Method for role and resource policy management optimization

US 7,653,930 B2
Filed: 02/14/2003
Issued: 01/26/2010
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authorization to adaptively control access to a resource in a hierarchy of resources, comprising the steps of:

determining, by a computer system, a first set of one or more roles that are within scope of the resource from one of;

     1) the hierarchy of resources; and

     2) a first cache;

determining, by the computer system, a policy within scope of the resource from one of;

     1) the hierarchy of resources; and

     2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;

determining, by the computer system, from the first set of roles, a third set of one or more roles that are satisfied by a principal;

providing, by the computer system, for an evaluation of the policy based on the third set of one or more roles;

determining, by the computer system, whether to grant the principal access to the resource based on the evaluation of the policy; and

granting, by the computer system, access to the resource if one or more roles from the third set of roles are in the second set of roles;

wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and

wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods are disclosed for authorization to adaptively control access to a resource in a resource hierarchy. At least one role for a principal is retrieved from the resource hierarchy or a first cache based on whether the at east one role was previously retrieved from the resource hierarchy. A policy is retrieved from the resource hierarchy or a second cache based on whether the policy was previously retrieved from the resource hierarchy. The policy is evaluated based on the at least one role and a determination on whether to grant the principal access to the resource is made based on the evaluation of the policy.

351 Citations

28 Claims

1. A method for authorization to adaptively control access to a resource in a hierarchy of resources, comprising the steps of:
- determining, by a computer system, a first set of one or more roles that are within scope of the resource from one of;
  
       1) the hierarchy of resources; and
  
       2) a first cache;
  
  determining, by the computer system, a policy within scope of the resource from one of;
  
       1) the hierarchy of resources; and
  
       2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
  
  determining, by the computer system, from the first set of roles, a third set of one or more roles that are satisfied by a principal;
  
  providing, by the computer system, for an evaluation of the policy based on the third set of one or more roles;
  
  determining, by the computer system, whether to grant the principal access to the resource based on the evaluation of the policy; and
  
  granting, by the computer system, access to the resource if one or more roles from the third set of roles are in the second set of roles;
  
  wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 3. The method of claim 1 including the step of:
    - determining whether role expressions for the first set of roles evaluates to true or false for the principal in a context.
  - 4. The method of claim 1 wherein:
    - a role in the first set of roles has at least one role expression that is a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 5. The method of claim 4 wherein:
    - the predicate is one of user, group, time and segment.
  - 6. The method of claim 4 wherein:
    - the predicate is evaluated against the principal and a context.
  - 7. The method of claim 4 wherein:
    - the predicate is a segment that is specified in plain language.

8. A method for authorization to adaptively control access to a resource in a hierarchy of resources, comprising the steps of:
- determining a first set of one or more roles that are within scope of the resource for a principal from one of;
  
       1) a searchable hierarchically arranged plurality of roles; and
  
       2) a first cache;
  
  determining a policy within scope of the resource from one of;
  
       1) the hierarchy of resources; and
  
       2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies associated with resources in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
  
  determining, from the first set of roles, a third set of one or more roles that are satisfied by the principal;
  
  providing for an evaluation of the policy based on the third set of one or more roles;
  
  determining whether to grant the principal access to the resource based on the evaluation of the policy; and
  
  granting access to the resource if one or more roles from the third set of roles are in the second set of roles;
  
  wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources; and
  
  wherein the first cache and the second cache are different.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 including the step of:
    - allowing the principal to be an authenticated user, group or process.
  - 10. The method of claim 8 including the step of:
    - evaluating role expressions for the first set of roles to true or false for the principal in a context.
  - 11. The method of claim 8 wherein:
    - a role in the first set of roles has at least one role expression that is a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 12. The method of claim 11 wherein:
    - the predicate is one of user, group, time and segment.
  - 13. The method of claim 11 include the step of:
    - evaluating the predicate against the principal and a context.
  - 14. The method of claim 12 wherein:
    - the segment predicate is specified in plain language.

15. A computer system for authorization adapted for controlling access to a resource in a hierarchy of resources, comprising:
- one or more processors;
  
  object code executing on the one or more processors implementing;
  
  at least one role-mapper to map a principal to a first set of one or more roles within scope of the resource, wherein a role in the first set of roles is retrieved from one of;
  
       1) the hierarchy of resources; and
  
       2) a first cache, wherein mapping includes determining whether or not the role is satisfied by the principal;
  
  at least one authorizer coupled to the at least one role-mapper, the at least one authorizer being configured to determine if a policy is satisfied based on the first set of roles, wherein the policy within scope of the resource is retrieved from one of;
  
       1) the hierarchy of resources and
  
       2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources; and
  
  an adjudicator coupled to the at least one authorizer, the adjudicator being configured to render a decision based on the determination of the at least one authorizer, wherein access is granted to the resource if one or more roles in the first set of roles is in the second set of roles; and
  
  wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources;
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15 wherein:
    - the principal is an authenticated user, group or process.
  - 17. The computer system of claim 15 wherein:
    - role expressions for the first set of roles evaluates to true or false for the principal in a context.
  - 18. The computer system of claim 15 wherein:
    - a role in the first set of roles has at least one role expression that is a Boolean expression that includes at least one of another Boolean expression and a predicate.
  - 19. The computer system of claim 18 wherein:
    - the predicate is one of user, group, time and segment.
  - 20. The computer system of claim 18 wherein:
    - the predicate is evaluated against the principal and a context.
  - 21. The computer system of claim 19 wherein:
    - the segment predicate is specified in plain language.

22. A machine readable medium having instructions stored thereon that when executed by a processor cause a system to:
- determine a first set of one or more roles that are within scope of a resource for a principal from one of;
  
       1) a hierarchy of resources; and
  
       2) a first cache;
  
  determine a policy within scope of the resource from one of;
  
       1) the hierarchy of resources; and
  
       2) a second cache, wherein the policy is an association between the resource and a second set of roles, wherein the policy is from a set of policies, each policy in the set of policies associated with a resource in the hierarchy of resources, and wherein a policy is within scope of a resource if the policy is associated with the resource or if the policy is associated with another resource that is hierarchically superior to the resource in the hierarchy of resources;
  
  determine a third set of one or more roles from the first set of roles that are satisfied by the principal;
  
  provide for an evaluation of the policy based on the third set of one or more roles;
  
  determine whether to grant the principal access to the resource based on the evaluation of the policy;
  
  grant access to the resource if one or more roles from the third set of roles are in the second set of roles;
  
  wherein a role in the first set of roles is retrieved from the first cache if the role was previously retrieved from the hierarchy of resources; and
  
  wherein the policy is retrieved from the second cache if the policy was previously retrieved from the hierarchy of resources.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The machine readable medium of claim 22 further comprising instructions which when executed cause the system to:
    - allow the principal to be an authenticated user, group or process.
  - 24. The machine readable medium of claim 22 further comprising instructions which when executed cause the system to:
    - evaluate role expressions for the first set of roles to true or false for the principal in a context.
  - 25. The machine readable medium of claim 22 wherein:
    - a role in the first set of roles has at least one role expression that is a Boolean expression that includes at least one of another Boolean expression and a predicate.
  - 26. The machine readable medium of claim 25 wherein:
    - the predicate is one of user, group, time and segment.
  - 27. The machine readable medium of claim 25 wherein:
    - the predicate is evaluated against the principal and a context.
  - 28. The machine readable medium of claim 26 wherein:
    - the segment predicate is specified in plain language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Griffin, Philip B., McCauley, Rod, Toussaint, Alex, Devgan, Manish
Primary Examiner(s)
Lipman; Jacob

Application Number

US10/366,778
Publication Number

US 20040162905A1
Time in Patent Office

2,538 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/105   Multiple levels of security

Method for role and resource policy management optimization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

351 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method for role and resource policy management optimization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

351 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links