Optimized policy matching and evaluation for non-hierarchical resources

US 10,419,487 B2
Filed: 01/12/2017
Issued: 09/17/2019
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium comprising one or more processors and a memory storing a plurality of instructions executable by the one or more processors, the plurality of instructions comprising:

instructions that cause at least one processor from the one or more processors to receive an authorization request, the authorization request identifying resource information, and wherein the resource information from the authorization request comprises a resource expression identifying a resource;

instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;

instructions that cause at least one processor from the one or more processors to access a plurality of memory structures that correspond with a plurality of policies targeting a plurality of non-hierarchical resources, wherein the plurality of memory structures are stored in one or more memories in an authorization system;

instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;

instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;

instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies stored in a data store that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;

instructions that cause at least one processor from the one or more processors to filter the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;

instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request; and

in response to evaluating the one or more policies from the first set of policies, instructions that cause at least one processor from the one or more processors to allow or deny the subject identified in the authorization request to perform the action identified in the authorization request;

instructions that cause at least one processor from the one or more processors to identify the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;

instructions that cause at least one processor from the one or more processors to filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and

in response to the matching policy not being obtained, further filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.

10 Citations

22 Claims

1. A non-transitory computer-readable medium comprising one or more processors and a memory storing a plurality of instructions executable by the one or more processors, the plurality of instructions comprising:
- instructions that cause at least one processor from the one or more processors to receive an authorization request, the authorization request identifying resource information, and wherein the resource information from the authorization request comprises a resource expression identifying a resource;
  
  instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;
  
  instructions that cause at least one processor from the one or more processors to access a plurality of memory structures that correspond with a plurality of policies targeting a plurality of non-hierarchical resources, wherein the plurality of memory structures are stored in one or more memories in an authorization system;
  
  instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
  
  instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
  
  instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies stored in a data store that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
  
  instructions that cause at least one processor from the one or more processors to filter the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
  
  instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request; and
  
  in response to evaluating the one or more policies from the first set of policies, instructions that cause at least one processor from the one or more processors to allow or deny the subject identified in the authorization request to perform the action identified in the authorization request;
  
  instructions that cause at least one processor from the one or more processors to identify the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
  
  instructions that cause at least one processor from the one or more processors to filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
  
  in response to the matching policy not being obtained, further filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-readable medium of claim 1 wherein the instructions that cause at least one processor from the one or more processors to evaluate the one or more policies comprise:
    - instructions that cause at least one processor from the one or more processors to determine a second set of policies from the first set of policies that were filtered from the plurality of policies based upon the subject and the action identified in the authorization request; and
      
      instructions that cause at least one processor from the one or more processors to evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the non-hierarchical resource identified in the authorization request.
  - 3. The computer-readable medium of claim 1 wherein processing performed during the identifying depends upon a number of characters in the set of characters and is independent of a number of resources in the plurality of non-hierarchical resources and a number of policies in the plurality of policies.
  - 4. The computer-readable medium of claim 1 wherein the plurality of policies comprises a first policy and the plurality of memory structures comprises a first memory structure for the first policy, the plurality of instructions further comprising:
    - for the first policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a first resource expression specified by the first policy, the first resource expression identifying a first set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the first policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine a first set of characters from the first resource expression; and
      
      instructions that cause at least one processor from the one or more processors to generate the first memory structure for the first policy, the first memory structure storing information representing each character in the first set of characters and storing information representing relative positions of the first set of characters in the first resource expression, the first memory structure comprising a reference to the first policy.
  - 5. The computer-readable medium of claim 4 wherein the plurality of policies comprises a second policy, the plurality of instructions further comprising:
    - for the second policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a second resource expression specified by the second policy, the second resource expression identifying a second set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the second policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine that the first resource expression and the second resource expression are of same expression type;
      
      instructions that cause at least one processor from the one or more processors to determine a second set of characters from the second resource expression; and
      
      instructions that cause at least one processor from the one or more processors to augment the first memory structure to store information for the second policy, the first memory structure storing information representing each character in the second set of characters and storing information representing relative positions of the second set of characters in the second resource expression, the first memory structure comprising a reference to the second policy.
  - 6. The computer-readable medium of claim 5 wherein the plurality of policies comprises a third policy and the plurality of memory structures comprises a second memory structure for the third policy, the plurality of instructions further comprising:
    - for the third policy in the plurality of policies;
      
      instructions that cause at least one processor from the one or more processors to determine a third resource expression specified by the third policy, the third resource expression identifying a third set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the third policy applies;
      
      instructions that cause at least one processor from the one or more processors to determine that an expression type associated with the third resource expression is different from the expression type associated with the first and second resource expressions;
      
      instructions that cause at least one processor from the one or more processors to determine a third set of characters from the third resource expression; and
      
      instructions that cause at least one processor from the one or more processors to generate the second memory structure to store information for the third policy, the second memory structure storing information representing each character in the third set of characters and storing information representing relative positions of the third set of characters in the third resource expression, the second memory structure comprising a reference to the third policy.
  - 7. The computer-readable medium of claim 1 wherein each memory structure in the plurality of memory structures is associated with an expression type determined from a plurality of expression types, wherein the expression type for a memory structure is determined based upon a resource expression specified by a policy represented by the memory structure.
  - 8. The computer-readable medium of claim 7 wherein the plurality of expression types includes an exact expression type, a prefix expression type, a postfix expression type, a contains expression type, and a custom expression type.
  - 9. The computer-readable medium of claim 1 wherein:
    - each memory structure in the plurality of memory structures represents at least one policy in the plurality of policies, wherein a memory structure representing a particular policy comprises;
      
      a node for each character in a first set of characters determined from a resource expression of the particular policy represented by the memory structure;
      
      information representing relative positions of the first set of characters in the resource expression of the particular policy; and
      
      a reference to the particular policy; and
      
      the instructions that cause at least one processor from the one or more processors to identify the first set of policies further comprise;
      
      instructions that cause at least one processor from the one or more processors to search the plurality of memory structures based upon the set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
      
      instructions that cause at least one processor from the one or more processors to, based upon the searching, identify a first path of one or more nodes in a memory structure from the plurality of memory structures; and
      
      instructions that cause at least one processor from the one or more processors to include all policies referenced by the one or more nodes in the first path in the first set of policies.
  - 10. The computer-readable medium of claim 1, wherein one of the plurality of memory structures comprises a hierarchical resource and one of the plurality of memory structures comprises the non-hierarchical resource.
  - 11. The computer-readable medium of claim 1, further comprising instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches, a second set of policies from the first set of policies that are applicable for authorizing the authorization request to reduce the amount of policies to evaluate, a number of policies in the second set of policies being less than the number of policies in the first set of policies.
  - 12. The computer-readable medium of claim 1, further comprising instructions that cause at least one processor from the one or more processors to, in response to filtering the plurality of policies based on a subject identified in the authorization request, further filter the plurality of policies from the plurality of policies that are applicable for authorizing the authorization request based on an action identified in the authorization request in order to obtain the first set of policies.
  - 13. The computer-readable medium of claim 1, further comprising instructions that cause at least one processor from the one or more processors to determine whether the resource expression is one of an exact match expression type, a prefix expression type, a postfix expression type, a contains expression type, and a custom expression type;
    - andpopulating the plurality of memory structures in according to the determined expression type.

14. A system comprising:
- one or more memories configured to store a plurality of memory structures and each of the plurality of memory structures is configured for a plurality of policies targeting access to a plurality of non-hierarchical resources; and
  
  one or more processors configured to access the plurality of memory structures stored by the one or more memories, the one or more processors configured to;
  
  receive an authorization request, the authorization request identifying resource information, wherein the resource information comprises a resource expression identifying a resource;
  
  determine that the resource identified by the authorization request is a non-hierarchical;
  
  determine a set of characters from the resource expression identifying a non-hierarchical resource in the authorization request;
  
  search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
  
  identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies stored in a data store from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
  
  filtering the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
  
  evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request;
  
  in response to evaluating the one or more policies from the first set of policies, allowing or denying the subject identified in the authorization request to perform the action identified in the authorization request;
  
  identify the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
  
  filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
  
  in response to the matching policy not being obtained, further filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein to evaluate the one or more polices the one or more processors are configured to:
    - determine a second set of policies from the first set of policies that were filtered from the plurality of policies based upon the subject and the action identified in the authorization request; and
      
      evaluate the second set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on a non-hierarchical resource identified in the authorization request.
  - 16. The system of claim 14, wherein processing performed during the identifying depends upon a number of characters in the set of characters and is independent of a number of resources in the plurality of non-hierarchical resources and a number of policies in the plurality of policies.
  - 17. The system of claim 14, wherein the plurality of policies comprises a first policy and the plurality of memory structures comprises a first memory structure for the first policy, the one or more processors further configured to:
    - for the first policy in the plurality of policies;
      
      determine a first resource expression specified by the first policy, the first resource expression identifying a first set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the first policy applies;
      
      determine a first set of characters from the first resource expression; and
      
      generate the first memory structure for the first policy, the first memory structure storing information representing each character in the first set of characters and storing information representing relative positions of the first set of characters in the first resource expression, the first memory structure comprising a reference to the first policy.
  - 18. The system of claim 17, wherein the plurality of policies comprises a second policy, the one or more processors further configured to:
    - for the second policy in the plurality of policies;
      
      determine a second resource expression specified by the second policy, the second resource expression identifying a second set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the second policy applies;
      
      determine that the first resource expression and the second resource expression are of same expression type;
      
      determine a second set of characters from the second resource expression; and
      
      augment the first memory structure to store information for the second policy, the first memory structure storing information representing each character in the second set of characters and storing information representing relative positions of the second set of characters in the second resource expression, the first memory structure comprising a reference to the second policy.
  - 19. The system of claim 18, wherein the plurality of policies comprises a third policy and the plurality of memory structures comprises a second memory structure for the third policy, the one or more processors further configured to:
    - for the third policy in the plurality of policies;
      
      determine a third resource expression specified by the third policy, the third resource expression identifying a third set of one or more non-hierarchical resources, from the plurality of non-hierarchical resources, to which the third policy applies;
      
      determine that an expression type associated with the third resource expression is different from the expression type associated with the first and second resource expressions;
      
      determine a third set of characters from the third resource expression; and
      
      generate the second memory structure to store information for the third policy, the second memory structure storing information representing each character in the third set of characters and storing information representing relative positions of the third set of characters in the third resource expression, the second memory structure comprising a reference to the third policy.
  - 20. The system of claim 14 wherein each memory structure in the plurality of memory structures is associated with an expression type determined from a plurality of expression types, wherein the expression type for a memory structure is determined based upon a resource expression specified by a policy represented by the memory structure.
  - 21. The system of claim 14 wherein:
    - each memory structure in the plurality of memory structures represents at least one policy in the plurality of policies, wherein a memory structure representing a particular policy comprises;
      
      a node for each character in a first set of characters determined from a resource expression of the particular policy represented by the memory structure;
      
      information representing relative positions of the first set of characters in the resource expression of the particular policy; and
      
      a reference to the particular policy; and
      
      to identify the first set of policies, the one or more processors are configured to;
      
      search the plurality of memory structures based upon the set of characters from the resource expression identifying a non-hierarchical resource in the authorization request;
      
      based upon the search, identify a first path of one or more nodes in a memory structure from the plurality of memory structures; and
      
      include all policies referenced by the one or more nodes in the first path in the first set of policies.

22. A method comprising:
- receiving, by a computing system, an authorization request, the authorization request identifying resource information, and wherein the resource information comprises a resource expression identifying a resource;
  
  determining, by the computing system, that the resource identified by the authorization request is a non-hierarchical resource;
  
  accessing, by the computing system, a plurality of memory structures that correspond with a plurality of policies targeting a plurality of non-hierarchical resources, wherein the plurality of memory structures are stored in one or more memories in an authorization system;
  
  determining, by the computing system, a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
  
  searching the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
  
  identifying, by the computing system, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies stored in a data store that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
  
  filtering the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
  
  evaluating, by the computing system, one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request;
  
  in response to evaluating the one or more policies from the first set of policies, allowing or denying the subject identified in the authorization request to perform the action identified in the authorization request;
  
  identifying the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
  
  filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
  
  in response to the matching policy not being obtained, further filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Biswas, Kamalendu, Kapishnikov, Andrei, Hari, Sastry
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Johnson, Carlton

Application Number

US15/405,008
Publication Number

US 20170134431A1
Time in Patent Office

978 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Optimized policy matching and evaluation for non-hierarchical resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Optimized policy matching and evaluation for non-hierarchical resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links