Policy inheritance through nested groups

US 7,644,432 B2
Filed: 10/08/2004
Issued: 01/05/2010
Est. Priority Date: 10/10/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for policy inheritance, comprising:

providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;

defining a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;

organizing a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;

defining a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;

provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;

sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;

wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;

wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;

wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;

inheriting the first policy by the second group;

inheriting each policy associated with the at least one parent resource by the at least one child resource; and

assigning policies to the at least one child resource, wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.

414 Citations

26 Claims

1. A computer-implemented method for policy inheritance, comprising:
- providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
  
  defining a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;
  
  organizing a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
  
  defining a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
  
  provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
  
  sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
  
  wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
  
  wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
  
  wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
  
  inheriting the first policy by the second group;
  
  inheriting each policy associated with the at least one parent resource by the at least one child resource; and
  
  assigning policies to the at least one child resource, wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - defining a second policy wherein the second policy controls access to a second resource and wherein the second policy is associated with the second group.
  - 3. The computer-implemented method of claim 2 wherein:
    - the first group does not inherit the second policy.
  - 4. The computer-implemented method of claim 2, further comprising:
    - defining a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy and the second policy.
  - 5. The computer-implemented method of claim 1 wherein:
    - the resource hierarchy represents an application.
  - 6. The computer-implemented method of claim 1 wherein:
    - the first policy includes a constraint.
  - 7. The computer-implemented method of claim 1 wherein:
    - the second group has more actions than the first group.
  - 8. The computer-implemented method of claim 1, further comprising:
    - granting the second group access to the first parent resource based on the first policy.
  - 9. The computer-implemented method of claim 1, further comprising:
    - defining a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy.

10. A computer-implemented method for policy inheritance, comprising:
- providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
  
  defining a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;
  
  organizing a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
  
  defining a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
  
  provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
  
  sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
  
  wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
  
  wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
  
  wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
  
  inheriting the first policy by the second group;
  
  inheriting each policy associated with the at least one parent resource by the at least one child resource;
  
  assigning policies to the at least one child resource wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource; and
  
  wherein the resource hierarchy represents an application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-implemented method of claim 10, further comprising:
    - defining a second policy wherein the second policy controls access to a second resource and wherein the second policy is associated with the second group.
  - 12. The computer-implemented method of claim 11 wherein:
    - the first group does not inherit the second policy.
  - 13. The computer-implemented method of claim 11, further comprising:
    - defining a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy and the second policy.
  - 14. The computer-implemented method of claim 10, further comprising:
    - granting the second group access to the first parent resource based on the first policy.
  - 15. The computer-implemented method of claim 11, further comprising:
    - defining a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy.

16. A computer readable medium having instructions stored thereon to cause a system to:
- provide a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
  
  define a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and second group nested within the first group;
  
  organize a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
  
  define a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
  
  provision the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
  
  send a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
  
  wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
  
  wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
  
  wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
  
  inherit the first policy by the second group;
  
  inherit each policy associated with the at least one parent resource by the at least one child resource; and
  
  assign policies to the at least one child resource wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The computer readable medium of claim 16, further comprising instructions stored thereon to cause the system to:
    - define a second policy wherein the second policy controls access to a second resource and wherein the second policy is associated with the second group.
  - 18. The computer readable medium of claim 17 wherein:
    - the first group does not inherit the second policy.
  - 19. The computer readable medium of claim 17, further comprising instructions stored thereon to cause the system to:
    - define a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy and the second policy.
  - 20. The computer readable medium of claim 16 wherein:
    - the resource hierarchy represents an application.
  - 21. The computer readable medium of claim 16 wherein:
    - the first policy includes a constraint.
  - 22. The computer readable medium of claim 16 wherein:
    - the second group has more actions than the first group.
  - 23. The computer readable medium of claim 16, further comprising instructions stored thereon to cause the system to:
    - grant the second group access to the first parent resource based on the first policy.
  - 24. The computer readable medium of claim 16, further comprising instructions stored thereon to cause the system to:
    - define a third group wherein the third group is nested within the second group; and
      
      wherein the third group inherits the first policy.

25. A method for policy inheritance, comprising:
- providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
  
  defining a plurality of groups, organized in a group hierarchy;
  
  organizing a plurality of resources in a resource hierarchy, including first parent resource, a first child resource that is a child of the first parent resource, and a second child resource that is a child of the first child resource;
  
  defining a plurality of policies, including a first policy, a second policy, and a third policy, wherein the policies are used to control access to at least one resource from the plurality of resources and wherein each policy is associated with at least one group;
  
  provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
  
  sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
  
  wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
  
  associating the first policy with the first parent resource;
  
  associating the second policy with the first child resource;
  
  associating the third policy with the second child resource;
  
  inheriting the first policy by the first child resource and the second child resource where the first policy is for a different control of access from either the second policy or the third policy;
  
  inheriting the second policy by the second child resource where the second policy is for a different control of access from the third policy;
  
  overriding the first policy by the second policy at the first child resource where the first policy and second policy are for the same control of access and subsequently inheriting the second policy by the second child resource;
  
  overriding the second policy at the second child resource where the second policy and the third policy are for the same control of access.

26. A distributed enterprise security system with policy inheritance comprising:
- a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
  
  a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user;
  
  a second group wherein the second group is nested within the first group;
  
  a plurality of resources organized in a resource hierarchy including at least one parent resource and at least one child resource;
  
  a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
  
  an administrative server that provisions the plurality of policies to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
  
  wherein the SCM sends a subset of the plurality of policies to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
  
  wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
  
  wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
  
  wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
  
  wherein the first policy is inherited by the second group and wherein each policy associated with the at least one parent resource is inherited by the at least one child resource;
  
  assigning policies to the at least one child resource, wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource;
  
  wherein the SSMintercepts a request from a client to perform an action on a resource at a server, wherein the client belongs to the at least one group; and
  
  determines, using the policies, whether the client can perform the action on the resource, andgranting or denying access to the client based on the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Byrne, David, Howes, Jason, Patrick, Paul, Riendeau, Richard J., Yagen, Kenneth D., Falco, Mark A., Xu, Mingde
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Su; Sarah

Application Number

US10/962,079
Publication Number

US 20050097166A1
Time in Patent Office

1,915 Days
Field of Search

726/1, 713/150, 713/152, 713/165, 717/172
US Class Current

726/1
CPC Class Codes

H04L 63/20 for managing network securi...

Policy inheritance through nested groups

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

414 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Policy inheritance through nested groups

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

414 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links