computer system, user identification information for the user;
      
      providing, by a computer system, the user identification information to a plurality of identity management systems, wherein each of the plurality of identity management systems receives the user identification information through a respective Application Program Interface (API); and
      
      validating, by a computer system, the user against at least one identity management system in the plurality of identity management systems.
  - 7. The method of claim 6, wherein a number or type of objects required from the user identification information by a first identity management system in the plurality of identity management systems is different from a number or type of objects required from the user identification information by a second identity management system in the plurality of identity management systems.

8. A non-transitory, computer-readable storage medium comprising instructions that, when executed by one or more processors, cause the one or more processors to build and use a secure index to service queries for a plurality of secure data stores by performing operations comprising:
- crawling the plurality of secure data stores residing on a plurality of different computer systems;
  
  generating an index of a plurality of documents from across the plurality of data stores, wherein;
  
  each of the plurality of documents is associated with one or more security attributes; and
  
  each of the one or more security attributes for each of the plurality of documents is associated with a set of acceptable security attribute values;
  
  storing, in the index, for each document in the plurality of documents, the one or more security attributes of the document and each corresponding set of acceptable security attribute values;
  
  receiving a query from a client device;
  
  in response to receiving the query, obtaining security information for a user of the client device, the security information comprising one or more security attributes of the user and one or more security attribute values for each of the one or more security attributes of the user;
  
  selecting each document in the index that is responsive to the query and where, for each of the one or more security attributes of the document;
  
  the security attribute of the document matches at least one of the one or more security attributes of the user; and
  
  at least one of the one or more security attribute values of the at least one of the one or more security attributes of the user falls within the set of acceptable security attribute values of the security attribute of the document; and
  
  transmitting each selected document in the index as a result set to the client device to service the query from the client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable storage medium of claim 8, wherein the plurality of secure data stores reside both inside of an enterprise and outside of the enterprise.
  - 10. The non-transitory, computer-readable storage medium of claim 8, wherein the security information for the user is obtained from an identity management system associated with at least one of the plurality of secure data sources.
  - 11. The non-transitory, computer-readable storage medium of claim 8, wherein the one or more security attributes includes at least one grant attribute for one deny attribute.
  - 12. The non-transitory, computer-readable storage medium of claim 8, wherein the one or more security attribute values of the user comprises a role, a group, or a project associated with the user.
  - 13. The non-transitory, computer-readable storage medium of claim 8, comprising additional instructions that cause the one or more processors to perform additional operations comprising:
    - receiving, by the computer system, user identification information for the user;
      
      providing, by a computer system, the user identification information to a plurality of identity management systems, wherein each of the plurality of identity management systems receives the user identification information through a respective Application Program Interface (API); and
      
      validating, by a computer system, the user against at least one identity management system in the plurality of identity management systems.
  - 14. The non-transitory, computer-readable storage medium of claim 13, wherein a number or type of objects required from the user identification information by a first identity management system in the plurality of identity management systems is different from a number or type of objects required from the user identification information by a second identity management system in the plurality of identity management systems.

15. A system comprising:
- one or more hardware processors; and
  
  one or more memory devices comprising instructions that, when executed by the one or more processors, cause the one or more processors to build and use a secure index to service queries for a plurality of secure data stores by configuring the one or more processors to;
  
  crawl the plurality of secure data stores residing on a plurality of different computer systems;
  
  generate an index of a plurality of documents from across the plurality of data stores, wherein;
  
  each of the plurality of documents is associated with one or more security attributes; and
  
  each of the one or more security attributes for each of the plurality of documents is associated with a set of acceptable security attribute values;
  
  store, in the index, for each document in the plurality of documents, the one or more security attributes of the document and each corresponding set of acceptable security attribute values;
  
  receive a query from a client device;
  
  in response to receiving the query, obtain security information for a user of the client device, the security information comprising one or more security attributes of the user and one or more security attribute values for each of the one or more security attributes of the user;
  
  select each document in the index that is responsive to the query and where, for each of the one or more security attributes of the document;
  
  the security attribute of the document matches at least one of the one or more security attributes of the user; and
  
  at least one of the one or more security attribute values of the at least one of the one or more security attributes of the user falls within the set of acceptable security attribute values of the security attribute of the document; and
  
  transmit each selected document in the index as a result set to the client device to service the query from the client device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the plurality of secure data stores reside both inside of an enterprise and outside of the enterprise.
  - 17. The system of claim 15, wherein the security information for the user is obtained from an identity management system associated with at least one of the plurality of secure data sources.
  - 18. The system of claim 15, wherein the one or more security attributes includes at least one grant attribute for one deny attribute.
  - 19. The system of claim 15, wherein the one or more security attribute values of the user comprises a role, a group, or a project associated with the user.
  - 20. The system of claim 15, comprising additional instructions that configure the one or more processors toreceive, by the computer system, user identification information for the user;
    - provide, by a computer system, the user identification information to a plurality of identity management systems, wherein each of the plurality of identity management systems receives the user identification information through a respective Application Program Interface (API); and
      
      validate, by a computer system, the user against at least one identity management system in the plurality of identity management systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Krishnaprasad, Muralidhar, Davis, Mark, Ture, Mark, Hsin, Cindy, Bhavsar, Meeten, Koide, Hiroshi, Delgado, Joaquin, Yang, Chi-Ming, Nimani, Visar, Ouyang, Hui, Bhatkar, Sachin, Chang, Thomas
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US14/930,475
Publication Number

US 20160055209A1
Time in Patent Office

358 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2455   Query execution

G06F 16/248   Presentation of query results

G06F 16/93   Document management systems

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/31   User authentication

G06F 21/6227   where protection concerns t...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

Flexible authentication framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

236 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Flexible authentication framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others