Rest-based declarative policy management
First Claim
1. A method for policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the method comprising:
receiving a request for an IAM service for a tenant of a plurality of tenants of the multi-tenant cloud-based IAM system;
determining an applicable policy associated with the IAM service;
determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
evaluating the applicable policy at run-time using at least the obtained attribute value, the applicable policy comprising a declarative policy configured by a policy engine; and
performing the IAM service based on the result of the evaluating of the policy;
wherein the policy engine defines a data model comprising resource types corresponding to policy artifacts associated with the declarative policy, the policy artifacts comprising at least one of the declarative policy, a policy type, rules, condition groups, or conditions;
wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine and performs the IAM service, and the policy type is defined by the component of the multi-tenant cloud-based IAM system that uptakes the policy engine by configuring one or more control switches that control a run-time evaluation behavior of the declarative policy.
Abstract
One embodiment performs policy evaluation in a multi-tenant cloud-based identity and access management (“IAM”) system. The embodiment receives a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system, and determines an applicable policy associated with the IAM service. The embodiment determines a policy expression of the applicable policy, where the policy expression includes a reference to an attribute value, and where the reference either includes a function or includes an application programming interface (“API”) of an attribute retriever class. The embodiment obtains the attribute value by invoking the function or by invoking the API of the attribute retriever class. The embodiment evaluates the applicable policy at run-time using at least the obtained attribute value, and performs the IAM service based on the result of the evaluating of the policy.
20 Claims
1. Independent claim, reproduced above under First Claim; dependent claims 2 to 16.
17. A system comprising:
a computer-readable medium storing instructions; and
one or more hardware processors configured to execute the instructions, wherein the instructions, when executed by the processors, cause the processors to implement policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the implementing comprising:
receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;
determining an applicable policy associated with the IAM service;
determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
evaluating the applicable policy at run-time using at least the obtained attribute value, the applicable policy comprising a declarative policy configured by a policy engine; and
performing the IAM service based on the result of the evaluating of the policy;
wherein the policy engine defines a data model comprising resource types corresponding to policy artifacts associated with the declarative policy, the policy artifacts comprising at least one of the declarative policy, a policy type, rules, condition groups, or conditions;
wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine and performs the IAM service, and the policy type is defined by the component of the multi-tenant cloud-based IAM system that uptakes the policy engine by configuring one or more control switches that control a run-time evaluation behavior of the declarative policy.
18. A non-transitory computer-readable medium storing instructions that, when executed by a processor, cause the processor to implement policy evaluation in a multi-tenant cloud-based identity and access management (IAM) system, the implementing comprising:
receiving a request for an IAM service for a tenant of the multi-tenant cloud-based IAM system;
determining an applicable policy associated with the IAM service;
determining a policy expression of the applicable policy, wherein the policy expression comprises a reference to an attribute value, wherein the reference either comprises a function or comprises an application programming interface (API) of an attribute retriever class;
obtaining the attribute value by invoking the function or by invoking the API of the attribute retriever class;
evaluating the applicable policy at run-time using at least the obtained attribute value, the applicable policy comprising a declarative policy configured by a policy engine; and
performing the IAM service based on the result of the evaluating of the policy;
wherein the policy engine defines a data model comprising resource types corresponding to policy artifacts associated with the declarative policy, the policy artifacts comprising at least one of the declarative policy, a policy type, rules, condition groups, or conditions;
wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine and performs the IAM service, and the policy type is defined by the component of the multi-tenant cloud-based IAM system that uptakes the policy engine by configuring one or more control switches that control a run-time evaluation behavior of the declarative policy.
Dependent claims: 19 and 20.
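The evaluation flow that the abstract and claims 1, 17 and 18 describe (an applicable policy selected per tenant and service; policy expressions whose attribute references are either a plain function or an API on an attribute retriever class; a policy type whose control switches change run-time behavior), as an added Python illustration. This is not code from the patent or from any product it covers: every name in it (PolicyEngine, AttributeRetriever, the stop_on_first_match and default_effect switches, the operators, the tenants acme and globex and their users) is an assumption constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple, Union

# Constructed per-tenant attribute store read by the retriever class below.
USER_STORE: Dict[str, Dict[str, Dict[str, Any]]] = {
    "acme":   {"alice": {"status": "active",    "mfa_enrolled": True},
               "bob":   {"status": "suspended", "mfa_enrolled": True}},
    "globex": {"bob":   {"status": "suspended", "mfa_enrolled": True},
               "carol": {"status": "active",    "mfa_enrolled": False}},
}

class AttributeRetriever:
    """Attribute retriever class; a policy expression references one of its APIs by name."""
    def __init__(self, store: Dict[str, Dict[str, Dict[str, Any]]]):
        self._store = store

    def user_attribute(self, ctx: Dict[str, Any], name: str) -> Any:
        # Scoped to the requesting tenant, so one tenant's users are invisible to another.
        return self._store.get(ctx["tenant"], {}).get(ctx["user"], {}).get(name)

def request_hour(ctx: Dict[str, Any]) -> int:
    """Function-style attribute reference: the hour at which the request arrived."""
    return ctx["hour"]

# An attribute reference is either a function or (retriever API name, argument).
AttrRef = Union[Callable[[Dict[str, Any]], Any], Tuple[str, str]]

@dataclass
class Condition:
    ref: AttrRef
    op: str
    value: Any

@dataclass
class ConditionGroup:
    conditions: List[Condition]
    match: str = "all"            # "all" = AND, "any" = OR

@dataclass
class Rule:
    groups: List[ConditionGroup]  # every group must hold for the rule to match
    effect: str                   # "allow" or "deny"

@dataclass
class PolicyType:
    """Contract between engine and uptaking component: the control switches live here (assumed)."""
    name: str
    stop_on_first_match: bool     # True: first matching rule decides; False: all rules, deny wins
    default_effect: str = "deny"  # decision when no rule matches

@dataclass
class Policy:
    name: str
    service: str                  # the IAM service this declarative policy governs
    policy_type: PolicyType
    rules: List[Rule]

OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b, "lt": lambda a, b: a < b,
}

class PolicyEngine:
    def __init__(self, retriever: AttributeRetriever):
        self.retriever = retriever
        self.policies: Dict[str, List[Policy]] = {}   # tenant -> declarative policies

    def register(self, tenant: str, policy: Policy) -> None:
        self.policies.setdefault(tenant, []).append(policy)

    def resolve(self, ref: AttrRef, ctx: Dict[str, Any]) -> Any:
        """Obtain the attribute value by invoking the function or the retriever API."""
        if callable(ref):
            return ref(ctx)
        api_name, arg = ref
        return getattr(self.retriever, api_name)(ctx, arg)

    def _group_holds(self, group: ConditionGroup, ctx: Dict[str, Any]) -> bool:
        results = [OPS[c.op](self.resolve(c.ref, ctx), c.value) for c in group.conditions]
        return all(results) if group.match == "all" else any(results)

    def evaluate(self, ctx: Dict[str, Any]) -> str:
        """Run-time evaluation of the tenant's applicable policy for the requested service."""
        applicable = next((p for p in self.policies.get(ctx["tenant"], [])
                           if p.service == ctx["service"]), None)
        if applicable is None:
            return "deny"                     # no governing policy: fail closed
        switches = applicable.policy_type
        effects: List[str] = []
        for rule in applicable.rules:
            if all(self._group_holds(g, ctx) for g in rule.groups):
                effects.append(rule.effect)
                if switches.stop_on_first_match:
                    break
        if not effects:
            return switches.default_effect
        return "deny" if "deny" in effects else "allow"

def build_engine() -> PolicyEngine:
    engine = PolicyEngine(AttributeRetriever(USER_STORE))
    mfa_ok = ConditionGroup([Condition(("user_attribute", "mfa_enrolled"), "eq", True)])
    office_hours = ConditionGroup([Condition(request_hour, "ge", 8), Condition(request_hour, "lt", 18)])
    suspended = ConditionGroup([Condition(("user_attribute", "status"), "eq", "suspended")])
    rules = [Rule([mfa_ok, office_hours], "allow"), Rule([suspended], "deny")]
    # Same rules for both tenants; only the policy type's control switches differ.
    engine.register("acme",   Policy("signin-strict",  "signin", PolicyType("strict",  False), rules))
    engine.register("globex", Policy("signin-lenient", "signin", PolicyType("lenient", True),  rules))
    return engine

def signin(engine: PolicyEngine, tenant: str, user: str, hour: int) -> str:
    """Perform the IAM service (sign-in) based on the result of the evaluation."""
    return engine.evaluate({"tenant": tenant, "user": user, "service": "signin", "hour": hour})

if __name__ == "__main__":
    e = build_engine()
    for t, u, h in [("acme", "alice", 10), ("acme", "bob", 10), ("globex", "bob", 10)]:
        print(t, u, h, "->", signin(e, t, u, h))
```

The two tenants carry identical rules, yet the suspended user bob is refused under acme and admitted under globex, because globex's policy type stops at the first matching rule (the MFA allow) while acme's evaluates every rule and lets a deny win. That is the practical content of the claims' "control switches that control a run-time evaluation behavior": the component that uptakes the engine decides the combining semantics, so a review of a tenant's policies is incomplete without the policy type they run under. A request for a service with no governing policy, or for a user the tenant's retriever cannot see, falls through to the default and is denied.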