CN1842785A - System and method for hierarchical role-based entitlements - Google Patents

System and method for hierarchical role-based entitlements

Info

Publication number: CN1842785A
Authority: CN (China)
Prior art keywords: role, litigant, resource, strategy, item
Legal status: Pending
Application number: CNA2004800098678A
Other languages: English (en)
Inventors: Philip B. Griffin, Manish Devgan, Alex Toussaint, Rod McCauley
Current Assignee: BEA Systems Inc
Original Assignee: BEA Systems Inc
Application filed by BEA Systems Inc
Publication of CN1842785A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145 Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy

Abstract

An authorization system and method for adaptively controlling access to a resource, comprising the steps of: providing a mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing an evaluation of a policy based on the at least one role; and, based on the evaluation of the policy, providing a determination of whether the principal is authorized to access the resource.

Description

System and method for hierarchical role-based entitlements
Copyright notice
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
Cross-reference to related applications
This application is related to the following co-pending applications, which are hereby incorporated by reference in their entirety: "METHOD FOR ROLE AND RESOURCE POLICY MANAGEMENT", U.S. Application Serial No. 10/367,462, inventors Philip B. Griffin et al., filed February 14, 2003; "METHOD FOR DELEGATED ADMINISTRATION", U.S. Application Serial No. 10/367,190, inventors Philip B. Griffin et al., filed February 14, 2003; and "METHOD FOR ROLE AND RESOURCE POLICY MANAGEMENT OPTIMIZATION", U.S. Application Serial No. 10/366,778, inventors Philip B. Griffin et al., filed February 14, 2003.
Technical field
The present disclosure relates to the authorization and control of resources in enterprise applications.
Background
Enterprise applications can increase the availability of goods and services to customers inside and outside an organization. One problem that accompanies the deployment of enterprise applications is authorization, or access control. Customers and system administrators alike need to be given privileges in order to perform particular operations (for example, modifying a customer account) or to gain access to particular content. Typical authorization systems can be complex and time-consuming to implement and maintain, especially when they are tightly coupled to the business logic of the enterprise application.
Brief description of the drawings
Figure 1 illustrates an exemplary resource hierarchy in accordance with one embodiment of the invention.
Figure 2 is the exemplary hierarchy of Figure 1, further illustrating roles and security policies.
Figure 3 is a diagram of an authorization system in accordance with one embodiment of the invention.
Figure 4 illustrates a delegation role hierarchy in accordance with one embodiment of the invention.
Figure 5 illustrates an exemplary delegation security policy in one embodiment of the invention.
Detailed description
The invention is illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like reference numerals indicate like elements. It should be noted that references to "an" or "one" embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.
In one embodiment, an enterprise application includes one or more resources that facilitate the performance of business, scientific or other functions and tasks. In another embodiment, an enterprise application can be a Java™ 2 Enterprise Edition (J2EE) deployment unit that bundles Web Applications, Enterprise Java™ Beans and Resource Adaptors together into a single deployable unit. The Java™ programming language and its run-time libraries and environment are available from Sun Microsystems, Inc. of Santa Clara, California. Enterprise applications can include software, firmware and hardware elements. Software, firmware and hardware can be combined arbitrarily or divided into separate logical components. Furthermore, it will be apparent to those skilled in the art that, regardless of how these components are combined or divided, they can execute on the same computer or can be arbitrarily distributed among different computers connected by one or more networks.
In one embodiment, a resource can correspond to any person, place or thing, including objects or entities (for example, networks, computers, computer users, bank accounts, electronic mail messages, aspects of a computer operating system such as virtual memory, threads and file storage, etc.), methods or processes (for example, balancing a checkbook, installing a device driver, allocating virtual memory, deleting a file, etc.), the occurrence or non-occurrence of events (for example, a user attempting to log in to a computer, a change of state, etc.) and organizations or associations of resources (for example, lists, trees, maps, hierarchies, etc.).
In one embodiment, resources can be classified into a hierarchical taxonomy (which can itself be a resource). By way of a non-limiting example, in an enterprise application it may be necessary to look up a particular resource such as a booklet. In order to look up the booklet, one needs to know which page it is on, which portal the page belongs to, which web application owns that page, and which domain the web application belongs to. Each of these components is considered a resource, and together they can be described as a resource path (for example, a sequence of components separated by slashes):
domain/web_app/portal/desktop/page/booklet
The first resource is the domain, which sits at the "top" of the resource hierarchy. Moving down the hierarchy, the next component is web_app (the web application). web_app is a "child" or "descendant" of domain, and domain is the "parent" of web_app. domain is above web_app, and web_app is below domain. Similarly, portal is a child of web_app and the parent of desktop. page is a child of desktop, and booklet is a child of page. The depth of a resource is the number of components in its path. For example, the depth of booklet is 6 (assuming we count from 1), while the depth of portal is 3. In one embodiment, the depth of a resource can be unlimited. In one embodiment, a resource can have attributes or capabilities. By way of a non-limiting example, a booklet resource can have the capability of being customized by an end user. That capability can be attached to the hierarchy as follows:
domain/web_app/portal/desktop/page/booklet.customize
Figure 1 illustrates an exemplary resource hierarchy in accordance with one embodiment of the invention. By way of a non-limiting example, the hierarchy can represent the resources within an enterprise application. Web App 1 and Web App 2 are web applications. A web application resource is a part of an enterprise application that is accessible over the World Wide Web. Portal 1 and Portal 2 are portal resources and are children of Web App 1. Portal 3 is a child of Web App 2. In one embodiment, Web App 1 and Web App 2 can be children of one or more enterprise applications (not shown), which in turn can be children of one or more domains (not shown). A portal is a point of access to data and applications that provides a unified and potentially personalized view of information and resources. Typically, a portal is implemented as one or more pages on a website (Page 1, Page 2, Page A, Page B, Page X and Page Y). Portal pages can integrate many elements, such as applications, live data feeds, static information and multimedia presentations.
Desktop A, Desktop B and Desktop C contain one or more views of a portal customized for a particular user or group of users. The pages within each desktop can include portlets (Portlet A, Portlet B and Portlet C) and booklets (Booklet 1 and Booklet 2). A portlet is a self-contained application that renders itself on a portal page. In one embodiment, a booklet is a collection of one or more pages or booklets. The resource Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Page A has the capability Cap 3. Similarly, Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Booklet 2 has the capability Cap 4, and Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Booklet 2/Page Y/Portlet A has the capabilities Cap 1 and Cap 2.
Enterprise applications can control access to their resources and/or capabilities through the use of entitlements. In one embodiment, evaluating an entitlement includes determining a security policy by dynamically associating one or more roles with a principal. In one embodiment, roles can be based on rules that take into account information including knowledge about the principal, knowledge about the communication session, the current state of the system and/or any other relevant information.
In one embodiment, a user represents a person who uses the enterprise application. A group can be an arbitrary collection of users. In one embodiment, the members of a group share common characteristics, such as a job title. A process can be a software or firmware computer program, or a portion of one at any granularity (for example, a task, thread, lightweight process, distributed object, Enterprise Java™ Bean or any other computing operation). Users, groups and processes can be considered subjects. A subject can be authenticated by providing sufficient proof (for example, a password, social security number, etc.) to an authentication system. Once authenticated, a subject can be considered a principal for the purpose of evaluating entitlements. A principal is the identity assigned to a user, group or process as the result of authentication. A principal can also represent an anonymous user, group or process (for example, a subject that has not been authenticated).
In one embodiment, a role definition contains one or more expressions which, when evaluated for a given principal in a given context, evaluate to true or false. In another embodiment, an expression can evaluate to a degree of certainty that access to a resource should be granted. Expressions can be nested within one another and can contain functions, arithmetic or logical operators, and so on. In one embodiment, expressions are combined (for example, using Boolean operators such as "and", "or" and "not") to form a Boolean expression that evaluates to true or false. If a role evaluates to true, the principal in question is said to satisfy that role.
The role expressions of a principal attempting to access a resource in a given context can be evaluated dynamically. The context can include any information relevant to determining whether the principal belongs in a role. By way of a non-limiting example, the context can include any attributes of the principal (for example, name, age, address, etc.) and/or information about the communication session. In another embodiment, the context can include information from a Hypertext Transfer Protocol ("HTTP") or Hypertext Transfer Protocol (Secure) (HTTPS) request. This information can concern the character encoding, remote user, authorization scheme, content length, server port, context path, request URL, request method, scheme, servlet path, content type, remote host, request protocol, locale, server name, remote address, query string, path information, and so on. Those skilled in the art will appreciate that the context can include any information relevant to evaluating an expression.
In one embodiment, an expression can include a predicate. The invention disclosed here is not limited to the predicates presently discussed. The user predicate evaluates to true if the principal in question is the principal supplied to the predicate as an argument. The group predicate evaluates to true if the principal in question is a member of the specified group.
  Role                   Expression
  Anonymous              satisfied by all principals
  Bank Manager           (User=Donna)
  Customer Service       (User=Michael or Peter) or (Group=BankTellers)
  Loan Officer           (Group=Associate) and (Group=TrainingLevel2) and not (User=Bob)
  Bank Manager           (User=Donna) and ((10/14/02<=currentDate<=10/25/02) or (11/14/02<=currentDate<=11/25/02))
  Software               (Segment=JavaDeveloper)
  System Administrator   ((User=Donna) and ((10/14/02<=currentDate<=10/25/02) or (11/14/02<=currentDate<=11/25/02))) or (Segment=systemAdministrator)
Table 1: Exemplary roles
Table 1 shows seven exemplary roles and their accompanying expressions. In one embodiment, the role "Anonymous" is a special role that is always satisfied. In another embodiment, unauthenticated principals satisfy the "Anonymous" role. A principal authenticated as the user "Donna" satisfies the "Bank Manager" role. A principal authenticated as "Michael" or "Peter", or belonging to the "BankTellers" group, satisfies the "Customer Service" role. A principal who is a member of both the "Associate" and "TrainingLevel2" groups and is not "Bob" satisfies the "Loan Officer" role. Roles can also be dynamic. By way of a non-limiting example, a role can depend on the date and/or time. In one embodiment, a time period can be specified using the "currentDate" predicate. "Donna" can satisfy the "Bank Manager" role only between October 14, 2002 and October 25, 2002, or between November 14, 2002 and November 25, 2002. Those skilled in the art will appreciate that there can be many such date or time predicates (for example, predicates based on both date and time, predicates based on time alone, etc.).
In addition to the predicates discussed above, a segment predicate (hereinafter a "segment") can also be included in a role definition. A segment evaluates to true if the principal in question satisfies the segment's criteria. A segment can be defined in terms of one or more expressions or conditions, where the expressions or conditions can be nested within one another and can include logical operators, mathematical operators, method invocations, calls to external systems, function calls, and so on.
In another embodiment, a segment can be specified in plain language. By way of a non-limiting example:
When all of these conditions apply, the principal is a
JavaDeveloper:
      Developer is equal to True
      Skill level is equal to 'High'
      Preferred language is equal to 'Java'
In this example, the segment described is "ExperiencedJavaDeveloper". The condition "Developer is equal to True" evaluates to true when information contained in or referenced by the context indicates that the principal in question is a user in the software development department of an organization. Likewise, the other conditions ("Skill level is equal to 'High'", "Preferred language is equal to 'Java'") can be evaluated in the same way using information from or referenced by the context. In another embodiment, a condition can relate to information about the communication session. Those skilled in the art will appreciate that a condition can be based on any information, whether or not that information pertains to the particular principal. If the segment as a whole evaluates to true, the principal is said to satisfy the segment. In Table 1, by way of a non-limiting example, a principal who satisfies the "JavaDeveloper" segment satisfies the "Software" role.
By way of yet another non-limiting example:
When all of these conditions apply, the principal is a
SystemAdministrator:
      TimeofDay is between 12:00am and 7:00am
      SystemLoad is 'Low'
      AdminSkillLevel is at least 5
In this example, two of the conditions ("TimeofDay is between 12:00am and 7:00am" and "SystemLoad is 'Low'") are based on information unrelated to the particular principal. If it is the middle of the night, the system is not busy and the principal has an administrative skill level of 5, the segment evaluates to true for the principal in question. In Table 1, by way of a non-limiting example, only "Donna" between October 14, 2002 and October 25, 2002 or between November 14, 2002 and November 25, 2002, or a principal who satisfies the "SystemAdministrator" segment, satisfies the "System Administrator" role.
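As an added illustration (not code from the patent), the following Python models Table 1's roles as composable predicates over a constructed evaluation context, including the two plain-language segments above; the context fields, the profile attribute names and the default date are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, FrozenSet, Optional, Set


# Constructed evaluation context: what the framework knows about the principal,
# the session and the system when a role expression is evaluated.
@dataclass
class Context:
    user: Optional[str] = None                 # None models an unauthenticated principal
    groups: FrozenSet[str] = frozenset()
    attrs: Dict[str, object] = field(default_factory=dict)  # profile data used by segments
    today: date = date(2002, 10, 20)           # assumed "current date"
    hour: int = 2                              # hour of day, 0-23
    system_load: str = "Low"


Predicate = Callable[[Context], bool]


# Predicates named in the description: user, group, currentDate and segment.
def user(name: str) -> Predicate:
    return lambda c: c.user == name


def group(name: str) -> Predicate:
    return lambda c: name in c.groups


def current_date_between(start: date, end: date) -> Predicate:
    return lambda c: start <= c.today <= end


def segment(name: str) -> Predicate:
    return lambda c: SEGMENTS[name](c)


# Boolean combinators; expressions may be nested arbitrarily.
def AND(*ps: Predicate) -> Predicate:
    return lambda c: all(p(c) for p in ps)


def OR(*ps: Predicate) -> Predicate:
    return lambda c: any(p(c) for p in ps)


def NOT(p: Predicate) -> Predicate:
    return lambda c: not p(c)


# Segments: "when all of these conditions apply, the principal is a ...".
SEGMENTS: Dict[str, Predicate] = {
    "JavaDeveloper": AND(
        lambda c: c.attrs.get("Developer") is True,
        lambda c: c.attrs.get("SkillLevel") == "High",
        lambda c: c.attrs.get("PreferredLanguage") == "Java"),
    "SystemAdministrator": AND(
        lambda c: 0 <= c.hour < 7,                       # between 12:00am and 7:00am
        lambda c: c.system_load == "Low",
        lambda c: c.attrs.get("AdminSkillLevel", 0) >= 5),
}

DONNA_WINDOWS = OR(
    current_date_between(date(2002, 10, 14), date(2002, 10, 25)),
    current_date_between(date(2002, 11, 14), date(2002, 11, 25)))

# Table 1, using its date-restricted definition of Bank Manager.
ROLES: Dict[str, Predicate] = {
    "Anonymous": lambda c: True,               # always satisfied
    "Bank Manager": AND(user("Donna"), DONNA_WINDOWS),
    "Customer Service": OR(user("Michael"), user("Peter"), group("BankTellers")),
    "Loan Officer": AND(group("Associate"), group("TrainingLevel2"), NOT(user("Bob"))),
    "Software": segment("JavaDeveloper"),
    "System Administrator": OR(AND(user("Donna"), DONNA_WINDOWS),
                               segment("SystemAdministrator")),
}


def satisfied_roles(ctx: Context) -> Set[str]:
    """Roles whose expression evaluates to true for this principal in this context."""
    return {name for name, expr in ROLES.items() if expr(ctx)}
```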
In one embodiment, segments can use the Extensible Markup Language (XML). XML is a platform-independent language for representing structured documents. Because the text comprising an XML document must be parsed, retrieving information stored in an XML document can be time-consuming. To save time, in another embodiment, once the XML document representing a segment has been parsed, the information extracted from it is cached so that the file need not be parsed again.
Figure 2 is the exemplary hierarchy of Figure 1, further illustrating roles and security policies. Roles are designated by the letter 'R' followed by a parenthesized list of one or more roles. Likewise, policies are designated by the letter 'P' followed by a parenthesized list comprising a set of roles and an optional capability to which the policy applies. If no capability is present, the policy applies to the entire resource. In one embodiment, the scope of a role can be considered global, or associated with a particular resource. A global role is considered in scope for any resource. In one embodiment, a role associated with a resource is in scope for that resource. In another embodiment, the role is in scope for that resource and all of its descendants. In yet another embodiment, the role is in scope for that resource and all of its descendants unless a role with the same name is associated with a descendant. In this way, a "more local" role shadows a "less local" role of the same name.
In Figure 2, the role "Anonymous" is associated with the resource Web App 1. In one embodiment, "Anonymous" is in scope for Web App 1 and all resources below it in the hierarchy. The role G is associated with the resource Desktop A, and so is in scope for Desktop A and its descendants. The role S is associated with the resource Page A. Since Page A has no children (i.e., the attribute Cap 3 does not count as a child), the scope of role S is limited to Page A. The resource Booklet 2 is associated with roles T and U. In one embodiment, role T is in scope for Booklet 2 and all of its descendants, but the same is not true of role U. Because a descendant of Booklet 2 (namely Page Y) is associated with another role of the same name, the role U associated with Booklet 2 is in scope only for Booklet 2 and Page X. However, in one embodiment, the role U associated with Page Y is in scope for all of Page Y's descendants (namely Portlet A, Portlet B and Portlet C). Roles V and W are in scope for Portlet A.
In one embodiment, a security policy (hereinafter a "policy") is an association between a resource, a set of roles and an optional capability. Generally speaking, a policy grants access to the resource to all principals for whom the set of roles evaluates to true. In one embodiment, the policy is satisfied if, for a given principal, any of its roles evaluates to true. In another embodiment, the policy is satisfied if, for a given principal, all of its roles evaluate to true. In another embodiment, a security policy integration system can prevent a role from being removed or deleted while a policy depends on it. Although those skilled in the art will recognize that there are many ways to implement such a system, one approach is to use a reference count to track the number of policies that depend on a particular role. A particular role can be removed only when its reference count equals 0.
In yet another embodiment, a policy's set of roles can be an expression that includes Boolean operators, set operators and roles as operands. A policy can be represented as a tuple <resource, roles, [capability]>, where resource specifies the name of a resource, roles specifies the set of roles, and capability is an optional capability. Policies are based on one or more roles, while roles are based on users and groups. Those skilled in the art will therefore appreciate that policies are in effect based on users, groups and/or segments. By way of illustration, four policies are shown in Figure 2:
P1=<Web App 1,{Anonymous}>
P2=<Web App 1/Portal 1/Desktop A/Page 2,{G}>
P3=<Web App 1/…/Page Y/Portlet A,{W,T},Cap 1>
P4=<Web App 1/…/Page Y/Portlet A,{U,G,Anonymous},Cap 2>
By way of a non-limiting example, suppose a principal p attempts to access the resource Cap 1. To do so, the security policy P3 on Cap 1 requires p to satisfy role W or T. In one embodiment, all roles in scope for Cap 1 (i.e., Anonymous, G, T, U, V and W) are determined for p. If any role that p satisfies matches W or T, P3 is likewise satisfied, and p is thereby granted access to Cap 1.
By way of yet another non-limiting example, suppose a principal p attempts to access the capability Cap 2 of the resource Portlet A. To do so, the security policy P4 on Cap 2 requires p to satisfy one of the roles U, G or Anonymous. In one embodiment, all roles in scope for Portlet A (i.e., Anonymous, G, T, U, V and W) are determined for p. Note that, in one embodiment, the role U associated with the resource Booklet 2 is not in scope for Portlet A. Instead, it is shadowed by the role of the same name associated with the "more local" resource Page Y. Thus, if any role that p satisfies matches U, G or Anonymous, P4 is satisfied, and p is thereby granted access to Cap 2. However, since in one embodiment every principal satisfies the role Anonymous, P4 is always satisfied.
By way of yet another non-limiting example, suppose p attempts to access the capability Cap 4 associated with the resource Booklet 2. This resource has no policy. In one embodiment, access is denied. In another embodiment, access is granted. In yet another embodiment, access is granted if p satisfies a policy on a parent resource of Booklet 2. Table 2 illustrates, without limitation, a parent-policy search using the resource hierarchy of Figure 2. It should be noted, however, that the particular search order or search method is not germane to the purpose of this disclosure. In yet another embodiment, a resource without an explicit policy can hold information about its parent's policy, thereby avoiding the need for a search.
  Search step   Current resource                                          Capability   Policy found?
  1             Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Booklet 2   Cap 4        No
  2             Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Booklet 2                No
  3             Web App 1/Portal 1/Desktop A/Page 2/Booklet 1             Cap 4        No
  4             Web App 1/Portal 1/Desktop A/Page 2/Booklet 1                          No
  5             Web App 1/Portal 1/Desktop A/Page 2                       Cap 4        No
  6             Web App 1/Portal 1/Desktop A/Page 2                                    Yes
Table 2: Exemplary policy search
In one embodiment, the policy search proceeds as follows. The starting point of the search is the resource (i.e., Booklet 2) that has the capability the principal is attempting to access (i.e., Cap 4). This is the current resource. If no policy exists on the current resource for the specified capability, then in step 2 we determine whether a policy exists on the resource itself. If no policy is found, then in step 3 the current resource is set equal to its parent (i.e., Booklet 1). If the current resource has no policy for Cap 4, we determine whether there is a policy on Booklet 1 itself. If no policy is found, then in step 5 the current resource is set equal to its parent (i.e., Page 2). If no policy for Cap 4 is found on the current resource, then in step 6 we determine whether a policy exists on Page 2 itself. Since this is the case, the search stops at step 6. Web App 1/Portal 1/Desktop A/Page 2 has policy P2. Therefore, if p satisfies role G, p is granted access to Cap 4.
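The role scoping, shadowing and parent-policy search described above, as an added Python example that is not part of the patent. The resource paths and policies P1 to P4 follow Figure 2; the role definitions attached to each resource (which users or groups satisfy G, T, U, and so on) are constructed, since the patent only names the roles, and the "deny when no policy is found" embodiment is the one chosen here.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple


class Principal:
    """Constructed principal: an authenticated name (None = anonymous) plus groups."""
    def __init__(self, name: Optional[str], groups: Set[str] = frozenset()):
        self.name, self.groups = name, set(groups)


RoleExpr = Callable[[Principal], bool]


def user(n: str) -> RoleExpr:
    return lambda p: p.name == n


def group(g: str) -> RoleExpr:
    return lambda p: g in p.groups


ANONYMOUS: RoleExpr = lambda p: True       # satisfied by every principal

# Resource paths from Figure 2 (slash-separated, root first).
BOOKLET2 = "Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Booklet 2"
PORTLET_A = BOOKLET2 + "/Page Y/Portlet A"

# Roles attached to resources.  The definitions are constructed (the patent only
# names the roles); "U" is defined twice so that Page Y's U shadows Booklet 2's U
# for everything under Page Y.
ROLES: Dict[str, Dict[str, RoleExpr]] = {
    "Web App 1": {"Anonymous": ANONYMOUS},
    "Web App 1/Portal 1/Desktop A": {"G": group("DesktopUsers")},
    "Web App 1/Portal 1/Desktop A/Page 2/Booklet 1/Page A": {"S": user("sam")},
    BOOKLET2: {"T": group("Editors"), "U": group("Editors")},
    BOOKLET2 + "/Page Y": {"U": user("Donna")},
    PORTLET_A: {"V": user("vic"), "W": group("Writers")},
}

# Policies P1..P4 of Figure 2: (resource, capability or None) -> set of roles.
POLICIES: Dict[Tuple[str, Optional[str]], Set[str]] = {
    ("Web App 1", None): {"Anonymous"},                    # P1
    ("Web App 1/Portal 1/Desktop A/Page 2", None): {"G"},  # P2
    (PORTLET_A, "Cap 1"): {"W", "T"},                      # P3
    (PORTLET_A, "Cap 2"): {"U", "G", "Anonymous"},         # P4
}


def lineage(path: str) -> List[str]:
    """Root-first list of a resource's ancestors ending with the resource itself."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def roles_in_scope(path: str) -> Dict[str, RoleExpr]:
    """Roles visible at `path`.  Walking root -> leaf lets a more local
    definition of a name overwrite (shadow) a less local one."""
    scope: Dict[str, RoleExpr] = {}
    for ancestor in lineage(path):
        scope.update(ROLES.get(ancestor, {}))
    return scope


def satisfied_roles(p: Principal, path: str) -> Set[str]:
    return {name for name, expr in roles_in_scope(path).items() if expr(p)}


def find_policy(path: str, cap: Optional[str]):
    """Parent-policy search of Table 2: at each resource try (resource, cap),
    then (resource, None), then move to the parent.  Returns the matching policy
    key (or None) and the list of (resource, capability, found) steps taken."""
    steps: List[Tuple[str, Optional[str], bool]] = []
    for res in reversed(lineage(path)):
        for c in ([cap, None] if cap is not None else [None]):
            found = (res, c) in POLICIES
            steps.append((res, c, found))
            if found:
                return (res, c), steps
    return None, steps


def is_authorized(p: Principal, path: str, cap: Optional[str] = None) -> bool:
    """Grant iff any role in the governing policy's role set is one the principal
    satisfies at `path` (the 'any role' embodiment); deny when no policy exists."""
    key, _ = find_policy(path, cap)
    if key is None:
        return False
    return bool(POLICIES[key] & satisfied_roles(p, path))
```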
In another embodiment, capabilities are associated with particular resource types. For example, a booklet can have a type of capability (for example, Cap 4) that is incompatible with, or not possessed by, other resource types (for example, pages or desktops). Therefore, when searching for a policy as in Table 2, a resource can be skipped in the search if the capability is incompatible with the current resource. In yet another embodiment, if no policy is found for a given resource type, a global library can be consulted to determine whether any applicable global policy exists.
In another embodiment, in addition to the primary resource hierarchy, roles and policies can reside in hierarchies of their own. For applications that do not need to associate roles and/or policies with resources in the primary hierarchy, this approach allows shallow role and/or policy trees, perhaps only one level deep. Searching a smaller hierarchy can potentially reduce the time spent finding all roles in scope and locating policies.
Figure 3 is a block diagram of an authorization system in accordance with one embodiment of the invention. Although this figure depicts objects as functionally separate, such depiction is merely for illustrative purposes. Those skilled in the art will appreciate that the objects portrayed in Figure 3 can be arbitrarily combined or divided into separate software, firmware or hardware components. Furthermore, those skilled in the art will also appreciate that, regardless of how they are combined or divided, such components can execute on the same computer or can be arbitrarily distributed among different computers connected by one or more networks.
In one embodiment, security framework 300 is a modular security architecture with published interfaces that allow for plug-in components. By way of a non-limiting example, the framework can be a library, a set of interfaces, distributed objects, or any other means by which software, firmware and/or hardware components communicate with one another. One or more role mapper components (302-306) are connected to the framework. A role mapper maps a principal to one or more roles (that is, determines which roles are appropriate) based on the resource hierarchy and the context. In this respect, each role mapper can implement its own particular algorithm and use information and resources beyond those provided by the framework. One or more authorizers (308-310) are also connected to the framework. An authorizer is responsible for determining whether access to a resource can be granted based on whether the principal satisfies the resource's policy. In this respect, each authorizer can implement its own particular algorithm and use information and resources beyond those provided by the framework. Finally, an adjudicator 314 resolves any differences in results among the authorization modules and returns a final result (for example, "grant", "deny" or "abstain"). In one embodiment, the adjudicator can take the logical "or" of the results, so that if any result is "grant", the adjudicated result is "grant". In another embodiment, the adjudicator can take the logical "and" of the results, so that if any result is "deny", the adjudicated result is "deny". In yet another embodiment, the adjudicator can use a weighted average or other statistical means to determine the final result.
A process can interact with the framework in a number of ways that will be apparent to those skilled in the art. In one embodiment, a calling process provides a resource access request to framework 300. The request can include information about the principal, the resource to which access is requested, and any context information. In another embodiment, the request can contain references to this information. The framework then provides this information to one or more role mappers. Each role mapper determines, according to its own criteria, which roles are appropriate for the principal. In another embodiment, each role mapper can implement a cache to speed up the search for roles. Rather than traversing the resource tree to find all roles in scope, each role mapper can cache roles previously retrieved from the resource tree under a key comprising the resource to which access is requested and the principal. After an initial retrieval from the resource tree, subsequent roles for a given resource-principal combination can be obtained directly from the cache.
The set of satisfied roles is then returned to the framework. The framework can then provide the information from the role mappers to the authorizer modules. Based on this information and its own criteria, each authorization module independently determines whether the policy is satisfied. In another embodiment, each authorizer can implement a cache to speed up the search for policies. Rather than traversing the resource tree to find the policies in scope, each authorizer can cache policies previously retrieved from the resource tree under a key comprising the resource to which access is requested and the principal. After an initial retrieval from the resource tree, subsequent policies for a given resource-principal combination can be obtained directly from the cache. The authorizer results (for example, a decision to grant or deny) are provided to the framework and then to the adjudicator. The adjudicator makes the final decision and provides it to the framework. The framework then provides the decision to the calling process.
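An added Python sketch (not the patent's framework code) of the plug-in arrangement described above: role mappers feed authorizers, an adjudicator combines their results under the "or", "and" or weighted strategies, and roles are cached per (principal, resource). The request shape, the sample plug-ins and the directory/policy tables are constructed.

```python
from typing import Any, Callable, Dict, List, Set, Tuple

GRANT, DENY, ABSTAIN = "grant", "deny", "abstain"

Request = Dict[str, Any]                          # principal, resource, context
RoleMapper = Callable[[Request], Set[str]]        # request -> roles the principal satisfies
Authorizer = Callable[[Request, Set[str]], str]   # request, roles -> GRANT / DENY / ABSTAIN
Adjudicator = Callable[[List[str]], str]


# --- adjudication strategies named in the description -----------------------
def adjudicate_or(results: List[str]) -> str:
    """Logical OR: any GRANT wins; otherwise DENY if anyone denied."""
    if GRANT in results:
        return GRANT
    return DENY if DENY in results else ABSTAIN


def adjudicate_and(results: List[str]) -> str:
    """Logical AND: any DENY wins; GRANT only if someone granted and nobody denied."""
    if DENY in results:
        return DENY
    return GRANT if GRANT in results else ABSTAIN


def make_weighted_adjudicator(weights: List[float], threshold: float = 0.5) -> Adjudicator:
    """Weighted vote: grants count for, denies against, abstentions not at all."""
    def adjudicate(results: List[str]) -> str:
        votes = [(w, r) for w, r in zip(weights, results) if r != ABSTAIN]
        if not votes:
            return ABSTAIN
        total = sum(w for w, _ in votes)
        for_grant = sum(w for w, r in votes if r == GRANT)
        return GRANT if for_grant / total >= threshold else DENY
    return adjudicate


class SecurityFramework:
    """Pluggable framework: role mappers -> authorizers -> adjudicator."""

    def __init__(self, mappers: List[RoleMapper], authorizers: List[Authorizer],
                 adjudicator: Adjudicator) -> None:
        self.mappers, self.authorizers, self.adjudicator = mappers, authorizers, adjudicator
        # Role cache keyed by (principal, resource), as the description suggests.
        # Caveat: context-dependent roles (dates, session data) are cached too,
        # so entries must be dropped when such inputs change.
        self._role_cache: Dict[Tuple[str, str], Set[str]] = {}

    def roles_for(self, request: Request) -> Set[str]:
        key = (request["principal"], request["resource"])
        if key not in self._role_cache:
            self._role_cache[key] = set().union(*(m(request) for m in self.mappers))
        return self._role_cache[key]

    def authorize(self, request: Request) -> str:
        roles = self.roles_for(request)
        results = [a(request, roles) for a in self.authorizers]
        return self.adjudicator(results)


# --- constructed plug-ins -----------------------------------------------------
DIRECTORY = {"alice": {"BankTellers"}, "bob": {"Associate"}}   # constructed user directory


def group_mapper(req: Request) -> Set[str]:
    groups = DIRECTORY.get(req["principal"], set())
    return {"CustomerService"} if "BankTellers" in groups else set()


def anonymous_mapper(req: Request) -> Set[str]:
    return {"Anonymous"}                       # every principal satisfies Anonymous


POLICY = {"accounts": {"CustomerService"}, "lobby": {"Anonymous"}}   # constructed policies


def policy_authorizer(req: Request, roles: Set[str]) -> str:
    required = POLICY.get(req["resource"])
    if required is None:
        return ABSTAIN                         # no policy for this resource
    return GRANT if roles & required else DENY


def maintenance_authorizer(req: Request, roles: Set[str]) -> str:
    """Denies everything while the context flags a maintenance window."""
    return DENY if req.get("context", {}).get("maintenance") else ABSTAIN
```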
As enterprise applications become large and complex, the number of administrative tasks also becomes large. One way to reduce the number of tasks for which a system administrator is responsible is to distribute the tasks among multiple administrators. Delegated administration allows a hierarchy of roles to manage administrative capabilities. By way of a non-limiting example, administrative capabilities can include the ability to manage customer accounts, the ability to delegate administrative capabilities, the ability to customize or personalize user interface elements (for example, portals, booklets, desktops, portlets, etc.), the ability to perform administration of the enterprise application, and so on. In another embodiment, any capability or attribute can be delegated. In one embodiment, delegation is the act by which a principal in one role enables another, lower role to have an administrative capability and/or to further delegate an administrative capability. In one embodiment, delegation roles are the same as roles, and can therefore be defined using predicates (for example, user, group, current date, segment, etc.).
Figure 4 illustrates a delegation role hierarchy in accordance with one embodiment of the invention. In one embodiment, delegation roles can be organized into a delegation hierarchy to control the extent of delegation. In one embodiment, the delegation roles can be associated with a single top-level resource (for example, the enterprise application), and the delegation role hierarchy can be maintained separately from the resource hierarchy. A security policy can be associated with the enterprise application to restrict which principals are allowed to change the role definitions and the separately maintained role hierarchy. In another embodiment, a fictitious resource hierarchy that mirrors an arbitrary delegation role hierarchy can be used, where each delegation role is associated with the resource corresponding to the delegation role's proper position in the hierarchy. A security policy can be associated with each resource to control which principals can modify the associated role. A security policy at the root of the hierarchy can restrict which principals are allowed to modify the fictitious hierarchy itself.
Referring again to Figure 4, the role Admin_Role is at the top of the delegation role hierarchy. In one embodiment, there is no limit to the administrative capabilities or delegation rights of a principal in this role. By way of a non-limiting example, a principal in Admin_Role can modify the definitions of the delegation roles and the delegation hierarchy. In one embodiment, a principal in a delegation role can delegate administrative capabilities only to roles below it in the delegation hierarchy. Admin_Role has two children, A_Role and B_Role. A_Role has one child, C_Role, and C_Role has two children: D_Role and E_Role. By way of a non-limiting example, Admin_Role can delegate to all other roles below it in the delegation hierarchy. Likewise, A_Role can delegate to C_Role, D_Role and E_Role, while C_Role can delegate only to D_Role and E_Role. The leaves of the tree, D_Role, E_Role and B_Role, have no children and therefore cannot delegate. In another embodiment, a node in the hierarchy can be associated with more than one parent. This allows more than one higher role to delegate to a lower role.
In one embodiment, delegation can be represented with a security policy. The policy is associated with the delegated resource/capability and is based on the role to which the resource/capability is delegated. Figure 5 illustrates an exemplary delegation security policy in one embodiment of the invention. In this example, the delegation hierarchy of Figure 4 is assumed to hold. Note that the root resource Enterprise App 1 in Figure 5 is associated with the following roles: Admin_Role, A_Role, B_Role, C_Role, D_Role and E_Role. The hierarchy depicted in Figure 5 can include other resources, roles and policies, but is limited for purposes of illustration. In one embodiment, delegation creates a policy on the resource whose capability is being delegated. For example, the resource Web App 1 has an Admin capability and an associated security policy P(D_Role). A principal in the role C_Role, A_Role or Admin_Role created this policy by delegating the Admin capability of Web App 1 to D_Role. (Those skilled in the art will appreciate that any capability can be delegated, not only Admin.) As a result, a principal satisfying D_Role can perform administration of Web App 1. However, since Web App 1 has no Delegate capability, a principal satisfying D_Role cannot further delegate the Admin capability of Web App 1.
The resource Desktop A has two capabilities, Admin and Delegate, each with a policy. The policy P(A_Role) attached to both indicates that a principal in the role Admin_Role delegated to A_Role the capability to administer Desktop A and to further delegate that capability. Therefore, a principal in A_Role can further delegate the Admin and Delegate capabilities to lower delegation roles (i.e., C_Role, D_Role and E_Role). For example, the resource Desktop B has the capability Admin, which has the policy P(C_Role). A principal in the role A_Role or Admin_Role put this policy in place. A principal in the role C_Role will be able to administer Desktop B, but will not be able to further delegate that capability.
In one embodiment, delegation of a node that has already been delegated by a principal in a higher delegation role is not allowed. Referring to Figures 4 and 5, by way of a non-limiting example, if the resource Portal 2 has the policy P(A_Role), a principal in the role C_Role will not be able to delegate Portal 2, because it has already been delegated to a role higher than C_Role (i.e., A_Role).
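The delegation rules of Figures 4 and 5 (delegate only downward, hold the Delegate capability on the resource or an ancestor, never re-delegate what a higher role already holds), as an added Python example that is not the patent's own code; the resource paths and the seeded Delegate policies are constructed.

```python
from typing import Dict, List, Set, Tuple

TOP = "Admin_Role"   # unrestricted delegator at the top of the delegation hierarchy

# Figure 4's delegation hierarchy: role -> its parent roles (more than one parent is allowed).
PARENTS: Dict[str, Set[str]] = {
    "Admin_Role": set(),
    "A_Role": {"Admin_Role"}, "B_Role": {"Admin_Role"},
    "C_Role": {"A_Role"},
    "D_Role": {"C_Role"}, "E_Role": {"C_Role"},
}


def ancestors(role: str) -> Set[str]:
    """All roles strictly above `role` in the delegation hierarchy."""
    seen: Set[str] = set()
    todo = list(PARENTS.get(role, set()))
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(PARENTS.get(r, set()))
    return seen


def is_below(lower: str, upper: str) -> bool:
    return upper in ancestors(lower)


def lineage(path: str) -> List[str]:
    """Root-first list of a resource's ancestors ending with the resource itself."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


class DelegationStore:
    """Policies P(role) created by delegation, keyed by (resource path, capability)."""

    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str], Set[str]] = {}

    def holds(self, role: str, resource: str, capability: str) -> bool:
        """True if `role` is in the policy for `capability` on the resource or one
        of its ancestors (the parent-policy search of the description)."""
        return any(role in self.policies.get((r, capability), set())
                   for r in reversed(lineage(resource)))

    def delegate(self, actor: str, resource: str, capability: str,
                 target: str) -> Tuple[bool, str]:
        """Apply the delegation rules; on success record target in P(resource, capability)."""
        # Rule 1: a role may delegate only to roles below it in the delegation hierarchy.
        if not is_below(target, actor):
            return False, "target is not below the delegating role"
        # Rule 2: except at the top, the actor must hold Delegate on the resource
        # (or inherit it from an ancestor resource).
        if actor != TOP and not self.holds(actor, resource, "Delegate"):
            return False, "delegating role lacks the Delegate capability here"
        # Rule 3: a node already delegated to a role above the actor is off limits.
        existing = self.policies.get((resource, capability), set())
        if any(r != actor and not is_below(r, actor) for r in existing):
            return False, "already delegated by a higher role"
        self.policies.setdefault((resource, capability), set()).add(target)
        return True, "delegated"
```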
In another embodiment, aspects of user group management can be delegated. By way of a non-limiting example, user groups can be organized into a hierarchy by treating them as children of the enterprise application resource. Capabilities that can be delegated include user profile management, the ability to view the members of a group, and the ability to create, update and remove users and groups.
One embodiment can be implemented using a conventional general-purpose or special-purpose digital computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the computer art. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention can also be implemented by the preparation of integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.
One embodiment includes a computer program product which is a storage medium having instructions stored thereon/in which can be used to program a computer to perform any of the features presented herein. The storage medium can include, but is not limited to, any type of disk including floppy disks, optical discs, DVDs, CD-ROMs, microdrives and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
Stored on any one of the computer-readable media, the present invention includes software for controlling the hardware of a general-purpose/special-purpose computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention. Such software can include, but is not limited to, device drivers, operating systems, execution environments/containers and user applications.
The foregoing description of the preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention, to envision various embodiments and various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents.

Claims (60)

1. An authorization method for adaptively controlling access to a resource, comprising the steps of:
providing a mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
providing an evaluation of a policy based on the at least one role; and
providing, based on the evaluation of the policy, a determination of whether the principal is authorized to access the resource.
2. The method of claim 1, comprising the step of:
allowing the principal to be an authenticated user, group or process.
3. The method of claim 1, wherein:
the step of providing the mapping includes determining whether the principal satisfies the at least one role.
4. The method of claim 1, comprising the step of:
determining whether the at least one role is true or false for the principal in a context.
5. The method of claim 1, wherein:
the at least one role is a Boolean expression including at least one of (1) another Boolean expression and (2) a predicate.
6. The method of claim 5, wherein:
the predicate is one of a user, a group, a time and a segment.
7. The method of claim 5, wherein:
the predicate is evaluated based on the principal and a context.
8. The method of claim 5, wherein:
the predicate is a segment specified in plain language.
9. The method of claim 1, wherein:
the policy is an association between the resource and a set of roles.
10. The method of claim 9, comprising the step of:
authorizing access to the resource if the at least one role is in the set of roles.
11. An authorization method for adaptively controlling access to a resource, comprising the steps of:
providing an evaluation of a policy based on at least one role applicable to a principal attempting to access the resource;
providing authorization to access the resource based on the evaluation; and
wherein the resource, the policy and the at least one role are hierarchically related.
12. The method of claim 11, comprising the step of:
allowing the principal to be an authenticated user, group or process.
13. The method of claim 11, wherein:
the at least one role is applicable to the principal if the principal satisfies the at least one role.
14. The method of claim 11, comprising the step of:
evaluating whether the at least one role is true or false for the principal in a context.
15. The method of claim 11, wherein:
the at least one role is a Boolean expression including at least one of (1) another Boolean expression and (2) a predicate.
16. The method of claim 15, wherein:
the predicate is one of a user, a group, a time and a segment.
17. The method of claim 15, comprising the step of:
evaluating the predicate based on the principal and a context.
18. The method of claim 16, wherein:
the segment predicate is specified in plain language.
19. The method of claim 11, wherein:
the policy is an association between the resource and a set of roles.
20. The method of claim 19, comprising the step of:
authorizing access to the resource if the at least one role is in the set of roles.
21. An authorization method for adaptively controlling access to a resource, comprising the steps of:
providing information about a principal and the resource to a security framework;
providing, using the security framework, an authorization result based on evaluating at least one security policy by associating at least one role with the principal; and
wherein the resource, the security policy and the at least one role are hierarchically related.
22. The method of claim 21, comprising the step of:
allowing the principal to be an authenticated user, group or process.
23. The method of claim 21, wherein:
associating the at least one role with the principal includes determining whether the principal satisfies the at least one role.
24. The method of claim 21, comprising the step of:
evaluating whether the at least one role is true or false for the principal in a context.
25. The method of claim 21, wherein:
the at least one role is a Boolean expression including at least one of (1) another Boolean expression and (2) a predicate.
26. The method of claim 25, wherein:
the predicate is one of a user, a group, a time and a segment.
27. The method of claim 25, comprising the step of:
evaluating the predicate based on the principal and a context.
28. The method of claim 25, wherein:
the predicate is a segment, and the predicate is specified in plain language.
29. The method of claim 21, wherein:
the policy is an association between the resource and a set of roles.
30. The method of claim 29, comprising the step of:
authorizing access to the res
ource if the at least one role is in the set of roles.
31. An authorization system adapted to control access to a resource, comprising:
at least one role mapper for mapping a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
at least one authorizer coupled to the at least one role mapper, the at least one authorizer determining whether a policy is satisfied based on the at least one role; and
an adjudicator coupled to the at least one authorizer, the adjudicator providing a final decision based on the determination of the at least one authorizer.
32. The system of claim 31, wherein:
the principal is an authenticated user, group or process.
33. The system of claim 31, wherein:
the mapping includes determining whether the principal satisfies the at least one role.
34. The system of claim 31, wherein:
the at least one role is evaluated to be true or false for the principal in a context.
35. The system of claim 31, wherein:
the at least one role is a Boolean expression including at least one of another Boolean expression and a predicate.
36. The system of claim 35, wherein:
the predicate is one of a user, a group, a time and a segment.
37. The system of claim 35, wherein:
the predicate is evaluated based on the principal and a context.
38. The system of claim 36, wherein:
the segment predicate is specified in plain language.
39. The system of claim 31, wherein:
the policy is an association between the resource and a set of roles.
40. The system of claim 39, wherein:
access to the resource is authorized if the at least one role is in the set of roles.
41. A machine-readable medium having instructions stored thereon that, when executed by a processor, cause a system to:
map a principal to at least one role, wherein the at least one role is hierarchically related to a resource;
evaluate a policy based on the at least one role; and
determine, based on the evaluation of the policy, whether to authorize access to the resource.
42. The machine-readable medium of claim 41, further comprising instructions that, when executed, cause the system to:
allow the principal to be an authenticated user, group or process.
43. The machine-readable medium of claim 41, wherein:
the mapping includes determining whether the principal satisfies the at least one role.
44. The machine-readable medium of claim 41, further comprising instructions that, when executed, cause the system to:
evaluate whether the at least one role is true or false for the principal in a context.
45. The machine-readable medium of claim 41, wherein:
the at least one role is a Boolean expression including at least one of another Boolean expression and a predicate.
46. The machine-readable medium of claim 45, wherein:
the predicate is one of a user, a group, a time and a segment.
47. The machine-readable medium of claim 45, wherein:
the predicate is evaluated based on the principal and a context.
48. The machine-readable medium of claim 46, wherein:
the segment predicate is specified in plain language.
49. The machine-readable medium of claim 41, wherein:
the policy is an association between the resource and a set of roles.
50. The machine-readable medium of claim 49, further comprising instructions that, when executed, cause the system to:
authorize access to the resource if the at least one role is in the set of roles.
51. An authorization method for adaptively controlling access to a resource in an enterprise application, comprising the steps of:
providing a mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource;
providing an evaluation of a policy based on the at least one role; and
providing, based on the evaluation of the policy, a determination of whether the principal is authorized to access the resource; and
wherein the at least one role, the policy and the resource are part of the enterprise application.
52. The method of claim 51, comprising the step of:
allowing the principal to be an authenticated user, group or process.
53. The method of claim 51, wherein:
the step of providing the mapping includes determining whether the principal satisfies the at least one role.
54. The method of claim 51, comprising the step of:
determining whether the at least one role is true or false for the principal in a context.
55. The method of claim 51, wherein:
the at least one role is a Boolean expression including at least one of (1) another Boolean expression and (2) a predicate.
56. The method of claim 55, wherein:
the predicate is one of a user, a group, a time and a segment.
57. The method of claim 55, wherein:
the predicate is evaluated based on the principal and a context.
58. The method of claim 55, wherein:
the predicate is a segment specified in plain language.
59. The method of claim 51, wherein:
the policy is an association between the resource and a set of roles.
60. The method of claim 59, comprising the step of:
authorizing access to the resource if the at least one role is in the set of roles.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/367,177 US7591000B2 (en) 2003-02-14 2003-02-14 System and method for hierarchical role-based entitlements
US10/367,177 2003-02-14

Publications (1)

Publication Number Publication Date
CN1842785A true CN1842785A (zh) 2006-10-04

Family

ID=32849917

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2004800098678A Pending CN1842785A (zh) 2003-02-14 2004-02-12 System and method for hierarchical role-based entitlements

Country Status (6)

Country Link
US (2) US7591000B2 (zh)
EP (1) EP1593024B1 (zh)
JP (1) JP4787149B2 (zh)
CN (1) CN1842785A (zh)
AU (1) AU2004214449A1 (zh)
WO (1) WO2004074993A2 (zh)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951377A (zh) * 2010-09-21 2011-01-19 用友软件股份有限公司 分层授权管理方法和装置
CN105051749A (zh) * 2013-03-15 2015-11-11 瑞典爱立信有限公司 基于策略的数据保护
CN105224678A (zh) * 2015-10-19 2016-01-06 浪潮软件集团有限公司 一种电子文档管理的方法及装置
CN106326760A (zh) * 2016-08-31 2017-01-11 清华大学 一种用于数据分析的访问控制规则描述方法
CN106446666A (zh) * 2016-09-18 2017-02-22 珠海格力电器股份有限公司 一种权限配置方法及装置
CN112036774A (zh) * 2020-10-09 2020-12-04 北京嘀嘀无限科技发展有限公司 服务策略的评估方法、装置、设备及存储介质

Families Citing this family (71)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2003276819A1 (en) 2002-06-13 2003-12-31 Engedi Technologies, Inc. Out-of-band remote management station
US7325140B2 (en) 2003-06-13 2008-01-29 Engedi Technologies, Inc. Secure management access control for computers, embedded and card embodiment
US7653930B2 (en) * 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US8831966B2 (en) * 2003-02-14 2014-09-09 Oracle International Corporation Method for delegated administration
US7591000B2 (en) 2003-02-14 2009-09-15 Oracle International Corporation System and method for hierarchical role-based entitlements
US6917975B2 (en) * 2003-02-14 2005-07-12 Bea Systems, Inc. Method for role and resource policy management
US20040230679A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for portal and web server administration
US7519826B2 (en) * 2003-10-01 2009-04-14 Engedi Technologies, Inc. Near real-time multi-party task authorization access control
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US7644432B2 (en) * 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050102536A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Dynamically configurable distributed security system
US8140691B2 (en) * 2003-12-12 2012-03-20 International Business Machines Corporation Role-based views access to a workflow weblog
US8423394B2 (en) * 2003-12-12 2013-04-16 International Business Machines Corporation Method for tracking the status of a workflow using weblogs
US8417682B2 (en) * 2003-12-12 2013-04-09 International Business Machines Corporation Visualization of attributes of workflow weblogs
US9032076B2 (en) * 2004-10-22 2015-05-12 International Business Machines Corporation Role-based access control system, method and computer program product
CN1773413B (zh) * 2004-11-10 2010-04-14 中国人民解放军国防科学技术大学 角色定权方法
US7958161B2 (en) * 2004-11-30 2011-06-07 Siebel Systems, Inc. Methods and apparatuses for providing hosted tailored vertical applications
US20070226031A1 (en) * 2004-11-30 2007-09-27 Manson Nicholas R Methods and apparatuses for grouped option specification
US7841011B2 (en) * 2004-11-30 2010-11-23 Siebel Systems, Inc. Methods and apparatuses for tiered option specification
US8751328B2 (en) * 2004-11-30 2014-06-10 Siebel Systems, Inc. Methods and apparatuses for providing provisioned access control for hosted tailored vertical applications
US8086615B2 (en) * 2005-03-28 2011-12-27 Oracle International Corporation Security data redaction
US20060218394A1 (en) * 2005-03-28 2006-09-28 Yang Dung C Organizational role-based controlled access management system
US20060236408A1 (en) * 2005-04-14 2006-10-19 International Business Machines Corporation Method and apparatus for device dependent access control for device independent web content
US7748027B2 (en) * 2005-05-11 2010-06-29 Bea Systems, Inc. System and method for dynamic data redaction
US20070044151A1 (en) * 2005-08-22 2007-02-22 International Business Machines Corporation System integrity manager
US7818344B2 (en) 2005-09-26 2010-10-19 Bea Systems, Inc. System and method for providing nested types for content management
US7917537B2 (en) 2005-09-26 2011-03-29 Oracle International Corporation System and method for providing link property types for content management
US7752205B2 (en) 2005-09-26 2010-07-06 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US7953734B2 (en) 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
JP2007293859A (ja) * 2006-04-21 2007-11-08 Pantech Co Ltd ユーザードメインの管理方法
US8769604B2 (en) * 2006-05-15 2014-07-01 Oracle International Corporation System and method for enforcing role membership removal requirements
US7836489B2 (en) * 2006-06-15 2010-11-16 Microsoft Corporation Selecting policy for compatible communication
US8336078B2 (en) * 2006-07-11 2012-12-18 Fmr Corp. Role-based access in a multi-customer computing environment
US9112874B2 (en) 2006-08-21 2015-08-18 Pantech Co., Ltd. Method for importing digital rights management data for user domain
US8463852B2 (en) 2006-10-06 2013-06-11 Oracle International Corporation Groupware portlets for integrating a portal with groupware systems
US8452873B2 (en) * 2006-11-01 2013-05-28 International Business Machines Corporation Provisioning of resources in a computer network
US8032558B2 (en) * 2007-01-10 2011-10-04 Novell, Inc. Role policy management
US8156516B2 (en) * 2007-03-29 2012-04-10 Emc Corporation Virtualized federated role provisioning
US8719894B2 (en) * 2007-03-29 2014-05-06 Apple Inc. Federated role provisioning
US8635618B2 (en) * 2007-11-20 2014-01-21 International Business Machines Corporation Method and system to identify conflicts in scheduling data center changes to assets utilizing task type plugin with conflict detection logic corresponding to the change request
US8122484B2 (en) * 2008-01-09 2012-02-21 International Business Machines Corporation Access control policy conversion
US8296820B2 (en) * 2008-01-18 2012-10-23 International Business Machines Corporation Applying security policies to multiple systems and controlling policy propagation
US8805774B2 (en) * 2008-02-19 2014-08-12 International Business Machines Corporation Method and system for role based situation aware software
US20090235167A1 (en) * 2008-03-12 2009-09-17 International Business Machines Corporation Method and system for context aware collaborative tagging
US8645843B2 (en) * 2008-08-29 2014-02-04 International Business Machines Corporation Supporting role-based access control in component-based software systems
CN101673358B (zh) * 2008-09-10 2012-01-25 中兴通讯股份有限公司 基于权限组件对工作流组件中的权限管理的方法及装置
US8676847B2 (en) * 2009-04-07 2014-03-18 International Business Machines Corporation Visibility control of resources
US8495703B2 (en) * 2009-06-18 2013-07-23 Oracle International Corporation Security policy verification system
US8489685B2 (en) 2009-07-17 2013-07-16 Aryaka Networks, Inc. Application acceleration as a service system and method
US8713056B1 (en) * 2011-03-30 2014-04-29 Open Text S.A. System, method and computer program product for efficient caching of hierarchical items
US20130275241A1 (en) * 2012-04-16 2013-10-17 Wal-Mart Stores, Inc. Processing Online Transactions
US9607166B2 (en) 2013-02-27 2017-03-28 Microsoft Technology Licensing, Llc Discretionary policy management in cloud-based environment
US9507609B2 (en) 2013-09-29 2016-11-29 Taplytics Inc. System and method for developing an application
US10122717B1 (en) 2013-12-31 2018-11-06 Open Text Corporation Hierarchical case model access roles and permissions
US10521601B2 (en) 2014-04-30 2019-12-31 Sailpoint Technologies, Israel Ltd. System and method for data governance
US9516504B2 (en) * 2014-05-19 2016-12-06 Verizon Patent And Licensing Inc. Intelligent role based access control based on trustee approvals
US9489532B2 (en) * 2014-05-28 2016-11-08 Siemens Product Lifecycle Management Software Inc. Fast access rights checking of configured structure data
US10032124B1 (en) 2014-07-31 2018-07-24 Open Text Corporation Hierarchical permissions model for case management
CN105608366B (zh) * 2014-11-18 2019-07-12 华为软件技术有限公司 用户权限控制方法和装置
US9680649B2 (en) * 2015-03-19 2017-06-13 Oracle International Corporation Policy-based key sharing
US10757128B2 (en) 2017-06-29 2020-08-25 Amazon Technologies, Inc. Security policy analyzer service and satisfiability engine
US10922423B1 (en) * 2018-06-21 2021-02-16 Amazon Technologies, Inc. Request context generator for security policy validation service
US11107022B2 (en) * 2018-09-26 2021-08-31 CBRE, Inc. Role-based access control with building information data model for managing building resources
CN109344569B (zh) * 2018-09-28 2020-09-18 北京赛博贝斯数据科技有限责任公司 软件使用的授权方法及系统
US11483317B1 (en) * 2018-11-30 2022-10-25 Amazon Technologies, Inc. Techniques for analyzing security in computing environments with privilege escalation
US11461677B2 (en) 2020-03-10 2022-10-04 Sailpoint Technologies, Inc. Systems and methods for data correlation and artifact matching in identity management artificial intelligence systems
US11416574B2 (en) * 2020-07-21 2022-08-16 Content Square SAS System and method for identifying and scoring in-page behavior
CN112511569B (zh) * 2021-02-07 2021-05-11 杭州筋斗腾云科技有限公司 网络资源访问请求的处理方法、系统及计算机设备
US11308186B1 (en) 2021-03-19 2022-04-19 Sailpoint Technologies, Inc. Systems and methods for data correlation and artifact matching in identity management artificial intelligence systems

Family Cites Families (323)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5335345A (en) 1990-04-11 1994-08-02 Bell Communications Research, Inc. Dynamic query optimization using partial information
AU639802B2 (en) 1990-08-14 1993-08-05 Oracle International Corporation Methods and apparatus for providing dynamic invocation of applications in a distributed heterogeneous environment
AU628264B2 (en) * 1990-08-14 1992-09-10 Oracle International Corporation Methods and apparatus for providing a client interface to an object-oriented invocation of an application
US5173939A (en) * 1990-09-28 1992-12-22 Digital Equipment Corporation Access control subsystem and method for distributed computer system using compound principals
US5426747A (en) 1991-03-22 1995-06-20 Object Design, Inc. Method and apparatus for virtual memory mapping and transaction management in an object-oriented database system
US5237614A (en) 1991-06-07 1993-08-17 Security Dynamics Technologies, Inc. Integrated network security system
US5347653A (en) 1991-06-28 1994-09-13 Digital Equipment Corporation System for reconstructing prior versions of indexes using records indicating changes between successive versions of the indexes
US5481700A (en) * 1991-09-27 1996-01-02 The Mitre Corporation Apparatus for design of a multilevel secure database management system based on a multilevel logic programming system
US5355474A (en) 1991-09-27 1994-10-11 Thuraisngham Bhavani M System for multilevel secure database management using a knowledge base with release-based and other security constraints for query, response and update modification
JPH05233549A (ja) * 1992-02-14 1993-09-10 Nec Corp System user management method
US5557747A (en) 1993-06-22 1996-09-17 Rogers; Lawrence D. Network policy implementation system for performing network control operations in response to changes in network state
JPH0798669A (ja) 1993-08-05 1995-04-11 Hitachi Ltd Distributed database management system
US5369702A (en) 1993-10-18 1994-11-29 Tecsec Incorporated Distributed cryptographic object method
US5544322A (en) 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
EP0697662B1 (en) 1994-08-15 2001-05-30 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring
US5864683A (en) 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
EP1643340B1 (en) * 1995-02-13 2013-08-14 Intertrust Technologies Corp. Secure transaction management
US5872928A (en) 1995-02-24 1999-02-16 Cabletron Systems, Inc. Method and apparatus for defining and enforcing policies for configuration management in communications networks
US5889953A (en) 1995-05-25 1999-03-30 Cabletron Systems, Inc. Policy management and conflict resolution in computer networks
US5757669A (en) * 1995-05-31 1998-05-26 Netscape Communications Corporation Method and apparatus for workgroup information replication
EP0752652B1 (en) * 1995-07-03 1998-12-16 Sun Microsystems, Inc. System and method for implementing a hierarchical policy for computer system administration
US6026368A (en) * 1995-07-17 2000-02-15 24/7 Media, Inc. On-line interactive system and method for providing content and advertising information to a targeted set of viewers
US5941947A (en) 1995-08-18 1999-08-24 Microsoft Corporation System and method for controlling access to data entities in a computer network
US5825883A (en) 1995-10-31 1998-10-20 Interval Systems, Inc. Method and apparatus that accounts for usage of digital applications
JP3023949B2 (ja) * 1995-12-12 2000-03-21 株式会社村田製作所 Dielectric filter
JPH09226933A (ja) * 1996-02-27 1997-09-02 Yazaki Corp Connector supply method and apparatus therefor
US5826000A (en) 1996-02-29 1998-10-20 Sun Microsystems, Inc. System and method for automatic configuration of home network computers
JPH10105472A (ja) * 1996-09-30 1998-04-24 Toshiba Corp Memory access management method
US5826268A (en) 1996-04-12 1998-10-20 Ontos, Inc. Secure multilevel object oriented database management system
US5848396A (en) 1996-04-26 1998-12-08 Freedom Of Information, Inc. Method and apparatus for determining behavioral profile of a computer user
US6216231B1 (en) 1996-04-30 2001-04-10 At & T Corp. Specifying security protocols and policy constraints in distributed systems
US5987469A (en) 1996-05-14 1999-11-16 Micro Logic Corp. Method and apparatus for graphically representing information stored in electronic media
US5918210A (en) * 1996-06-07 1999-06-29 Electronic Data Systems Corporation Business query tool, using policy objects to provide query responses
US5956400A (en) 1996-07-19 1999-09-21 Digicash Incorporated Partitioned information storage systems with controlled retrieval
US6055515A (en) * 1996-07-30 2000-04-25 International Business Machines Corporation Enhanced tree control system for navigating lattices data structures and displaying configurable lattice-node labels
US5950195A (en) 1996-09-18 1999-09-07 Secure Computing Corporation Generalized security policy management system and method
US6055637A (en) * 1996-09-27 2000-04-25 Electronic Data Systems Corporation System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential
US6029182A (en) * 1996-10-04 2000-02-22 Canon Information Systems, Inc. System for generating a custom formatted hypertext document by using a personal profile to retrieve hierarchical documents
US6154844A (en) 1996-11-08 2000-11-28 Finjan Software, Ltd. System and method for attaching a downloadable security profile to a downloadable
US6058392A (en) 1996-11-18 2000-05-02 Wesley C. Sampson Revocable Trust Method for the organizational indexing, storage, and retrieval of data according to data pattern signatures
US6023765A (en) * 1996-12-06 2000-02-08 The United States Of America As Represented By The Secretary Of Commerce Implementation of role-based access control in multi-level secure systems
US6292900B1 (en) 1996-12-18 2001-09-18 Sun Microsystems, Inc. Multilevel security attribute passing methods, apparatuses, and computer program products in a stream
US5987611A (en) 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US6241608B1 (en) * 1997-01-15 2001-06-05 Lawrence J. Torango Progressive wagering system
KR20000064776A (ko) 1997-01-24 2000-11-06 이데이 노부유끼 Graphic data generation device, graphic data generation method, and medium therefor
US7272625B1 (en) 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
US6408336B1 (en) 1997-03-10 2002-06-18 David S. Schneider Distributed administration of access to information
US6226745B1 (en) * 1997-03-21 2001-05-01 Gio Wiederhold Information sharing system and method with requester dependent sharing and security rules
US5867667A (en) 1997-03-24 1999-02-02 Pfn, Inc. Publication network control system using domain and client side communications resource locator lists for managing information communications between the domain server and publication servers
US6275941B1 (en) 1997-03-28 2001-08-14 Hitachi, Ltd. Security management method for network system
US5991877A (en) 1997-04-03 1999-11-23 Lockheed Martin Corporation Object-oriented trusted application framework
US6029196A (en) 1997-06-18 2000-02-22 Netscape Communications Corporation Automatic client configuration system
US6434607B1 (en) 1997-06-19 2002-08-13 International Business Machines Corporation Web server providing role-based multi-level security
US6185587B1 (en) * 1997-06-19 2001-02-06 International Business Machines Corporation System and method for building a web site with automated help
US6684369B1 (en) * 1997-06-19 2004-01-27 International Business Machines Corporation Web site creator using templates
US6029144A (en) 1997-08-29 2000-02-22 International Business Machines Corporation Compliance-to-policy detection method and system
US6158007A (en) 1997-09-17 2000-12-05 Jahanshah Moreh Security system for event based middleware
US6005571A (en) 1997-09-30 1999-12-21 Softline, Inc. Graphical user interface for managing security in a database system
US6006194A (en) 1997-10-01 1999-12-21 Merel; Peter A. Computer-implemented system for controlling resources and policies
US5954798A (en) 1997-10-06 1999-09-21 Ncr Corporation Mechanism for dependably managing web synchronization and tracking operations among multiple browsers
US6317868B1 (en) 1997-10-24 2001-11-13 University Of Washington Process for transparently enforcing protection domains and access control as well as auditing operations in software components
US6014666A (en) * 1997-10-28 2000-01-11 Microsoft Corporation Declarative and programmatic access control of component-based server applications using roles
US6157924A (en) 1997-11-07 2000-12-05 Bell & Howell Mail Processing Systems Company Systems, methods, and computer program products for delivering information in a preferred medium
US6202066B1 (en) * 1997-11-19 2001-03-13 The United States Of America As Represented By The Secretary Of Commerce Implementation of role/group permission association using object access type
US6385627B1 (en) * 1997-11-24 2002-05-07 International Business Machines Corporation Method, apparatus and computer program product for providing document user role indication
IL122314A (en) 1997-11-27 2001-03-19 Security 7 Software Ltd Method and system for enforcing a communication security policy
US6088679A (en) 1997-12-01 2000-07-11 The United States Of America As Represented By The Secretary Of Commerce Workflow management employing role-based access control
US6654747B1 (en) 1997-12-02 2003-11-25 International Business Machines Corporation Modular scalable system for managing data in a heterogeneous environment with generic structure for control repository access transactions
US5966707A (en) 1997-12-02 1999-10-12 International Business Machines Corporation Method for managing a plurality of data processes residing in heterogeneous data repositories
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
US6035423A (en) * 1997-12-31 2000-03-07 Network Associates, Inc. Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6360363B1 (en) * 1997-12-31 2002-03-19 Eternal Systems, Inc. Live upgrade process for object-oriented programs
US6202207B1 (en) 1998-01-28 2001-03-13 International Business Machines Corporation Method and a mechanism for synchronized updating of interoperating software
JP3609599B2 (ja) 1998-01-30 2005-01-12 富士通株式会社 Node proxy system, node monitoring system, methods thereof, and recording medium
CA2228687A1 (en) 1998-02-04 1999-08-04 Brett Howard Secured virtual private networks
US6484261B1 (en) 1998-02-17 2002-11-19 Cisco Technology, Inc. Graphical network security policy management
US6108687A (en) * 1998-03-02 2000-08-22 Hewlett Packard Company System and method for providing a synchronized display to a plurality of computers over a global computer network
US6304881B1 (en) 1998-03-03 2001-10-16 Pumatech, Inc. Remote data access and synchronization
US6321336B1 (en) 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US6141686A (en) 1998-03-13 2000-10-31 Deterministic Networks, Inc. Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control
US6182226B1 (en) * 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6073242A (en) 1998-03-19 2000-06-06 Agorics, Inc. Electronic authority server
US6618806B1 (en) 1998-04-01 2003-09-09 Saflink Corporation System and method for authenticating users in a computer network
US6285985B1 (en) 1998-04-03 2001-09-04 Preview Systems, Inc. Advertising-subsidized and advertising-enabled software
US6295607B1 (en) 1998-04-06 2001-09-25 Bindview Development Corporation System and method for security control in a data processing system
US6182277B1 (en) * 1998-04-15 2001-01-30 Oracle Corporation Methods and apparatus for declarative programming techniques in an object oriented environment
US6965999B2 (en) 1998-05-01 2005-11-15 Microsoft Corporation Intelligent trust management method and system
US6339826B2 (en) * 1998-05-05 2002-01-15 International Business Machines Corp. Client-server system for maintaining a user desktop consistent with server application user access permissions
US6148333A (en) 1998-05-13 2000-11-14 Mgi Software Corporation Method and system for server access control and tracking
US6122647A (en) 1998-05-19 2000-09-19 Perspecta, Inc. Dynamic generation of contextual links in hypertext documents
US6167407A (en) 1998-06-03 2000-12-26 Symantec Corporation Backtracked incremental updating
US6083276A (en) * 1998-06-11 2000-07-04 Corel, Inc. Creating and configuring component-based applications using a text-based descriptive attribute grammar
US6253321B1 (en) 1998-06-19 2001-06-26 Ssh Communications Security Ltd. Method and arrangement for implementing IPSEC policy management using filter code
US6735701B1 (en) 1998-06-25 2004-05-11 Macarthur Investments, Llc Network policy management and effectiveness system
US6285366B1 (en) 1998-06-30 2001-09-04 Sun Microsystems, Inc. Hierarchy navigation system
US6182142B1 (en) * 1998-07-10 2001-01-30 Encommerce, Inc. Distributed access management of information resources
US6615218B2 (en) 1998-07-17 2003-09-02 Sun Microsystems, Inc. Database for executing policies for controlling devices on a network
US6209101B1 (en) 1998-07-17 2001-03-27 Secure Computing Corporation Adaptive security system having a hierarchy of security servers
US6170009B1 (en) 1998-07-17 2001-01-02 Kallol Mandal Controlling devices on a network through policies
US6141010A (en) 1998-07-17 2000-10-31 B. E. Technology, Llc Computer interface method and apparatus with targeted advertising
AU5465099A (en) * 1998-08-04 2000-02-28 Rulespace, Inc. Method and system for deriving computer users' personal interests
US6397222B1 (en) 1998-08-07 2002-05-28 Paul Zellweger Method and apparatus for end-user management of a content menu on a network
US6466932B1 (en) 1998-08-14 2002-10-15 Microsoft Corporation System and method for implementing group policy
US6473791B1 (en) 1998-08-17 2002-10-29 Microsoft Corporation Object load balancing
US6397231B1 (en) * 1998-08-31 2002-05-28 Xerox Corporation Virtual documents generated via combined documents or portions of documents retrieved from data repositories
US20020062451A1 (en) * 1998-09-01 2002-05-23 Scheidt Edward M. System and method of providing communication security
US6412070B1 (en) * 1998-09-21 2002-06-25 Microsoft Corporation Extensible security system and method for controlling access to objects in a computing environment
US6377973B2 (en) * 1998-09-30 2002-04-23 Emrys Technologies, Ltd. Event management in a system with application and graphical user interface processing adapted to display predefined graphical elements resides separately on server and client machine
US6341352B1 (en) 1998-10-15 2002-01-22 International Business Machines Corporation Method for changing a security policy during processing of a transaction request
US6477543B1 (en) 1998-10-23 2002-11-05 International Business Machines Corporation Method, apparatus and program storage device for a client and adaptive synchronization and transformation server
US6167445A (en) 1998-10-26 2000-12-26 Cisco Technology, Inc. Method and apparatus for defining and implementing high-level quality of service policies in computer networks
US6460141B1 (en) 1998-10-28 2002-10-01 Rsa Security Inc. Security and access management system for web-enabled and non-web-enabled applications and content on a computer network
US6158010A (en) * 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
JP3856969B2 (ja) * 1998-11-02 2006-12-13 株式会社日立製作所 Object analysis and design support method
US6530024B1 (en) * 1998-11-20 2003-03-04 Centrax Corporation Adaptive feedback security system and method
US6574736B1 (en) * 1998-11-30 2003-06-03 Microsoft Corporation Composable roles
US6728748B1 (en) * 1998-12-01 2004-04-27 Network Appliance, Inc. Method and apparatus for policy based class of service and adaptive service level management within the context of an internet and intranet
US6301613B1 (en) 1998-12-03 2001-10-09 Cisco Technology, Inc. Verifying that a network management policy used by a computer system can be satisfied and is feasible for use
US6327618B1 (en) 1998-12-03 2001-12-04 Cisco Technology, Inc. Recognizing and processing conflicts in network management policies
AU2377200A (en) 1998-12-21 2000-07-12 Jj Mountain, Inc. Methods and systems for providing personalized services to users in a network environment
US6381579B1 (en) * 1998-12-23 2002-04-30 International Business Machines Corporation System and method to provide secure navigation to resources on the internet
US6393474B1 (en) 1998-12-31 2002-05-21 3Com Corporation Dynamic policy management apparatus and method using active network devices
US6668354B1 (en) * 1999-01-05 2003-12-23 International Business Machines Corporation Automatic display script and style sheet generation
US6510513B1 (en) * 1999-01-13 2003-01-21 Microsoft Corporation Security services and policy enforcement for electronic data
US6412077B1 (en) 1999-01-14 2002-06-25 Cisco Technology, Inc. Disconnect policy for distributed computing systems
US7111321B1 (en) 1999-01-25 2006-09-19 Dell Products L.P. Portable computer system with hierarchical and token-based security policies
US6327594B1 (en) 1999-01-29 2001-12-04 International Business Machines Corporation Methods for shared data management in a pervasive computing environment
US6542993B1 (en) * 1999-03-12 2003-04-01 Lucent Technologies Inc. Security management system and method
US6308163B1 (en) 1999-03-16 2001-10-23 Hewlett-Packard Company System and method for enterprise workflow resource management
US6260050B1 (en) * 1999-03-23 2001-07-10 Microstrategy, Inc. System and method of adapting automatic output of service related OLAP reports to disparate output devices
US6715077B1 (en) * 1999-03-23 2004-03-30 International Business Machines Corporation System and method to support varying maximum cryptographic strength for common data security architecture (CDSA) applications
US6154766A (en) * 1999-03-23 2000-11-28 Microstrategy, Inc. System and method for automatic transmission of personalized OLAP report output
US6446200B1 (en) 1999-03-25 2002-09-03 Nortel Networks Limited Service management
US6757698B2 (en) * 1999-04-14 2004-06-29 Iomega Corporation Method and apparatus for automatically synchronizing data from a host computer to two or more backup data storage locations
US20030069874A1 (en) * 1999-05-05 2003-04-10 Eyal Hertzog Method and system to automate the updating of personal information within a personal information management application and to synchronize such updated personal information management applications
GB9912494D0 (en) 1999-05-28 1999-07-28 Hewlett Packard Co Configuring computer systems
US7472349B1 (en) * 1999-06-01 2008-12-30 Oracle International Corporation Dynamic services infrastructure for allowing programmatic access to internet and other resources
US6961897B1 (en) 1999-06-14 2005-11-01 Lockheed Martin Corporation System and method for interactive electronic media extraction for web page generation
JP2001005727A (ja) * 1999-06-22 2001-01-12 Kyocera Communication Systems Co Ltd Access management device
US6988138B1 (en) * 1999-06-30 2006-01-17 Blackboard Inc. Internet-based education support system and methods
GB2352370B (en) 1999-07-21 2003-09-03 Int Computers Ltd Migration from in-clear to encrypted working over a communications link
US6769095B1 (en) 1999-07-23 2004-07-27 Codagen Technologies Corp. Hierarchically structured control information editor
US6519647B1 (en) * 1999-07-23 2003-02-11 Microsoft Corporation Methods and apparatus for synchronizing access control in a web server
US6581054B1 (en) * 1999-07-30 2003-06-17 Computer Associates Think, Inc. Dynamic query model and method
US6834284B2 (en) 1999-08-12 2004-12-21 International Business Machines Corporation Process and system for providing name service scoping behavior in java object-oriented environment
JP2004527805A (ja) 1999-08-23 2004-09-09 アセラ,インコーポレイティド Method and apparatus for providing business applications configurable to order from a standardized set of components
US6339423B1 (en) 1999-08-23 2002-01-15 Entrust, Inc. Multi-domain access control
US6587876B1 (en) 1999-08-24 2003-07-01 Hewlett-Packard Development Company Grouping targets of management policies
US6934934B1 (en) 1999-08-30 2005-08-23 Empirix Inc. Method and system for software object testing
DE60027776D1 (de) 1999-10-01 2006-06-08 Infoglide Corp System and method for converting a relational database into a hierarchical database
US7051316B2 (en) * 1999-10-05 2006-05-23 Borland Software Corporation Distributed computing component system with diagrammatic graphical representation of code with separate delineated display area by type
US6789202B1 (en) 1999-10-15 2004-09-07 Networks Associates Technology, Inc. Method and apparatus for providing a policy-driven intrusion detection system
US6430556B1 (en) * 1999-11-01 2002-08-06 Sun Microsystems, Inc. System and method for providing a query object development environment
US7124413B1 (en) 1999-11-03 2006-10-17 Accenture Llp Framework for integrating existing and new information technology applications and systems
US6865549B1 (en) * 1999-11-15 2005-03-08 Sun Microsystems, Inc. Method and apparatus for concurrency control in a policy-based management system
JP3963417B2 (ja) * 1999-11-19 2007-08-22 株式会社東芝 Communication method and electronic device for data synchronization processing
US6721888B1 (en) * 1999-11-22 2004-04-13 Sun Microsystems, Inc. Mechanism for merging multiple policies
US6792537B1 (en) 1999-11-22 2004-09-14 Sun Microsystems, Inc. Mechanism for determining restrictions to impose on an implementation of a service
US6487594B1 (en) 1999-11-30 2002-11-26 Mediaone Group, Inc. Policy management method and system for internet service providers
WO2001044894A2 (en) 1999-12-06 2001-06-21 Warp Solutions, Inc. System and method for dynamic content routing
US6418448B1 (en) 1999-12-06 2002-07-09 Shyam Sundar Sarkar Method and apparatus for processing markup language specifications for data and metadata used inside multiple related internet documents to navigate, query and manipulate information from a plurality of object relational databases over the web
US6587849B1 (en) * 1999-12-10 2003-07-01 Art Technology Group, Inc. Method and system for constructing personalized result sets
JP3546787B2 (ja) * 1999-12-16 2004-07-28 インターナショナル・ビジネス・マシーンズ・コーポレーション Access control system, access control method, and storage medium
AU2582401A (en) * 1999-12-17 2001-06-25 Dorado Network Systems Corporation Purpose-based adaptive rendering
US7552069B2 (en) 1999-12-23 2009-06-23 Concept Shopping, Inc. Techniques for optimizing promotion delivery
US6584454B1 (en) 1999-12-31 2003-06-24 Ge Medical Technology Services, Inc. Method and apparatus for community management in remote system servicing
US6633855B1 (en) * 2000-01-06 2003-10-14 International Business Machines Corporation Method, system, and program for filtering content using neural networks
US6484177B1 (en) 2000-01-13 2002-11-19 International Business Machines Corporation Data management interoperability methods for heterogeneous directory structures
EP1117220A1 (en) 2000-01-14 2001-07-18 Sun Microsystems, Inc. Method and system for protocol conversion
US6694336B1 (en) 2000-01-25 2004-02-17 Fusionone, Inc. Data transfer and synchronization system
US20040205473A1 (en) * 2000-01-27 2004-10-14 Gwyn Fisher Method and system for implementing an enterprise information portal
US20040230546A1 (en) 2000-02-01 2004-11-18 Rogers Russell A. Personalization engine for rules and knowledge
US7251666B2 (en) 2000-02-01 2007-07-31 Internet Business Information Group Signature loop authorizing method and apparatus
ATE353353T1 (de) 2000-02-01 2007-02-15 Ciba Sc Holding Ag Method for protecting contents with durable UV absorbers
WO2001059623A2 (en) * 2000-02-08 2001-08-16 Onepage, Inc. System and method for dynamic aggregation of content distributed over a computer network
US7051071B2 (en) * 2000-02-16 2006-05-23 Bea Systems, Inc. Workflow integration system for enterprise wide electronic collaboration
US6901403B1 (en) * 2000-03-02 2005-05-31 Quovadx, Inc. XML presentation of general-purpose data sources
AU2001245406A1 (en) 2000-03-03 2001-09-17 Merinta, Inc. Persistent portal for a browser
US7013485B2 (en) 2000-03-06 2006-03-14 I2 Technologies U.S., Inc. Computer security system
AU2001251195A1 (en) * 2000-03-30 2001-10-15 Cygent, Inc. System and method for establishing electronic business systems for supporting communications services commerce
US6751659B1 (en) 2000-03-31 2004-06-15 Intel Corporation Distributing policy information in a communication network
US6880005B1 (en) * 2000-03-31 2005-04-12 Intel Corporation Managing policy rules in a network
US6681383B1 (en) 2000-04-04 2004-01-20 Sosy, Inc. Automatic software production system
US6735624B1 (en) * 2000-04-07 2004-05-11 Danger, Inc. Method for configuring and authenticating newly delivered portal device
US7278153B1 (en) * 2000-04-12 2007-10-02 Seachange International Content propagation in interactive television
US6697805B1 (en) * 2000-04-14 2004-02-24 Microsoft Corporation XML methods and systems for synchronizing multiple computing devices
JP2001313718A (ja) * 2000-04-27 2001-11-09 Tamura Electric Works Ltd Management system
AU2001261084A1 (en) * 2000-04-27 2001-11-07 Brio Technology, Inc. Method and apparatus for processing jobs on an enterprise-wide computer system
AU2001257450A1 (en) * 2000-05-04 2001-11-12 Kickfire, Inc. An information repository system and method for an internet portal system
JP2002041347A (ja) * 2000-05-17 2002-02-08 Hitachi Software Eng Co Ltd Information providing system and device
US6327628B1 (en) * 2000-05-19 2001-12-04 Epicentric, Inc. Portal server that provides a customizable user interface for access to computer networks
WO2001090908A1 (en) * 2000-05-22 2001-11-29 Sap Portals Inc. Snippet selection
US7089584B1 (en) 2000-05-24 2006-08-08 Sun Microsystems, Inc. Security architecture for integration of enterprise information system with J2EE platform
US6931549B1 (en) 2000-05-25 2005-08-16 Stamps.Com Method and apparatus for secure data storage and retrieval
US7496637B2 (en) 2000-05-31 2009-02-24 Oracle International Corp. Web service syndication system
US6757822B1 (en) 2000-05-31 2004-06-29 Networks Associates Technology, Inc. System, method and computer program product for secure communications using a security service provider manager
US20020019827A1 (en) * 2000-06-05 2002-02-14 Shiman Leon G. Method and apparatus for managing documents in a centralized document repository system
US6779002B1 (en) 2000-06-13 2004-08-17 Sprint Communications Company L.P. Computer software framework and method for synchronizing data across multiple databases
US20020194267A1 (en) 2000-06-23 2002-12-19 Daniel Flesner Portal server that provides modification of user interfaces for access to computer networks
US7185192B1 (en) * 2000-07-07 2007-02-27 Emc Corporation Methods and apparatus for controlling access to a resource
US7134137B2 (en) 2000-07-10 2006-11-07 Oracle International Corporation Providing data to applications from an access system
US7093261B1 (en) 2000-07-28 2006-08-15 Fair Isaac Corporation Message integration framework for multi-application systems
US7039176B2 (en) * 2000-08-14 2006-05-02 Telephony@Work Call center administration manager with rules-based routing prioritization
US7599851B2 (en) * 2000-09-05 2009-10-06 Renee Frengut Method for providing customized user interface and targeted marketing forum
US6477575B1 (en) 2000-09-12 2002-11-05 Capital One Financial Corporation System and method for performing dynamic Web marketing and advertising
US6581071B1 (en) * 2000-09-12 2003-06-17 Survivors Of The Shoah Visual History Foundation Surveying system and method
US6754672B1 (en) * 2000-09-13 2004-06-22 American Management Systems, Inc. System and method for efficient integration of government administrative and program systems
AU2001292692A1 (en) * 2000-09-15 2002-03-26 Wonderware Corporation A method and system for administering a concurrent user licensing agreement on a manufacturing/process control information portal server
US6856999B2 (en) * 2000-10-02 2005-02-15 Microsoft Corporation Synchronizing a store with write generations
US6912538B2 (en) * 2000-10-20 2005-06-28 Kevin Stapel System and method for dynamic generation of structured documents
AU2002241770A1 (en) 2000-10-20 2002-06-11 Accenture Services Limited Method for implementing service desk capability
US6970939B2 (en) * 2000-10-26 2005-11-29 Intel Corporation Method and apparatus for large payload distribution in a network
KR100398711B1 (ko) * 2000-11-08 2003-09-19 주식회사 와이즈엔진 Content publishing system with real-time integration and processing of multimedia content including dynamic data, and method therefor
US7647387B2 (en) * 2000-12-01 2010-01-12 Oracle International Corporation Methods and systems for rule-based distributed and personalized content delivery
US6769118B2 (en) 2000-12-19 2004-07-27 International Business Machines Corporation Dynamic, policy based management of administrative procedures within a distributed computing environment
AUPR230700A0 (en) 2000-12-22 2001-01-25 Canon Kabushiki Kaisha A method for facilitating access to multimedia content
US6889222B1 (en) * 2000-12-26 2005-05-03 Aspect Communications Corporation Method and an apparatus for providing personalized service
US7467212B2 (en) 2000-12-28 2008-12-16 Intel Corporation Control of access control lists based on social networks
US6671689B2 (en) 2001-01-19 2003-12-30 Ncr Corporation Data warehouse portal
US6947989B2 (en) 2001-01-29 2005-09-20 International Business Machines Corporation System and method for provisioning resources to users based on policies, roles, organizational information, and attributes
US7669212B2 (en) 2001-02-02 2010-02-23 Opentv, Inc. Service platform suite management system
US20020107913A1 (en) * 2001-02-08 2002-08-08 Rivera Gustavo R. System and method for rendering documents in a user-familiar format
US7136912B2 (en) 2001-02-08 2006-11-14 Solid Information Technology Oy Method and system for data management
KR100393273B1 (ko) 2001-02-12 2003-07-31 (주)폴리픽스 Online information exchange system on a private communication network and exchange method therefor
US6985915B2 (en) * 2001-02-28 2006-01-10 Kiran Somalwar Application independent write monitoring method for fast backup and synchronization of files
JP3702800B2 (ja) * 2001-03-12 2005-10-05 日本電気株式会社 Organization portal system
WO2002076077A1 (en) * 2001-03-16 2002-09-26 Leap Wireless International, Inc. Method and system for distributing content over a wireless communications system
US6904454B2 (en) 2001-03-21 2005-06-07 Nokia Corporation Method and apparatus for content repository with versioning and data modeling
US20020135617A1 (en) 2001-03-23 2002-09-26 Backweb Technologies Ltd. Proactive desktop portal
US7062490B2 (en) 2001-03-26 2006-06-13 Microsoft Corporation Serverless distributed file system
US20020173971A1 (en) 2001-03-28 2002-11-21 Stirpe Paul Alan System, method and application of ontology driven inferencing-based personalization systems
US7080000B1 (en) * 2001-03-30 2006-07-18 Mcafee, Inc. Method and system for bi-directional updating of antivirus database
US20020152279A1 (en) 2001-04-12 2002-10-17 Sollenberger Deborah A. Personalized intranet portal
US7007244B2 (en) * 2001-04-20 2006-02-28 Microsoft Corporation Method and system for displaying categorized information on a user interface
US7003578B2 (en) * 2001-04-26 2006-02-21 Hewlett-Packard Development Company, L.P. Method and system for controlling a policy-based network
US20020161903A1 (en) 2001-04-30 2002-10-31 Besaw Lawrence M. System for secure access to information provided by a web application
US7047522B1 (en) * 2001-04-30 2006-05-16 General Electric Capital Corporation Method and system for verifying a computer program
US6970876B2 (en) 2001-05-08 2005-11-29 Solid Information Technology Method and arrangement for the management of database schemas
US20020169893A1 (en) 2001-05-09 2002-11-14 Li-Han Chen System and method for computer data synchronization
US8141144B2 (en) 2001-05-10 2012-03-20 Hewlett-Packard Development Company, L.P. Security policy management for network devices
DE50101548D1 (de) 2001-05-17 2004-04-01 Presmar Peter Virtual database of heterogeneous data structures
JP2002342143A (ja) * 2001-05-21 2002-11-29 Nippon Telegr & Teleph Corp <Ntt> Access control system, processing program therefor, and recording medium
US20020178119A1 (en) 2001-05-24 2002-11-28 International Business Machines Corporation Method and system for a role-based access control model with active roles
US7099885B2 (en) 2001-05-25 2006-08-29 Unicorn Solutions Method and system for collaborative ontology modeling
JP4518789B2 (ja) * 2001-06-08 2010-08-04 University of Maine Spectrometer using broadband modulation and statistical estimation techniques
US7392546B2 (en) * 2001-06-11 2008-06-24 Bea Systems, Inc. System and method for server security and entitlement processing
US6970445B2 (en) 2001-06-14 2005-11-29 Flarion Technologies, Inc. Methods and apparatus for supporting session signaling and mobility management in a communications system
US6879972B2 (en) * 2001-06-15 2005-04-12 International Business Machines Corporation Method for designing a knowledge portal
US6873988B2 (en) * 2001-07-06 2005-03-29 Check Point Software Technologies, Inc. System and methods providing anti-virus cooperative enforcement
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
US7546629B2 (en) 2002-03-06 2009-06-09 Check Point Software Technologies, Inc. System and methodology for security policy arbitration
US20030014442A1 (en) * 2001-07-16 2003-01-16 Shiigi Clyde K. Web site application development method using object model for managing web-based content
US6957261B2 (en) 2001-07-17 2005-10-18 Intel Corporation Resource policy management using a centralized policy data structure
CA2354443A1 (en) 2001-07-31 2003-01-31 Ibm Canada Limited-Ibm Canada Limitee Method and system for visually constructing xml schemas using an object-oriented model
US20040030746A1 (en) * 2001-08-13 2004-02-12 Sathyanarayanan Kavacheri Hierarchical client detection in a wireless portal server
US20030033356A1 (en) * 2001-08-13 2003-02-13 Luu Tran Extensible client aware detection in a wireless portal system
US7124192B2 (en) * 2001-08-30 2006-10-17 International Business Machines Corporation Role-permission model for security policy administration and enforcement
US6922695B2 (en) 2001-09-06 2005-07-26 Initiate Systems, Inc. System and method for dynamically securing dynamic-multi-sourced persisted EJBS
US20030146937A1 (en) * 2001-09-11 2003-08-07 Lee Seung Woo Multi-level data management system
CA2460332A1 (en) * 2001-09-12 2003-04-10 Opentv, Inc. A method and apparatus for disconnected chat room lurking in an interactive television environment
US7035944B2 (en) * 2001-09-19 2006-04-25 International Business Machines Corporation Programmatic management of software resources in a content framework environment
AU2002334721B2 (en) 2001-09-28 2008-10-23 Oracle International Corporation An index structure to access hierarchical data in a relational database system
US7765484B2 (en) * 2001-09-28 2010-07-27 Aol Inc. Passive personalization of lists
US7134076B2 (en) * 2001-10-04 2006-11-07 International Business Machines Corporation Method and apparatus for portable universal resource locator and coding across runtime environments
US6854035B2 (en) * 2001-10-05 2005-02-08 International Business Machines Corporation Storage area network methods and apparatus for display and management of a hierarchical file system extension policy
US7552203B2 (en) 2001-10-17 2009-06-23 The Boeing Company Manufacturing method and software product for optimizing information flow
US7496645B2 (en) * 2001-10-18 2009-02-24 Hewlett-Packard Development Company, L.P. Deployment of business logic software and data content onto network servers
US7472342B2 (en) * 2001-10-24 2008-12-30 Bea Systems, Inc. System and method for portal page layout
US6918088B2 (en) * 2001-11-05 2005-07-12 Sun Microsystems, Inc. Service portal with application framework for facilitating application and feature development
US20030126464A1 (en) * 2001-12-04 2003-07-03 Mcdaniel Patrick D. Method and system for determining and enforcing security policy in a communication session
US7219140B2 (en) 2001-12-05 2007-05-15 Dennis Craig Marl Configuration and management systems for mobile and embedded devices
US7054910B1 (en) * 2001-12-20 2006-05-30 Emc Corporation Data replication facility for distributed computing environments
WO2003056449A2 (en) * 2001-12-21 2003-07-10 Xmlcities, Inc. Extensible stylesheet designs using meta-tag and/or associated meta-tag information
US7062511B1 (en) * 2001-12-31 2006-06-13 Oracle International Corporation Method and system for portal web site generation
US7035857B2 (en) * 2002-01-04 2006-04-25 Hewlett-Packard Development Company, L.P. Method and apparatus for increasing the functionality and ease of use of lights out management in a directory enabled environment
US7565367B2 (en) 2002-01-15 2009-07-21 Iac Search & Media, Inc. Enhanced popularity ranking
US20030167315A1 (en) 2002-02-01 2003-09-04 Softwerc Technologies, Inc. Fast creation of custom internet portals using thin clients
US7093283B1 (en) 2002-02-15 2006-08-15 Cisco Technology, Inc. Method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network
US7146307B2 (en) 2002-03-22 2006-12-05 Sun Microsystems, Inc. System and method for testing telematics software
US20030187956A1 (en) 2002-04-01 2003-10-02 Stephen Belt Method and apparatus for providing access control and content management services
US7039923B2 (en) 2002-04-19 2006-05-02 Sun Microsystems, Inc. Class dependency graph-based class loading and reloading
AU2003214943A1 (en) * 2002-05-03 2003-11-17 Manugistics, Inc. System and method for sharing information relating to supply chain transactions in multiple environments
US20030216938A1 (en) 2002-05-16 2003-11-20 Shimon Shour Intelligent health care knowledge exchange platform
US20030220963A1 (en) 2002-05-21 2003-11-27 Eugene Golovinsky System and method for converting data structures
CA2486851A1 (en) * 2002-05-22 2003-12-04 Commnav, Inc. Method and system for multiple virtual portals
US20030220913A1 (en) 2002-05-24 2003-11-27 International Business Machines Corporation Techniques for personalized and adaptive search services
US6950825B2 (en) 2002-05-30 2005-09-27 International Business Machines Corporation Fine grained role-based access to system resources
US20030229501A1 (en) 2002-06-03 2003-12-11 Copeland Bruce Wayne Systems and methods for efficient policy distribution
US7302488B2 (en) * 2002-06-28 2007-11-27 Microsoft Corporation Parental controls customization and notification
ATE341144T1 (de) * 2002-07-12 2006-10-15 Cit Alcatel Firewall for dynamically granting and denying access to network resources
US7461158B2 (en) 2002-08-07 2008-12-02 Intelliden, Inc. System and method for controlling access rights to network resources
US8631142B2 (en) * 2002-08-07 2014-01-14 International Business Machines Corporation Inserting targeted content into a portlet content stream
DE10237875A1 (de) 2002-08-19 2004-03-04 Siemens Ag Device, in particular an automation device, with a file directory structure stored in a file
US7085755B2 (en) 2002-11-07 2006-08-01 Thomson Global Resources Ag Electronic document repository management and access system
US7254581B2 (en) * 2002-11-13 2007-08-07 Jerry Johnson System and method for creation and maintenance of a rich content or content-centric electronic catalog
US20040098467A1 (en) * 2002-11-15 2004-05-20 Humanizing Technologies, Inc. Methods and systems for implementing a customized life portal
US20040098606A1 (en) * 2002-11-18 2004-05-20 International Business Machines Corporation System, method and program product for operating a grid of service providers based on a service policy
US7035879B2 (en) * 2002-12-26 2006-04-25 Hon Hai Precision Ind. Co., Ltd. System and method for synchronizing data of wireless devices
US6917975B2 (en) * 2003-02-14 2005-07-12 Bea Systems, Inc. Method for role and resource policy management
US7653930B2 (en) * 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US7591000B2 (en) 2003-02-14 2009-09-15 Oracle International Corporation System and method for hierarchical role-based entitlements
US7627891B2 (en) 2003-02-14 2009-12-01 Preventsys, Inc. Network audit and policy assurance system
US8831966B2 (en) 2003-02-14 2014-09-09 Oracle International Corporation Method for delegated administration
US20040167880A1 (en) 2003-02-20 2004-08-26 Bea Systems, Inc. System and method for searching a virtual repository content
US7562298B2 (en) 2003-02-20 2009-07-14 Bea Systems, Inc. Virtual content repository browser
US20040215650A1 (en) 2003-04-09 2004-10-28 Ullattil Shaji Interfaces and methods for group policy management
US20060085412A1 (en) * 2003-04-15 2006-04-20 Johnson Sean A System for managing multiple disparate content repositories and workflow systems
US20040236760A1 (en) 2003-05-22 2004-11-25 International Business Machines Corporation Systems and methods for extending a management console across applications
US20050021502A1 (en) * 2003-05-23 2005-01-27 Benjamin Chen Data federation methods and system
US7257835B2 (en) 2003-05-28 2007-08-14 Microsoft Corporation Securely authorizing the performance of actions
US7076735B2 (en) * 2003-07-21 2006-07-11 Landmark Graphics Corporation System and method for network transmission of graphical data through a distributed application
US20050050184A1 (en) * 2003-08-29 2005-03-03 International Business Machines Corporation Method, system, and storage medium for providing life-cycle management of grid services
US7552109B2 (en) * 2003-10-15 2009-06-23 International Business Machines Corporation System, method, and service for collaborative focused crawling of documents on a network
US20050188295A1 (en) 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US20050198617A1 (en) 2004-03-04 2005-09-08 Vivcom, Inc. Graphically browsing schema documents described by XML schema
JP4196293B2 (ja) * 2004-08-02 2008-12-17 SMC Corporation Vacuum pressure regulating valve
US7512966B2 (en) * 2004-10-14 2009-03-31 International Business Machines Corporation System and method for visually rendering resource policy usage information
US7490349B2 (en) 2005-04-01 2009-02-10 International Business Machines Corporation System and method of enforcing hierarchical management policy
US20060277594A1 (en) 2005-06-02 2006-12-07 International Business Machines Corporation Policy implementation delegation
US7953734B2 (en) * 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US7836489B2 (en) 2006-06-15 2010-11-16 Microsoft Corporation Selecting policy for compatible communication

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951377A (zh) * 2010-09-21 2011-01-19 Yonyou Software Co., Ltd. Hierarchical authorization management method and apparatus
CN105051749A (zh) * 2013-03-15 2015-11-11 Telefonaktiebolaget LM Ericsson (publ) Policy-based data protection
CN105224678A (zh) * 2015-10-19 2016-01-06 Inspur Software Group Co., Ltd. Electronic document management method and apparatus
CN105224678B (zh) * 2015-10-19 2018-08-21 Inspur Software Group Co., Ltd. Electronic document management method and apparatus
CN106326760A (zh) * 2016-08-31 2017-01-11 Tsinghua University Access control rule description method for data analysis
CN106326760B (zh) * 2016-08-31 2019-03-15 Tsinghua University Access control rule description method for data analysis
CN106446666A (zh) * 2016-09-18 2017-02-22 Gree Electric Appliances, Inc. of Zhuhai Authority configuration method and device
CN106446666B (zh) * 2016-09-18 2019-03-08 Gree Electric Appliances, Inc. of Zhuhai Authority configuration method and device
US11275823B2 (en) 2016-09-18 2022-03-15 Gree Electric Appliances, Inc. Of Zhuhai Authority configuration method and device
CN112036774A (zh) * 2020-10-09 2020-12-04 Beijing DiDi Infinity Technology and Development Co., Ltd. Service policy evaluation method, apparatus, device, and storage medium

Also Published As

Publication number Publication date
EP1593024A2 (en) 2005-11-09
AU2004214449A1 (en) 2004-09-02
US20100037290A1 (en) 2010-02-11
EP1593024B1 (en) 2018-11-07
AU2004214449A2 (en) 2004-09-02
EP1593024A4 (en) 2011-08-24
US20040162906A1 (en) 2004-08-19
JP4787149B2 (ja) 2011-10-05
WO2004074993A3 (en) 2006-04-13
US7992189B2 (en) 2011-08-02
WO2004074993A2 (en) 2004-09-02
US7591000B2 (en) 2009-09-15
JP2007524884A (ja) 2007-08-30

Similar Documents

Publication Publication Date Title
CN1842785A (zh) System and method for hierarchical role-based entitlements
US7809749B2 (en) High run-time performance system
US7653930B2 (en) Method for role and resource policy management optimization
US6917975B2 (en) Method for role and resource policy management
CN1257440C (zh) Method and system for a role-based access control model with active roles
US9455990B2 (en) System and method for role based access control in a content management system
US6654745B2 (en) System and method for control of access to resources
CN100430951C (zh) Access control system and method for granting access control list ownership to users/groups
US7836078B2 (en) Techniques for managing access to physical data via a data abstraction model
CN1763761A (zh) Role-based access control system, method and computer program product
US7774601B2 (en) Method for delegated administration
US8831966B2 (en) Method for delegated administration
JP2002312220A (ja) Cell-level data access control using user-defined functions
CN100351791C (zh) Method for controlling the execution of dedicated operations defined by an application program
Farooqi et al. Developing a dynamic trust based access control model for xml databases
Kim et al. Context data abstraction framework using RDF
He A role based XML security control
Paton et al. Security in database systems: state of the art
Rahayu et al. A Case Study of Using an Object-Relational Paradigm in Building a Web Database Application
Rahman et al. Faculty of computer science and information systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20061004