Hierarchical policy-based shared resource access control
First Claim
1. A computer-implemented method of accessing shared computing resources, the method comprising:
- receiving a request to access a computing resource in a computing resource hierarchy stored in a memory or storage of a computing device;
generating, by operations carried out by one or more processors, an effective access control list for the computing resource, wherein generating the effective access control list comprises;
collecting available access control policies for one or more parent computing resources of the computing resource in the computing resource hierarchy, andanalyzing the permissions specified in the collected access control policies to generate the effective access control list, wherein the analyzing comprises propagating the permissions specified in the available access control policies for the one or more parent computing resources and storing the propagated permissions in the effective access control list;
determining, based at least in part on the generated effective access control list for the computing resource, whether to grant the requested access to the computing resource;
receiving a subsequent request to access the computing resource;
identifying the generated effective access control list associated with the computing resource; and
determining, based at least in part on the generated effective access control list, whether to grant the subsequent requested access to the computing resource, wherein the determining comprises analyzing the propagated permissions for the one or more parent computing resources in the generated effective access control list.
1 Assignment
0 Petitions
Accused Products
Abstract
Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.
-
Citations
20 Claims
-
1. A computer-implemented method of accessing shared computing resources, the method comprising:
-
receiving a request to access a computing resource in a computing resource hierarchy stored in a memory or storage of a computing device; generating, by operations carried out by one or more processors, an effective access control list for the computing resource, wherein generating the effective access control list comprises; collecting available access control policies for one or more parent computing resources of the computing resource in the computing resource hierarchy, and analyzing the permissions specified in the collected access control policies to generate the effective access control list, wherein the analyzing comprises propagating the permissions specified in the available access control policies for the one or more parent computing resources and storing the propagated permissions in the effective access control list; determining, based at least in part on the generated effective access control list for the computing resource, whether to grant the requested access to the computing resource; receiving a subsequent request to access the computing resource; identifying the generated effective access control list associated with the computing resource; and determining, based at least in part on the generated effective access control list, whether to grant the subsequent requested access to the computing resource, wherein the determining comprises analyzing the propagated permissions for the one or more parent computing resources in the generated effective access control list. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by one or more processors, perform operations, the operations comprising:
-
receiving a request to perform a function on a particular computing resource, wherein the computing resource is contained within a hierarchy level in a computing resource hierarchy; retrieving one or more access control policies associated with one or more parent computing resources of the particular computing resource, wherein the one or more parent computing resources are contained within hierarchy levels in the computing resource hierarchy that are higher than the hierarchy level containing the particular computing resource; determining an effective access control list for the particular computing resource, wherein the effective access control list comprises a propagation of permissions associated with the retrieved one or more access control policies; determining whether the request to perform the function on the particular computing resource is authorized based on the effective access control list for the particular computing resource; receiving another request to perform the function; and determining whether the another request is authorized using the effective access control list for the particular computing resource, wherein the determining comprises analyzing the propagation of permissions in the effective access control list. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. One or more server computers implementing an access control system, the system comprising:
-
one or more processors; one or more memories; a computing resource hierarchy comprising computing resources in multiple hierarchy levels; an access policy collector that; retrieves, using at least one of the one or more processors, access control policies for one or more parent computing resources in hierarchy levels in the computing resource hierarchy that are above a hierarchy level of a target computing resource; and retrieves, using at least one of the one or more processors, a previously determined access control list for a particular parent computing resource if a previously determined effective access control list exists; an analysis engine that; determines, using at least one of the one or more processors, an effective access control list for the target computing resource, wherein the effective access control list comprises a propagation of permissions specified by the access control policies retrieved by the access policy collector, including one or more permissions specified in the previously determined effective access control list for the particular parent computing resource; and an access manager that; receives, using at least one of the one or more processors, an access request for a user to access a target computing resource in the computing resource hierarchy; and determines, using at least one of the one or more processors, whether to grant or deny the user access to the target computing resource based, at least in part, on the effective access control list, wherein the determining comprises analyzing the propagation of permissions in the effective access control list. - View Dependent Claims (19, 20)
-
Specification