US2011314513A1PendingUtilityA1

Role policy management

49
Assignee: CARTER STEPHEN RPriority: Jan 10, 2007Filed: Aug 31, 2011Published: Dec 22, 2011
Est. expiryJan 10, 2027(~0.5 yrs left)· nominal 20-yr term from priority
G06F 21/604G06Q 10/06
49
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In various embodiments, techniques for role management systems/services are provided. According to an embodiment, a method is provided to allow a role management system to be configured, modified, and restricted. Specific roles assignments may be decorated to be meaningful to an application but which are not generally applicable to an original role specification. A Policy Enforcement Point (PEP) role request response may be modified by an augmentation service, which evaluates a resource association to identify an appropriate resource profile. Resource decorations are identified by the selected profile and are applied to the role request response.

Claims

exact text as granted — not AI-modified
1 . A method implemented in a non-transitory computer-readable storage medium for execution on a machine, comprising:
 evaluating, by the machine, a resource association in response to a role request and a role assignment for a principal in order to identify a resource profile for the principal;   applying one or more resource decorations to the role assignment to produce a modified role assignment based on the resource profile; and   sending the modified role assignment to a policy enforcement service for enforcement, the modified role assignment extends the role assignment and role functionality for an existing role management system without affecting other uses of the existing role management system and without affecting other legacy applications, legacy services, and legacy systems the use the existing role management system.   
     
     
         2 . The method of claim  0 , wherein evaluating further includes identifying the principal as an automated application. 
     
     
         3 . The method of  claim 1 , wherein evaluating further includes identifying the principal as a user. 
     
     
         4 . The method of claim  0 , wherein evaluating further includes considering with the resource profile a relationship defined for the principal, the role request, the role assignment, and the policy enforcement service. 
     
     
         5 . The method of claim  0 , wherein evaluating further includes using the role request to identify the policy enforcement service. 
     
     
         6 . The method of  claim 1 , applying further includes assigning access restrictions and/or permissions to the role assignment based on the resource profile. 
     
     
         7 . The method of claim  0 , wherein applying further includes acquiring from each resource decoration a specific processing context for a relationship among the principal, the role request, the role assignment, and the policy enforcement service. 
     
     
         8 . A method implemented in a non-transitory computer-readable storage medium for execution on a machine as a proxy, comprising:
 receiving, by the proxy, a role request from a first resource on behalf of a second resource;   acquiring, by the proxy, an original response that associates one or more roles with the second resource;   forwarding, by the proxy, the role request and the original response to an augmentation service;   receiving, by the proxy, a modified response from the augmentation service, the modified response is customized for the second resource by applying resource decorations to the original response; and   sending, by the proxy, the modified response to the first resource, the first resource enforces the access restriction defined in the modified response against the second resource, the modified response extends role functionality of an existing role management system without affecting other legacy applications, legacy services, and legacy systems that use the existing role management system.   
     
     
         9 . The method of  claim 8  further including, recognizing, by the proxy, the first resource as a Policy Enforcement Point (PEP) service and the second resource as a principal. 
     
     
         10 . The method of  claim 8  further including, implementing the proxy as a plug-in to a Role Calculation Engine (RCE). 
     
     
         11 . The method of  claim 8  further including, implementing the proxy as modifications within a Role Calculation Engine (RCE). 
     
     
         12 . The method of  claim 8 , wherein forwarding further includes using the augmentation service as a augmentation calculator that identifies a resource profile for the second resource and maps the resource profile to context specific access permissions and adds the resource decorations, the resource decorations include additional access permissions or access restrictions. 
     
     
         13 . The method of  claim 8 , wherein receiving the modified response further includes identifying, by the augmentation service, the resource decorations based on an identified resource profile. 
     
     
         14 . The method of  claim 8 , wherein receiving the modified response further includes identifying, by the augmentation service, the resource decorations based on a relationship among the role request, the first resource, and role assignments associated with the second resource. 
     
     
         15 . The method of  claim 8 , wherein in sending further includes interacting with the first resource, the first resource is a policy enforcement point (PEP) service for the second resource. 
     
     
         16 . A method implemented in a non-transitory computer-readable storage medium for execution on a machine as a policy enforcement point (PEP) service, comprising:
 receiving, by the PEP service, a role request from an application on behalf of a principal;   forwarding, by the PEP service, the role request to a role calculation engine (RCE);   receiving a modified response from an augmentation service that interacts with the RCE, the augmentation service customizes an RCE response for the application and the principal by applying resource decorations; and   enforcing the access rights defined in the modified response against the application and the principal by extending role functionality of an existing role management system without affecting other uses of the existing role management system and without affecting other legacy applications, legacy services, and legacy systems that use the existing role management system.   
     
     
         17 . The method of  claim 16 , wherein receiving the modified response further includes providing, by the RCE, a resource profile to the augmentation service for customizing the RCE response. 
     
     
         18 . The method of claim  0  further including, selecting the resource decorations, by the augmentation service, in response to the resource profile. 
     
     
         19 . The method of claim  0 , wherein receiving the modified response further includes, forwarding, by the augmentation service, the RCE response to multiple additional augmentation services for additional nested customization. 
     
     
         20 . The method of  claim 16 , wherein receiving the modified response further includes identifying the resource decorations as specific processing contexts that include additional access permissions and/or additional access restrictions for the application and the principal beyond what is provided in the existing role management system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.