Attaching web service policies to a group of policy subjects

US 9,589,145 B2
Filed: 05/31/2011
Issued: 03/07/2017
Est. Priority Date: 11/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing policies in an enterprise, the method comprising:

receiving, by a computer system, a reference to a first service policy;

receiving, by the computer system, a first policy attachment scope, the first policy attachment scope identifying a type of resource in the enterprise;

generating, by the computer system, a first global policy attachment metadata using the first service policy and the first policy attachment scope, the first global policy attachment metadata defining an attachment of the first service policy to the type of resource identified in the first policy attachment scope;

receiving, by the computer system, a request to access a resource, wherein the resource is the type of resource identified in the first policy attachment scope;

determining, by the computer system, an effective set of policies for the resource using the first global policy attachment metadata based at least in part on determining that the first service policy is in the effective set of policies for the resource;

controlling, by the computer system, access to the resource responsive to the request using the determined effective set of policies at least in part by granting, by the computer system, the request to access the resource based upon the effective set of policies,wherein the type of resource identified by the first policy attachment scope corresponds to a first level in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first type of resource associated with a broader level contains one or more types of resources associated with a narrower level,wherein the first policy attachment scope contains additional types of resources if the type of resource identified by the first policy attachment scope corresponds to a level that is broader than the level that corresponds with the additional types of resources, andwherein the requested resource corresponds to a level that is narrower than the level corresponding to the first policy attachment scope.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one set of embodiments, methods, systems, and apparatus are provided to attach one or more quality of service policies to resources in an enterprise system by receiving a first global policy attachment that references an attachment attribute value and a first service policy, receiving a request to access a policy subject associated with a subject attribute value, identifying an effective policy set referenced by the first global policy attachment, the effective policy set including the first service policy if the attachment attribute value equals the subject attribute value, and granting the request to access based upon the at least one effective policy. The at least one effective policy may further include a first service policy referenced by the first global policy attachment if a first policy attachment scope referenced by the first global policy attachment matches or contains a subject scope associated with the policy subject.

167 Citations

19 Claims

1. A method for enforcing policies in an enterprise, the method comprising:
- receiving, by a computer system, a reference to a first service policy;
  
  receiving, by the computer system, a first policy attachment scope, the first policy attachment scope identifying a type of resource in the enterprise;
  
  generating, by the computer system, a first global policy attachment metadata using the first service policy and the first policy attachment scope, the first global policy attachment metadata defining an attachment of the first service policy to the type of resource identified in the first policy attachment scope;
  
  receiving, by the computer system, a request to access a resource, wherein the resource is the type of resource identified in the first policy attachment scope;
  
  determining, by the computer system, an effective set of policies for the resource using the first global policy attachment metadata based at least in part on determining that the first service policy is in the effective set of policies for the resource;
  
  controlling, by the computer system, access to the resource responsive to the request using the determined effective set of policies at least in part by granting, by the computer system, the request to access the resource based upon the effective set of policies,wherein the type of resource identified by the first policy attachment scope corresponds to a first level in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first type of resource associated with a broader level contains one or more types of resources associated with a narrower level,wherein the first policy attachment scope contains additional types of resources if the type of resource identified by the first policy attachment scope corresponds to a level that is broader than the level that corresponds with the additional types of resources, andwherein the requested resource corresponds to a level that is narrower than the level corresponding to the first policy attachment scope.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving, by the computer system, a first policy attachment attribute, the first policy attachment attribute identifying an attribute of one or more resources in the enterprise;
      
      wherein generating the first global policy attachment metadata further includes using the first policy attachment attribute to define the attachment of the first service policy to the type of resource identified in the first policy attachment scope that has the attribute identified in the first policy attachment attribute; and
      
      wherein the first policy attachment attribute includes at least one wildcard, and the first policy attachment attribute matches or contains the attribute of the resource if the wildcard matches the attribute of the resource.
  - 3. The method of claim 1, wherein identifying at least one effective policy comprises identifying a second service policy referenced by a second global policy attachment,the second global policy attachment references a second policy attachment scope, and the at least one effective policy includes the second service policy if the second policy attachment scope identifies a type of resource that matches or contains the type of resource of the requested resource.
  - 4. The method of claim 3, wherein the first service policy is associated with a first policy category, the second service policy is associated with a second policy category, andthe at least one effective policy includes the second service policy if the second policy attachment scope identifies a type of resource that matches or contains the type of resource of the requested resource and the first policy category is different from the second policy category.
  - 5. The method of claim 1, the first policy attachment scope having a first scope name that includes a first plurality of level names and a second policy attachment scope having a second scope name that includes a second plurality of level names,wherein the first policy attachment scope contains the second policy attachment scope if the first scope name includes fewer level names than the second scope name, and the second plurality of level names includes the first plurality of level names in the same order and position that level names appear in the first plurality of level names, or if the first scope name includes more level names than the second scope name and any additional level names in the first scope name are wildcards that match any name.
  - 6. The method of claim 3, the first policy attachment scope having a first scope name that includes a first plurality of level names and the second policy attachment scope having a second scope name that includes a second plurality of level names,wherein the first policy attachment scope matches the second policy attachment scope if the second policy attachment scope includes a level name that equals or matches each level name in the first policy attachment scope by wildcard matching.
  - 7. The method of claim 1, further comprising:
    - receiving, by the computer system, at least one attribute value describing an arbitrary set of policy subjects for the first global policy attachment metadata having subject attribute values that match the at least one attribute value.
  - 8. The method of claim 7, wherein the at least one attribute includes a policy subject type.
  - 9. The method of claim 1, wherein the request is granted if one or more assertions included in the at least one effective policy are satisfied.

10. A system comprising:
- a hardware processor; and
  
  a memory storing a set of instructions which when executed by the processor configure the processor to;
  
  receive a first global policy attachment metadata that references an attachment attribute value and a first service policy, the first global policy attachment metadata defining an attachment of the first service policy to resources having the attachment attribute value, and the first global policy attachment metadata referencing a first policy attachment scope that indicates a first scope of policy subjects to which the first service policy applies;
  
  receive a request to access a policy subject, the policy subject associated with a subject attribute value and a subject scope;
  
  identify at least one effective policy referenced by the first global policy attachment metadata in response to determining that the attachment attribute value of the first global policy attachment metadata satisfies the subject attribute value, wherein the at least one effective policy includes the first service policy referenced by the first global policy attachment metadata if the attachment attribute value is equal to the subject attribute value and the first policy attachment scope matches or contains the subject scope; and
  
  grant the request to access the policy subject based upon the at least one effective policy,wherein the first policy attachment scope and the subject scope each correspond to respective levels in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first entity associated with a broader level contains one or more entities associated with a narrower level, andwherein the first policy attachment scope contains the subject scope if the first policy attachment scope is broader than the subject scope.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein the first policy attachment scope includes at least one wildcard, and the first policy attachment scope matches or contains the subject scope if the wildcard matches the subject scope.
  - 12. The system of claim 10, wherein the processor is further configured to identify a second service policy referenced by a second global policy attachment,the second global policy attachment references a second policy attachment scope, and the at least one effective policy includes the second service policy if the second policy attachment scope matches or contains the subject scope.
  - 13. The system of claim 12, wherein the first service policy is associated with a first policy category, the second service policy is associated with a second policy category, andthe at least one effective policy includes the second service policy if the second policy attachment scope matches or contains the subject scope and the first policy category is different from the second policy category.

14. A non-transitory machine-readable medium for a computer system, the non-transitory machine-readable medium having stored thereon a series of instructions which, when executed by a processor, cause the processor to:
- receive a reference to a first service policy;
  
  receive a first policy attachment scope, the first policy attachment scope identifying a type of resource in the enterprise;
  
  generate a first global policy attachment metadata using the first service policy and the first policy attachment scope, the first global policy attachment metadata defining an attachment of the first service policy to the type of resource identified in the first policy attachment scope;
  
  receive a request to access a resource;
  
  determine an effective set of policies for the resource using the first global policy attachment metadata at least in part by identifying at least one effective policy referenced by at least one global policy attachment to determine the effective set of policies for the resource, wherein the at least one effective policy includes the first service policy referenced by the first global policy attachment metadata if the first policy attachment scope matches or contains a subject scope associated with the resource,wherein the first policy attachment scope and the subject scope each correspond to respective levels in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first entity associated with a broader level contains one or more entities associated with a narrower level,and wherein the first policy attachment scope contains the subject scope if the first policy attachment scope is broader than the subject scope; and
  
  control access to the resource responsive to the request using the determined effective set of policies at least in part by granting the request to access the resource based upon the at least one effective policy.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory machine-readable medium of claim 14, wherein the first policy attachment scope includes at least one wildcard, and the first policy attachment scope matches or contains the subject scope if the wildcard matches the subject scope.
  - 16. The non-transitory machine-readable medium of claim 14, wherein identifying at least one effective policy comprises identifying a second service policy referenced by a second global policy attachment,the second global policy attachment references a second policy attachment scope, and the at least one effective policy includes the second service policy if the second policy attachment scope matches or contains the subject scope.
  - 17. The non-transitory machine-readable medium of claim 16, wherein the first service policy is associated with a first policy category, the second service policy is associated with a second policy category, andthe at least one effective policy includes the second service policy if the second policy attachment scope matches or contains the subject scope and the first policy category is different from the second policy category.
  - 18. The non-transitory machine-readable medium of claim 14, the first policy attachment scope having a first scope name that includes a first plurality of level names and the second policy attachment scope having a second scope name that includes a second plurality of level names,wherein the first policy attachment scope contains the second policy attachment scope if the first scope name includes fewer level names than the second scope name, and the second plurality of level names includes the first plurality of level names in the same order and position that the level names appear in the first plurality of level names, or if the first scope name includes more level names than the second scope name and any additional level names in the first scope name are wildcards that match any name.
  - 19. The non-transitory machine-readable medium of claim 14, the first policy attachment scope having a first scope name that includes a first plurality of level names and the second policy attachment scope having a second scope name that includes a second plurality of level names,wherein the first policy attachment scope matches the second policy attachment scope if the second scope name includes a level name that equals or matches each level name in the first scope name by wildcard matching.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bryan, Jeffrey Jason, Kavantzas, Nickolas, Yamuna, Prakash
Primary Examiner(s)
Obisesan, Augustine K
Assistant Examiner(s)
Htay, Lin Lin

Application Number

US13/118,947
Publication Number

US 20120131164A1
Time in Patent Office

2,107 Days
Field of Search

707/694
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Attaching web service policies to a group of policy subjects

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

167 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Attaching web service policies to a group of policy subjects

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links