US20080005115A1 - Methods and apparatus for scoped role-based access control - Google Patents
- Publication number: US20080005115A1
- Authority: US (United States)
- Legal status: Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Description
- This application is related to: the U.S. Patent Application Attorney Docket No. YOR920060467US1, entitled “Methods and Apparatus for Composite Configuration Item Management in Configuration Management Database;” the U.S. Patent Application Attorney Docket No. YOR920060468US1, entitled “Methods and Apparatus for Global Service Management of Configuration Management Databases;” the U.S. Patent Application Attorney Docket No. YOR920060469US1, entitled “Methods and Apparatus for Automatically Creating Composite Configuration Items in Configuration Management Database;” and the U.S. Patent Application Attorney Docket No. YOR920060478US1, entitled “Methods and Apparatus for Managing Configuration Management Database via Composite Configuration Item Change History” which are filed concurrently herewith and incorporated by reference herein.
- The present invention relates to information technology (IT) systems and, more particularly, methods and apparatus for providing role-based access control of a system resource.
- In IT systems, a technical means for controlling access to computing or information resources must be provided for security purposes. A resource could represent data such as a file or database, network elements such as routers and switches, or computer systems. Access is the ability to manipulate, for example, view, add, modify, or delete, a resource. Access control is the means by which the ability to access is explicitly enabled or restricted in some way through system administration. Access controls can prescribe not only who or what process or entity may have access to a specific system resource, but also the type of access that is permitted.
- The traditional Role-Based Access Control (RBAC) is a powerful technique developed for controlling access to resources in a complex system. With role-based access control access rights are grouped by role name, and the use of resources is restricted to users authorized to assume the associated role. For example, within an IT system the role of system administrator can include operations to perform resource viewing, addition, modification, deletion while the role of librarian can only include operations to view system resources. The advantage of having roles with associated groups of subjects is that by changing the permissions of a single role, the access rights of all the subjects in the group are changed.
- However, there are drawbacks with the traditional RBAC system, especially in large distributed systems because subjects with the same role always have the same set of permissions against the same set of resources.
- Subjects having the same role cannot be assigned access to different resources. Therefore, a subject belonging to a first organization having the same roles and permissions as a subject belonging to a second organization may have access to resources of the second organization. Additionally, there is no mechanism to distinguish a role across organizations in a large scale system where multiple organizations may be operating concurrently. To simplify the management of a large scale modern IT system, it is desirable to have a role that can have different meanings from organization to organization. For example, in a grid computing environment, the access rights of a role, such as librarian, may vary from organization to organization, and the role may have a different set of permissions in each organization, more specifically, organizations can independently assign permissions to roles according to local policies.
- In accordance with the aforementioned and other objectives, the embodiments of the present invention are directed towards methods and apparatus for scoped role-based access control of a resource by a subject in an access control system.
- For example, in one aspect of the present invention a method of providing role-based access control of a resource by a subject in an access control system is provided. It is determined if the resource is accessible by the subject. When the resource is accessible by the subject, it is determined if the resource is accessible by a role and an associated permission of the subject. When the resource is accessible by the role and the associated permission of the subject, access control of the resource by the subject is permitted. When the resource is not accessible by the subject or the role and the associated permission of the subject, access control of the resource by the subject is denied.
- In additional embodiments of the present invention, it is determined if a table of one or more subjects that may access the resource comprises the subject. Further, it is determined if a table of one or more role-permission pairs that may access the resource comprise the role and the associated permission of the subject.
- In another aspect of the invention, a role-based access control system is provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
- The embodiments of the present invention provide a scoped role-based access control system, in which a role is associated with multiple sets of permissions and multiple resources are bound to a permission set. A scope is created to associate subjects with resources and another scope is created to associate a set of resources with a role/permission set. This allows multiple subjects having the same role to have different set of permissions associated with their roles against separate sets of resources.
- These and other objects, features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.
- FIG. 1 is a diagram illustrating a conventional RBAC system;
- FIG. 2 is a diagram illustrating a scoped RBAC system, according to an embodiment of the present invention;
- FIG. 3 is a flow diagram illustrating a scoped RBAC methodology, according to an embodiment of the present invention; and
- FIG. 4 is a diagram illustrating an illustrative hardware implementation of a computing system in accordance with which one or more components/methodologies of the present invention may be implemented, according to an embodiment of the present invention.
- As will be illustrated in detail below, the embodiments of the present invention introduce techniques for providing scoped role-based access control of a resource by a subject in an access control system.
- Referring initially to FIG. 1, a diagram illustrates a conventional RBAC system. Subject-1 102 and Subject-2 104 are assigned a role 106 for access to specific resources. Role 106 is assigned to a specific set of permissions 108, and the specific resources 110 are bound to this set of permissions 108.
- Referring now to FIG. 2, a diagram illustrates a scoped RBAC system, according to an embodiment of the present invention. A role 202 is associated with multiple permission sets 204, 206. Then a scope is created to associate a set of resources 208, 210 with permission set 204. In FIG. 2, two such scopes are shown, in that resource 212 is associated with permission set 206. This scope conveys the permission a subject has when accessing the resource under the role associated with the permission set. More specifically, this scope distinguishes a role across organizations in a large scale system where multiple organizations may be operating concurrently. The role may have different meanings from organization to organization.
- Another scope is created to associate a set of subjects with a resource. For example, subject-1 214 and subject-2 216 may be associated with resource-1 208, while subject-3 218 may not be associated with resource-1 208. In such an embodiment, only subject-1 214 and subject-2 216 may access resource-1 208. This scope conveys specific resource access rights to subjects that are granted that scope. Subjects having the same role can be assigned access to different resources. Therefore, even when roles and permission sets are the same in two separate organizations, the subjects from one organization may be prevented from accessing resources from another organization.
- Thus, multiple subjects having the same role are given different permissions against separate resources across organizations in a complex modern computing environment. This extension does not affect the RBAC property that subject-to-role assignment is done independently of role-to-permission assignment.
- The embodiments of the present invention implement an access control operation that decides whether a subject in a particular role has the permission to perform an action in a given resource, more specifically, deny or allow access.
- In accordance with a decentralized embodiment of the present invention, each resource maintains a table of subjects that are allowed to access the resource, similar to an access control list. This table maintains the subject-resource scope described above. In addition to this table, the resource maintains a second table that stores pairs of role-permission entries. This table maintains the role-permission scope for each resource. An entry in the table indicates that any subject with the role of the entry has the permission indicated in the entry. Multiple entries may exist per role and multiple entries may exist per permission.
- Referring now to FIG. 3, a flow diagram illustrates a scoped RBAC methodology, according to an embodiment of the present invention. The methodology begins in block 302, where it is determined if the resource is accessible by the subject. This may be accomplished by determining if the subject is in the access control table of the resource. If the resource is accessible by the subject, it is determined if the resource is accessible by a role and an associated permission of the subject in block 304. This may be accomplished by determining if the role and permission are in the second table of the resource as described above. If the resource is accessible by the role and the associated permission of the subject, access control of the resource is permitted by the subject in block 306, terminating the methodology. If the resource is not accessible by the subject or the role and the associated permission of the subject, access control of the resource is denied in block 308, terminating the methodology.
- Tables may be implemented using distributed relational databases or distributed hashing tables. In this case a centralized system can implement the access control operation and the maintenance of the tables can be distributed to the resources. A fully centralized system can also be developed by keeping all the tables in a single database maintained by the access control system and not by the resources.
- In accordance with the embodiments of the present invention multiple users in the same role may be allowed access to different resources, and a user in a role may have different permissions according to the resources he or she is trying to access.
- If two users with access to the same resource under the same role are to be allowed different permissions, the two scope tables described above may be combined into a single table. In this case, for each user that can take a given role, there must be a subject-role-permission entry for each permission the subject is able to perform in that role.
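The decision procedure of FIG. 3 (subject table first, then role-permission table) and the combined subject-role-permission table of the previous paragraph, written out as an added example that is not code from the patent. The per-resource tables, the two organizations, the subject names and the check that a subject actually holds the role it asserts are this example's own assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Subject:
    """A principal and the roles it may assume. Role assignment stays
    independent of the per-resource tables, as in classic RBAC."""
    name: str
    roles: frozenset


@dataclass
class Resource:
    """One protected resource in the decentralized embodiment: it keeps its
    own subject table (subject-resource scope, ACL-like) and its own
    role-permission table (role-permission scope)."""
    name: str
    subjects: set = field(default_factory=set)      # subject names allowed at all
    role_perms: set = field(default_factory=set)    # {(role, permission), ...}


def check_access(resource, subject, role, permission):
    """Decision of FIG. 3. Returns (allowed, reason) so the caller can log
    why a request was refused. The role-membership test is an assumption of
    this example: the text speaks of "a subject in a particular role", and
    this is how the example establishes that the subject holds that role."""
    if subject.name not in resource.subjects:              # block 302 fails
        return False, "subject not in resource subject table"   # block 308
    if role not in subject.roles:                          # assumption, see above
        return False, "subject does not hold role"
    if (role, permission) not in resource.role_perms:      # block 304 fails
        return False, "role-permission pair not in resource table"  # block 308
    return True, "allowed"                                 # block 306


def combine_tables(resource, subjects):
    """Merge the two scopes into a single subject-role-permission table: one
    entry per permission each allowed subject can exercise in each role it
    holds on this resource. Entries can then be dropped per subject, which
    the two-table form cannot express."""
    return {
        (s.name, role, perm)
        for s in subjects if s.name in resource.subjects
        for role, perm in resource.role_perms if role in s.roles
    }


def check_combined(table, subject_name, role, permission):
    """Single lookup against the combined table."""
    return (subject_name, role, permission) in table


# Constructed sample data: two organizations that each define "librarian"
# according to their own local policy.
ALICE = Subject("alice", frozenset({"librarian"}))
BOB = Subject("bob", frozenset({"librarian"}))
CAROL = Subject("carol", frozenset({"librarian"}))

CATALOG_A = Resource("catalog-A", subjects={"alice", "carol"},
                     role_perms={("librarian", "view"), ("librarian", "modify")})
CATALOG_B = Resource("catalog-B", subjects={"bob"},
                     role_perms={("librarian", "view")})


def demo():
    """Run the decisions that show the two scopes at work."""
    out = {}
    # Same role, different permissions per organization.
    out["alice_modify_A"] = check_access(CATALOG_A, ALICE, "librarian", "modify")[0]
    out["bob_modify_B"] = check_access(CATALOG_B, BOB, "librarian", "modify")[0]
    # Same role and a permission B grants, but alice is not in B's subject table.
    out["alice_view_B"] = check_access(CATALOG_B, ALICE, "librarian", "view")[0]
    # Combined table: carol shares alice's role on catalog-A but loses "modify".
    combined = combine_tables(CATALOG_A, [ALICE, BOB, CAROL])
    combined.discard(("carol", "librarian", "modify"))
    out["carol_view_A"] = check_combined(combined, "carol", "librarian", "view")
    out["carol_modify_A"] = check_combined(combined, "carol", "librarian", "modify")
    out["alice_modify_A_combined"] = check_combined(combined, "alice", "librarian", "modify")
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```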
- Referring now to FIG. 4, a block diagram illustrates an exemplary hardware implementation of a computing system in accordance with which one or more components/methodologies of the invention (e.g., components/methodologies described in the context of FIGS. 1-3) may be implemented, according to an embodiment of the present invention.
- As shown, the computer system may be implemented in accordance with a processor 410, a memory 412, I/O devices 414, and a network interface 416, coupled via a computer bus 418 or alternate connection arrangement.
- It is to be appreciated that the term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other processing circuitry. It is also to be understood that the term “processor” may refer to more than one processing device and that various elements associated with a processing device may be shared by other processing devices.
- The term “memory” as used herein is intended to include memory associated with a processor or CPU, such as, for example, RAM, ROM, a fixed memory device (e.g., hard drive), a removable memory device (e.g., diskette), flash memory, etc.
- In addition, the phrase “input/output devices” or “I/O devices” as used herein is intended to include, for example, one or more input devices (e.g., keyboard, mouse, scanner, etc.) for entering data to the processing unit, and/or one or more output devices (e.g., speaker, display, printer, etc.) for presenting results associated with the processing unit.
- Still further, the phrase “network interface” as used herein is intended to include, for example, one or more transceivers to permit the computer system to communicate with another computer system via an appropriate communications protocol.
- Software components including instructions or code for performing the methodologies described herein may be stored in one or more of the associated memory devices (e.g., ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (e.g., into RAM) and executed by a CPU.
- Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be made by one skilled in the art without departing from the scope or spirit of the invention.
Claims (20)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/479,356 US20080005115A1 (en) | 2006-06-30 | 2006-06-30 | Methods and apparatus for scoped role-based access control |
US12/135,535 US8458337B2 (en) | 2006-06-30 | 2008-06-09 | Methods and apparatus for scoped role-based access control |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/479,356 US20080005115A1 (en) | 2006-06-30 | 2006-06-30 | Methods and apparatus for scoped role-based access control |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/135,535 Continuation US8458337B2 (en) | 2006-06-30 | 2008-06-09 | Methods and apparatus for scoped role-based access control |
Publications (1)
Publication Number | Publication Date |
---|---|
US20080005115A1 true US20080005115A1 (en) | 2008-01-03 |
Family
ID=38877968
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/479,356 Abandoned US20080005115A1 (en) | 2006-06-30 | 2006-06-30 | Methods and apparatus for scoped role-based access control |
US12/135,535 Expired - Fee Related US8458337B2 (en) | 2006-06-30 | 2008-06-09 | Methods and apparatus for scoped role-based access control |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/135,535 Expired - Fee Related US8458337B2 (en) | 2006-06-30 | 2008-06-09 | Methods and apparatus for scoped role-based access control |
Country Status (1)
Country | Link |
---|---|
US (2) | US20080005115A1 (en) |
US9529629B2 (en) | 2012-12-20 | 2016-12-27 | Bank Of America Corporation | Computing resource inventory system |
US9147055B2 (en) | 2013-08-29 | 2015-09-29 | Bank Of America Corporation | Entitlement predictions |
US9507609B2 (en) | 2013-09-29 | 2016-11-29 | Taplytics Inc. | System and method for developing an application |
US8875230B1 (en) * | 2013-12-19 | 2014-10-28 | Medidata Solutions, Inc. | Controlling access to a software application |
US10452855B2 (en) | 2014-08-12 | 2019-10-22 | Hewlett Packard Development Company, L.P. | Composite document access |
US9379897B1 (en) | 2015-02-06 | 2016-06-28 | Bank Of America Corporation | Method and apparatus for providing an interactive hierarchical entitlement map |
DE102018127949A1 (en) | 2018-11-08 | 2020-05-14 | Samson Aktiengesellschaft | Control of access rights in a networked system with data processing |
US11928744B1 (en) | 2019-04-08 | 2024-03-12 | Avalara, Inc. | Nexus notification platform |
US11403419B1 (en) | 2020-03-04 | 2022-08-02 | Avalara, Inc. | Online software platform (OSP) querying client data about relationship instances for application of permission digital rules in addition to resource digital rules for the relationship instances |
US11811771B2 (en) * | 2020-11-19 | 2023-11-07 | Tetrate.io | NGAC graph evaluations |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5911143A (en) * | 1994-08-15 | 1999-06-08 | International Business Machines Corporation | Method and system for advanced role-based access control in distributed and centralized computer systems |
US6088679A (en) * | 1997-12-01 | 2000-07-11 | The United States Of America As Represented By The Secretary Of Commerce | Workflow management employing role-based access control |
US6202066B1 (en) * | 1997-11-19 | 2001-03-13 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role/group permission association using object access type |
US20020178119A1 (en) * | 2001-05-24 | 2002-11-28 | International Business Machines Corporation | Method and system for a role-based access control model with active roles |
US20040044655A1 (en) * | 2002-09-04 | 2004-03-04 | International Business Machines Corporation | Row-level security in a relational database management system |
US20040083367A1 (en) * | 2002-10-25 | 2004-04-29 | Praerit Garg | Role-based authorization management framework |
US20050138419A1 (en) * | 2003-12-19 | 2005-06-23 | Pratik Gupta | Automated role discovery |
US6947989B2 (en) * | 2001-01-29 | 2005-09-20 | International Business Machines Corporation | System and method for provisioning resources to users based on policies, roles, organizational information, and attributes |
US6965994B1 (en) * | 2001-01-30 | 2005-11-15 | Microsoft Corporation | Security mechanism for computer processing modules |
US20060047657A1 (en) * | 2004-08-26 | 2006-03-02 | Ophir Frieder | Refined permission constraints using internal and external data extraction in a role-based access control system |
US20060089932A1 (en) * | 2004-10-22 | 2006-04-27 | International Business Machines Corporation | Role-based access control system, method and computer program product |
US7308702B1 (en) * | 2000-01-14 | 2007-12-11 | Secure Computing Corporation | Locally adaptable central security management in a heterogeneous network environment |
US20070294236A1 (en) * | 2004-06-25 | 2007-12-20 | Apple Inc. | Caching permissions information |
US20080016354A1 (en) * | 2003-08-26 | 2008-01-17 | International Business Machines Corporation | System and Method for Secure Remote Access |
Family Cites Families (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5265221A (en) * | 1989-03-20 | 1993-11-23 | Tandem Computers | Access restriction facility method and apparatus |
US5220604A (en) * | 1990-09-28 | 1993-06-15 | Digital Equipment Corporation | Method for performing group exclusion in hierarchical group structures |
GB2301912A (en) * | 1995-06-09 | 1996-12-18 | Ibm | Security for computer system resources |
US5881225A (en) * | 1997-04-14 | 1999-03-09 | Araxsys, Inc. | Security monitor for controlling functional access to a computer system |
US6014666A (en) * | 1997-10-28 | 2000-01-11 | Microsoft Corporation | Declarative and programmatic access control of component-based server applications using roles |
US6044466A (en) * | 1997-11-25 | 2000-03-28 | International Business Machines Corp. | Flexible and dynamic derivation of permissions |
US6460141B1 (en) * | 1998-10-28 | 2002-10-01 | Rsa Security Inc. | Security and access management system for web-enabled and non-web-enabled applications and content on a computer network |
TW451143B (en) * | 1998-11-05 | 2001-08-21 | Ecomagents Inc | Method for controlling access to information |
US7403946B1 (en) * | 1999-10-01 | 2008-07-22 | Accenture Llp | Data management for netcentric computing systems |
US20020026592A1 (en) * | 2000-06-16 | 2002-02-28 | Vdg, Inc. | Method for automatic permission management in role-based access control systems |
US6772167B1 (en) * | 2000-09-07 | 2004-08-03 | International Business Machines Corporation | System and method for providing a role table GUI via company group |
US7302634B2 (en) * | 2001-03-14 | 2007-11-27 | Microsoft Corporation | Schema-based services for identity-based data access |
US7181017B1 (en) * | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
US20020143735A1 (en) * | 2001-03-30 | 2002-10-03 | Akin Ayi | User scope-based data organization system |
EP1298515A3 (en) * | 2001-09-26 | 2004-02-04 | Siemens Aktiengesellschaft | Method for controlling access to resources of a data processing system |
WO2003036609A1 (en) * | 2001-10-24 | 2003-05-01 | Bea Systems, Inc. | Portal administration tool |
CA2364628A1 (en) * | 2001-12-04 | 2003-06-04 | Kevin W. Jameson | Collection role changing gui |
US6950825B2 (en) * | 2002-05-30 | 2005-09-27 | International Business Machines Corporation | Fine grained role-based access to system resources |
US9886309B2 (en) * | 2002-06-28 | 2018-02-06 | Microsoft Technology Licensing, Llc | Identity-based distributed computing for device resources |
US7404203B2 (en) * | 2003-05-06 | 2008-07-22 | Oracle International Corporation | Distributed capability-based authorization architecture |
US20050021977A1 (en) * | 2003-06-25 | 2005-01-27 | Microsoft Corporation | Expression-based access control |
US7653936B2 (en) * | 2003-06-25 | 2010-01-26 | Microsoft Corporation | Distributed expression-based access control |
US7418490B1 (en) * | 2003-12-29 | 2008-08-26 | Sun Microsystems, Inc. | System using multiple sets of device management policies for managing network devices connected on different network interfaces |
US7478421B2 (en) * | 2004-02-04 | 2009-01-13 | Toshiba Corporation | System and method for role based access control of a document processing device |
US7685206B1 (en) * | 2004-02-12 | 2010-03-23 | Microsoft Corporation | Authorization and access control service for distributed network resources |
US7761905B2 (en) * | 2004-12-17 | 2010-07-20 | International Business Machines Corporation | Method and system for assigning access rights in a computer system |
US20060218394A1 (en) * | 2005-03-28 | 2006-09-28 | Yang Dung C | Organizational role-based controlled access management system |
US7523506B1 (en) * | 2005-03-30 | 2009-04-21 | Sun Microsystems, Inc. | Approach for managing functionalities within a system |
US20060259980A1 (en) * | 2005-05-16 | 2006-11-16 | Microsoft Corporation | Method and system for limiting rights of services |
KR100651751B1 (en) * | 2005-10-14 | 2006-12-01 | 한국전자통신연구원 | Method of service access control in ubiquitous platform and security middleware thereof |
US8381306B2 (en) * | 2006-05-30 | 2013-02-19 | Microsoft Corporation | Translating role-based access control policy to resource authorization policy |
Date | Country | Application | Publication | Status |
---|---|---|---|---|
2006-06-30 | US | US11/479,356 | US20080005115A1 | Not active: Abandoned |
2008-06-09 | US | US12/135,535 | US8458337B2 | Not active: Expired - Fee Related |
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5911143A (en) * | 1994-08-15 | 1999-06-08 | International Business Machines Corporation | Method and system for advanced role-based access control in distributed and centralized computer systems |
US6202066B1 (en) * | 1997-11-19 | 2001-03-13 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role/group permission association using object access type |
US6088679A (en) * | 1997-12-01 | 2000-07-11 | The United States Of America As Represented By The Secretary Of Commerce | Workflow management employing role-based access control |
US7308702B1 (en) * | 2000-01-14 | 2007-12-11 | Secure Computing Corporation | Locally adaptable central security management in a heterogeneous network environment |
US6947989B2 (en) * | 2001-01-29 | 2005-09-20 | International Business Machines Corporation | System and method for provisioning resources to users based on policies, roles, organizational information, and attributes |
US6965994B1 (en) * | 2001-01-30 | 2005-11-15 | Microsoft Corporation | Security mechanism for computer processing modules |
US20020178119A1 (en) * | 2001-05-24 | 2002-11-28 | International Business Machines Corporation | Method and system for a role-based access control model with active roles |
US20040044655A1 (en) * | 2002-09-04 | 2004-03-04 | International Business Machines Corporation | Row-level security in a relational database management system |
US20040083367A1 (en) * | 2002-10-25 | 2004-04-29 | Praerit Garg | Role-based authorization management framework |
US20080016354A1 (en) * | 2003-08-26 | 2008-01-17 | International Business Machines Corporation | System and Method for Secure Remote Access |
US20050138419A1 (en) * | 2003-12-19 | 2005-06-23 | Pratik Gupta | Automated role discovery |
US20070294236A1 (en) * | 2004-06-25 | 2007-12-20 | Apple Inc. | Caching permissions information |
US20060047657A1 (en) * | 2004-08-26 | 2006-03-02 | Ophir Frieder | Refined permission constraints using internal and external data extraction in a role-based access control system |
US20060089932A1 (en) * | 2004-10-22 | 2006-04-27 | International Business Machines Corporation | Role-based access control system, method and computer program product |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080183872A1 (en) * | 2006-06-15 | 2008-07-31 | International Business Machines Corporation | Method and System for Authorization and Access Control Delegation in an On Demand Grid Environment |
US8935417B2 (en) * | 2006-06-15 | 2015-01-13 | International Business Machines Corporation | Method and system for authorization and access control delegation in an on demand grid environment |
US20130145436A1 (en) * | 2006-08-22 | 2013-06-06 | Centurylink Intellectual Property Llc | System and method for restricting access to network performance information |
US9992348B2 (en) | 2006-08-22 | 2018-06-05 | Century Link Intellectual Property LLC | System and method for establishing a call on a packet network |
US9344906B2 (en) | 2006-08-22 | 2016-05-17 | Centurylink Intellectual Property Llc | System and method for using distributed network performance information tables to manage network communications |
US9241271B2 (en) * | 2006-08-22 | 2016-01-19 | Centurylink Intellectual Property Llc | System and method for restricting access to network performance information |
US9094261B2 (en) | 2006-08-22 | 2015-07-28 | Centurylink Intellectual Property Llc | System and method for establishing a call being received by a trunk on a packet network |
US9014204B2 (en) | 2006-08-22 | 2015-04-21 | Centurylink Intellectual Property Llc | System and method for managing network communications |
US7836056B2 (en) | 2006-09-28 | 2010-11-16 | Microsoft Corporation | Location management of off-premise resources |
US20080082490A1 (en) * | 2006-09-28 | 2008-04-03 | Microsoft Corporation | Rich index to cloud-based resources |
US20080082782A1 (en) * | 2006-09-28 | 2008-04-03 | Microsoft Corporation | Location management of off-premise resources |
US20090144804A1 (en) * | 2007-11-29 | 2009-06-04 | Oracle International Corporation | Method and apparatus to support privileges at multiple levels of authentication using a constraining acl |
US9471801B2 (en) * | 2007-11-29 | 2016-10-18 | Oracle International Corporation | Method and apparatus to support privileges at multiple levels of authentication using a constraining ACL |
US8196187B2 (en) | 2008-02-29 | 2012-06-05 | Microsoft Corporation | Resource state transition based access control system |
US20090222882A1 (en) * | 2008-02-29 | 2009-09-03 | Microsoft Corporation | Unified management policy |
US20090222881A1 (en) * | 2008-02-29 | 2009-09-03 | Microsoft Corporation | Resource state transition based access control system |
US8353005B2 (en) | 2008-02-29 | 2013-01-08 | Microsoft Corporation | Unified management policy |
US9065836B1 (en) * | 2012-06-18 | 2015-06-23 | Google Inc. | Facilitating role-based sharing of content segments |
US20170201525A1 (en) * | 2016-01-10 | 2017-07-13 | International Business Machines Corporation | Evidence-based role based access control |
US10171471B2 (en) * | 2016-01-10 | 2019-01-01 | International Business Machines Corporation | Evidence-based role based access control |
US10812482B1 (en) * | 2018-01-03 | 2020-10-20 | Amazon Technologies, Inc. | Permission vector access control with linear scaling factor |
US11954238B1 (en) * | 2018-07-24 | 2024-04-09 | Pure Storage, Inc. | Role-based access control for a storage system |
US11509553B2 (en) * | 2020-10-16 | 2022-11-22 | Atos France | Methods and devices for providing real-time data visualization of IT-based business services |
US20230315739A1 (en) * | 2022-03-31 | 2023-10-05 | Gm Cruise Holdings Llc | System and method for platform-independent access bindings |
US11907229B2 (en) * | 2022-03-31 | 2024-02-20 | Gm Cruise Holdings Llc | System and method for platform-independent access bindings |
Also Published As
Publication number | Publication date |
---|---|
US20080243856A1 (en) | 2008-10-02 |
US8458337B2 (en) | 2013-06-04 |
Similar Documents
Publication | Title |
---|---|
US8458337B2 (en) | Methods and apparatus for scoped role-based access control |
US11361097B2 (en) | Dynamically generating sharing boundaries |
US9436843B2 (en) | Automatic folder access management |
US8959578B2 (en) | Techniques for project lifecycle staged-based access control |
US20090319529A1 (en) | Information Rights Management |
US8191115B2 (en) | Method and apparatus for extensible security authorization grouping |
US20070039045A1 (en) | Dual layered access control list |
JP6932175B2 (en) | Personal number management device, personal number management method, and personal number management program |
JP4892179B2 (en) | Zone-based security management for data items |
US8312515B2 (en) | Method of role creation |
US20040088563A1 (en) | Computer access authorization |
US20070022091A1 (en) | Access based file system directory enumeration |
US11558393B2 (en) | Enforcing granular access control policy |
KR20070076342A (en) | User Group Role / Permission Management System and Access Control Methods in a Grid Environment |
US20220374532A1 (en) | Managed metastorage |
US11115415B2 (en) | Method and system to capture and find information and relationships |
Gkioulos et al. | Enhancing usage control for performance: An architecture for systems of systems |
US11616782B2 (en) | Context-aware content object security |
JP2012027691A (en) | Information management system and information management method |
JP2008234200A (en) | Security management system, security management method, security management program |
US20230133938A1 (en) | Real-time modification of application programming interface behavior |
US20230259643A1 (en) | Dynamic security policy for sharing content in collaborative applications |
US20090048888A1 (en) | Techniques for claim staking in a project stage-based environment |
JP7288193B2 (en) | Information processing program, information processing apparatus, and information processing method |
He | Role security access control of the distributed object systems |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: CORLEY, CAROLE RHOADS; LOBO, JORGE; VASSBERG, LORRAINE PHYLLIS; AND OTHERS; REEL/FRAME: 018096/0554; SIGNING DATES FROM 20060717 TO 20060718 |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |