Techniques for providing role-based security with instance-level granularity

US 7,774,827 B2
Filed: 06/06/2005
Issued: 08/10/2010
Est. Priority Date: 06/06/2005
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method to execute on a machine, comprising:

detecting, by the machine, a request by a principal for access to a resource, access is conditioned on a status of a role associated with the request, the principal, and the resource, the role provides instance-level granularity for security permission assignments with respect to accessing the resource, the instance-level granularity represents instance-level data created by an application within a context manager and the instance-level data includes a name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, and parameter data passed by the principal in a call to the method;

providing, by the machine via the context manager a processing environment within which the resource and the method process and the context manager providing transaction services, lifecycle management services, memory persistence, and security service, the context manager also informing the method of the request and the context manager providing a list of available roles for the principal back to the method that the method resolves within the context of the request, the processing environment provided by the context manager is a virtual machine overlaid on an operating system;

evaluating, by the machine, a constraint associated with the role to determine the status, the constraint is an expression that evaluates to a percentage, the expression includes operators, values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint; and

providing, by the machine, the status to the context manager, which decides whether to provide access to the resource for purposes of satisfying the request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing role-based security with instance-level granularity are provided. A security service detects a request made by a principal for access to a resource. Access to the resource is conditioned on a status of a role. The role is associated with the request, the principal, and the resource. The security service evaluates a constraint associated with the role to determine the status. The status is subsequently consumed to determine whether access to the resource for the purposes of satisfying the request is permissible.

92 Citations

View as Search Results

23 Claims

1. A machine-implemented method to execute on a machine, comprising:
- detecting, by the machine, a request by a principal for access to a resource, access is conditioned on a status of a role associated with the request, the principal, and the resource, the role provides instance-level granularity for security permission assignments with respect to accessing the resource, the instance-level granularity represents instance-level data created by an application within a context manager and the instance-level data includes a name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, and parameter data passed by the principal in a call to the method;
  
  providing, by the machine via the context manager a processing environment within which the resource and the method process and the context manager providing transaction services, lifecycle management services, memory persistence, and security service, the context manager also informing the method of the request and the context manager providing a list of available roles for the principal back to the method that the method resolves within the context of the request, the processing environment provided by the context manager is a virtual machine overlaid on an operating system;
  
  evaluating, by the machine, a constraint associated with the role to determine the status, the constraint is an expression that evaluates to a percentage, the expression includes operators, values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint; and
  
  providing, by the machine, the status to the context manager, which decides whether to provide access to the resource for purposes of satisfying the request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising, supplying, by the machine, the context manager with the role, wherein the role assists the context manager in deciding whether to provide access to the resource.
  - 3. The method of claim 1 further comprising, determining, by the machine, whether access to the resource for the purposes of satisfying the request is permissible in response to the status.
  - 4. The method of claim 3 further comprising, at least one of:
    - denying, by the machine, the principal access to the resource if the status is determined to be false; and
      
      permitting, by the machine, access by the principal to the resource if the status is determined to be true.
  - 5. The method of claim 1 further comprising:
    - assigning, by the machine, a time-to-access or a time-to-live value to the status; and
      
      providing, by the machine, the time-to-access or the time-to-live value to the context manager.

6. A machine-implemented method to execute on a machine, comprising:
- detecting, by the machine, a request made by a principal for access to a resource, access is contingent on a status of a role associated with the principal and a condition associated with the principal and the resource;
  
  statically defining, by the machine and via a context manager the role based on a configuration associated with an identity of the principal, the context manager is a virtual machine overlaid on an operating system;
  
  evaluating, by the machine, a constraint associated with the role to determine the status, the constraint is an expression that evaluates to a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint; and
  
  providing, by the machine, the status, the status is subsequently processed to resolve the condition and determine whether access to the resource for the purposes of satisfying the request is permissible.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6, wherein providing further includes supplying the status to a context manager, wherein the context manager determines whether access to the resource is permissible.
  - 8. The method of claim 6 further comprising, assigning, by the machine, the status to the role in response to evaluating the constraint.
  - 9. The method of claim 6 further comprising, receiving, by the machine, the role from an identity service.
  - 10. The method of claim 9, wherein receiving further includes receiving the role and an identity for the principal as an assertion from the identity service which vouches for the role and for the identity of the principal.
  - 11. The method of claim 6 further comprising, dynamically modifying, by the machine, the status and providing the modified status to a context manager, wherein the modified status revokes previous access permitted by the context manger to the resource.
  - 12. The method of claim 6, wherein evaluating further includes dynamically determining whether the condition is true or false at least partially in response to a statically assigned role.

13. A machine-implemented system, comprising:
- a role;
  
  a constraint associated with the role; and
  
  a security service implemented in a machine-readable medium and to execute on a machine, the security service detects a request made by a principal for access to a resource, access is contingent on a status of the role and a condition associated with the principal and the resource, and the security service evaluates the constraint to determine the status, the constraint is an expression that evaluates to a percentage or a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint, and the security service provides the status to a context manager which controls access to the resource, the context manager statically defines the role based on a configuration associated with an identity of the principal, the context manager is a virtual machine overlaid on an operating system.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, further comprising an identity service, wherein the identity service supplies the security service with one or more roles which can be associated with the principal.
  - 15. The system of claim 14, wherein the identity service interacts with the security service according to a trust specification.
  - 16. The system of claim 14, wherein the identity service provides the roles to the security service as an assertion.
  - 17. The system of claim 13, wherein the security service communicates with the context manager through an Application Programming Interface (API) associated with an external interface of the context manager.
  - 18. The system of claim 13, wherein the request includes instance-level data having at least one of a method name associated with the resource, parameter data associated with the principal, parameter data associated with the resource, parameter data associated with the method name, and temporal data associated the request, and wherein the constraint includes one or more policies associated with the instance-level data.
  - 19. The system of claim 18, wherein the operation of the security service is transparent to at least one of the context manager, the principal, and the resource.

20. A system, comprising:
- a context manager implemented in a machine-readable medium and to execute on a machine; and
  
  a security service implemented in a machine-readable medium and to execute on a machine, a principal makes a request for access to a resource within an environment of the context manager, the context manager is a virtual machine overlaid on an operation system, the security service detects the request and supplements a decision regarding access by at least one of resolving a role for the principal, evaluating a constraint associated with the role, the constraint is an expression that evaluates to a range of values, the expression includes operators, other values, function calls, method calls, and variables, and the constraint is either a global constraint or a local constraint, and evaluating a condition associated with the principal and the resource, the security service communicates an access decision to the context manager in a manner recognized by the context manager, the context manager decides in response to its own independent decision and in response to the security service'"'"'s access decision whether to grant access to the resource in order to satisfy the request of the principal, and the context manager statically defines the role based on a configuration associated with an identity of the principal.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20 further comprising, an identity service that assists the security service in at least one of resolving the identity of the principal and resolving a list of roles with which the principal may be associated.
  - 22. The system of claim 20, wherein the security service acquires information associated with the environment when evaluating the constraint.
  - 23. The system of claim 22, wherein the information includes access-related data associated with at least one of the resource and one or more principals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen R., Burch, Lloyd Leon, Kinser, Stephen Hugh
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US11/145,704
Publication Number

US 20060277595A1
Time in Patent Office

1,891 Days
Field of Search

726/3, 726/2
US Class Current

726/3
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Techniques for providing role-based security with instance-level granularity

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for providing role-based security with instance-level granularity

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links