US2008209507A1PendingUtilityA1

Mobile authorization using policy based access control

51
Assignee: GOH SWEEFENPriority: Jun 13, 2005Filed: May 7, 2008Published: Aug 28, 2008
Est. expiryJun 13, 2025(expired)· nominal 20-yr term from priority
H04L 63/104
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.

Claims

exact text as granted — not AI-modified
1 . A method, in a data processing system, for mobile authorization using policy based access control, the method comprising:
 collecting one or more policies for a remote device based on membership of one or more users and membership of one or more resources to be downloaded to the remote device to form a set of collected policies;   transforming the set of collected policies for the remote device to form a set of simplified policies; and   sending the set of simplified policies to the remote device.   
   
   
       2 . The method of  claim 1 , wherein a given policy within the one or more policies includes a policy action group specifying a set of actions, and wherein collecting the one or more policies includes filtering out the given policy if the set of actions is not available on the remote device. 
   
   
       3 . The method of  claim 1 , wherein a given policy within the one or more policies includes a policy member group, and wherein collecting the one or more policies includes:
 determining a set of remote device users associated with the remote device; and   filtering out the given policy if no users within the set of remote device users are in the policy member group.   
   
   
       4 . The method of  claim 1 , wherein a given policy within the one or more policies includes a policy resource group, and wherein collecting the one or more policies includes filtering out the given policy if one or more resources available to the remote device are not members of the policy resource group. 
   
   
       5 . The method of  claim 1 , wherein a given policy within the one or more policies specifies a relationship between a user and a resource, and wherein collecting the one or more policies includes filtering out the given policy if a user of the remote device does not have the specified relationship with a resource available to the remote device. 
   
   
       6 . The method of  claim 1 , further comprising:
 performing reachability analysis to identify all policies within the one or more policies where conditions to satisfy a policy are reachable on the remote device from an initial set of resources downloaded to the remote device, given operations possible on the remote device   
   
   
       7 . The method of  claim 1 , further comprising:
 receiving, at the remote device, one or more simplified policies for the remote device and one or more resources;   responsive to a request to perform an action during an off-line mode at the remote device, checking the user, the resource, and the action against the one or more simplified policies; and   granting the action at the remote device if the user, the resource, and the action pass the check.   
   
   
       8 . The method of  claim 7 , further comprising:
 denying the action at the remote device if the user, the resource and the action fail the check.   
   
   
       9 . The method of  claim 7 , further comprising:
 responsive to a request to perform an action during an off-line mode at the remote device, checking a relationship between the user and the resource against the one or more simplified policies; and   granting the action at the remote device if the user, the resource, and the action pass the check.   
   
   
       10 . A mobile authorization data processing system, comprising:
 a filtering component in a server that collects one or more policies for a remote device based on membership of one or more users and membership of one or more resources to be downloaded to the remote device to form a set of collected policies;   a transformation component in the server that transforms the set of collected policies for the remote device to form a set of simplified policies; and   a communication component in the server sending the set of simplified policies to the remote device.   
   
   
       11 . The mobile authorization data processing system of  claim 10 , further comprising:
 an authorization engine in the remote device that receives one or more simplified policies for the remote device and one or more resources, checks the user, the resource, and the action against the one or more simplified policies responsive to a request to perform an action during an off-line mode at the remote device, and grants the action at the remote device if the user, the resource, and the action pass the check.   
   
   
       12 . A computer program product for mobile authorization using policy based access control, the computer program product comprising:
 a computer usable medium having computer usable program code for mobile authorization using policy based access control, the computer program product including:   computer usable program code for collecting one or more policies for a remote device based on membership of one or more users and membership of one or more resources to be downloaded to the remote device to form a set of collected policies;   computer usable program code for transforming the set of collected policies for the remote device to form a set of simplified policies; and   computer usable program code for sending the set of simplified policies to the remote device.   
   
   
       13 . The computer program product of  claim 12 , wherein a given policy within the one or more policies includes a policy action group specifying a set of actions, and wherein the computer usable program code for collecting the one or more policies includes computer usable program code for filtering out the given policy if the set of actions is not available on the remote device. 
   
   
       14 . The computer program product of  claim 12 , wherein a given policy within the one or more policies includes a policy member group, and wherein the computer usable program code for collecting the one or more policies includes:
 computer usable program code for determining a set of remote device users associated with the remote device; and   computer usable program code for filtering out the given policy if no users within the set of remote device users are in the policy member group.   
   
   
       15 . The computer program product of  claim 12 , wherein a given policy within the one or more policies includes a policy resource group, and wherein the computer usable program code for collecting the one or more policies includes computer usable program code for filtering out the given policy if one or more resources available to the remote device are not members of the policy resource group. 
   
   
       16 . The computer program product of  claim 12 , wherein a given policy within the one or more policies specifies a relationship between a user and a resource, and wherein the computer usable program code for collecting the one or more policies includes computer usable program code for filtering out the given policy if a user of the remote device does not have the specified relationship with a resource available to the remote device. 
   
   
       17 . The computer program product of  claim 12 , wherein the computer program product including further includes:
 computer usable program code for performing reachability analysis to identify all policies within the one or more policies where conditions to satisfy a policy are reachable on the remote device from an initial set of resources downloaded to the remote device, given operations possible on the remote device   
   
   
       18 . The computer program product of  claim 12 , wherein the computer program product including further includes:
 computer usable program code for receiving, at the remote device, one or more simplified policies for the remote device and one or more resources;   computer usable program code for checking the user, the resource, and the action against the one or more simplified policies responsive to a request to perform an action during an off-line mode at the remote device; and   computer usable program code for granting the action at the remote device if the user, the resource, and the action pass the check.   
   
   
       19 . The computer program product of  claim 18 , wherein the computer program product including further includes:
 computer usable program code for denying the action at the remote device if the user, the resource and the action fail the check.   
   
   
       20 . The computer program product of  claim 18 , wherein the computer program product including further includes:
 computer usable program code for checking a relationship between the user and the resource against the one or more simplified policies responsive to a request to perform an action during an off-line mode at the remote device; and   computer usable program code for granting the action at the remote device if the user, the resource, and the action pass the check.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.