(75) http://www.freenic net/rfes/rfc 1400/rfe 1457.html,©FreeNIC.NET,Inventor: Clifford E. Kahn, Lexington, MA (US)
`
`:
`.
`:
`Network Information Center, R. Ilousley, May 1993, 13 pages.
`(73) Assignee: EMC Corporation, Hopkinton, MA
`A User-Centered, Modular Authorization Service Built on an RBAC
`(US)
`Foundation, Zurko, et al., 14 pages.
`Netegrity™ , Secure User Management for Intranet and Extranet
`Web Sites, Netegrity White Paper, Jan. 1999, Revision: Jan. 21,
`1999, 31 pages.
`the
`for
`Securant Technologies; Understanding ClearTrust
`Businessperson; _http://www.securant.com/products/bus__focus/in-
`dex.html; Jan. 10, 2001;
`1 page.
`(Continued)
`
`(*) Notice:
`
`,
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`US.C. 154(b) by 887 days
`ee
`(21) Appl. No.: 09/611,913
`.
`Filed:
`
`US007185192B1
`
`a2) United States Patent
`US 7,185,192 B1
`(0) Patent No.:
`Feb. 27, 2007
`(45) Date of Patent:
`Kahn
`
`(54) METHODS AND APPARATUS FOR
`CONTROLLING ACCESS TO A RESOURCE
`
`2004/0158744 Al*
`
`8/2004 Deng etal. un... 713/201
`
`OTHER PUBLICATIONS
`
`
`
`(22)
`
`Jul. 7, 2000
`
`Primary Examiner—Nasser Moazzami
`Assistant Examiner—Carl G. Colin
`(74) Attorney, Agent, or Firm—Chapin IP Law, LLC; Barry
`W. Chapin, Esq.
`
`(51)
`
`(56)
`
`Int. Cl.
`(2006.01)
`HO4L 9/00
`(2006.01)
`G06F 7/00
`(52) US. C1. ee eeeeeeee 713/155; 713/167; 726/27;
`726/17; 707/102; 707/9; 707/3; 707/101
`(58) Field of Classification Search ................ 713/155,
`713/200. 201. 211. 154, 166: 707/10, 9
`°
`°
`, 7077/3 102: 7091229
`See application file for complete search histo
`ty:
`PP
`P
`References Cited
`
`ABSTRACT
`(57)
`.
`.
`.
`An input/output interface receives an access request from a
`requester. A processor associated with the input/output inter-
`face appliesa filter operation to select a subset of rules from
`a master set of rules maintained within an authorization
`database. Rules can be selected in this manner using filter
`operations so that all rules in the rule set need not be
`processed. A rule may include a disregard instruction. The
`U.S. PATENT DOCUMENTS
`processor further performsat least one rule operation based
`4,754,410 A *
`6/1988 Leech et al. wesc 706/45
`
`on the subset of rules to produce an access control decision
`...
`5,968,176 A * 10/1999 Nessett et al.
`713/201
`
`in the memory system until eithera rule operation including
`. 707/9
`6,236,996 B1*
`5/2001 Bapat etal...
`a disregard instruction is performedto limit performance of
`6,298,340 B1* 10/2001 Calvignac et al.
`..........4-. 707/3
`rule operations in the selected set of rules or until all rule
`6,385,598 BI"
`5/2002 Giacalone et al.
`.........++ 7006/1
`
`eeiat Bi , ib> Schneider etal.
`.....
`me.a operations in the selected set of rules that are applicable to
`6.473.763 BI* 10/2002 Conletal. gor/1o1
`‘the access control decision are performed.
`6,502,093 B1* 12/2002 Bhatt etal. ow. 707/3
`6,539,394 B1*
`3/2003 Calvignac et al.
`.......... 707/102
`
`30 Claims, 7 Drawing Sheets
`
`
`
`400
`RECEIVE ACCESS REQUEST FROM
`REQUESTOR
`
`
`401
`SELECT, BASED ON THE ACCESS
`
`
`REQUEST,A SELECTED SET OF RULES
`FROM MASTERSET(S) OF RULES
`
`
`
`402
`
`
`PERFORMRULE OPERATION(S) BASED.
`ON SELECTED SET OF RULES
`
`
`DETECT DISREGARD INSTRUCTION, OR THAT NO
`MOREAPPLICABLE RULE OPERATIONSARE TO BE
`
`PERFORMED IN SELECTED SET OF RULES
`
`
`
`DISREGARD
`INSTRUCTION
`
`NO MORE APPLICABLE
`RULE OPERATIONS:
`
`REMAIN
`404
`PERFORMDISREGARD INSTRUCTION
`TO FURTHER LIMIT PERFORMANCE OF
`
`
`APPLICABLE RULE OPERATIONSIN
`THE SELECTED SET OF RULES
`
`PRODUCE ACCESS CONTROL
`
`DECISION
`
`Google Exhibit 1065
`Google v. VirtaMove
`
`Google Exhibit 1065
`Google v. VirtaMove
`
`

`

`US 7,185,192 B1
`Page 2
`
`OTHER PUBLICATIONS
`
`Securant Technologies; Pillar One Access Control; http://www.
`securant.com/products/tech__focus/thetech/8pil/acc_cont-html;
`Jan. 10, 2001; 1 page.
`
`Securant Technologies; For the Engineer Frequently Asked. Ques-
`tions;
`http://www.securant.com/products/tech_focus/tech_faq.
`html; Jan. 10, 2001; 8 pages.
`
`* cited by examiner
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 1 of 7
`
`US 7,185,192 B1
`
`100
`Na
`
`124
`CEO / EXECUTIVE
`
`
`160-N
`
`STORAGE
`RESOURCE
`160-1
`
`
`ROLE/RULE SYSTEMS
`
`
`
`
`
`120
`AUTHORIZATION
`SYSTEM
`
`MANAGEMENT
`
`a
`—
`
`410
`COMPUTER NETWORK
`
`' os,
`}
`
` 121
`ENGINEERING
`
`
`
`122
`ACCOUNTING
`
`FIG. 1
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 2 of 7
`
`US 7,185,192 B1
`
`120-124
`
`REQUESTOR(S)
`
`
` 200
`
`RESOURCE SERVER
`
`
`210
`220
`
`
`
`NETWORK INPUT
` PROCESSOR
`
`/ OUTPUT
`
`INTERFACE
`
`
`
`
`
`208
`
`MEMORY
`
`206
`
`APPLICATION
`
`
`204
`
`RESOURCE SERVER
`
`
`
`300-1
`ROLE-RULE AUTHORIZATION MODULE
`
`260
`
`
`
`230
` 300-2
`
`
`AUTHORIZATION
`RESOURCE
`INPUT / OUTPUT
`INPUT / OUTPUT
`
`
`
`
`
`
`
`
`
`
`
`
`350
`RESOURCE (E.G.,
`
`AUTHORIZATION
`
`DATA)
`
`DATABASES
`
`
`
`FIG. 2
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 3 of 7
`
`US 7,185,192 B1
`
`120-124
`
`Pad ACCESS REQUEST(S) TO RESOURCE(S)
`
`04
`
`REQUESTOR(S) \y
`as
`ROLE IDENTITIES)
`
`USER GROUPS(E.G.
`
`307
`
`AUTHENTICATION
`AUTHORITY
`
`(REQUESTOR, ACCESS, RESOURCE)
`301
`
`
`309
`
`ACCESS
`REQUEST PARSER
`
`
`
` 301 2p, QUERY
`
`
`
`
`
`
`
`
`320
`
`
`
`QUERY
`ENGINE
`
`301-1-~
`
`RESOURCE
`ACCESS
`
`
`
`
`
`
`318
`315
`
`SELECTED
`
`
`RULE
`SET OF
`
`
`ENGINE
`RULES
`
`
`
`
`302-1
`
`
`ACCESS CONTROL
`DECISION
`
`
`
`MANAGED
`RESOURCES
`(E.G., OBJECTS)
`
`MASTER SET OF
`
`
`
`FILTER
`OPERATIONS
`DATABASE
`
`
`RELATIONS /
`
`
` OBJECT GROUPS
`
`FIG. 3
`
`ACCESS
`
`
`
`
`302-2
`QUERY RESULT(S)
`
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 4 of 7
`
`US 7,185,192 B1
`
`MANAGED OBJECT FOR A RESOURCE
`(E.G., DATA STORAGE SYSTEM 160-1)
`
`AVAILABLE, SPACE USED, ETC.)
`
`370
`OBJECT ATTRIBUTES
`(E.G., IP ADDRESS, SERVER
`HOSTNAME, DEPARTMENTAL
`ASSOCIATION,
`CAPACITY, MANUFACTURER,
`TOTAL VOLUMES, SPACE
`
`362
`OBJECT LABEL
`SYMMETRIX 160-1
`
`364
`UNDER ACCESS CONTROL: YES
`
`366
`RELATED OBJECT PARENT(S)
`(E.G., RESOURCE SERVER 200)
`
`368
`RELATED OBJECT CHILDREN
`(E.G., VOLUME-1..VOLUME-M)
`
`FIG. 4
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 5 of 7
`
`US 7,185,192 B1
`
`350-4
`MASTER RULE SET
`
`350-8.1
`
`RULE 1
`FILTER 1.1: IF PAYROLL_MANAGEMENT_APPLICATION USES RESOURCE AND REQUESTOR
`(S A MEMBER OF CEQ_DEPARTMENT: «<(————————_—___—35067
`RULE OP1.1: IF REQUESTOR IS CEO, LET CEO HAVE MODIFY_PERMISSION
`RULE OP 1.2: LET REQUESTOR HAVE MODIFY PERMISSION
`RULE OP 1.3: DISREGARD ALL RULES RELATED TO PAYROLL_DATA
`350-6.2
`
`RULE 2
`FILTER 2.1: IF PAYROLL_MANAGEMENT_APPLICATION USES RESOURCE AND REQUESTOR
`tS A MEMBER OF ACCOUNTING_DEPARTMENT.
`RULE OP 2.1: LET REQUESTOR HAVE READ_PERMISSION
`
`RULE 3
`
`350-6.3
`
`¥
`
`FILTER 3.1: IF PAYROLL_MANAGEMENT_APPLICATION USES RESOURCE.
`RULE OP 3.1: LET PAYROLL_STORAGE_ADMINS HAVE ALL_PERMISSIONS
`RULE OP 3.2: LET PAYROLL_STORAGE_ADMINS HAVE NO_MODIFY_PERMISSION
`RULE OP 3.3: LET PERMISSIONS BE IN EFFECT MONDAY-FRIDAY 8AM-6PM
`RULE OP 3.4: DISREGARD
`
`350-6.4
`
`RULE 4
`
`350-6.6
`
`t—F (RESOURCEIS PAYROLL_DATA_STORAGE) AND (REQUESTORISA mNBER
`FILTER 4.1:
`OF SYSTEMS_MANAGEMENT_DEPARTMENT) AND RESOURCE IS CONNECTED TO
`BACKUP_SERVER AND PAYROLL_DATA_STORAGE.SPACE_AVAILABLE < 10GB:
`RULE OP 4.1: LET REQUESTOR HAVE FORMAT, ALLOCATE, CONNECT,
`READ, BACKUP
`IF REQUESTOR IS SYSTEMS_MANAGER THEN DISRE
`
`RULE OP 4.2:
`
`D
`
`350-6.5
`
`FIG. 5
`
`

`

`
`
`
`
`RECEIVE ACCESS REQUEST FROM
`REQUESTOR
`
`
`
`401
`SELECT, BASED ON THE ACCESS
`
`
`REQUEST, A SELECTED SET OF RULES
`FROM MASTERSET(S) OF RULES
`
`
`
`
`PERFORM RULE OPERATION(S) BASED
`ON SELECTED SET OF RULES
`
`402
`
`
`
`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 6 of 7
`
`US 7,185,192 B1
`
`START
`
`400
`
`
`
`DETECT DISREGARD INSTRUCTION, OR THAT NO
`
`
`MOREAPPLICABLE RULE OPERATIONS ARE TO BE
`
`PERFORMED IN SELECTED SET OF RULES
`
`
`
`DISREGARD
`
`INSTRUCTION
`
`NO MORE APPLICABLE
`
`RULE OPERATIONS
`
`
`404
`REMAIN
`
`
`PERFORM DISREGARD INSTRUCTION
`
`TO FURTHER LIMIT PERFORMANCE OF
`APPLICABLE RULE OPERATIONS IN
`THE SELECTED SET OF RULES
`
`
` 405
`
`PRODUCE ACCESS CONTROL
`DECISION
`
`
`
`FIG. 6
`
`

`

`U.S. Patent
`
`Feb. 27, 2007
`
`Sheet 7 of 7
`
`US 7,185,192 B1
`
`START
`
`
`
`
`420
`
`DETERMINE IDENTITY OF RESOURCE TO WHICH ACCESS
`IS REQUESTED
`
`421
`
`
`
`
`DETERMINE ROLE IDENTITY OF REQUESTOR
`SUBMITTING THE ACCESS REQUEST
`
`RESOURCE REQUEST
`QUERY ACCESS
`
`422
`
`APPLY AT LEAST ONE FILTER OPERATION, USING THE IDENTITY OF
`THE RESOURCE AND/OR THE ROLEIDENTITY OF THE REQUESTOR,
`FOR RULES IN THE MASTER SET OF RULES TO PRODUCE THE
`SELECTED SET OF RULES UPON WHICH THE ACCESS CONTROL
`DECISION WILL BE BASED
`
`REQUESTOR
`
`423
`
`APPLY AT LEAST ONE FILTER OPERATION, USING THE IDENTITY OF
`THE RESOURCE AND/OR THE ROLE iDENTITY OF THE REQUESTOR,
`FOR RULES IN THE MASTER SET OF RULES TO PROOUCE ALIST OF
`ATION
`RULES WHICH MATCH THE FILTER OPER
`
`424
`PROVIDE INDICATION OF THE AUTHORIZATION STATE OF
`ROLE-RULE-BASED ACCESS CONTROL SYSTEM BASED ON THE LIST
`OF RULES AS RELATED TO THE IDENTITY OF THE RESOURCE TO
`WHICH ACCESS IS REQUESTED AND/OR THE ROLE IDENTITY OF THE
`
`FIG. 7
`
`

`

`US 7,185,192 Bl
`
`1
`METHODS AND APPARATUS FOR
`CONTROLLING ACCESS TO A RESOURCE
`
`FIELD OF THE INVENTION
`
`2
`general “world” classification. The operating system can
`also associate a sct of permissions with cach file or directory
`which specify, for each of the three userclassifications (user,
`group, world), any read “r’, write “w’’, and/or execute “x”
`privileges for that respective classification of users. The
`Unix operating system maintains the appropriate permission
`The present invention generally relates to access control
`for each user classification as a collection ofbits. In a single
`systems, and more particularly, to systems and techniques
`
`which provide enhanced access control to resources in a set of permissionsforafile or directory, there are three fields
`computing system environment.
`(one for user, one for group and one for world) of three bits
`each (one for read, one for write and one for execute). The
`operating system might express such a set of permissions as
`“rwx,rwx,rwx”” wherethe first “rwx” represents the permis-
`sions to that file or directory for a specific user identity, and
`where the second “rwx” represents the permissions to that
`file or directory for a group identity, and where the third
`“rwx” represents the permissionsto that file or directory for
`all other users. Fora particularfile or directory, the user (1.e.,
`the ownerofthatfile or directory) or a systems manager can
`set each “r’ “w” or “x” bit for each of the three user
`
`BACKGROUND OF THE INVENTION
`
`The widespread use of computer systems, especially
`within networked computing environments, has created
`many different classes of computer users and has created a
`need for access control systems to govern how users can
`access such computer systems. As an example, consider a
`local area network (LAN) computing environment such as a
`corporate computer network, commonlyreferred as an intra-
`net. The intranet network may include various computing
`systems such as intranet file servers, intranet web-servers,
`departmental computer systems, database servers, and so
`forth. Each computing system allows users and/or software
`programsto create and maintain directories, files, databases,
`or the like within data storage systems such as one or more
`disk drives coupled to the computing systems. The storage
`systems may contain varying amounts and types of data.
`Various users may control and access the different comput-
`ing systemsat different times of the day or night.
`In such a computing environment, access control is an
`important aspect of system design and provides controlled
`access to files or other resources within the computing
`systems. Most conventional computing systems operate
`using an operating system that provides certain basic access
`control mechanisms. Using such conventional access control
`mechanisms, a computer systems manageror administrator
`(a person responsible for maintaining the computer systems)
`can configure, for example, an operating system such as
`Unix in a computer system to control how that computer
`system allows users to access various directories andfiles
`maintained under control of the operating system.
`In an operating system such as Unix, access control is
`frequently provided via access control lists (ACLs) and/or
`by file and directory permission settings. ACLsare lists of
`users with associated permissions (e.g., read, write) that a
`systems manager can create and associate with a file and/or
`a directory in a filesystem. For instance, an ACL mightlist
`all users for a file that have read access to the file, write
`accessto the file, and execute access to the file. When a user
`requests access to a particular file, the operating system
`checks the ACT, associated with that file to determineif the
`
`user requesting access is listed for the type of access thatis
`requested (e.g., read, write or execute). If the user is listed
`for the requested access, the operating system allows the
`requested access. Otherwise, a protection violation occurs
`and the operating system denies user access as requested.
`Permission settings provide a condensed version of access
`control as compared to ACLs. In permissions settings within
`the Unix operating system, for example,
`there are three
`classifications of computer system users: “users”, “groups”
`and everyone else who is considered, for access control
`purposes, in a “world”classification. The operating system
`associates an ownerto eachfile (or directory). The owneris
`the “user” whocreates or originates creation of that file. In
`addition, the user may belong to a “group” of users who
`share the file and who each need similar access to thefile.
`
`All other users who attempt to access the file are in the
`
`10
`
`15
`
`20
`
`classifications to a value of one (“1”) if access for that user
`classification is allowed for that desired access operation
`(read, write or execute), or to zero (“0”) if access for that
`user classification is not allowed for the desired access
`
`25
`
`operation. In this manner, the operating system requires nine
`bits per file or directory to record protection and access
`control information.
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`When a user logs onto a computer system running an
`operating system such as Unix, the operating system pro-
`vides a unique pre-assigned numerical user identification
`number(uid or user identity) and group identification num-
`ber (gid or group identity) to that user. Generally, programs
`subsequently created by that user inherit that user’s user and
`group identities. When a such a program is executed as a
`process which attempts access to a certain file or directory,
`the operating system uses the user and group identities
`associated with the process to perform access control checks
`using the ACL and/or permission settings associated with
`files and/or directories.
`
`As a specific example, a permission setting for a file of
`“110,100,000” allows the Unix operating system to grant
`read and write access to user and user processes having the
`useridentity (1.e., the user or owner) associated with thatfile,
`but disallows execute access. In this example, the operating
`system might deny execute access since the file might be
`data rather that an executable program. This permission
`setting allows the operating system to grant read access to
`users and user processesthat have a group identity that is the
`same as the group identity associated with the file, but
`disallows write or execute access for users or user processes
`that have group identities within the group associated with
`the file. Finally, this permission setting disallows read, write
`and execute access to all other users or user processes within
`the computer system which attempt to access the file in any
`manner. This example set of permissions thus provides a
`rather secure level of access to the file since the operating
`system provides only the user who ownsthe file (or user
`processes created by that user) the ability to read and write
`to the file, and only members of the group associated with
`the file (or processes that they create) are provided with
`read-only access to thefile.
`While not specifically related to the access control mecha-
`nisms explained above, certain software applications use
`rule processing techniques to direct data to various loca-
`tions. As an example, Microsoft Outlook email processing
`software, manufactured by Microsoft Corporation of Red-
`mond Wash., provides an email client program that can use
`rule processing to direct the placement of email messages
`
`

`

`US 7,185,192 Bl
`
`5
`
`10
`
`15
`
`SUMMARY OF THE INVENTION
`
`3
`within a user’s various mailbox folders. A rule mechanism
`is provided to allow a user to establish rules that can, for
`instance, select an incoming email message, based on a
`source address, and deposit that message into a specific
`mailbox folder. Rule applicability can be conditioned on
`things such as specific words that might appear in an email
`message, or on destination or source email addresses. A user
`may also specify exceptions that define criteria for not
`applying a rule to routing of email messages. Rules in this
`system can also specify an action to be taken on the email
`message, suchas, for example, deleting the email and to stop
`processing other rules once the rule is complete.
`
`4
`security administrator muststill create group files and ACL
`lists for shared resources. It can quickly becomedifficult for
`the administrator to properly maintain the correct permission
`settings, ACL lists and group membership lists to properly
`reflect the intended security policies. Furthermore, once
`permissions and ACL lists are created with the intent of
`reflecting a security policy, there are few reliable waysto test
`and enforce the policy andif the policy requirement change,
`the permissions and ACL lists must be properly updated.
`Further still, many security policies attempt to embody or
`capture policy concerns that have characteristics related to
`physical, organizational and/or
`functional attributes of
`resources, users or other entities in a computing environ-
`ment. In such cases, it may be very difficult to express such
`policy concerns using conventional access control
`tech-
`Conventional computer system access control mecha-
`niques.
`nisms and authorization systems such as those noted above
`The present invention significantly overcomes many of
`the aforementioned drawbacks of conventional authoriza-
`suffer from a variety of shortcomings. For example, ACLs
`can become quite long. It can be a burdensometask for a
`tion and access control mechanisms. The system of this
`systems manageror user to maintain many different ACLs in
`invention providesa flexible authorization system providing
`separate ACL files for many different users, files or direc-
`robust access control to resources in a computing system
`tories. Since the operating system maintains each ACL as a
`environment. The authorization system is typically embod-
`separate file, properly setting up a user with the correct
`ied within a computer system configured to provide access
`permissions for each file can be quite prone to error. Acci-
`control to one or more resources such as data or portions of
`dentally providing an incorrect permission (e.g.,
`read
`a data storage system, though access control to any resource
`access) to a user might be a costly mistake.
`can be provided by this invention.
`While conventional access control mechanisms such as
`Generally, access control
`is provided in the invention
`permission settings provide someflexibility to grant or deny
`using rule set processing. An access control administrator
`access to certain users or processes and not to others, this
`can create and store rules according to this invention in a
`blanket-style access control approach can be limiting or
`master set of rules. Upon receipt of an access request
`problematic in manysituations. For example, when a user
`requesting a type of access by a requestor to a resource, the
`logs into a computer system and begins execution of a
`system of the invention processes one or more filter opera-
`database process,
`this database process generally will
`tionsthat relate to one or more portions of information in the
`execute “under”(i.e., using) the user identity of the user that
`access request (e.g., that relate to the requestor submitting
`created the database process (as discussed above). Such
`the access request, and/or to a type of access requested,
`systemsare thus hierarchical in nature in thata file, directory
`and/or to the resource to which access is requested) to
`and/or a process hierarchically inherits a set of permissions
`determine which rules from the master set of rules might
`associated with its creator irrespective of where the data is
`apply to an access control decision (or a query request)
`placed or whois accessing (e.g., executing or reading) the
`based on the access request. Once the filter operations are
`data. Thus, if a user logs into a computer systems andcreates
`complete, a selected set of rules is producedthat define rule
`a series of directories and sub-directories and files within
`operations that when processed will grant certain access to
`those directories and sub-directories, the permissions asso-
`certain requestors to the requested resource.
`ciated with thosefiles, directories and sub-directories will be
`During the creation of rules, the administrator of access
`inherited based on the permissions associated with that user.
`control can create rule operations based on conditions
`There is little or no regard given to where those files,
`defined by relations or the rules may be unconditional or a
`combination of conditional and unconditional. Once the
`directories and sub-directories are stored (e.g., upon which
`disk or volumein a data storage system) or to what purpose
`system of the invention determinesthe selectedset ofrules,
`of the data, directories or programsserve.
`the system then sequentially processes rule operations from
`As another example of a problem of conventional access
`the first rule that applies (based on thefilter operations) to
`control mechanisms, consider a computer system with thou-
`the last. If a rule contains a disregard instruction, rule
`sands or millions of resources(e.g., files) that require access
`processing can be further altered. A disregard instruction
`control. Conceptually, a site security administrator might
`may cause rule processing to complete and not continue on
`havea policy in mind about who(e.g., what users) should be
`to other rules that were determined to apply based on the
`able to access what resources(e.g., files, directories) in what
`filter operations. Alternatively, a disregard instruction can
`manner(s) (e.g., read and/or write and/or execute). To real-
`cause rule processing to be further limited to only processing
`ize, implementand/or actually enforce suchapolicy, thesite
`certain rules or selected rule operations within the remainder
`securily administrator might establish owner-group-world
`of the unprocessed selected set of rules. In this manner, a
`permission settings or ACLlists for each resource. This task
`rule set creator can create rules which halt the granting of
`would be quite cumbersome. Some computer system assist
`permissions(i.e., enabling of access) in all circumstances or
`in this task by assigning a set of permission settings to new
`whichlimit further rule applications to certain conditions or
`files created by a user that are equivalent to the creators
`circumstances. Thus, if a rule grants certain permissions to
`current default permission settings. In other words, if a user
`a certain requester and includes a disregard instruction, the
`creates a new file or directory, the operating system can
`rule set creator can thus be assuredthat if the system selects
`assign that user’s default permissions to that new file or
`this rule (1.e., is included in the selected set of rules by the
`directory. This is referred to as inheritance.
`processing of the invention) based onfilter operation pro-
`While inheritance allows an operating system to assign
`cessing, when the system processesthe selectedrule (1.e., its
`certain permission settings in an automated manner,
`the
`rule operations), the disregard instruction will either halt all
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`

`

`US 7,185,192 Bl
`
`5
`further rule operation processing or will limit such process-
`ing to compliance with certain “disregard conditions”. If a
`disregard instruction halts rule processing outright,
`this
`enables a rule set creator to position the rule including such
`a halt disregard instruction ahead or behindotherrules in the
`rule set and if multiple rules appear to apply to an access
`control decision based on the filter operations, the first rule
`containing the disregard instruction will cut-off further rule
`processing.
`If the disregard instruction is conditional, then it might
`cause further rule processing to disregard (i.e., to not pro-
`cess) certain rule operations, while allowing other remaining
`rule operations in the selected set of rule (initially selected
`by the filter operation(s)) to be processed. As an example, a
`disregard instruction might instruct a rule engine (to be
`explained) that performs rule processing to disregard any
`further rule operations relating to payroll data. As rule
`processing continues, the rule engine would thus not process
`rule operations in other rules within the selected set of rules
`that have an effect on payroll data.
`Relations defining one or more conditions can also be
`used within rule operations themselves. For example, a
`relation might precede a disregard instruction, thus allowing
`conditional rule set processing. For example, if a requestor
`(e.g., a user requesting access to some data or other
`resource) were a staff employee, a disregard instruction
`preceded by a condition might state that if the requestor is
`in the staff department, then disregard all rules (or rule
`operations) that relate to granting permissions to payroll
`data. This conditional disregard instruction might be useful
`to limit staff employee access to payroll data. Since rule
`operations (including disregard instructions) can be general
`in nature, as in these and other examples provided herein, the
`access control system of the invention allow a security
`administrator to more generally express a security policy as
`a set of rules which can be applied system wide. Since the
`rules are a more concise representation of an access control
`policy than are a large set of ACLs and/or permissions
`settings for resources,
`the invention makes the security
`administrators job of setting up access control easier and
`makes verification of the security policy more straightfor-
`ward.
`
`Using the rule set structure and processing defined by the
`invention, a rule set creator can essentially program an
`access control scheme using careful rule creation and posi-
`tioning of rules within the rule set. Since rules can include
`disregard instructions, processing may perform less thanall
`rule operations from the selected set of rules. In some
`embodiments, this allows an administrator to create a rule
`hierarchy which canresult in processing only a subset of rule
`operations from the selected set of rules that appear to be
`applicable to the access control decision based on one or
`more initially applied filter operations. Since rules can
`contain nested or deeper conditions than those tested by the
`filter operations, the system allows an administrator to create
`rules that can define unique roles,
`types of access and
`permissions to precisely control access to a resource. In
`other words, filter operations can be usedto filter out a high
`level set of rules based on somecriteria, while conditions
`and disregard instructions can be placed within rules them-
`selves to further define and“filter” the granularity of access
`control (i.e.,
`the granting or denial of permissions to a
`resource) provided by rule processing. Administrators can
`thus create tiered access control schemes the first select
`somerule based on certain factors(viafilter operations), and
`then during application of those rules, can selectively (1.e.,
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`conditionally, using relations and disregard instructions)
`further clarify the granting or denial of permissions to
`resources for requesters.
`Morespecifically, in one embodiment, the present inven-
`tion provides a method for providing access control in a
`computing system environment. The method comprises the
`steps of receiving an access request and selecting, based on
`the access request, a selected set of rules containing at least
`one rule from at least one master set of rules. Since certain
`
`rules may be pre-selected in this manner, the system of the
`invention avoids having to completely fully processall rules
`in the access control rule set (i.e., the master set of rules).
`Once the method determines the selected set of rules (either
`all at one or rule by rule), the system then performs at least
`one rule operation in the rule (or rules) in the selected set of
`rules to produce an access control decision until either one
`of a rule operation including a disregard instruction is
`performed to limit performance of rule operations in the
`selected set of rules and/or until all rule operations in the
`selected set of rules that are applicable to the access control
`decision are performed. Since a disregard instruction can
`eitherhalt rule processing, or can cause processing to mark
`or otherwise indicate certain other remaining rule operations
`to be disregarded in further rule processing, even though
`those other rule operations in the selected set of rules have
`not yet been processed, the developer of the rule set can
`create rules that are assured to only grant certain amounts or
`levels of permissions or access. Filter operations can be
`separate from the rules, or may be included as pre-ambles to
`each rule.
`
`According to another configuration, the step of perform-
`ing includes the step of producing an access control decision
`indicating whether to allow access, on behalf of a requestor
`submitting the access request, to an resource in the comput-
`ing system environment. The resource and/or the requester
`providing the access request may both belocal to a resource
`server(e.g., a computer system, workstation, access control
`software application, library, etc.) implementing the access
`control system, or, the access control processing explained
`herein can be performed on a computing system that is
`different than the one containing, providing or serving the
`resource or that supports the requestor. The requestor may be
`a computer user acting in a specific role, or may be a
`software application operating on behalf of such a user, or
`operating in an autonomous or automated manner.
`In another configuration, the step of selecting includes the
`steps of determining an identity of the resource in the
`computing system environment to which access is requested
`in the access request and applying at least onefilter opera-
`tion, using the identity of the resource, for rules in the master
`set of rules to producethe selected set of rules for use in
`determining the access control decision to the resource. In
`this configuration, rule are selected for rule operation pro-
`cessing based on the resource to which access is requested
`in the access request.
`the method includes the
`In yet another configuration,
`operation of determining a role identity of a requestor
`submitting the access request. In this configuration, the step
`of applying applies thefilter operation (one or more), using
`the role identity of the requestor submitting the access
`request in combination with the identity of the resource, for
`rules in the master set of rules to producethe selected set of
`rules for use in determining the access control decision to the
`resource. Thus, rule selection can be based on the resource
`and/or the requestor asking for access to the resource and/or
`the type of access requested.
`
`

`

`7
`The invention also provides configurations in which at
`least one rule in the selected set of rules contains a rule
`
`US 7,185,192 Bl
`
`8
`determine who is requesting access immediately before
`performing a disregard instruction, and if a certain identity
`is requesting, the rule operation processing might be disre-
`garded or limited to processing only certain rules or rule
`operations thereafter, whereas if another requestor (1.e.,
`having a different identity) is requesting access, then rule
`operations may continue without alteration of processing
`(1.e., all rule operations are processed as normal).
`In another configuration, at least one rule in the selected
`set of rules containsa relation that defines a condition based
`
`operations are applied in the event more than one rule is
`selected based on the filter operations. In other configura-
`tions, at least one rule in the selected set of rules contains a
`rule operation including a disregard instruction including
`disregard criteria. In these configurations, the operation or
`step of performing limits performance of rule operations in
`the selecte