
Optimized policy matching and evaluation for non-hierarchical resources

  • US 9,547,764 B2
  • Filed: 04/24/2012
  • Issued: 01/17/2017
  • Est. Priority Date: 04/24/2012
  • Status: Active Grant
First Claim

1. A computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:

    instructions that cause at least one processor from the one or more processors to receive an authorization request to be authorized, the authorization request identifying a subject, resource information, and an action, the resource information comprising a resource expression identifying a resource;

    instructions that cause at least one processor from the one or more processors to determine that the resource identified by the authorization request is a particular resource type, the particular resource type including a hierarchical resource type or a non-hierarchical resource type;

    instructions that cause at least one processor from the one or more processors to access a plurality of memory structures stored for a plurality of policies targeting a plurality of resources of the particular resource type, at least one memory structure from the plurality of memory structures representing multiple policies from the plurality of policies, wherein each stored memory structure from the plurality of memory structures comprises one or more nodes, a node in a memory structure from the plurality of memory structures corresponding to a character in one or more path components of a resource expression identifying one or more resources;

    instructions that cause at least one processor from the one or more processors to determine a set of characters from the resource expression identifying the resource in the authorization request;

    instructions that cause at least one processor from the one or more processors to search the plurality of memory structures using the set of characters determined from the resource expression, wherein searching the plurality of memory structures includes analyzing nodes of the plurality of memory structures using the set of characters to determine one or more matches between one or more nodes of the plurality of memory structures and one or more characters from the one or more path components of the resource expression;

    instructions that cause at least one processor from the one or more processors to identify, from the plurality of memory structures based upon the one or more matches between the one or more nodes of the plurality of memory structures with the one or more characters from the one or more path components of the resource expression, a first set of policies from the plurality of policies that are applicable for authorizing the authorization request in order to reduce an amount of policies to evaluate in accordance with a number of path components in the resource expression of the authorization request, wherein a number of policies in the first set of policies is less than a number of policies in the plurality of policies; and

    instructions that cause at least one processor from the one or more processors to evaluate one or more policies from the first set of policies to determine whether the subject identified in the authorization request is authorized to perform the action identified in the authorization request on the resource identified in the authorization request.
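
An added illustration, not code from the patent or its assignee, of the general idea the claim describes: policies are indexed in a trie with one node per character of the resource expression, so a request is evaluated only against the policies its expression reaches. The trailing `*` wildcard syntax, the deny-overrides rule, and all class, policy and path names are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    resource: str            # exact expression, or prefix ending in "*" (assumed syntax)
    subjects: frozenset
    actions: frozenset
    effect: str = "permit"   # "permit" or "deny"

@dataclass
class Node:                  # one node per character of a resource expression
    children: dict = field(default_factory=dict)
    exact: list = field(default_factory=list)    # policies whose expression ends here
    prefix: list = field(default_factory=list)   # policies with a trailing "*" here

class PolicyIndex:
    def __init__(self, policies):
        self.root = Node()
        for p in policies:
            wildcard = p.resource.endswith("*")
            node = self.root
            for ch in (p.resource[:-1] if wildcard else p.resource):
                node = node.children.setdefault(ch, Node())
            (node.prefix if wildcard else node.exact).append(p)

    def candidates(self, resource):
        """Walk the trie once; return only policies whose expression matches."""
        node, found = self.root, list(self.root.prefix)
        for ch in resource:
            node = node.children.get(ch)
            if node is None:
                return found
            found.extend(node.prefix)
        return found + node.exact

    def authorize(self, subject, resource, action):
        permitted = False                      # default deny when nothing applies
        for p in self.candidates(resource):
            if subject in p.subjects and action in p.actions:
                if p.effect == "deny":
                    return False               # deny overrides (assumed combining rule)
                permitted = True
        return permitted

# Constructed sample policies, not taken from the patent.
POLICIES = [
    Policy("reports-read", "/app/reports/*", frozenset({"alice", "bob"}), frozenset({"read"})),
    Policy("q1-deny-bob", "/app/reports/q1", frozenset({"bob"}), frozenset({"read"}), "deny"),
    Policy("admin-all", "/app/admin/*", frozenset({"root"}), frozenset({"read", "write"})),
    Policy("orders-write", "/db/orders", frozenset({"alice"}), frozenset({"write"})),
]
INDEX = PolicyIndex(POLICIES)
```

Matching here is character-exact, so the resource expression in a request has to be canonicalized before lookup.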
