Optimized policy matching and evaluation for non-hierarchical resources
Abstract
Techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources.
22 Claims
1. A non-transitory computer-readable medium comprising one or more processors and a memory storing a plurality of instructions executable by the one or more processors, the plurality of instructions comprising:
instructions that cause at least one processor from the one or more processors to receive an authorization request, the authorization request identifying resource information, and wherein the resource information from the authorization request comprises a resource expression identifying a resource;
instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a non-hierarchical resource;
instructions that cause at least one processor from the one or more processors to access a plurality of memory structures that correspond with a plurality of policies targeting a plurality of non-hierarchical resources, wherein the plurality of memory structures are stored in one or more memories in an authorization system;
instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies stored in a data store that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
instructions that cause at least one processor from the one or more processors to filter the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request; and
in response to evaluating the one or more policies from the first set of policies, instructions that cause at least one processor from the one or more processors to allow or deny the subject identified in the authorization request to perform the action identified in the authorization request;
instructions that cause at least one processor from the one or more processors to identify the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
instructions that cause at least one processor from the one or more processors to filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
in response to the matching policy not being obtained, further filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.
Dependent claims: 2 to 13.
14. A system comprising:
one or more memories configured to store a plurality of memory structures, wherein each of the plurality of memory structures is configured for a plurality of policies targeting access to a plurality of non-hierarchical resources; and
one or more processors configured to access the plurality of memory structures stored by the one or more memories, the one or more processors configured to:
receive an authorization request, the authorization request identifying resource information, wherein the resource information comprises a resource expression identifying a resource;
determine that the resource identified by the authorization request is a non-hierarchical resource;
determine a set of characters from the resource expression identifying a non-hierarchical resource in the authorization request;
search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies stored in a data store from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
filter the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request;
in response to evaluating the one or more policies from the first set of policies, allow or deny the subject identified in the authorization request to perform the action identified in the authorization request;
identify the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
in response to the matching policy not being obtained, further filter the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.
Dependent claims: 15 to 21.
22. A method comprising:
receiving, by a computing system, an authorization request, the authorization request identifying resource information, and wherein the resource information comprises a resource expression identifying a resource;
determining, by the computing system, that the resource identified by the authorization request is a non-hierarchical resource;
accessing, by the computing system, a plurality of memory structures that correspond with a plurality of policies targeting a plurality of non-hierarchical resources, wherein the plurality of memory structures are stored in one or more memories in an authorization system;
determining, by the computing system, a set of characters from the resource expression identifying the non-hierarchical resource in the authorization request;
searching the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from one or more path components of the resource expression;
identifying, by the computing system, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies stored in a data store that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request;
filtering the plurality of policies to obtain the first set of policies from the plurality of policies that are applicable for authorizing the authorization request based on a subject identified in the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies, wherein the plurality of memory structures are updated to correspond with the first set of policies filtered from the plurality of policies;
evaluating, by the computing system, one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform an action identified in the authorization request on the non-hierarchical resource identified in the authorization request;
in response to evaluating the one or more policies from the first set of policies, allowing or denying the subject identified in the authorization request to perform the action identified in the authorization request;
identifying the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type;
filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the subject in the authorization request in order to obtain a matching policy; and
in response to the matching policy not being obtained, further filtering the plurality of policies corresponding with the plurality of memory structures that are populated according to the determined expression type based on the action in the authorization request.
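The three independent claims above describe one procedure: index policies in memory structures keyed by the path components of their resource expression, walk those structures with the components of the requested resource so that only the policies targeting that resource are retrieved, narrow that set by subject and action, and evaluate what remains instead of scanning every configured policy. The Python below is an added illustration of that procedure and is not the patent's code or any assignee's implementation. It assumes the claims' "memory structures" are a prefix tree keyed by "/"-separated path components, that a non-hierarchical resource matches only policies whose expression resolves to the same terminal node, and that the combining rule is default-deny with deny-overrides; the page states none of these. It omits the step that classifies a resource as non-hierarchical and the "determined expression type" branch, since the page does not say how either is decided. The `Policy`, `PolicyIndex`, `authorize` and `build_index` names, and every policy, tenant, queue and principal in `SAMPLE_POLICIES`, are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    """One policy targeting a single resource expression (sample shape, not the patent's)."""
    name: str
    resource: str              # resource expression, e.g. "/tenant-a/queues/orders"
    subjects: FrozenSet[str]   # principals the policy applies to
    actions: FrozenSet[str]    # actions the policy covers
    effect: str                # "allow" or "deny"


def components(expr: str) -> List[str]:
    """Split a resource expression into path components, dropping empty ones so that
    "/a/b/" and "/a/b" reach the same node. Any further canonicalization (case folding,
    percent-decoding, dot-segment removal) must happen before this split."""
    return [c for c in expr.split("/") if c]


class PolicyIndex:
    """A node of a prefix tree keyed by path component. This is the assumed layout of
    the claims' memory structures; the page does not specify one."""

    def __init__(self) -> None:
        self.children: Dict[str, "PolicyIndex"] = {}
        self.policies: List[Policy] = []

    def insert(self, policy: Policy) -> None:
        node = self
        for comp in components(policy.resource):
            node = node.children.setdefault(comp, PolicyIndex())
        node.policies.append(policy)

    def candidates(self, resource: str) -> List[Policy]:
        """Walk one node per path component of the request. The work done is bounded by
        the number of components, not by the number of indexed policies; a missing
        child ends the walk with no candidates."""
        node = self
        for comp in components(resource):
            node = node.children.get(comp)
            if node is None:
                return []
        return list(node.policies)  # exact match only: assumed non-hierarchical semantics


def authorize(index: PolicyIndex, subject: str, action: str, resource: str) -> Tuple[str, int]:
    """Narrow by resource, then by subject, then by action, then evaluate.
    Returns (decision, number of policies actually evaluated). Default deny and
    deny-overrides are assumptions; the page gives no combining rule."""
    by_resource = index.candidates(resource)
    by_subject = [p for p in by_resource if subject in p.subjects]
    applicable = [p for p in by_subject if action in p.actions]
    if not applicable:
        return "deny", 0
    decision = "deny" if any(p.effect == "deny" for p in applicable) else "allow"
    return decision, len(applicable)


# Constructed sample policies; tenants, queues and principals are illustrative only.
SAMPLE_POLICIES: List[Policy] = [
    Policy("p1", "/tenant-a/queues/orders", frozenset({"alice", "svc-billing"}), frozenset({"read", "write"}), "allow"),
    Policy("p2", "/tenant-a/queues/orders", frozenset({"svc-billing"}), frozenset({"purge"}), "deny"),
    Policy("p3", "/tenant-a/queues/refunds", frozenset({"alice"}), frozenset({"read"}), "allow"),
    Policy("p4", "/tenant-b/queues/orders", frozenset({"bob"}), frozenset({"read", "write"}), "allow"),
    Policy("p5", "/tenant-a/topics/audit", frozenset({"alice", "bob"}), frozenset({"read"}), "allow"),
    Policy("p6", "/tenant-a/queues/orders", frozenset({"alice"}), frozenset({"write"}), "deny"),
]


def build_index(policies: List[Policy]) -> PolicyIndex:
    root = PolicyIndex()
    for p in policies:
        root.insert(p)
    return root


SAMPLE_INDEX = build_index(SAMPLE_POLICIES)


if __name__ == "__main__":
    for subj, act, res in [("alice", "read", "/tenant-a/queues/orders"),
                           ("alice", "write", "/tenant-a/queues/orders"),
                           ("bob", "read", "/tenant-a/queues/orders")]:
        decision, n = authorize(SAMPLE_INDEX, subj, act, res)
        print(f"{subj:12} {act:6} {res:26} -> {decision} ({n} of {len(SAMPLE_POLICIES)} policies evaluated)")
```

Two points a practitioner would check before relying on this kind of index. First, lookup is by exact component, so the request's resource expression must be canonicalized before the walk; the example only drops empty components, and a differently encoded or differently cased expression for the same resource would otherwise miss the policies that target it. Second, the claims narrow by subject first and fall back to narrowing by action only when no subject match is obtained; the example applies both filters unconditionally, which yields the same applicable set but is not the exact ordering claimed.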
Specification