US20110314513A1 - Role policy management - Google Patents

Role policy management Download PDF

Info

Publication number
US20110314513A1
US20110314513A1 US13/222,258 US201113222258A US2011314513A1 US 20110314513 A1 US20110314513 A1 US 20110314513A1 US 201113222258 A US201113222258 A US 201113222258A US 2011314513 A1 US2011314513 A1 US 2011314513A1
Authority
US
United States
Prior art keywords
role
resource
service
response
augmentation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/222,258
Inventor
Stephen R. Carter
Duane Fredrick Buss
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US13/222,258 priority Critical patent/US20110314513A1/en
Publication of US20110314513A1 publication Critical patent/US20110314513A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems

Definitions

  • the invention relates generally to security and more particularly to administering resource access using role policy management techniques.
  • Role Based Access Control (RBAC) systems advanced the art by attempting to secure and streamline user administration via constructing and maintaining a formal model of user privileges grouped into roles.
  • a method for extending a generalized role definition A role request and role assignment are received.
  • the role request identifies a principal and a Policy Enforcement Point (PEP) service that acts on behalf of the principal.
  • PEP Policy Enforcement Point
  • the role assignment represents permissible roles of the principal.
  • a resource association is evaluated in response to the role request and in response to the role assignment in order to identify a resource profile.
  • One or more resource decorations are applied in response to the identified resource profile.
  • the modified role assignment is sent to the PEP service for enforcement.
  • FIG. 1 is a diagram of a method for extending a generic role definition, according to an example embodiment.
  • FIG. 2 is a diagram of a method for modifying a role request response, according to an example embodiment.
  • FIG. 3 is a diagram of a method for receiving and enforcing fine-grained access restrictions against an application and a principal, according to an example embodiment.
  • FIG. 4 is a diagram of a role extension system, according to an example embodiment.
  • FIG. 5 is a diagram of example interactions for an architecture associated with the methods depicted in FIGS. 1-3 , according to an example embodiment.
  • resource refers to an electronic entity, an application or set of applications, a data store, a proxy, a directory, a service, or physical devices such as computers or peripherals etc. Resources may represent physical or logical entities.
  • a “principal” is a type of resource designation identifying a resource that requests access to or communicates with other resources.
  • a principal may be a user, an automated application, or an automated service that attempts to access another resource, such as a website, etc.
  • an identity refers to an electronic identifier, attribute, or representation for a resource (e.g., physical and logical). An identity may be assigned to a resource after authentication. An identity is authenticated via various techniques (e.g., challenge and response interaction, cookies, assertions, etc.) that use various identifying information (e.g., identifiers with passwords, biometric data, digital certificates, digital signatures, etc.).
  • identifying information e.g., identifiers with passwords, biometric data, digital certificates, digital signatures, etc.
  • a “true identity” is one that is unique to a resource across any context that the resource may engage in over a network (e.g., Internet, Intranet, etc.). However, each resource may have and manage a variety of identities, where each of these identities may only be unique within a given context (given service interaction, given processing environment, given virtual processing environment, etc.).
  • RBAC Role Based Access Control
  • Role Based Access Control is a technique that specifies role relations, interactions, and restrictions as a part of a role object model. Stated another way, RBAC is a security model to administer system access rights based on role assignments and rules (role policy).
  • Role Config is a data store or data structure having a collection of role definitions and which may also include specification information, separation of duties, rights, and privileges, inheritance specification, hierarchical location etc. Sometimes, role definitions include privileges associated with their hierarchical subordinates.
  • a “Policy Enforcement Point” (PEP) service is a module that dynamically enforces policy, including access restrictions and permissions, for resources within its purview. Policy decisions may be provided from a Policy Distribution Point (PDP) or decided by the PEP itself. Additionally, PEP modules submit access requests on behalf of principals or resources to a Role Calculation Engine (RCE).
  • PDP Policy Distribution Point
  • RCE Role Calculation Engine
  • a “PEP Config” is a data store or data structure that provides a PDP with PEP specific processing context information. This may include proxy, connection state, IP subnet, domain information, etc.
  • a PDP service supplies role policy and specifications associated with a resource to a RCE or PEP service.
  • a PDP may also deliver this same information to an augmentation service.
  • Role Policy defines the relationship between a resource and one or more roles. Role Policy may augment the use of a generic role by specifying activation, deactivation, and/or usage restraints. For example, role policy may dictate that a particular role may only be assigned to a principal if specific conditions are met (e.g., time of day (temporal restraint), subnet (network constraints), memory or processor capacity (hardware configuration), etc.).
  • a “Resource Decoration” defines a processing context to an augmentation service.
  • the processing context may include additional access restrictions or permissions, formatting and syntax requirements (i.e. to accommodate legacy applications).
  • a “Resource Association” defines and identifies relationships between resources, including role requests and role assignments, and maps particular relationships to resource profiles. The profiles map to context specific access permissions or restrictions.
  • a “Resource Config” includes one or more resource profiles or specifications. Each resource profile identifies one or more resource decorations that may be applied to a given role assignment or resource association. In other words, the resource config details the restrictions that may be imposed on a particular resource or processing context for that resource.
  • An “Augmentation service” is used as an augmentation calculator that accepts as inputs one or more roles, policies associated with those roles, role requests, or role assignments supplied by a PDP service or RCE and uses the identified resource associations in connection with the resource config to select a resource profile and acquire the appropriate resource decorations.
  • Another way to view the operation of the augmentation service is that, as will be described in greater detail below, it essentially permits more granular (fine-grain) roles to be realized by further adding access restrictions or permissions being calculated for a given role assignment.
  • the output of the augmentation service is in the same or similar format as the inputs supplied by the PDP service or RCE, such that multiple instances of the augmentation service can be chained together based on configuration setups to further granularize the access permissions and restrictions.
  • the augmentation calculation module may be a generalized, reusable module or logic specific to a given application.
  • Role Calculator associates one or more roles to a requesting resource and evaluates access requests for the resource by application of role policy to that resource's role assignments.
  • the Role Calculator is part of the Role Calculation Engine (RCE).
  • role, decoration, association, and interaction may refer to specific instances, patterns, or templates.
  • inventions of this invention can be implemented in existing network architectures and RBAC systems.
  • the techniques presented herein are implemented in whole or in part in the Novelle® network, proxy server products, operating system products, data center products, and/or directory services products distributed by Novelle®, Inc. of Provo, Utah. More specifically, embodiments of the invention may be implemented in the Novelle® Access Manager, Identity Manager, and Bandit products among others.
  • FIGS. 1-5 It is within this context, that various embodiments of the invention are now presented with reference to the FIGS. 1-5 .
  • FIG. 1 is a diagram of a method 100 for creating more granular (fine-grained) roles by extending a generic role definition without affecting other uses of the existing role management system, according to an example embodiment.
  • the method 100 (hereinafter “role extension service”) is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform the processing depicted in the FIG. 1 .
  • the role extension service is also operational over and performs within a network.
  • the network may be wired, wireless, or a combination of wired and wireless.
  • the role extension service permits a generic role assignment to be modified with access permissions or restrictions specific to a given PEP, application, and/or principal via an augmentation service.
  • the phrase “decorating a role assignment” is synonymous with modifying the access permissions of a given role assignment.
  • the role extension service receives a role request and role assignment.
  • the role request identifies a requesting PEP service and the principal that the PEP service is representing.
  • the role assignment represents one or more permissible roles of the principal.
  • a role request represents a principal's desire to access one or more resources. In some situations, it may be necessary that a principal be assigned more than one role to receive access to a particular resource.
  • the role request and role assignment are sent from a RCE that previously made the role assignment in response to the role request. More than one role assignment may be associated with a given role request.
  • the role extension service may receive the role request and role assignment by “intercepting” a transmission originally intended for a PEP service. Where an application makes a role request on behalf of a principal the role request may include information identifying the application and principal.
  • the role extension service identifies the requesting principal and/or an application being used by the principal.
  • the role extension service evaluates a resource association in response to the role request and role assignment to identify a resource profile within the resource config module.
  • the augmentation processing may consider the identified relationship between one or more of the following: the true identity of the principal, the role request, the role assignment, the PEP service, the application, membership inheritance requirements, dynamic membership exclusions based on temporal restraints, etc.
  • the role extension service applies the resource decorations identified in the selected resource profile to the role assignment at 130 . In this manner, generalized role definitions may be modified and extended through decorating a role assignment without burdening the generic role specification.
  • resource decorations may implement the limitation that membership inheritance from the role hierarchy for a given application be restricted to only one level whereas another application must inherit from each available level.
  • manager A a second level manager
  • Manager B oversees only regular salaried employees
  • manager C oversees outside contract workers.
  • Manager A in her role as second level manager, should be able to access all the information about manager B, manager C, and the subordinates of manager C (all regular salaried employees) but not the confidential information relating to the outside contract workers that manger B supervises.
  • the role extension service applies access restrictions and/or permissions to the role assignment.
  • the role extension service generates PEP specific role extensions for a generalized role definition associated with the role assignment.
  • the role extension service leaves the generalized role definition unchanged so that other systems/services interacting with or using a traditional RBAC system may continue to function normally and unabated.
  • the role extension service formats the role request response to accommodate formatting and syntax requirements of any legacy application, service, or system.
  • the role extension service sends the modified role assignments to the PEP service for enforcement against subsequent processing actions of the requesting principal.
  • a coarse-grain role definition may be extended to create one or more fine-grain role extensions and without affecting how other applications, services, systems, and resources use the coarse-grain role.
  • FIG. 2 is a diagram of a method 200 for modifying a role request response, according to an example embodiment.
  • the method 200 (hereinafter “proxy service”) is implemented as instructions in a machine-accessible and readable medium.
  • the instructions when executed by a machine perform the functions depicted in the FIG. 2 .
  • the processing is also operational over and performs within a network.
  • the network may be wired, wireless, or a combination of wired and wireless.
  • the proxy service receives a role request from a first resource on behalf of a second resource. It may also be the case, at 211 , that the proxy service recognizes the first resource as a PEP service and the second resource as a principal.
  • the role request may be sent from a PEP service directly or arrive at the proxy service indirectly.
  • the proxy service acquires a response that associates one or more roles with the second resource.
  • the response may be acquired from a role calculator.
  • the roles, which are associated with the second resource may include each available role or may include just a subset of roles of the second resource's permissible roles, depending on the access rights sought by the second resource.
  • Environmental conditions such as hardware limitations, network constraints, software configurations, time of day, location, etc. may also determine which roles are associated with the second resource. For example, some roles may not be accessible to the second resource if the second resource is requesting access in a remote physical environment, such as through a virtual connection.
  • the proxy service may generate the response itself by dynamically associating one or more roles with the second resource.
  • the proxy service forwards the role request and the response to an augmentation service at 230 .
  • the augmentation service selects resource decorations according to a resource profile, in a manner similar to the detailed description provided at 120 above with respect to method 100 of the FIG. 1 .
  • the augmentation service identifies the resource profile in response to an identified relationship among the role request, the first resource, and role assignments associated with the second resource.
  • the proxy service may select more than one resource profile; additionally, a selected resource profile may be used to select additional resource profiles.
  • the proxy service receives a modified response from the augmentation service.
  • the modified response is customized for the second resource by application of resource decorations to the original response. This may include changing access permissions and/or restrictions of the active roles associated with the second resource. Additionally, the customization may include altering the format and syntax of the response.
  • the proxy service sends the modified response to the first resource.
  • the first resource enforces the access permissions and restrictions contained in the response against the second resource.
  • the method 200 may be implemented as a plug-in to a RCE. In another embodiment, at 252 , the method 200 may be implemented as modifications within an RCE. According to yet another embodiment, at 253 the method 200 may by implemented as a proxy service that interacts with a RCE and PEP service.
  • FIG. 3 is a diagram of a method 300 for receiving and enforcing fine-grained access restrictions against an application and a principal, according to an example embodiment.
  • the method 300 (hereinafter “PEP service”) is implemented as instructions in a machine-accessible and readable medium.
  • the instructions when executed by a machine perform the functions depicted in the FIG. 3 .
  • the processing is also operational over and performs within a network.
  • the network may be wired, wireless, or a combination of wired and wireless.
  • the PEP service receives a role request from an application on behalf of a principal.
  • the same PEP service may administer service dispositions for more than one application or principal.
  • the PEP service forwards the role request to a RCE.
  • An RCE generates a response by assigning one or more roles associated with the principal or with the application and forwards the response to an augmentation service for customization.
  • the RCE may forward the response to another PEP service and the response may be “intercepted” by an augmentation service.
  • Two or more augmentation services may be “chained” together via their augmentation calculators.
  • the RCE response may be forwarded from one augmentation service to another augmentation service as necessary for customization.
  • Some augmentation services may be logic specific for particular applications.
  • consumer and maintenance Application Programming Interfaces are associated with the PEPservice. Further flexibility is created by allowing applications to change PEP services and PEP chaining associated with API and management functions. For example, this allows an application to specify that, after a particular application decoration has been associated with a role, the role may not be further modified without the PEP service that represents the application ensuring that the modification is acceptable.
  • an augmentation service evaluates a resource association against the role request and one or more role assignments to select a resource profile.
  • the augmentation service may also select a resource profile based on the identity of the principal and require that the principal authenticate a true identity.
  • the augmentation service selects the resource decorations in response to the identified resource profile.
  • the augmentation service applies the resource decorations to the response, customizing the response for the requesting application and principal.
  • the augmentation service's activities leave the RCE processing unchanged so that other uses of the RBAC system are not impacted.
  • the PEP service receives a modified response from the augmentation service.
  • the augmentation service has already customized the RCE response, as described in detail above, for the application and the principal by applying resource decorations.
  • the PEP service enforces the access rights and/or restrictions contained in the modified response against the application and principal. In this manner, fine-grain access restrictions may be realized. Such grainular security may even be used to ensure governmental regulations are being satisfied with respect to security.
  • FIG. 4 is a diagram of a role extension system 400 that allows disparate systems to add role functionality without impacting other systems/services using a role management system/service, according to an example embodiment.
  • the role extension system 400 is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform, among other things, the processing depicted in FIGS. 1-3 .
  • the role extension system 400 is also operational over a network and the network may be wired, wireless, or a combination of wired and wireless.
  • the role extension system 400 includes a PEP service 420 and an augmentation service 440 ; each of which are discussed in more detail below.
  • the role extension system 400 may also include one or more resources 410 , a RCE 430 , and additional augmentation services 450 .
  • the PEP service 420 was described in detail above, especially with reference to the method 200 of the FIG. 2 .
  • the PEP service 420 is an intermediary adapted to receive role requests from one or more resources, often applications or principals, and forward those requests to a RCE 430 . Further, the PEP service 420 is adapted to receive customized role request responses from an augmentation service 440 and enforce access permissions and restrictions included in the responses against processing actions of the requesting resource.
  • a given PEP service may handle role requests for multiple resources and enforce role policy decisions, including access restrictions and permissions, against multiple resources.
  • Resources 410 may be applications, services, devices, principals, or applications acting on behalf of principals.
  • An Application Programming Interface (API) may be associated with the PEP service 420 .
  • a resource 410 may configure the PEP service through the API or chain multiple PEP services together with one another.
  • API Application Programming Interface
  • the augmentation service 440 was described in detail above, especially with reference to role extension service represented by the method 100 of the FIG. 1 .
  • the augmentation service 440 has access to resource decorations, resource associations, and resource profiles. Additionally, the augmentation service 440 may have communication channels between the RCE 430 , the PEP service 420 , and other augmentation services 450 .
  • the augmentation service 440 is adapted to receive role requests and role responses from the RCE 430 .
  • the role requests and role responses may be “intercepted” by the augmentation service 440 unbeknownst to the RCE.
  • Role responses may include role assignments made by the RCE.
  • the augmentation service 440 is adapted to customize an RCE response for the PEP service 420 , for resources 410 , or for other applications or principals.
  • the augmentation calculator modifies the role response according to the resource decorations, resource associations, and resource profiles that form part of the augmentation service.
  • the augmentation service 440 customizes the response for the requesting resource, adjusting access permissions and restrictions as necessary and may also apply a processing context to the response to fulfill formatting or syntax requirements of the requesting resource (e.g. to accommodate a legacy application, etc.).
  • the augmentation service 440 is further adapted to send the customized response to the PEP service 420 .
  • the customized response need not pass back through the RCE, it is possible to configure the augmentation service, including the resource decorations, resource associations, and resource profiles, to allow multiple, disparate systems/services that are related by the role specifications to add role functionality without affecting other systems/services using a role management system/service.
  • One or more augmentation services 450 may be connected to the augmentation service 440 .
  • Augmentation services 450 operate in a manner similar to that described above with respect to augmentation service 440 .
  • the augmentation services 440 , 450 may send responses to and receive responses from one another or from other augmentation services (not shown in FIG. 4 ) that are chained together. In this manner, augmentation services may dynamically consult one another and pre- or post modify a role request response.
  • FIG. 5 is a diagram of example interactions for an architecture associated with the methods depicted in FIGS. 1-3 , according to an example embodiment.
  • the diagram includes a variety of resources and interactions that these resources have with one another for purposes of extending generic role definitions without altering existing uses of the RBAC system.
  • the components depicted above the dashed line may in some cases represent an existing RBAC system/service.
  • the components below the dashed line represent mechanisms for extending role functionality without impacting an existing role management system/service.
  • an augmentation service is shown comprising an augmentation calculator, a resource decoration module, a resource association module, and application config module.
  • An application config module is synonymous with a resource profile module in this context.
  • the functionality and operation of these resources has been described in detail above. Interactions between the resources are labeled with uppercase alphabetic characters A-E.
  • the character A represents the transmission of a role request from PEP X on behalf of application 2 to the RCE where one or more roles are assigned.
  • the RCE transmits the role request and role assignments via channel B to an augmentation module for modification.
  • the modified response is sent over C to the requesting PEP, in this case PEP X.
  • the augmentation calculator may pass the response via D to another augmentation module before the response is returned to PEP X.
  • the response may be further transmitted via E to additional augmentation modules.
  • the techniques presented herein provide mechanisms necessary to allow multiple, disparate systems that are related only by the role specifications to add role functionality without affecting other applications, services, or systems using a role management system/service.
  • the methods and systems described above provide PEP and application specific role extensions to coarse-grain role definitions that leave the general role definition intact.
  • enterprises may now more easily convert to a role management system/service in and better administer role management systems/services as user diversity is exposed by new applications, departments, or users being added to the enterprise.
  • provisioning fine-grained access permissions which reflect constantly changing user responsibilities within a more manageable processing environment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Economics (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Game Theory and Decision Science (AREA)
  • Development Economics (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Computer Security & Cryptography (AREA)
  • Educational Administration (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Storage Device Security (AREA)

Abstract

In various embodiments, techniques for role management systems/services are provided. According to an embodiment, a method is provided to allow a role management system to be configured, modified, and restricted. Specific roles assignments may be decorated to be meaningful to an application but which are not generally applicable to an original role specification. A Policy Enforcement Point (PEP) role request response may be modified by an augmentation service, which evaluates a resource association to identify an appropriate resource profile. Resource decorations are identified by the selected profile and are applied to the role request response.

Description

    RELATED APPLICATIONS
  • The present Application is co-pending with, is a Continuation of, and claims Priority to U.S. patent application Ser. No. 11/621,762, entitled: “Role Policy Management,” filed on Jan. 10, 2007, and which presently stands allowed; and the disclosure of which is incorporated by reference herein in its entirety.
    • FIELD
  • The invention relates generally to security and more particularly to administering resource access using role policy management techniques.
    • BACKGROUND
  • Increasingly enterprises are faced with numerous internal users having different access requirements that span a large number of applications, networks, and systems. Maintaining the security of such modern dynamic enterprises is a critical and challenging task. In some industries, such as banking, the federal government has promulgated rules and regulations that require a certain degree of security. Thus, enterprises are not only concerned with their reputation but face potential civil liability for security breaches. The challenge lies in efficiently and securely provisioning system access to reflect constantly changing user responsibilities and computing environments.
  • Historic methods of manually granting individual user access on a resource by resource basis long ago proved administratively infeasible for organizations of even moderate size. Role Based Access Control (RBAC) systems advanced the art by attempting to secure and streamline user administration via constructing and maintaining a formal model of user privileges grouped into roles.
  • However, such models have scaled poorly because many users are unique; thus, resulting in role proliferation. For example, user diversity is often represented using new applications, departments, or systems, which are added to the enterprise security model. Where fine-grain role approaches are required, the number of roles may equal the number of users (or even exceed the number of user if users have many roles); therefore, the advantage of grouping is often lost. Application of policy rules as a complement to roles has allowed for greater flexibility and fewer generalized static role definitions. Nonetheless, the combination of increasingly complex Information Technology (IT) infrastructures, more diversified users requiring fine granularity access privileges, and growing numbers of users (including employees, subcontractors, partners, vendors, etc.) have shown that these conventional tools and processes to manage security are breaking down.
  • Consequently, what was considered a valuable security model for an enterprise has now become an administration and maintenance challenge.
  • Also problematic is the task of converting an enterprise to a role management system in the first place. Traditional role management systems are not conducive to the integration of existing systems to use roles nor do they provide the mechanisms necessary to allow multiple, disparate systems that are related only by the role definitions to add role functionality without affecting other applications using the role management system.
  • Accordingly, what is needed are mechanisms to better provision fine-grained role extensions without impacting existing role management systems.
    • SUMMARY
  • In various embodiments, techniques for role management systems are provided. More specifically, and in an embodiment, a method is provided for extending a generalized role definition. A role request and role assignment are received. The role request identifies a principal and a Policy Enforcement Point (PEP) service that acts on behalf of the principal. The role assignment represents permissible roles of the principal. Next, a resource association is evaluated in response to the role request and in response to the role assignment in order to identify a resource profile. One or more resource decorations are applied in response to the identified resource profile. The modified role assignment is sent to the PEP service for enforcement.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram of a method for extending a generic role definition, according to an example embodiment.
  • FIG. 2 is a diagram of a method for modifying a role request response, according to an example embodiment.
  • FIG. 3 is a diagram of a method for receiving and enforcing fine-grained access restrictions against an application and a principal, according to an example embodiment.
  • FIG. 4 is a diagram of a role extension system, according to an example embodiment.
  • FIG. 5 is a diagram of example interactions for an architecture associated with the methods depicted in FIGS. 1-3, according to an example embodiment.
    •  DETAILED DESCRIPTION
  • The term “resource” as used herein refers to an electronic entity, an application or set of applications, a data store, a proxy, a directory, a service, or physical devices such as computers or peripherals etc. Resources may represent physical or logical entities.
  • A “principal” is a type of resource designation identifying a resource that requests access to or communicates with other resources. For example, a principal may be a user, an automated application, or an automated service that attempts to access another resource, such as a website, etc.
  • In various embodiments of the invention, the term “identity” is used. An identity refers to an electronic identifier, attribute, or representation for a resource (e.g., physical and logical). An identity may be assigned to a resource after authentication. An identity is authenticated via various techniques (e.g., challenge and response interaction, cookies, assertions, etc.) that use various identifying information (e.g., identifiers with passwords, biometric data, digital certificates, digital signatures, etc.). A “true identity” is one that is unique to a resource across any context that the resource may engage in over a network (e.g., Internet, Intranet, etc.). However, each resource may have and manage a variety of identities, where each of these identities may only be unique within a given context (given service interaction, given processing environment, given virtual processing environment, etc.).
  • “Role Based Access Control” (RBAC) is a technique that specifies role relations, interactions, and restrictions as a part of a role object model. Stated another way, RBAC is a security model to administer system access rights based on role assignments and rules (role policy).
  • As used herein, a “Role Config” is a data store or data structure having a collection of role definitions and which may also include specification information, separation of duties, rights, and privileges, inheritance specification, hierarchical location etc. Sometimes, role definitions include privileges associated with their hierarchical subordinates.
  • A “Policy Enforcement Point” (PEP) service is a module that dynamically enforces policy, including access restrictions and permissions, for resources within its purview. Policy decisions may be provided from a Policy Distribution Point (PDP) or decided by the PEP itself. Additionally, PEP modules submit access requests on behalf of principals or resources to a Role Calculation Engine (RCE).
  • A “PEP Config” is a data store or data structure that provides a PDP with PEP specific processing context information. This may include proxy, connection state, IP subnet, domain information, etc.
  • A PDP service supplies role policy and specifications associated with a resource to a RCE or PEP service. A PDP may also deliver this same information to an augmentation service.
  • “Role Policy” defines the relationship between a resource and one or more roles. Role Policy may augment the use of a generic role by specifying activation, deactivation, and/or usage restraints. For example, role policy may dictate that a particular role may only be assigned to a principal if specific conditions are met (e.g., time of day (temporal restraint), subnet (network constraints), memory or processor capacity (hardware configuration), etc.).
  • A “Resource Decoration” defines a processing context to an augmentation service. The processing context may include additional access restrictions or permissions, formatting and syntax requirements (i.e. to accommodate legacy applications).
  • A “Resource Association” defines and identifies relationships between resources, including role requests and role assignments, and maps particular relationships to resource profiles. The profiles map to context specific access permissions or restrictions.
  • A “Resource Config” includes one or more resource profiles or specifications. Each resource profile identifies one or more resource decorations that may be applied to a given role assignment or resource association. In other words, the resource config details the restrictions that may be imposed on a particular resource or processing context for that resource.
  • An “Augmentation service” is used as an augmentation calculator that accepts as inputs one or more roles, policies associated with those roles, role requests, or role assignments supplied by a PDP service or RCE and uses the identified resource associations in connection with the resource config to select a resource profile and acquire the appropriate resource decorations. Another way to view the operation of the augmentation service is that, as will be described in greater detail below, it essentially permits more granular (fine-grain) roles to be realized by further adding access restrictions or permissions being calculated for a given role assignment. The output of the augmentation service is in the same or similar format as the inputs supplied by the PDP service or RCE, such that multiple instances of the augmentation service can be chained together based on configuration setups to further granularize the access permissions and restrictions. The augmentation calculation module may be a generalized, reusable module or logic specific to a given application.
  • Finally, the “Role Calculator” associates one or more roles to a requesting resource and evaluates access requests for the resource by application of role policy to that resource's role assignments. The Role Calculator is part of the Role Calculation Engine (RCE).
  • As used below, the terms role, decoration, association, and interaction may refer to specific instances, patterns, or templates.
  • Various embodiments of this invention can be implemented in existing network architectures and RBAC systems. For example, in some embodiments the techniques presented herein are implemented in whole or in part in the Novelle® network, proxy server products, operating system products, data center products, and/or directory services products distributed by Novelle®, Inc. of Provo, Utah. More specifically, embodiments of the invention may be implemented in the Novelle® Access Manager, Identity Manager, and Bandit products among others.
  • Of course, the embodiments of the invention can be implemented in a variety of architectural platforms, operating and server systems, devices, systems, or applications. Any particular architectural layout or implementation presented herein is provided for purposes of illustration and comprehension only and is not intended to limit aspects of the invention.
  • It is within this context, that various embodiments of the invention are now presented with reference to the FIGS. 1-5.
  • FIG. 1 is a diagram of a method 100 for creating more granular (fine-grained) roles by extending a generic role definition without affecting other uses of the existing role management system, according to an example embodiment. The method 100 (hereinafter “role extension service”) is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform the processing depicted in the FIG. 1. The role extension service is also operational over and performs within a network. The network may be wired, wireless, or a combination of wired and wireless.
  • As will be more fully described herein and below, the role extension service permits a generic role assignment to be modified with access permissions or restrictions specific to a given PEP, application, and/or principal via an augmentation service. The phrase “decorating a role assignment” is synonymous with modifying the access permissions of a given role assignment.
  • At 110, the role extension service receives a role request and role assignment. The role request identifies a requesting PEP service and the principal that the PEP service is representing. The role assignment represents one or more permissible roles of the principal. A role request represents a principal's desire to access one or more resources. In some situations, it may be necessary that a principal be assigned more than one role to receive access to a particular resource. According to an embodiment, the role request and role assignment are sent from a RCE that previously made the role assignment in response to the role request. More than one role assignment may be associated with a given role request. The role extension service may receive the role request and role assignment by “intercepting” a transmission originally intended for a PEP service. Where an application makes a role request on behalf of a principal the role request may include information identifying the application and principal. Optionally, at 111, the role extension service identifies the requesting principal and/or an application being used by the principal.
  • At 120, the role extension service evaluates a resource association in response to the role request and role assignment to identify a resource profile within the resource config module. To evaluate a resource association the augmentation processing may consider the identified relationship between one or more of the following: the true identity of the principal, the role request, the role assignment, the PEP service, the application, membership inheritance requirements, dynamic membership exclusions based on temporal restraints, etc. After selecting the resource profile at 120, the role extension service applies the resource decorations identified in the selected resource profile to the role assignment at 130. In this manner, generalized role definitions may be modified and extended through decorating a role assignment without burdening the generic role specification. One result is that fine-grain security requirements for specific applications, PEPs, and principals may now be resolved without affecting other uses of a security management system. Further, specific roles and role hierarchies may be decorated or associations specified that are meaningful to the application but not generally applicable to a general role specification case.
  • By way of example, resource decorations may implement the limitation that membership inheritance from the role hierarchy for a given application be restricted to only one level whereas another application must inherit from each available level. Such a situation may arise where manager A, a second level manager, supervises first level managers B and C. Manager B oversees only regular salaried employees and manager C oversees outside contract workers. Manager A, in her role as second level manager, should be able to access all the information about manager B, manager C, and the subordinates of manager C (all regular salaried employees) but not the confidential information relating to the outside contract workers that manger B supervises.
  • Returning to the discussion of the FIG. 1, at 131 and according to an embodiment, the role extension service applies access restrictions and/or permissions to the role assignment. Optionally, at 132 the role extension service generates PEP specific role extensions for a generalized role definition associated with the role assignment. At 133, and as previously noted above, the role extension service leaves the generalized role definition unchanged so that other systems/services interacting with or using a traditional RBAC system may continue to function normally and unabated. In an embodiment, at 134 the role extension service formats the role request response to accommodate formatting and syntax requirements of any legacy application, service, or system.
  • At 140, the role extension service sends the modified role assignments to the PEP service for enforcement against subsequent processing actions of the requesting principal.
  • In this way, a coarse-grain role definition may be extended to create one or more fine-grain role extensions and without affecting how other applications, services, systems, and resources use the coarse-grain role.
  • FIG. 2 is a diagram of a method 200 for modifying a role request response, according to an example embodiment. The method 200 (hereinafter “proxy service”) is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform the functions depicted in the FIG. 2. The processing is also operational over and performs within a network. The network may be wired, wireless, or a combination of wired and wireless.
  • At 210, the proxy service receives a role request from a first resource on behalf of a second resource. It may also be the case, at 211, that the proxy service recognizes the first resource as a PEP service and the second resource as a principal. The role request may be sent from a PEP service directly or arrive at the proxy service indirectly.
  • At 220, the proxy service acquires a response that associates one or more roles with the second resource. The response may be acquired from a role calculator. The roles, which are associated with the second resource, may include each available role or may include just a subset of roles of the second resource's permissible roles, depending on the access rights sought by the second resource. Environmental conditions such as hardware limitations, network constraints, software configurations, time of day, location, etc. may also determine which roles are associated with the second resource. For example, some roles may not be accessible to the second resource if the second resource is requesting access in a remote physical environment, such as through a virtual connection. Alternatively, at 221 the proxy service may generate the response itself by dynamically associating one or more roles with the second resource.
  • The proxy service forwards the role request and the response to an augmentation service at 230. Optionally, at 231, the augmentation service selects resource decorations according to a resource profile, in a manner similar to the detailed description provided at 120 above with respect to method 100 of the FIG. 1. According to an embodiment, at 232, the augmentation service identifies the resource profile in response to an identified relationship among the role request, the first resource, and role assignments associated with the second resource. Thus, the relationship between the role request, the first resource, and the roles associated with the second resource determine which resource profile is selected. The proxy service may select more than one resource profile; additionally, a selected resource profile may be used to select additional resource profiles.
  • At 240, the proxy service receives a modified response from the augmentation service. The modified response is customized for the second resource by application of resource decorations to the original response. This may include changing access permissions and/or restrictions of the active roles associated with the second resource. Additionally, the customization may include altering the format and syntax of the response.
  • At 250, the proxy service sends the modified response to the first resource. The first resource enforces the access permissions and restrictions contained in the response against the second resource.
  • In one embodiment, at 251, the method 200 may be implemented as a plug-in to a RCE. In another embodiment, at 252, the method 200 may be implemented as modifications within an RCE. According to yet another embodiment, at 253 the method 200 may by implemented as a proxy service that interacts with a RCE and PEP service.
  • FIG. 3 is a diagram of a method 300 for receiving and enforcing fine-grained access restrictions against an application and a principal, according to an example embodiment. The method 300 (hereinafter “PEP service”) is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform the functions depicted in the FIG. 3. The processing is also operational over and performs within a network. The network may be wired, wireless, or a combination of wired and wireless.
  • At 310, the PEP service receives a role request from an application on behalf of a principal. The same PEP service may administer service dispositions for more than one application or principal.
  • At 320, the PEP service forwards the role request to a RCE. An RCE generates a response by assigning one or more roles associated with the principal or with the application and forwards the response to an augmentation service for customization. Alternatively, the RCE may forward the response to another PEP service and the response may be “intercepted” by an augmentation service.
  • Two or more augmentation services may be “chained” together via their augmentation calculators. Optionally, at 321, the RCE response may be forwarded from one augmentation service to another augmentation service as necessary for customization. Some augmentation services may be logic specific for particular applications.
  • According to an embodiment, consumer and maintenance Application Programming Interfaces (API) are associated with the PEPservice. Further flexibility is created by allowing applications to change PEP services and PEP chaining associated with API and management functions. For example, this allows an application to specify that, after a particular application decoration has been associated with a role, the role may not be further modified without the PEP service that represents the application ensuring that the modification is acceptable.
  • Continuing with the discussion of the FIG. 3, in an embodiment, at 322, an augmentation service evaluates a resource association against the role request and one or more role assignments to select a resource profile. The augmentation service may also select a resource profile based on the identity of the principal and require that the principal authenticate a true identity. In still another embodiment, at 323, the augmentation service selects the resource decorations in response to the identified resource profile. The augmentation service applies the resource decorations to the response, customizing the response for the requesting application and principal. At 324, the augmentation service's activities leave the RCE processing unchanged so that other uses of the RBAC system are not impacted.
  • At 330, the PEP service receives a modified response from the augmentation service. The augmentation service has already customized the RCE response, as described in detail above, for the application and the principal by applying resource decorations. At 340, the PEP service enforces the access rights and/or restrictions contained in the modified response against the application and principal. In this manner, fine-grain access restrictions may be realized. Such grainular security may even be used to ensure governmental regulations are being satisfied with respect to security.
  • FIG. 4 is a diagram of a role extension system 400 that allows disparate systems to add role functionality without impacting other systems/services using a role management system/service, according to an example embodiment. The role extension system 400 is implemented as instructions in a machine-accessible and readable medium. The instructions when executed by a machine perform, among other things, the processing depicted in FIGS. 1-3. The role extension system 400 is also operational over a network and the network may be wired, wireless, or a combination of wired and wireless.
  • The role extension system 400 includes a PEP service 420 and an augmentation service 440; each of which are discussed in more detail below. In some cases, the role extension system 400 may also include one or more resources 410, a RCE 430, and additional augmentation services 450.
  • The PEP service 420 was described in detail above, especially with reference to the method 200 of the FIG. 2. The PEP service 420 is an intermediary adapted to receive role requests from one or more resources, often applications or principals, and forward those requests to a RCE 430. Further, the PEP service 420 is adapted to receive customized role request responses from an augmentation service 440 and enforce access permissions and restrictions included in the responses against processing actions of the requesting resource. A given PEP service may handle role requests for multiple resources and enforce role policy decisions, including access restrictions and permissions, against multiple resources. Resources 410 may be applications, services, devices, principals, or applications acting on behalf of principals. An Application Programming Interface (API) may be associated with the PEP service 420. A resource 410 may configure the PEP service through the API or chain multiple PEP services together with one another.
  • The augmentation service 440 was described in detail above, especially with reference to role extension service represented by the method 100 of the FIG. 1. The augmentation service 440 has access to resource decorations, resource associations, and resource profiles. Additionally, the augmentation service 440 may have communication channels between the RCE 430, the PEP service 420, and other augmentation services 450. The augmentation service 440 is adapted to receive role requests and role responses from the RCE 430. The role requests and role responses may be “intercepted” by the augmentation service 440 unbeknownst to the RCE. Role responses may include role assignments made by the RCE.
  • The augmentation service 440 is adapted to customize an RCE response for the PEP service 420, for resources 410, or for other applications or principals. The augmentation calculator modifies the role response according to the resource decorations, resource associations, and resource profiles that form part of the augmentation service. The augmentation service 440 customizes the response for the requesting resource, adjusting access permissions and restrictions as necessary and may also apply a processing context to the response to fulfill formatting or syntax requirements of the requesting resource (e.g. to accommodate a legacy application, etc.).
  • The augmentation service 440 is further adapted to send the customized response to the PEP service 420. Thus, because the customized response need not pass back through the RCE, it is possible to configure the augmentation service, including the resource decorations, resource associations, and resource profiles, to allow multiple, disparate systems/services that are related by the role specifications to add role functionality without affecting other systems/services using a role management system/service.
  • One or more augmentation services 450 may be connected to the augmentation service 440. Augmentation services 450 operate in a manner similar to that described above with respect to augmentation service 440. The augmentation services 440, 450 may send responses to and receive responses from one another or from other augmentation services (not shown in FIG. 4) that are chained together. In this manner, augmentation services may dynamically consult one another and pre- or post modify a role request response.
  • FIG. 5 is a diagram of example interactions for an architecture associated with the methods depicted in FIGS. 1-3, according to an example embodiment. The diagram includes a variety of resources and interactions that these resources have with one another for purposes of extending generic role definitions without altering existing uses of the RBAC system. The components depicted above the dashed line may in some cases represent an existing RBAC system/service. The components below the dashed line represent mechanisms for extending role functionality without impacting an existing role management system/service. Namely, an augmentation service is shown comprising an augmentation calculator, a resource decoration module, a resource association module, and application config module. An application config module is synonymous with a resource profile module in this context. The functionality and operation of these resources has been described in detail above. Interactions between the resources are labeled with uppercase alphabetic characters A-E.
  • The character A represents the transmission of a role request from PEP X on behalf of application 2 to the RCE where one or more roles are assigned. The RCE transmits the role request and role assignments via channel B to an augmentation module for modification. The modified response is sent over C to the requesting PEP, in this case PEP X. Optionally, the augmentation calculator may pass the response via D to another augmentation module before the response is returned to PEP X. The response may be further transmitted via E to additional augmentation modules.
  • The techniques presented herein provide mechanisms necessary to allow multiple, disparate systems that are related only by the role specifications to add role functionality without affecting other applications, services, or systems using a role management system/service. The methods and systems described above provide PEP and application specific role extensions to coarse-grain role definitions that leave the general role definition intact. Among other benefits, enterprises may now more easily convert to a role management system/service in and better administer role management systems/services as user diversity is exposed by new applications, departments, or users being added to the enterprise. Thus, provisioning fine-grained access permissions, which reflect constantly changing user responsibilities within a more manageable processing environment.
  • The above description is illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
  • The Abstract is provided to comply with 37 C.F.R. §1.72(b) and will allow the reader to quickly ascertain the nature and gist of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
  • In the foregoing description of the embodiments, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Description of the Embodiments, with each claim standing on its own as a separate exemplary embodiment.

Claims (20)

1. A method implemented in a non-transitory computer-readable storage medium for execution on a machine, comprising:
evaluating, by the machine, a resource association in response to a role request and a role assignment for a principal in order to identify a resource profile for the principal;
applying one or more resource decorations to the role assignment to produce a modified role assignment based on the resource profile; and
sending the modified role assignment to a policy enforcement service for enforcement, the modified role assignment extends the role assignment and role functionality for an existing role management system without affecting other uses of the existing role management system and without affecting other legacy applications, legacy services, and legacy systems the use the existing role management system.
2. The method of claim 0, wherein evaluating further includes identifying the principal as an automated application.
3. The method of claim 1, wherein evaluating further includes identifying the principal as a user.
4. The method of claim 0, wherein evaluating further includes considering with the resource profile a relationship defined for the principal, the role request, the role assignment, and the policy enforcement service.
5. The method of claim 0, wherein evaluating further includes using the role request to identify the policy enforcement service.
6. The method of claim 1, applying further includes assigning access restrictions and/or permissions to the role assignment based on the resource profile.
7. The method of claim 0, wherein applying further includes acquiring from each resource decoration a specific processing context for a relationship among the principal, the role request, the role assignment, and the policy enforcement service.
8. A method implemented in a non-transitory computer-readable storage medium for execution on a machine as a proxy, comprising:
receiving, by the proxy, a role request from a first resource on behalf of a second resource;
acquiring, by the proxy, an original response that associates one or more roles with the second resource;
forwarding, by the proxy, the role request and the original response to an augmentation service;
receiving, by the proxy, a modified response from the augmentation service, the modified response is customized for the second resource by applying resource decorations to the original response; and
sending, by the proxy, the modified response to the first resource, the first resource enforces the access restriction defined in the modified response against the second resource, the modified response extends role functionality of an existing role management system without affecting other legacy applications, legacy services, and legacy systems that use the existing role management system.
9. The method of claim 8 further including, recognizing, by the proxy, the first resource as a Policy Enforcement Point (PEP) service and the second resource as a principal.
10. The method of claim 8 further including, implementing the proxy as a plug-in to a Role Calculation Engine (RCE).
11. The method of claim 8 further including, implementing the proxy as modifications within a Role Calculation Engine (RCE).
12. The method of claim 8, wherein forwarding further includes using the augmentation service as a augmentation calculator that identifies a resource profile for the second resource and maps the resource profile to context specific access permissions and adds the resource decorations, the resource decorations include additional access permissions or access restrictions.
13. The method of claim 8, wherein receiving the modified response further includes identifying, by the augmentation service, the resource decorations based on an identified resource profile.
14. The method of claim 8, wherein receiving the modified response further includes identifying, by the augmentation service, the resource decorations based on a relationship among the role request, the first resource, and role assignments associated with the second resource.
15. The method of claim 8, wherein in sending further includes interacting with the first resource, the first resource is a policy enforcement point (PEP) service for the second resource.
16. A method implemented in a non-transitory computer-readable storage medium for execution on a machine as a policy enforcement point (PEP) service, comprising:
receiving, by the PEP service, a role request from an application on behalf of a principal;
forwarding, by the PEP service, the role request to a role calculation engine (RCE);
receiving a modified response from an augmentation service that interacts with the RCE, the augmentation service customizes an RCE response for the application and the principal by applying resource decorations; and
enforcing the access rights defined in the modified response against the application and the principal by extending role functionality of an existing role management system without affecting other uses of the existing role management system and without affecting other legacy applications, legacy services, and legacy systems that use the existing role management system.
17. The method of claim 16, wherein receiving the modified response further includes providing, by the RCE, a resource profile to the augmentation service for customizing the RCE response.
18. The method of claim 0 further including, selecting the resource decorations, by the augmentation service, in response to the resource profile.
19. The method of claim 0, wherein receiving the modified response further includes, forwarding, by the augmentation service, the RCE response to multiple additional augmentation services for additional nested customization.
20. The method of claim 16, wherein receiving the modified response further includes identifying the resource decorations as specific processing contexts that include additional access permissions and/or additional access restrictions for the application and the principal beyond what is provided in the existing role management system.
US13/222,258 2007-01-10 2011-08-31 Role policy management Abandoned US20110314513A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/222,258 US20110314513A1 (en) 2007-01-10 2011-08-31 Role policy management

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/621,762 US8032558B2 (en) 2007-01-10 2007-01-10 Role policy management
US13/222,258 US20110314513A1 (en) 2007-01-10 2011-08-31 Role policy management

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/621,762 Continuation US8032558B2 (en) 2007-01-10 2007-01-10 Role policy management

Publications (1)

Publication Number Publication Date
US20110314513A1 true US20110314513A1 (en) 2011-12-22

Family

ID=39189331

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/621,762 Active 2027-08-18 US8032558B2 (en) 2007-01-10 2007-01-10 Role policy management
US13/222,258 Abandoned US20110314513A1 (en) 2007-01-10 2011-08-31 Role policy management

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/621,762 Active 2027-08-18 US8032558B2 (en) 2007-01-10 2007-01-10 Role policy management

Country Status (2)

Country Link
US (2) US8032558B2 (en)
EP (1) EP1944718A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130198814A1 (en) * 2012-01-31 2013-08-01 Oracle International Corporation Method and system for implementing an advanced mobile authentication solution
US20230401260A1 (en) * 2022-06-13 2023-12-14 Snowflake Inc. Projection constraints in a query processing system

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8789159B2 (en) * 2008-02-11 2014-07-22 Microsoft Corporation System for running potentially malicious code
US20110231847A1 (en) 2009-10-28 2011-09-22 Lategan Christopher F Management of multiple instances of legacy application tasks
US9218501B2 (en) * 2010-08-06 2015-12-22 Oracle International Corporation Secure access management against volatile identity stores
US20120174205A1 (en) * 2010-12-31 2012-07-05 International Business Machines Corporation User profile and usage pattern based user identification prediction
US20120240194A1 (en) * 2011-03-18 2012-09-20 eClaris Software, Inc. Systems and Methods for Controlling Access to Electronic Data
US9105009B2 (en) 2011-03-21 2015-08-11 Microsoft Technology Licensing, Llc Email-based automated recovery action in a hosted environment
US20130159049A1 (en) * 2011-12-15 2013-06-20 Sayekumar Arumugam Automatic risk calibration of roles in computer systems
US9635029B2 (en) * 2012-01-27 2017-04-25 Honeywell International Inc. Role-based access control permissions
JP5799855B2 (en) * 2012-03-02 2015-10-28 富士通株式会社 Service providing method, program, and information processing apparatus
US9460303B2 (en) * 2012-03-06 2016-10-04 Microsoft Technology Licensing, Llc Operating large scale systems and cloud services with zero-standing elevated permissions
US9081950B2 (en) * 2012-05-29 2015-07-14 International Business Machines Corporation Enabling host based RBAC roles for LDAP users
WO2014034119A1 (en) * 2012-08-30 2014-03-06 Nec Corporation Access control system, access control method, and program
US9331952B2 (en) * 2013-01-02 2016-05-03 International Business Machines Corporation Modifying an assignment of nodes to roles in a computing environment
US9430665B2 (en) 2013-07-22 2016-08-30 Siemens Aktiengesellschaft Dynamic authorization to features and data in JAVA-based enterprise applications
FR3014583A1 (en) * 2013-12-05 2015-06-12 Orange METHOD OF ESTABLISHING A TRUSTED RELATIONSHIP BETWEEN TWO TENANTS IN A CLOUD NETWORK
US9762585B2 (en) 2015-03-19 2017-09-12 Microsoft Technology Licensing, Llc Tenant lockbox
US20160328279A1 (en) * 2015-05-07 2016-11-10 Ebay Inc. Method and System for Providing a Framework as a Service
US10931682B2 (en) 2015-06-30 2021-02-23 Microsoft Technology Licensing, Llc Privileged identity management
US20170300673A1 (en) * 2016-04-19 2017-10-19 Brillio LLC Information apparatus and method for authorizing user of augment reality apparatus
US10491584B2 (en) * 2017-05-22 2019-11-26 General Electric Company Role-based resource access control
DE102018127949A1 (en) 2018-11-08 2020-05-14 Samson Aktiengesellschaft Control of access rights in a networked system with data processing
US11314856B2 (en) * 2019-04-29 2022-04-26 ColorTokens, Inc. Generating rule-based access control policies using a bytecode instrumentation system
US11456917B2 (en) * 2020-06-01 2022-09-27 Cisco Technology, Inc. Analyzing deployed networks with respect to network solutions

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0697662B1 (en) * 1994-08-15 2001-05-30 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
US6023765A (en) * 1996-12-06 2000-02-08 The United States Of America As Represented By The Secretary Of Commerce Implementation of role-based access control in multi-level secure systems
US6434607B1 (en) * 1997-06-19 2002-08-13 International Business Machines Corporation Web server providing role-based multi-level security
US6088679A (en) * 1997-12-01 2000-07-11 The United States Of America As Represented By The Secretary Of Commerce Workflow management employing role-based access control
GB9912494D0 (en) 1999-05-28 1999-07-28 Hewlett Packard Co Configuring computer systems
FI110565B (en) * 1999-06-08 2003-02-14 Nokia Corp Procedure and arrangement for a telephone exchange system
US6785822B1 (en) * 1999-09-16 2004-08-31 International Business Machines Corporation System and method for role based dynamic configuration of user profiles
US6751657B1 (en) * 1999-12-21 2004-06-15 Worldcom, Inc. System and method for notification subscription filtering based on user role
US6775658B1 (en) * 1999-12-21 2004-08-10 Mci, Inc. Notification by business rule trigger control
US6732100B1 (en) * 2000-03-31 2004-05-04 Siebel Systems, Inc. Database access method and system for user role defined access
US6871231B2 (en) * 2001-01-03 2005-03-22 Ipac Acquisition Subsidiary I, Llc Role-based access to image metadata
JP2002304476A (en) * 2001-04-05 2002-10-18 Hitachi Ltd Role management type cooperative learning support system
US20020178119A1 (en) 2001-05-24 2002-11-28 International Business Machines Corporation Method and system for a role-based access control model with active roles
WO2003015342A1 (en) * 2001-08-08 2003-02-20 Trivium Systems Inc. Dynamic rules-based secure data access system for business computer platforms
US7124192B2 (en) * 2001-08-30 2006-10-17 International Business Machines Corporation Role-permission model for security policy administration and enforcement
US6950825B2 (en) * 2002-05-30 2005-09-27 International Business Machines Corporation Fine grained role-based access to system resources
US7591000B2 (en) * 2003-02-14 2009-09-15 Oracle International Corporation System and method for hierarchical role-based entitlements
US6917975B2 (en) * 2003-02-14 2005-07-12 Bea Systems, Inc. Method for role and resource policy management
US7653930B2 (en) * 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US20050044097A1 (en) * 2003-08-19 2005-02-24 Jaime Singson Method and apparatus for facilitating data stewardship for metadata in an ETL and data warehouse system
FR2859061B1 (en) 2003-08-19 2005-12-02 Cit Alcatel METHOD AND DEVICE FOR GENERATING ROLES FOR ELEMENTS OF A COMMUNICATIONS NETWORK, BASED ON ROLE MODELS
US7644432B2 (en) * 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US20060218394A1 (en) * 2005-03-28 2006-09-28 Yang Dung C Organizational role-based controlled access management system
US9231911B2 (en) * 2006-10-16 2016-01-05 Aruba Networks, Inc. Per-user firewall

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130198814A1 (en) * 2012-01-31 2013-08-01 Oracle International Corporation Method and system for implementing an advanced mobile authentication solution
US9326140B2 (en) * 2012-01-31 2016-04-26 Oracle International Corporation Method and system for implementing an advanced mobile authentication solution
US20230401260A1 (en) * 2022-06-13 2023-12-14 Snowflake Inc. Projection constraints in a query processing system
US11928157B2 (en) * 2022-06-13 2024-03-12 Snowflake Inc. Projection constraints in a query processing system
US11995126B2 (en) 2022-06-13 2024-05-28 Snowflake Inc. Projection constraints enforced in a database system

Also Published As

Publication number Publication date
EP1944718A1 (en) 2008-07-16
US20080168532A1 (en) 2008-07-10
US8032558B2 (en) 2011-10-04

Similar Documents

Publication Publication Date Title
US8032558B2 (en) Role policy management
CN107046530B (en) Coordination management system for heterogeneous agile information technology environment
US9053302B2 (en) Obligation system for enterprise environments
Shen et al. An attribute-based access control model for web services
US9473499B2 (en) Federated role provisioning
EP1988486B1 (en) Virtualized federated role provisioning
US7827598B2 (en) Grouped access control list actions
US7954135B2 (en) Techniques for project lifecycle staged-based access control
US20090205018A1 (en) Method and system for the specification and enforcement of arbitrary attribute-based access control policies
EP1933264A1 (en) Policy enforcement via attestations
CA2771485C (en) Authorized data access based on the rights of a user and a location
US11621961B2 (en) Method for managing a cloud computing system
Haibo et al. A context-aware role-based access control model for web services
Ferraiolo et al. Composing and combining policies under the policy machine
Gupta et al. Enabling attribute-based access control in NoSQL databases
Chandersekaran et al. Use case based access control
CN115348027A (en) Permission control method, system and device based on block chain and readable storage medium
Gkioulos et al. Enhancing usage control for performance: An architecture for systems of systems
US20100043049A1 (en) Identity and policy enabled collaboration
CN112733185A (en) Method and system for controlling resources based on attribute access
Xu et al. Research on mandatory access control model for application system
US20090259757A1 (en) Securely Pushing Connection Settings to a Terminal Server Using Tickets
US20090048888A1 (en) Techniques for claim staking in a project stage-based environment
He Role security access control of the distributed object systems
WO2019218020A1 (en) A security gateway and method for controlling user interaction with one or more databases

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION