Title of invention: Entitlements determination via access control lists
Abstract: Entitlements to resources can be determined by using access rules that are organized as respective ranges in an entitlement space. An access rule can represent a range between two rational numbers in the entitlement space; the range can be represented by a single rational number. Due to the way the rational numbers are chosen, a child rule is completely covered by its parent, and a parent has remaining room in the entitlement space for unlimited additional children. Entitlement checking for a large batch of resources can be performed quickly based on reusing calculated permitted ranges in the entitlement space. Implied permissions can be supported. Content can easily be added, and the access rules can be modified without unduly impacting the underlying tree structure, if at all.
Publication number: US9111104(B2) Publication date: 2015.08.18
Application number: US201313853940 Filing date: 2013.03.29
Applicant: Jive Software, Inc. Inventors: Gilroy Darren; Pellegrino Seth
Classification: G06F12/00; G06F21/60; G06F21/62 Main classification: G06F12/00
Agency: Klarquist Sparkman, LLP Agent: Klarquist Sparkman, LLP
Independent claim: 1. A method implemented at least in part by a computer, the method comprising: receiving, in the computer, one or more respective resource identifiers identifying one or more respective resources; generating, in the computer, one or more entitlement decisions for respective of the resource identifiers according to a plurality of access rules for the resources, wherein the access rules are organized as respective rule ranges in an entitlement space, and wherein a rule range for an access rule is represented by one or more unique rational numbers; and storing, in the computer, for a set of given security identifiers, the entitlement space as a union of a plurality of permitted ranges from the one or more unique rational numbers representing respective rule ranges, wherein the plurality of permitted ranges comprises access rules filtered based on the given security identifiers, the union of the plurality of permitted ranges represents a subset of the access rules, the subset of the access rules has fewer than all of the access rules, and at least two of the plurality of permitted ranges are not adjacent to each other.
Address: Palo Alto CA US
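The range scheme summarized in the abstract, as an added example that is not code from the patent or from Jive Software: rules occupy rational ranges, the permitted ranges for a set of security identifiers are merged once, and that union is reused for a batch of resources. The record does not say how the rational numbers are chosen, so the halving allocation below is an assumption, and all rule, resource and identifier names are constructed.

```python
from bisect import bisect_right
from fractions import Fraction

class Rule:
    """Access rule occupying the half-open range [lo, hi) of the entitlement space."""
    def __init__(self, name, sids, parent=None):
        self.name, self.sids, self.children = name, set(sids), 0
        if parent is None:
            self.lo, self.hi = Fraction(0), Fraction(1)
            return
        # Assumed allocation (not from the patent text): child k takes half of the
        # room its parent has left, so it is covered by the parent and room remains.
        parent.children += 1
        width = parent.hi - parent.lo
        self.lo = parent.lo + width * (1 - Fraction(1, 2 ** (parent.children - 1)))
        self.hi = parent.lo + width * (1 - Fraction(1, 2 ** parent.children))

def permitted_ranges(rules, sids):
    """Union of the ranges of rules granted to any of `sids`, merged and sorted."""
    merged = []
    for lo, hi in sorted((r.lo, r.hi) for r in rules if r.sids & set(sids)):
        if merged and lo <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return [tuple(m) for m in merged]

def entitled(ranges, rule):
    """Permit a resource governed by `rule` if its range lies inside one permitted range."""
    i = bisect_right(ranges, (rule.lo, Fraction(2))) - 1  # last range starting <= rule.lo
    return i >= 0 and rule.hi <= ranges[i][1]

def decide_batch(rules, sids, resources):
    """Compute the permitted ranges once, then reuse them for every resource."""
    ranges = permitted_ranges(rules, sids)
    return {rid: entitled(ranges, rule) for rid, rule in resources.items()}

# Constructed sample tree and resources (hypothetical names).
root = Rule("root", {"admin"})
eng = Rule("engineering", {"eng"}, root)
hr = Rule("hr", {"hr"}, root)
sales = Rule("sales", {"sales"}, root)
eng_docs = Rule("engineering/docs", set(), eng)  # no grant of its own; implied via parent
RULES = [root, eng, hr, sales, eng_docs]
RESOURCES = {"doc-1": eng_docs, "doc-2": hr, "doc-3": sales, "doc-4": root}

if __name__ == "__main__":
    print(decide_batch(RULES, {"eng", "sales"}, RESOURCES))
```

With identifiers `eng` and `sales`, the stored union is two non-adjacent ranges covering a subset of the rules, and `doc-1` is permitted only because its rule's range sits inside its parent's.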