Methods and apparatus for scoped role-based access control
Abstract
Methods and apparatus for providing role-based access control of a resource by a subject in an access control system are provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
Claims
exact text as granted — not AI-modified1 . A method of providing role-based access control of a resource by a subject in an access control system comprising the steps of:
determining if the resource is accessible by the subject; determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
2 . The method of claim 1 , wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of one or more subjects that may access the resource comprise the subject.
3 . The method of claim 2 , wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects are implemented using at least one of a distributed relation database and a distributed hashing table.
4 . The method of claim 2 , wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
5 . The method of claim 1 , wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of one or more role-permission pairs that may access the resource comprise the role and the associated permission of the subject.
6 . The method of claim 5 , wherein, in the step of determining if a table of role-one or more permission pairs comprise the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
7 . The method of claim 5 , wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of role-permission pairs are implemented using at least one of a distributed relation database and a distributed hashing table.
8 . The method of claim 5 , wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of one or more role-permission pairs is maintained by at least one of the access control system and the resource.
9 . The method of claim 1 , wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of subject-role-permission sets comprise the subject, and wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of subject-role-permission sets comprise the role and the associated permission of the subject.
10 . Apparatus for providing role-based access control of a resource by a subject in an access control system, comprising:
a memory; and at least one processor coupled to the memory and operative to: (i) determine if the resource is accessible by the subject; (ii) determine if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; (iii) permit access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and (iv) deny access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
11 . The apparatus of claim 10 , wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of one or more subjects that may access the resource comprise the subject.
12 . The apparatus of claim 11 , wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects are implemented using at least one of a distributed relation database and a distributed hashing table.
13 . The apparatus of claim 11 , wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
14 . The apparatus of claim 10 , wherein the operation of determining if the resource is accessible by a role and an associated permission of the subject comprises the operation of determining if a table of one or more role-permission pairs that may access the resource comprise the role and the associated permission of the subject.
15 . The apparatus of claim 14 , wherein, in the operation of determining if a table of role-one or more permission pairs comprise the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
16 . The apparatus of claim 10 , wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of subject-role-permission sets comprise the subject, and wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of subject-role-permission sets comprise the role and the associated permission of the subject.
17 . An article of manufacture for providing role-based access control of a resource by a subject in an access control system, comprising a machine readable medium containing one or more programs which when executed implement the steps of:
determining if the resource is accessible by the subject; determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
18 . A role-based access control system comprising:
one or more roles capable of association with one or more subjects; a plurality of permission sets, wherein one or more of the plurality of permission sets are associated with each of the one or more roles; a plurality of resources, wherein one or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources are associated with set of one or more subjects; wherein a given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
19 . The role-based access control system of claim 18 , wherein each of the plurality of permission sets comprise one or more actions that may be performed on a resource.
20 . The role-based access control system of claim 18 , wherein a first subject of the one or more subjects and a second subject of the one or more subjects are associated with an identical role of the one or more roles and differing permission sets of the plurality of permission sets.Join the waitlist — get patent alerts
Track US2008005115A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.