Title: Obligation system for enterprise environments
Abstract: An authorization system that conforms to legacy access control models provides mechanisms by which structures already existing within those models can be used to pass additional information to, and return additional information from, the authorization system. Legacy applications can still interact with the authorization system without modification. Because the same existing structures can carry the additional information in both directions, more advanced applications can make use of the system's enhanced access control features. Such features include policy-based decisions that take the additional information into account when determining whether to permit resource access, and the placement of policy-specified obligations within the existing structures so that they are returned to the advanced applications. Such obligations indicate requirements that those applications must fulfill in conjunction with performing operations on resources.
Publication number: US9053302 (B2)   Publication date: 2015.06.09
Application number: US201313838537   Filing date: 2013.03.15
Applicant: Oracle International Corporation   Inventors: Sastry Hari VN.; Vepa Sirish V; Srinivasan Uppili; Joshi Vrinda S.
IPC classification: G06F21/00; G06F21/30; G06F21/62   Main classification: G06F21/00
Agent firm: Kilpatrick Townsend & Stockton LLP   Agent: Kilpatrick Townsend & Stockton LLP
Independent claim: 1. A computer-implemented method comprising:
receiving, at an authorization computer system, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
receiving, at the authorization system, a permission object that is an instance of the basic permission class but not an instance of the holder-permission class, said holder-permission object specifying a resource relative to which the application is requesting to perform an operation;
in response to receiving the holder-permission object, the authorization system determining whether one or more policies pertaining to the additional information are satisfied, said one or more policies specifying one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource;
based at least in part on a determination of whether the one or more policies are satisfied, the authorization system placing, within the holder-permission object, an indication that the application is allowed to perform the operation;
the authorization system placing the one or more obligations within a payload field of the holder-permission object based at least in part on a determination that the one or more policies are satisfied, said payload field being defined within the basic permission class; and
returning, from the authorization system to the application, the holder-permission object containing the indication and the one or more obligations.
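The abstract and claim 1 describe a pattern rather than code: a basic permission class that legacy callers keep using unchanged, a holder-permission subclass through which an advanced application passes additional information in and receives a decision plus obligations back, and an authorizer that writes those obligations into a payload field defined on the basic class. The following is an added illustration of that flow, not Oracle's code and not taken from the patent; all class, method, policy and obligation names (BasicPermission, HolderPermission, AuthorizationSystem, the "mask" and "audit" obligation types, the sample policies and records) are hypothetical. It also shows two practitioner caveats the claim implies but does not spell out: a legacy caller that cannot receive obligations must not be granted access under a policy that carries them, and an application that receives an obligation it does not know how to fulfil must fail closed rather than perform the operation anyway.

```python
"""Added example of the holder-permission / obligation flow from claim 1.
Not Oracle's code; every name below is a hypothetical stand-in."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any


class BasicPermission:
    """Legacy-style permission: a resource plus an action.  As in the claim, the
    payload field is defined on the basic class; legacy callers leave it empty."""

    def __init__(self, resource: str, action: str) -> None:
        self.resource = resource
        self.action = action
        self.payload: dict[str, Any] = {}


class HolderPermission(BasicPermission):
    """Advanced-application permission: carries additional information in, and
    the decision plus any obligations back out, through the inherited payload."""

    def __init__(self, resource: str, action: str, context: dict[str, Any] | None = None) -> None:
        super().__init__(resource, action)
        self.payload["context"] = dict(context or {})   # the "additional information"
        self.payload["obligations"] = []                 # filled in by the authorizer
        self.allowed: bool | None = None                 # the "indication" from the authorizer


@dataclass
class Policy:
    resource_prefix: str
    action: str
    required_context: dict[str, Any] = field(default_factory=dict)  # every key must match
    obligations: list[dict[str, Any]] = field(default_factory=list)


# Constructed sample policies (hypothetical).
POLICIES = [
    Policy("public/", "read"),
    Policy("hr/salary", "read", {"role": "hr_manager"}, [{"type": "audit"}]),
    Policy("hr/salary", "read", {"role": "analyst"}, [{"type": "mask", "field": "ssn"}, {"type": "audit"}]),
    Policy("hr/salary", "export", {"role": "analyst"}, [{"type": "watermark"}]),
]

AUDIT_LOG: list[tuple[Any, str, str]] = []


class AuthorizationSystem:
    def __init__(self, policies: list[Policy]) -> None:
        self.policies = policies

    def _candidates(self, perm: BasicPermission) -> list[Policy]:
        return [p for p in self.policies
                if perm.resource.startswith(p.resource_prefix) and p.action == perm.action]

    def check(self, perm: BasicPermission) -> bool:
        """Legacy path: a plain BasicPermission carries no context, so only policies
        that need none can match, and nothing is written back into the object.
        A policy that imposes obligations can never be satisfied on this path,
        because a legacy caller has no way to receive or fulfil them."""
        if isinstance(perm, HolderPermission):
            return self._check_holder(perm)
        return any(not p.required_context and not p.obligations for p in self._candidates(perm))

    def _check_holder(self, perm: HolderPermission) -> bool:
        """Advanced path: evaluate policies against the additional information, then
        place the decision on the object and the obligations in its payload field."""
        ctx = perm.payload["context"]
        satisfied = [p for p in self._candidates(perm)
                     if all(ctx.get(k) == v for k, v in p.required_context.items())]
        perm.allowed = bool(satisfied)
        obligations: list[dict[str, Any]] = []
        for p in satisfied:
            for ob in p.obligations:
                if ob not in obligations:          # union, order preserved
                    obligations.append(ob)
        perm.payload["obligations"] = obligations
        return perm.allowed


def application_access(authz: AuthorizationSystem, resource: str, action: str,
                       context: dict[str, Any], records: list[dict[str, Any]]):
    """Advanced application: requests a decision, then fulfils every returned
    obligation before handing the records back.  Returns None when denied; an
    obligation the application cannot fulfil is treated as a denial, not ignored."""
    perm = HolderPermission(resource, action, context)
    if not authz.check(perm):
        return None
    result = [dict(r) for r in records]        # never mutate the caller's data
    for ob in perm.payload["obligations"]:
        if ob["type"] == "mask":
            for r in result:
                if ob["field"] in r:
                    r[ob["field"]] = "***"
        elif ob["type"] == "audit":
            AUDIT_LOG.append((context.get("role"), action, resource))
        else:
            raise PermissionError(f"cannot fulfil obligation {ob['type']!r}")
    return result


# Constructed sample data (hypothetical).
RECORDS = [{"name": "Ada", "ssn": "123-45-6789", "salary": 100000}]
```

The legacy caller in `check` sees exactly the behaviour it always did: a boolean for a resource/action pair and an untouched permission object. Only the subclass triggers policy evaluation over the context and the write-back of obligations, which is what lets the two kinds of application share one authorization entry point.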
Address: Redwood Shores, CA, US