GB2442273A - Mechanism for allowing access to unsecured resources via a security engine using inverted security policies - Google Patents


Info

Publication number
GB2442273A
GB2442273A
Authority
GB
United Kingdom
Prior art keywords
policy
resource
access
users
user
Legal status
Withdrawn
Application number
GB0619203A
Other versions
GB0619203D0 (en)
Inventor
John Colgrave
James Ronald Lewis Orchard
Gary Owen Whittingham
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Priority to GB0619203A priority Critical patent/GB2442273A/en
Publication of GB0619203D0 publication Critical patent/GB0619203D0/en
Priority to PCT/EP2007/060229 priority patent/WO2008037748A1/en
Publication of GB2442273A publication Critical patent/GB2442273A/en
Withdrawn legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L29/06829
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Abstract

A system provides a number of resources, some of which are subjected to security policies and some of which are not. For secured resources a policy specifying how the resource may be used and by whom is drawn up as usual (Fig. 4a). The system then creates a complementary policy which specifies that all users can use the resource (Fig. 4b). For unsecured resources no security policies are created. When access to a resource is requested (302) the normal policy is checked in the normal fashion (304) and access is allowed (306) or denied as usual. If usual access is denied then the complementary policy is checked (310); however, the result of this check is inverted. That is, where the complementary policy allows blanket access, access is denied (314), whereas where there is no access policy at all, access is allowed (312). In this fashion access to the unsecured resources with no security policies is facilitated (Fig. 4c).

Description

PARTITIONING A SERVICE REPOSITORY
This invention relates to partitioning a service repository.
BACKGROUND
Service-oriented architecture (SOA) offers the promise of business agility and resilience through reuse, loose coupling, flexibility, interoperability, integration and governance. These are realized by separating service descriptions from their implementations, and using this descriptive metadata across the service life cycle. Standards-based service metadata artefacts, such as Web Service Definition Language (WSDL), XML schema, policy or Service Component Architecture (SCA) documents, capture the technical details of what a service can do, how it can be invoked, or what it expects other services to do. Semantic annotations and other metadata can be associated with these artefacts to offer insight to potential users of the service on how and when it can be used, and what purposes it serves.
Service metadata is used by analysts, architects, and developers during a Development Phase of the SOA life cycle to locate services to reuse and to evaluate the impact of changes to service configurations.
Service metadata is used by deployers in a Change and Release Phase and by administrators in a Runtime Integration Phase. It is used in the Operation Phase of the life cycle to support policy enforcement required by Service Level Agreements (SLAs) and to present a more comprehensive view of the managed service environment.
Within a scheme for role based access control, users are allocated roles and the permissions are allocated to these roles. There is a requirement to partition the space defining the resources within a repository into a 'checked space' and an 'unchecked space'. The 'checked space' contains resources over which access control is required and to which a particular permission applies. The 'unchecked space' is uncontrolled space containing resources over which no access permission is required. The partitions must be disjoint and their union must completely specify the set of possible resources.
If the set of resources is not partitioned in this way then explicit permission for each set of resources over which control is exercised must be specified.
The access control mechanism being used allows the allocation of 'permissions' to named roles or to a pre-defined 'unchecked' role.
SUMMARY OF INVENTION
According to a first aspect of the present invention there is provided a method of granting user access to resources, the method comprising: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
This method relates to a system having a security layer that denies all user access to resources where there is no user resource permission in a policy. The above solution overrides the security layer.
Preferably a complementary policy is generated from the original policy, said complementary policy comprising existing user resource permissions extended for other users not previously given permission; and wherein users are selected if they have permission to use the resource in the complementary policy and the selected users are denied access; and users who have no resource permission in the complementary policy are allowed access.
The advantage of this seemingly complex logic is that the same method is used for checking permissions in the original policy and then for checking permissions in the complementary policy. It is also a relatively simple step to deny access where permission is allowed and to allow access where permission is denied.
Advantageously existing user resource permissions are given only to all users not previously given access to that resource.
A simpler solution is to extend existing user resource permissions to all users.
According to a second aspect of the invention there is provided a system of granting user access to a resource, the system comprising: an evaluation engine permitting user access to a resource where a user resource permission exists in a policy and permitting user access to other resources that are not mentioned in the policy.
According to a third aspect of the invention there is provided a computer program product for granting user access to resources in a service repository, the computer program product when loaded into a computer causing the computer to execute the following steps: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
According to a fourth aspect of the present invention there is provided a service for granting user access to resources in a service repository comprising: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
DESCRIPTION OF DRAWINGS
Embodiments of the invention will now be described, by means of example only, with reference to the accompanying drawings in which: Figure 1 is a schematic of the preferred embodiment showing the phases in a service life cycle; Figure 2 is a schematic of the service registry and repository including the service metadata manager; Figure 3 is a schematic of an access controller method according to the preferred embodiment of the present invention; Figure 4A is an example of a policy; Figure 4B is an example of a complementary policy; and Figure 4C shows the outcomes of access control using the policy of Figure 4A and the complementary policy of Figure 4B.
DESCRIPTION OF THE EMBODIMENTS
IBM WebSphere Service Registry and Repository is the master metadata repository for service interaction endpoint descriptions. A broad definition of "service" applies here. This includes traditional Web services that implement WSDL interfaces with SOAP/HTTP bindings as well as a broad range of SOA services that can be described using WSDL, XSD and policy decorations, but might use a range of protocols and be implemented according to a variety of programming models.
Figure 1 illustrates SOA life cycle phases: Service Development; Change and Release Management; Runtime Integration and Operation. As the integration point for service metadata, WebSphere Service Registry and Repository establishes a central point for finding and managing service metadata acquired from a number of sources, including service application deployments and other service metadata and endpoint registries and repositories, such as Universal Description, Discovery, and Integration (UDDI). It is where service metadata that is scattered across an enterprise is brought together to provide a single, comprehensive description of a service. Once this happens, visibility is controlled, versions are managed, proposed changes are analyzed and communicated, usage is monitored and other parts of the SOA foundation can access service metadata with the confidence that they have found the copy of record.
The preferred embodiment of the invention is service registry and repository 10 as shown in Figure 2. The service registry and repository 10 comprises a service metadata manager 12; object model repository 14; and service metadata file directory 16.
The service metadata manager 12 comprises: complementary policy generator 18; security layer 20; policy evaluation engine 22; and schema repository 24.
Complementary policy generator 18 creates a new policy, a complementary policy, where existing resource permissions are given to all users not previously given access to that resource. Existing user resource permissions may be given only to users not previously given access to that resource, but a preferred solution is to extend user resource permissions to all users, since this makes no difference to the end result.
Security layer 20 denies all user access to resources where there is no user resource permission in a policy. This is a system level function that makes it difficult for hackers to break in. Whenever the policy evaluation engine looks at a policy or complementary policy the security layer will deny user access where there is no user resource permission in a policy.
Policy evaluation engine 22 loads policies and complementary policies and looks for specific permissions.
Schema repository 24 comprises: development schema 26; change and release schema 28; runtime integration schema 30 and operation schema 32.
Each of the schemas relates to a group of users. Development schema 26 is used by the developers; change and release schema 28 is used by testers and deployers; runtime integration schema 30 is used by administration; and operation schema 32 is used by the end users and business operation manager.
The method 300 of the policy evaluation engine 22 is described with reference to Figure 3.
In step 302 the policy evaluation engine 22 receives an access request for a user to access a resource and loads a policy from the object model repository 14.
In step 304, the policy evaluation engine 22 checks the permissions and moves to step 306 if the user is specifically permitted to use the resource. However, if the user is not specifically mentioned then the method continues at step 308.
In step 306 the user is allowed access to the requested resource and the method ends at 314.
In step 308, the policy evaluation engine loads the complementary policy.
In step 310 the policy evaluation engine 22 checks to see if the user is specifically permitted to use the resource and moves to step 314 if permitted. The security layer moves users to step 312 if normally they
In step 312, the permission is reversed and users that were denied permission by the security layer in step 310 are allowed access, so overriding the security layer. The process ends at step 316.
In step 314, the permission is reversed and users that were permitted by the policy evaluation engine at step 310 are denied access. The process ends at step 316.
Step 316 is the end of the policy evaluation method 300.
Example
Examples of the use of the preferred embodiment are now described with reference to Figure 4A; Figure 4B and Figure 4C.
Figure 4A shows a policy permitting a developer access to resource A. Figure 4B shows a complementary policy permitting all users access to resource A. This complementary policy is generated by the complementary policy generator.
Figure 4C shows a table with the four possible outcomes of the policy for resource A and resource B. If a developer requests resource A then access is allowed at step 306. If the developer requests resource B then permission is denied at step 304 and step 310 but access is allowed at step 312. If any other user requests resource A then permission is denied at step 304 and allowed at step 310 but access is denied at step 314. If any other user requests resource B then permission is denied at step 304 and step 310 but access is permitted at step 312.
It will be clear to one of ordinary skill in the art that all or part of the method of the preferred embodiments of the present invention may suitably and usefully be embodied in a logic apparatus, or a plurality of logic apparatus, comprising logic elements arranged to perform the steps of the method and that such logic elements may comprise hardware components, firmware components or a combination thereof.
It will be equally clear to one of skill in the art that all or part of a logic arrangement according to the preferred embodiments of the present invention may suitably be embodied in a logic apparatus comprising logic elements to perform the steps of the method, and that such logic elements may comprise components such as logic gates in, for example, a programmable logic array or application-specific integrated circuit. Such a logic arrangement may further be embodied in enabling elements for temporarily or permanently establishing logic structures in such an array or circuit using, for example, a virtual hardware descriptor language, which may be stored and transmitted using fixed or transmittable carrier media.
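The following is an added worked example, not code from the patent or from IBM's product: it models security layer 20 (default deny), complementary policy generator 18 and the method 300 of Figure 3 in Python, and reproduces the four outcomes of Figure 4C for the constructed policy of Figure 4A. The user names 'developer' and 'tester', the all-users wildcard '*' and the audit helper `unsecured_resources` are assumptions of this example.

```python
"""Inverted complementary-policy evaluation (GB2442273A, Figure 3).

Constructed example: resource A is secured (developer only, Figure 4A),
resource B is mentioned in no policy (the 'unchecked space').
"""
from typing import Dict, List, Optional, Set, Tuple

ALL_USERS = "*"               # assumed wildcard standing for "all users" (Figure 4B)
Policy = Dict[str, Set[str]]  # resource -> users explicitly permitted

# Constructed policy of Figure 4A: only the developer may use resource A.
POLICY: Policy = {"A": {"developer"}}


def security_layer(policy: Policy, resource: str, user: str) -> bool:
    """Security layer 20: default deny.

    Access passes only if the policy carries an explicit permission for this
    user (or the all-users wildcard) on this resource; a resource the policy
    does not mention is always denied at this layer.
    """
    permitted = policy.get(resource, set())
    return user in permitted or ALL_USERS in permitted


def generate_complementary_policy(policy: Policy,
                                  known_users: Optional[Set[str]] = None) -> Policy:
    """Complementary policy generator 18.

    With known_users=None every existing permission is extended to all users
    (claim 4, Figure 4B).  With a user set, the permission is given only to
    users not already permitted (claim 3); the evaluation result is the same
    either way, as the description states.
    """
    complementary: Policy = {}
    for resource, users in policy.items():
        if known_users is None:
            complementary[resource] = {ALL_USERS}
        else:
            complementary[resource] = set(known_users) - set(users)
    return complementary


def evaluate(policy: Policy, complementary: Policy,
             resource: str, user: str) -> Tuple[str, List[int]]:
    """Method 300: returns the decision and the Figure 3 steps visited."""
    trace = [304]
    if security_layer(policy, resource, user):
        trace.append(306)     # explicitly permitted by the original policy
        return "allow", trace
    trace.append(310)         # step 308 loaded the complementary policy
    if security_layer(complementary, resource, user):
        trace.append(314)     # permitted in the complement -> inverted to deny
        return "deny", trace
    trace.append(312)         # denied by the security layer -> inverted to allow
    return "allow", trace


def unsecured_resources(policy: Policy, all_resources: Set[str]) -> Set[str]:
    """Audit helper (assumed): lists the 'unchecked space', i.e. resources the
    inversion opens to every user because no policy mentions them."""
    return set(all_resources) - set(policy)


if __name__ == "__main__":
    comp = generate_complementary_policy(POLICY)
    for user in ("developer", "tester"):
        for resource in ("A", "B"):
            decision, steps = evaluate(POLICY, comp, resource, user)
            print(f"{user:9s} {resource}: {decision:5s} via steps {steps}")
    print("unchecked space:", unsecured_resources(POLICY, {"A", "B"}))
```

Because every resource absent from the policy becomes world-accessible, a deployment should review the set returned by `unsecured_resources` whenever a policy is edited.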
It will be appreciated that the method and arrangement described above may also suitably be carried out fully or partially in software running on one or more processors (not shown in the figures), and that the software may be provided in the form of one or more computer program elements carried on any suitable data-carrier (also not shown in the figures) such as a magnetic or optical disk or the like. Channels for the transmission of data may likewise comprise storage media of all descriptions as well as signal-carrying media, such as wired or wireless signal-carrying media.
The present invention may further suitably be embodied as a computer program product for use with a computer system. Such an implementation may comprise a series of computer-readable instructions either fixed on a tangible medium, such as a computer readable medium, for example, diskette, CD-ROM, ROM, or hard disk, or transmittable to a computer system, using a modem or other interface device, over either a tangible medium, including but not limited to optical or analogue communications lines, or intangibly using wireless techniques, including but not limited to microwave, infrared or other transmission techniques. The series of computer readable instructions embodies all or part of the functionality previously described herein.
Those skilled in the art will appreciate that such computer readable instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Further, such instructions may be stored using any memory technology, present or future, including but not limited to, semiconductor, magnetic, or optical, or transmitted using any communications technology, present or future, including but not limited to optical, infrared, or microwave. It is contemplated that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation, for example, shrink-wrapped software, pre-loaded with a computer system, for example, on a system ROM or fixed disk, or distributed from a server or electronic bulletin board over a network, for example, the Internet or World Wide Web.
In an alternative, the preferred embodiment of the present invention may be realized in the form of a computer implemented method of deploying a service comprising steps of deploying computer program code operable to, when deployed into a computer infrastructure and executed thereon, cause the computer system to perform all the steps of the method.
In a further alternative, the preferred embodiment of the present invention may be realized in the form of a data carrier having functional data thereon, said functional data comprising functional computer data structures to, when loaded into a computer system and operated upon thereby, enable said computer system to perform all the steps of the method.
It will be clear to one skilled in the art that many improvements and modifications can be made to the foregoing exemplary embodiment without departing from the scope of the present invention.

Claims (16)

1. A method of granting user access to resources, the method comprising: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
2. A method according to claim 1 further comprising: generating a complementary policy to the original policy, said complementary policy comprising existing user resource permissions extended for other users not previously given permission; and wherein users are selected if they have permission to use the resource in the complementary policy and the selected users are denied access; and users who have no resource permission in the complementary policy are allowed access.
3. A method according to claim 2 wherein existing user resource permissions are given only to all users not previously given access to that resource.
4. A method according to claim 2 wherein user resource permissions are extended to all users.
5. A system of granting user access to a resource, the system comprising: an evaluation engine permitting user access to a resource where a user resource permission exists in a policy and permitting user access to other resources that are not mentioned in the policy.
6. A system according to claim 5 further comprising: a complementary policy generator for generating a complementary policy to the original policy, said complementary policy comprising existing user resource permissions extended for other users not previously given permission; and wherein users are selected if they have permission to use the resource in the complementary policy and the selected users are denied access; and users who have no resource permission in the complementary policy are allowed access.
7. A system according to claim 6 wherein user resource permissions existing in the policy are given only to users not previously given access to that resource.
8. A system according to claim 6 wherein user resource permissions existing in the policy are extended to all users in the complementary policy.
9. A computer program product for granting user access to resources in a service repository, the computer program product when loaded into a computer causing the computer to execute the following steps: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
10. A computer program product according to claim 9, the steps further comprising: generating a complementary policy to the original policy, said complementary policy comprising existing user resource permissions extended for other users not previously given permission; and wherein users are selected if they have permission to use the resource in the complementary policy and the selected users are denied access; and users who have no resource permission in the complementary policy are allowed access.
11. A computer program product according to claim 10 wherein existing user resource permissions are given only to all users not previously given access to that resource.
12. A computer program product according to claim 10 wherein user resource permissions are extended to all users.
13. A service for granting user access to resources in a service repository comprising: permitting user access to a resource where a user resource permission exists in a policy; and permitting user access to other resources that are not mentioned in the policy.
14. A service according to claim 13 further comprising: generating a complementary policy to the original policy, said complementary policy comprising existing user resource permissions extended for other users not previously given permission; and wherein users are selected if they have permission to use the resource in the complementary policy and the selected users are denied access; and users who have no resource permission in the complementary policy are allowed access.
15. A service according to claim 14 wherein existing user resource permissions are given only to all users not previously given access to that resource.
16. A service according to claim 14 wherein user resource permissions are extended to all users.
GB0619203A 2006-09-29 2006-09-29 Mechanism for allowing access to unsecured resources via a security engine using inverted security policies Withdrawn GB2442273A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB0619203A GB2442273A (en) 2006-09-29 2006-09-29 Mechanism for allowing access to unsecured resources via a security engine using inverted security policies
PCT/EP2007/060229 WO2008037748A1 (en) 2006-09-29 2007-09-26 Partitioning a service repository

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0619203A GB2442273A (en) 2006-09-29 2006-09-29 Mechanism for allowing access to unsecured resources via a security engine using inverted security policies

Publications (2)

Publication Number Publication Date
GB0619203D0 GB0619203D0 (en) 2006-11-08
GB2442273A true GB2442273A (en) 2008-04-02

Family

ID=37434893

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0619203A Withdrawn GB2442273A (en) 2006-09-29 2006-09-29 Mechanism for allowing access to unsecured resources via a security engine using inverted security policies

Country Status (2)

Country Link
GB (1) GB2442273A (en)
WO (1) WO2008037748A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0407060A2 (en) * 1989-06-30 1991-01-09 Novell, Inc. Method of providing mandatory secrecy and integrity file security in a computer system
US5889953A (en) * 1995-05-25 1999-03-30 Cabletron Systems, Inc. Policy management and conflict resolution in computer networks
EP1513075A2 (en) * 2003-06-11 2005-03-09 Microsoft Corporation Method and apparatus for protecting regions of an electronic document
US20050071275A1 (en) * 2003-09-30 2005-03-31 Pss Systems, Inc Method and apparatus for transitioning between states of security policies used to secure electronic documents

Also Published As

Publication number Publication date
GB0619203D0 (en) 2006-11-08
WO2008037748A1 (en) 2008-04-03

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused after publication under section 16(1)