U.S. patent application number 11/479356 was filed with the patent office on 2008-01-03 for methods and apparatus for scoped role-based access control.
This patent application is currently assigned to International Business Machines Corporation. Invention is credited to Carole Rhoads Corley, Jorge Lobo, Lorraine Phyllis Vassberg, Xiping Wang.
Application Number | 20080005115 11/479356 |
Document ID | / |
Family ID | 38877968 |
Filed Date | 2008-01-03 |
United States Patent Application | 20080005115 | Kind Code | A1 | Corley; Carole Rhoads; et al. | January 3, 2008 |
Methods and apparatus for scoped role-based access control
Abstract
Methods and apparatus for providing role-based access control of
a resource by a subject in an access control system are provided.
The system comprises one or more roles capable of association with
one or more subjects, and a plurality of permission sets. One or
more of the plurality of permission sets are associated with each
of the one or more roles. The system further comprises a plurality
of resources. One or more of the plurality of resources are
associated with each of the one or more permission sets, and each
of the plurality of resources is associated with a set of one or
more subjects. A given subject in a set of one or more subjects for
a given resource and having a role-permission association with the
given resource is provided access control of the given
resource.
Inventors: | Corley; Carole Rhoads; (Cedar Park, TX); Lobo; Jorge; (New York, NY); Vassberg; Lorraine Phyllis; (Austin, TX); Wang; Xiping; (Putnam Valley, NY) |
Correspondence Address: | Ryan, Mason & Lewis, LLP, 90 Forest Avenue, Locust Valley, NY 11560, US |
Assignee: | International Business Machines Corporation, Armonk, NY |
Family ID: | 38877968 |
Appl. No.: | 11/479356 |
Filed: | June 30, 2006 |
Current U.S. Class: | 1/1; 707/999.009 |
Current CPC Class: | G06F 2221/2141 20130101; G06F 21/6209 20130101; H04L 63/102 20130101 |
Class at Publication: | 707/9 |
International Class: | G06F 17/30 20060101 G06F017/30 |
Claims
1. A method of providing role-based access control of a resource by
a subject in an access control system comprising the steps of:
determining if the resource is accessible by the subject;
determining if the resource is accessible by a role and an
associated permission of the subject, when the resource is
accessible by the subject; permitting access control of the
resource by the subject when the resource is accessible by the role
and the associated permission of the subject; and denying access
control of the resource by the subject when the resource is not
accessible by the subject or the role and the associated permission
of the subject.
2. The method of claim 1, wherein the step of determining if the
resource is accessible by the subject comprises the step of
determining if a table of one or more subjects that may access the
resource comprises the subject.
3. The method of claim 2, wherein, in the step of determining if a
table of one or more subjects comprises the subject, the table of
one or more subjects is implemented using at least one of a
distributed relational database and a distributed hashing table.
4. The method of claim 2, wherein, in the step of determining if a
table of one or more subjects comprises the subject, the table of
one or more subjects is maintained by at least one of the access
control system and the resource.
5. The method of claim 1, wherein the step of determining if the
resource is accessible by a role and an associated permission of
the subject comprises the step of determining if a table of one or
more role-permission pairs that may access the resource comprises
the role and the associated permission of the subject.
6. The method of claim 5, wherein, in the step of determining if a
table of one or more role-permission pairs comprises the role and
the associated permission, each role-permission pair defines at
least one action performable by an associated subject on the
resource.
7. The method of claim 5, wherein, in the step of determining if a
table of one or more role-permission pairs comprises the role and
the associated permission, the table of role-permission pairs is
implemented using at least one of a distributed relational database
and a distributed hashing table.
8. The method of claim 5, wherein, in the step of determining if a
table of one or more role-permission pairs comprises the role and
the associated permission, the table of one or more role-permission
pairs is maintained by at least one of the access control system
and the resource.
9. The method of claim 1, wherein the step of determining if the
resource is accessible by the subject comprises the step of
determining if a table of subject-role-permission sets comprises the
subject, and wherein the step of determining if the resource is
accessible by a role and an associated permission of the subject
comprises the step of determining if a table of
subject-role-permission sets comprises the role and the associated
permission of the subject.
10. Apparatus for providing role-based access control of a resource
by a subject in an access control system, comprising: a memory; and
at least one processor coupled to the memory and operative to: (i)
determine if the resource is accessible by the subject; (ii)
determine if the resource is accessible by a role and an associated
permission of the subject, when the resource is accessible by the
subject; (iii) permit access control of the resource by the subject
when the resource is accessible by the role and the associated
permission of the subject; and (iv) deny access control of the
resource by the subject when the resource is not accessible by the
subject or the role and the associated permission of the
subject.
11. The apparatus of claim 10, wherein the operation of determining
if the resource is accessible by the subject comprises the
operation of determining if a table of one or more subjects that
may access the resource comprises the subject.
12. The apparatus of claim 11, wherein, in the operation of
determining if a table of one or more subjects comprises the
subject, the table of one or more subjects is implemented using at
least one of a distributed relational database and a distributed
hashing table.
13. The apparatus of claim 11, wherein, in the operation of
determining if a table of one or more subjects comprises the
subject, the table of one or more subjects is maintained by at
least one of the access control system and the resource.
14. The apparatus of claim 10, wherein the operation of determining
if the resource is accessible by a role and an associated
permission of the subject comprises the operation of determining if
a table of one or more role-permission pairs that may access the
resource comprises the role and the associated permission of the
subject.
15. The apparatus of claim 14, wherein, in the operation of
determining if a table of one or more role-permission pairs
comprises the role and the associated permission, each
role-permission pair defines at least one action performable by an
associated subject on the resource.
16. The apparatus of claim 10, wherein the operation of determining
if the resource is accessible by the subject comprises the
operation of determining if a table of subject-role-permission sets
comprises the subject, and wherein the step of determining if the
resource is accessible by a role and an associated permission of
the subject comprises the step of determining if a table of
subject-role-permission sets comprises the role and the associated
permission of the subject.
17. An article of manufacture for providing role-based access
control of a resource by a subject in an access control system,
comprising a machine readable medium containing one or more
programs which when executed implement the steps of: determining if
the resource is accessible by the subject; determining if the
resource is accessible by a role and an associated permission of
the subject, when the resource is accessible by the subject;
permitting access control of the resource by the subject when the
resource is accessible by the role and the associated permission of
the subject; and denying access control of the resource by the
subject when the resource is not accessible by the subject or the
role and the associated permission of the subject.
18. A role-based access control system comprising: one or more
roles capable of association with one or more subjects; a plurality
of permission sets, wherein one or more of the plurality of
permission sets are associated with each of the one or more roles;
a plurality of resources, wherein one or more of the plurality of
resources are associated with each of the one or more permission
sets, and each of the plurality of resources is associated with a
set of one or more subjects; wherein a given subject in a set of
one or more subjects for a given resource and having a
role-permission association with the given resource is provided
access control of the given resource.
19. The role-based access control system of claim 18, wherein each
of the plurality of permission sets comprises one or more actions
that may be performed on a resource.
20. The role-based access control system of claim 18, wherein a
first subject of the one or more subjects and a second subject of
the one or more subjects are associated with an identical role of
the one or more roles and differing permission sets of the
plurality of permission sets.
Description
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application is related to: the U.S. Patent Application
Attorney Docket No. YOR920060467US1, entitled "Methods and
Apparatus for Composite Configuration Item Management in
Configuration Management Database;" the U.S. Patent Application
Attorney Docket No. YOR920060468US1, entitled "Methods and
Apparatus for Global Service Management of Configuration Management
Databases;" the U.S. Patent Application Attorney Docket No.
YOR920060469US1, entitled "Methods and Apparatus for Automatically
Creating Composite Configuration Items in Configuration Management
Database;" and the U.S. Patent Application Attorney Docket No.
YOR920060478US1, entitled "Methods and Apparatus for Managing
Configuration Management Database via Composite Configuration Item
Change History" which are filed concurrently herewith and
incorporated by reference herein.
FIELD OF THE INVENTION
[0002] The present invention relates to information technology (IT)
systems and, more particularly, methods and apparatus for providing
role-based access control of a system resource.
BACKGROUND OF THE INVENTION
[0003] In IT systems, a technical means for controlling access to
computing or information resources must be provided for security
purposes. A resource could represent data such as a file or
database, network elements such as routers and switches, or
computer systems. Access is the ability to manipulate, for example,
view, add, modify, or delete, a resource. Access control is the
means by which the ability to access is explicitly enabled or
restricted in some way through system administration. Access
controls can prescribe not only who or what process or entity may
have access to a specific system resource, but also the type of
access that is permitted.
[0004] The traditional Role-Based Access Control (RBAC) is a
powerful technique developed for controlling access to resources in
a complex system. With role-based access control, access rights are
grouped by role name, and the use of resources is restricted to
users authorized to assume the associated role. For example, within
an IT system the role of system administrator can include
operations to view, add, modify, and delete resources, while the
role of librarian can only include operations to view system
resources. The advantage of having roles with associated groups of
subjects is that by changing the permissions of a single role, the
access rights of all the subjects in the group are changed.
[0005] However, there are drawbacks with the traditional RBAC
system, especially in large distributed systems because subjects
with the same role always have the same set of permissions against
the same set of resources.
[0006] Subjects having the same role cannot be assigned access to
different resources. Therefore, a subject belonging to a first
organization having the same roles and permissions as a subject
belonging to a second organization may have access to resources of
the second organization. Additionally, there is no mechanism to
distinguish a role across organizations in a large scale system
where multiple organizations may be operating concurrently. To
simplify the management of a large scale modern IT system, it is
desirable to have a role that can have different meanings from
organization to organization. For example, in a grid computing
environment, the access rights of a role, such as librarian, may
vary from organization to organization, and the role may have a
different set of permissions in each organization; more
specifically, organizations can independently assign permissions to
roles according to local policies.
SUMMARY OF THE INVENTION
[0007] In accordance with the aforementioned and other objectives,
the embodiments of the present invention are directed towards
methods and apparatus for scoped role-based access control of a
resource by a subject in an access control system.
[0008] For example, in one aspect of the present invention a method
of providing role-based access control of a resource by a subject
in an access control system is provided. It is determined if the
resource is accessible by the subject. When the resource is
accessible by the subject, it is determined if the resource is
accessible by a role and an associated permission of the subject.
When the resource is accessible by the role and the associated
permission of the subject, access control of the resource by the
subject is permitted. When the resource is not accessible by the
subject or the role and the associated permission of the subject,
access control of the resource by the subject is denied.
[0009] In additional embodiments of the present invention, it is
determined if a table of one or more subjects that may access the
resource comprises the subject. Further, it is determined if a
table of one or more role-permission pairs that may access the
resource comprise the role and the associated permission of the
subject.
[0010] In another aspect of the invention, a role-based access
control system is provided. The system comprises one or more roles
capable of association with one or more subjects, and a plurality
of permission sets. One or more of the plurality of permission sets
are associated with each of the one or more roles. The system
further comprises a plurality of resources. One or more of the
plurality of resources are associated with each of the one or more
permission sets, and each of the plurality of resources is
associated with a set of one or more subjects. A given subject in a
set of one or more subjects for a given resource and having a
role-permission association with the given resource is provided
access control of the given resource.
[0011] The embodiments of the present invention provide a scoped
role-based access control system, in which a role is associated
with multiple sets of permissions and multiple resources are bound
to a permission set. A scope is created to associate subjects with
resources and another scope is created to associate a set of
resources with a role/permission set. This allows multiple subjects
having the same role to have different sets of permissions
associated with their roles against separate sets of resources.
[0012] These and other objects, features and advantages of the
present invention will become apparent from the following detailed
description of illustrative embodiments thereof, which is to be
read in connection with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] FIG. 1 is a diagram illustrating a conventional RBAC
system;
[0014] FIG. 2 is a diagram illustrating a scoped RBAC system,
according to an embodiment of the present invention;
[0015] FIG. 3 is a flow diagram illustrating a scoped RBAC
methodology, according to an embodiment of the present invention;
and
[0016] FIG. 4 is a diagram illustrating an illustrative hardware
implementation of a computing system in accordance with which one
or more components/methodologies of the present invention may be
implemented, according to an embodiment of the present
invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0017] As will be illustrated in detail below, the embodiments of
the present invention introduce techniques for providing scoped
role-based access control of a resource by a subject in an access
control system.
[0018] Referring initially to FIG. 1 a diagram illustrates a
conventional RBAC system. Subject-1 102 and Subject-2 104 are
assigned a role 106 for access to specific resources. Role 106 is
assigned to a specific set of permissions 108, and the specific
resources 110 are bound to this set of permissions 108.
[0019] Referring now to FIG. 2, a diagram illustrates a scoped RBAC
system, according to an embodiment of the present invention. A role
202 is associated with multiple permission sets 204, 206. Then a
scope is created to associate a set of resources 208, 210 with
permission set 204. In the embodiment of FIG. 2, two such scopes
are shown, in that resource 212 is associated with permission set
206. This scope conveys the permission a subject has when accessing
the resource under the role associated with the permission set.
More specifically, this scope distinguishes a role across
organizations in a large scale system where multiple organizations
may be operating concurrently. The role may have different meanings
from organization to organization.
[0020] Another scope is created to associate a set of subjects with
a resource. For example subject-1 214 and subject-2 216 may be
associated with resource-1 208, while subject-3 218 may not be
associated with resource-1 208. In such an embodiment, only
subject-1 214 and subject-2 216 may access resource-1 208. This
scope conveys specific resource access rights to subjects that are
granted that scope. Subjects having the same role can be assigned
access to different resources. Therefore, even when roles and
permission sets are the same in two separate organizations, the
subjects from one organization may be prevented from accessing
resources from another organization.
[0021] Thus, multiple subjects having the same role are given
different permissions against separate resources across
organizations in a complex modern computing environment. This
extension does not affect the RBAC property that lets
subject-to-role assignment be done independently of
role-to-permission assignment.
[0022] The embodiments of the present invention implement an access
control operation that decides whether a subject in a particular
role has the permission to perform an action on a given resource,
that is, whether to allow or deny access.
[0023] In accordance with a decentralized embodiment of the present
invention, each resource maintains a table of subjects that are
allowed to access the resource, similar to an access control list.
This table maintains the subject-resource scope described above. In
addition to this table, the resource maintains a second table that
stores pairs of role-permission entries. This table maintains the
role-permission scope for each resource. An entry in the table
indicates that any subject with the role of the entry has the
permission indicated in the entry. Multiple entries may exist per
role and multiple entries may exist per permission.
[0024] Referring now to FIG. 3, a flow diagram illustrates a scoped
RBAC methodology, according to an embodiment of the present
invention. The methodology begins in block 302, where it is
determined if the resource is accessible by the subject. This may
be accomplished by determining if the subject is in the access
control table of the resource. If the resource is accessible by the
subject, it is determined if the resource is accessible by a role
and an associated permission of the subject in block 304. This may
be accomplished by determining if the role and permission are in
the second table of the resource as described above. If the
resource is accessible by the role and the associated permission of
the subject, access control of the resource is permitted by the
subject in block 306, terminating the methodology. If the resource
is not accessible by the subject or the role and the associated
permission of the subject, access control of the resource is denied
in block 308, terminating the methodology.
[0025] Tables may be implemented using distributed relational
databases or distributed hashing tables. In this case a centralized
system can implement the access control operation and the
maintenance of the tables can be distributed to the resources. A
fully centralized system can also be developed by keeping all the
tables in a single database maintained by the access control system
and not by the resources.
[0026] In accordance with the embodiments of the present invention
multiple users in the same role may be allowed access to different
resources, and a user in a role may have different permissions
according to the resources he or she is trying to access.
[0027] If two users with access to the same resource under the same
role are to be allowed different permissions, the two scope tables
described above may be combined into a single table. In this case,
for each user who can take a given role, there must be a
subject-role-permission entry for each permission the subject is
able to exercise in that role.
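The decision procedure of FIG. 3 over the two per-resource scope tables of the decentralized embodiment ([0023]-[0024]), plus the combined subject-role-permission table of [0027], as an added illustration in Python; this is not code from the patent, and the resource names, subjects and organizations are constructed for the example. The role a subject is acting in is passed as an argument, on the assumption that subject-to-role assignment is handled separately, as [0021] allows.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    """One resource together with its two scope tables."""
    name: str
    # subject-resource scope: subjects that may reach this resource at all
    # (the access-control-list-like table of [0023])
    subjects: set = field(default_factory=set)
    # role-permission scope: (role, permission) pairs valid on this resource;
    # several entries per role and per permission are allowed
    role_permissions: set = field(default_factory=set)


def check_access(resource, subject, role, permission):
    """Decide access as in FIG. 3. Returns (allowed, reason)."""
    # block 302: is the resource accessible by the subject?
    if subject not in resource.subjects:
        return False, f"denied: {subject} not in subject scope of {resource.name}"
    # block 304: does this resource grant the (role, permission) pair?
    if (role, permission) not in resource.role_permissions:
        return False, (f"denied: ({role}, {permission}) not in "
                       f"role-permission scope of {resource.name}")
    # block 306: both scopes satisfied
    return True, "permitted"


def check_access_combined(table, subject, role, permission):
    """[0027] variant: one subject-role-permission table per resource, so two
    subjects sharing a role on the same resource may hold different permissions."""
    return (subject, role, permission) in table


# Constructed sample data (not from the patent). Two organizations each give
# the "librarian" role its own local meaning via the resource's scope tables.
CATALOG_A = Resource(
    "catalog-A",
    subjects={"alice"},
    role_permissions={("librarian", "view"), ("librarian", "modify")},
)
CATALOG_B = Resource(
    "catalog-B",
    subjects={"bob", "carol"},
    role_permissions={("librarian", "view")},
)

# Combined table for catalog-B: bob and carol share the librarian role on the
# same resource, yet only carol may modify.
COMBINED_B = {
    ("bob", "librarian", "view"),
    ("carol", "librarian", "view"),
    ("carol", "librarian", "modify"),
}

if __name__ == "__main__":
    cases = [
        (CATALOG_A, "alice", "modify"),  # same-org librarian: permitted
        (CATALOG_A, "bob", "view"),      # other org's librarian: blocked at 302
        (CATALOG_B, "bob", "modify"),    # local role lacks modify: blocked at 304
        (CATALOG_B, "bob", "view"),      # permitted
    ]
    for res, subj, perm in cases:
        print(res.name, subj, perm, check_access(res, subj, "librarian", perm))
    print("carol modify via combined table:",
          check_access_combined(COMBINED_B, "carol", "librarian", "modify"))
```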
[0028] Referring now to FIG. 4, a block diagram illustrates an
exemplary hardware implementation of a computing system in
accordance with which one or more components/methodologies of the
invention (e.g., components/methodologies described in the context
of FIGS. 1-3) may be implemented, according to an embodiment of the
present invention.
[0029] As shown, the computer system may be implemented in
accordance with a processor 410, a memory 412, I/O devices 414, and
a network interface 416, coupled via a computer bus 418 or
alternate connection arrangement.
[0030] It is to be appreciated that the term "processor" as used
herein is intended to include any processing device, such as, for
example, one that includes a CPU (central processing unit) and/or
other processing circuitry. It is also to be understood that the
term "processor" may refer to more than one processing device and
that various elements associated with a processing device may be
shared by other processing devices.
[0031] The term "memory" as used herein is intended to include
memory associated with a processor or CPU, such as, for example,
RAM, ROM, a fixed memory device (e.g., hard drive), a removable
memory device (e.g., diskette), flash memory, etc.
[0032] In addition, the phrase "input/output devices" or "I/O
devices" as used herein is intended to include, for example, one or
more input devices (e.g., keyboard, mouse, scanner, etc.) for
entering data to the processing unit, and/or one or more output
devices (e.g., speaker, display, printer, etc.) for presenting
results associated with the processing unit.
[0033] Still further, the phrase "network interface" as used herein
is intended to include, for example, one or more transceivers to
permit the computer system to communicate with another computer
system via an appropriate communications protocol.
[0034] Software components including instructions or code for
performing the methodologies described herein may be stored in one
or more of the associated memory devices (e.g., ROM, fixed or
removable memory) and, when ready to be utilized, loaded in part or
in whole (e.g., into RAM) and executed by a CPU.
[0035] Although illustrative embodiments of the present invention
have been described herein with reference to the accompanying
drawings, it is to be understood that the invention is not limited
to those precise embodiments, and that various other changes and
modifications may be made by one skilled in the art without
departing from the scope or spirit of the invention.
* * * * *