System and method for hierarchical role-based entitlements

US 7,992,189 B2
Filed: 08/05/2009
Issued: 08/02/2011
Est. Priority Date: 02/14/2003
Status: Active Grant

First Claim

Patent Images

1. A computer readable medium having instructions stored thereon that when executed by a processor cause a system to:

map a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;

wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;

evaluate a policy based on the at least one role; and

determine whether to grant access to the resource based on the evaluation of the policy;

wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authorization to adaptively control access to a resource, comprising the steps of providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing for the evaluation of a policy based on the at least one role; and providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.

335 Citations

20 Claims

1. A computer readable medium having instructions stored thereon that when executed by a processor cause a system to:
- map a principal to at least one role, wherein the at least one role is hierarchically related to the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  evaluate a policy based on the at least one role; and
  
  determine whether to grant access to the resource based on the evaluation of the policy;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer readable medium of claim 1 further comprising instructions which when executed cause the system to:
    - allow the principal to be an authenticated user, group or process.
  - 3. The computer readable medium of claim 1 wherein:
    - mapping includes determining whether or not the at least one role is satisfied by the principal.
  - 4. The computer readable medium of claim 1 further comprising instructions which when executed cause the system to:
    - evaluate the at least one role to true or false for the principal in a context.
  - 5. The computer readable medium of claim 1 wherein:
    - the at least one role is a Boolean expression that can include at least one of another Boolean expression and a predicate.
  - 6. The computer readable medium of claim 5 wherein:
    - the predicate is evaluated against the principal and a context.
  - 7. The computer readable medium of claim 5 wherein:
    - the predicate is one of user, group, time and segment.
  - 8. The computer readable medium of claim 7 wherein:
    - the segment predicate is specified in plain language.
  - 9. The computer readable medium of claim 1 wherein:
    - the policy is an association between the resource and a set of roles.
  - 10. The computer readable medium of claim 9 further comprising instructions which when executed cause the system to:
    - grant access to the resource if the at least one role is in the set of roles.

11. A computer readable medium have sets of instructions stored thereon which, when executed by a machine, cause the machine to:
- evaluate a policy based on at least one role applicable to a principal attempting to access the resource, the resource being part of a resource hierarchy;
  
  wherein the resource is a portal, a portlet or a page, the resource inheriting a role from another resource higher in the resource hierarchy;
  
  grant access to the resource based on the evaluation; and
  
  wherein the resource, the policy and the at least one role are hierarchically related;
  
  wherein roles are inherited by resources lower in the resource hierarchy unless the resources lower in the resource hierarchy are associated with roles of the same name, in which case, the role inheritance is overridden.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer readable medium of claim 11, wherein the sets of instructions when further executed by the machine, cause the machine to allow the principal to be an authenticated user, group or process.
  - 13. The computer readable medium of claim 11, wherein the at least one role is applicable to a principal if the at least one role is satisfied by the principal.
  - 14. The computer readable medium of claim 11 , wherein the sets of instructions when further executed by the machine, cause the machine to evaluate the at least one role to true or false for the principal in a context.
  - 15. The computer readable medium of claim 11, wherein the at least one role is a Boolean expression that includes at least one of (1) another Boolean expression and (2) a predicate.
  - 16. The computer readable medium of claim 15 , wherein the sets of instructions when further executed by the machine, cause the machine to evaluate the predicate against the principal and a context.
  - 17. The computer readable medium of claim 15, wherein the predicate is one of user, group, time and segment.
  - 18. The computer readable medium of claim 17, wherein the segment predicate is specified in plain language.
  - 19. The computer readable medium of claim 11, wherein the policy is an association between the resource and a set of roles.
  - 20. The computer readable medium of claim 19, wherein the sets of instructions when further executed by the machine, cause the machine to grant access to the resource if the at least one role is in the set of roles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Griffin, Philip B., McCauley, Rod, Toussaint, Alex, Devgan, Manish
Primary Examiner(s)
Lipman; Jacob

Application Number

US12/536,183
Publication Number

US 20100037290A1
Time in Patent Office

727 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for hierarchical role-based entitlements

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

335 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for hierarchical role-based entitlements

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

335 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others