Methods and apparatus for scoped role-based access control

Information

  • Patent Application
  • Publication Number
    20080005115
  • Date Filed
    June 30, 2006
  • Date Published
    January 03, 2008
Abstract
Methods and apparatus for providing role-based access control of a resource by a subject in an access control system are provided. The system comprises one or more roles capable of association with one or more subjects, and a plurality of permission sets. One or more of the plurality of permission sets are associated with each of the one or more roles. The system further comprises a plurality of resources. One or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects. A given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a diagram illustrating a conventional RBAC system;



FIG. 2 is a diagram illustrating a scoped RBAC system, according to an embodiment of the present invention;



FIG. 3 is a flow diagram illustrating a scoped RBAC methodology, according to an embodiment of the present invention; and



FIG. 4 is a diagram illustrating an illustrative hardware implementation of a computing system in accordance with which one or more components/methodologies of the present invention may be implemented, according to an embodiment of the present invention.





DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

As will be illustrated in detail below, the embodiments of the present invention introduce techniques for providing scoped role-based access control of a resource by a subject in an access control system.


Referring initially to FIG. 1, a diagram illustrates a conventional RBAC system. Subject-1 102 and Subject-2 104 are assigned a role 106 for access to specific resources. Role 106 is assigned a specific set of permissions 108, and the specific resources 110 are bound to this set of permissions 108.


Referring now to FIG. 2, a diagram illustrates a scoped RBAC system, according to an embodiment of the present invention. A role 202 is associated with multiple permission sets 204, 206. Then a scope is created to associate a set of resources 208, 210 with permission set 204. In the embodiment of FIG. 2, two such scopes are shown, in that resource 212 is associated with permission set 206. This scope conveys the permission a subject has when accessing the resource under the role associated with the permission set. More specifically, this scope distinguishes a role across organizations in a large scale system where multiple organizations may be operating concurrently. The role may have different meanings from organization to organization.


Another scope is created to associate a set of subjects with a resource. For example, subject-1 214 and subject-2 216 may be associated with resource-1 208, while subject-3 218 is not associated with resource-1 208. In such an embodiment, only subject-1 214 and subject-2 216 may access resource-1 208. This scope conveys specific resource access rights to the subjects that are granted it. Subjects having the same role can be assigned access to different resources. Therefore, even when roles and permission sets are the same in two separate organizations, the subjects from one organization may be prevented from accessing resources of another organization.


Thus, multiple subjects having the same role are given different permissions against separate resources across organizations in a complex modern computing environment. This extension preserves the RBAC property that subject-to-role assignment is done independently of role-to-permission assignment.


The embodiments of the present invention implement an access control operation that decides whether a subject in a particular role has the permission to perform an action on a given resource, that is, whether to allow or deny the access.


In accordance with a decentralized embodiment of the present invention, each resource maintains a table of subjects that are allowed to access the resource, similar to an access control list. This table maintains the subject-resource scope described above. In addition to this table, the resource maintains a second table that stores pairs of role-permission entries. This table maintains the role-permission scope for each resource. An entry in the table indicates that any subject with the role of the entry has the permission indicated in the entry. Multiple entries may exist per role and multiple entries may exist per permission.


Referring now to FIG. 3, a flow diagram illustrates a scoped RBAC methodology, according to an embodiment of the present invention. The methodology begins in block 302, where it is determined whether the resource is accessible by the subject. This may be accomplished by determining whether the subject is in the access control table of the resource. If the resource is accessible by the subject, it is determined in block 304 whether the resource is accessible by the role and an associated permission of the subject. This may be accomplished by determining whether the role-permission pair is in the second table of the resource, as described above. If both checks succeed, access to the resource by the subject is permitted in block 306, terminating the methodology. If either check fails, that is, if the resource is not accessible by the subject or not accessible by the role and the associated permission of the subject, access is denied in block 308, terminating the methodology. Because the subject check is performed first, a subject that is not in the resource's access control table is denied regardless of which role it activates.


The tables may be implemented using distributed relational databases or distributed hash tables. In this case a centralized system can implement the access control operation while maintenance of the tables is distributed to the resources. A fully centralized system can also be built by keeping all the tables in a single database maintained by the access control system rather than by the resources.


In accordance with the embodiments of the present invention multiple users in the same role may be allowed access to different resources, and a user in a role may have different permissions according to the resources he or she is trying to access.


If two users with access to the same resource under the same role are to be allowed different permissions, the two scope tables described above may be combined into a single subject-role-permission table. In this case, for each user that can take a given role, there must be one subject-role-permission entry for each permission that user may exercise in that role on the resource.
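As an added illustration of the two-table check of FIG. 3 and of the combined subject-role-permission table just described, the following Python is example code written for this page, not code from the patent or its assignee. The resource names, subject names, the two organizations and the `assigned_roles` map (which verifies that a subject actually holds the role it activates, a step the patent text leaves to the surrounding RBAC system) are all constructed assumptions.

```python
"""Scoped RBAC check (added example, not the patent's code).

Each resource keeps two tables, as in the decentralized embodiment:
  - subjects:   subjects allowed to reach the resource (subject-resource scope)
  - role_perms: (role, permission) pairs valid on the resource (role-permission scope)
The combined form keeps one (subject, role, permission) table instead.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    # subject-resource scope: the ACL-like table consulted in block 302
    subjects: set = field(default_factory=set)
    # role-permission scope: the second table consulted in block 304
    role_perms: set = field(default_factory=set)


def check_access(resource, subject, role, permission, assigned_roles):
    """Return True only if every scope admits the request (FIG. 3)."""
    # Assumption not in the patent text: the subject must actually hold the
    # role it activates; otherwise any caller could name an arbitrary role.
    if role not in assigned_roles.get(subject, set()):
        return False
    # block 302: is the subject in the resource's access control table?
    if subject not in resource.subjects:
        return False  # block 308
    # block 304: is (role, permission) in the resource's second table?
    if (role, permission) not in resource.role_perms:
        return False  # block 308
    return True  # block 306


def check_access_combined(table, subject, role, permission):
    """Combined single-table form: one (subject, role, permission) lookup."""
    return (subject, role, permission) in table


def build_combined_table(resource, assigned_roles):
    """Expand a resource's two scope tables into subject-role-permission
    entries: for each subject that can take a role, one entry per permission
    the role carries on this resource."""
    return {
        (s, r, p)
        for s in resource.subjects
        for (r, p) in resource.role_perms
        if r in assigned_roles.get(s, set())
    }


# Constructed sample data: two organizations both use a role named "operator",
# but with different permission sets and disjoint subject lists.
ASSIGNED_ROLES = {
    "alice": {"operator"},   # org A
    "bob": {"operator"},     # org A
    "carol": {"operator"},   # org B
}
CMDB_A = Resource("cmdb-orgA", {"alice", "bob"},
                  {("operator", "read"), ("operator", "write")})
CMDB_B = Resource("cmdb-orgB", {"carol"}, {("operator", "read")})


def demo():
    """Decisions for a handful of constructed requests, keyed by a label."""
    return {
        "alice_write_A": check_access(CMDB_A, "alice", "operator", "write", ASSIGNED_ROLES),
        "carol_read_B": check_access(CMDB_B, "carol", "operator", "read", ASSIGNED_ROLES),
        # same role, other organization: the subject-resource scope blocks it
        "carol_read_A": check_access(CMDB_A, "carol", "operator", "read", ASSIGNED_ROLES),
        # same role, own organization, but "write" is not in B's role-permission table
        "carol_write_B": check_access(CMDB_B, "carol", "operator", "write", ASSIGNED_ROLES),
        # subject is in A's ACL but claims a role it does not hold
        "alice_auditor_A": check_access(CMDB_A, "alice", "auditor", "read", ASSIGNED_ROLES),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allow' if allowed else 'deny'}")
```

Running the module prints allow or deny for each constructed request. `build_combined_table` applies the expansion rule of the combined form: one entry per (subject, role, permission) for every subject in the resource's ACL that holds the role, so the single lookup in `check_access_combined` yields the same decisions as the two-step check.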


Referring now to FIG. 4, a block diagram illustrates an exemplary hardware implementation of a computing system in accordance with which one or more components/methodologies of the invention (e.g., components/methodologies described in the context of FIGS. 1-3) may be implemented, according to an embodiment of the present invention.


As shown, the computer system may be implemented in accordance with a processor 410, a memory 412, I/O devices 414, and a network interface 416, coupled via a computer bus 418 or alternate connection arrangement.


It is to be appreciated that the term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other processing circuitry. It is also to be understood that the term “processor” may refer to more than one processing device and that various elements associated with a processing device may be shared by other processing devices.


The term “memory” as used herein is intended to include memory associated with a processor or CPU, such as, for example, RAM, ROM, a fixed memory device (e.g., hard drive), a removable memory device (e.g., diskette), flash memory, etc.


In addition, the phrase “input/output devices” or “I/O devices” as used herein is intended to include, for example, one or more input devices (e.g., keyboard, mouse, scanner, etc.) for entering data to the processing unit, and/or one or more output devices (e.g., speaker, display, printer, etc.) for presenting results associated with the processing unit.


Still further, the phrase “network interface” as used herein is intended to include, for example, one or more transceivers to permit the computer system to communicate with another computer system via an appropriate communications protocol.


Software components including instructions or code for performing the methodologies described herein may be stored in one or more of the associated memory devices (e.g., ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (e.g., into RAM) and executed by a CPU.


Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be made by one skilled in the art without departing from the scope or spirit of the invention.

Claims
  • 1. A method of providing role-based access control of a resource by a subject in an access control system, comprising the steps of: determining if the resource is accessible by the subject; determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
  • 2. The method of claim 1, wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of one or more subjects that may access the resource comprises the subject.
  • 3. The method of claim 2, wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is implemented using at least one of a distributed relational database and a distributed hash table.
  • 4. The method of claim 2, wherein, in the step of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
  • 5. The method of claim 1, wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if a table of one or more role-permission pairs that may access the resource comprises the role and the associated permission of the subject.
  • 6. The method of claim 5, wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
  • 7. The method of claim 5, wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of one or more role-permission pairs is implemented using at least one of a distributed relational database and a distributed hash table.
  • 8. The method of claim 5, wherein, in the step of determining if a table of one or more role-permission pairs comprises the role and the associated permission, the table of one or more role-permission pairs is maintained by at least one of the access control system and the resource.
  • 9. The method of claim 1, wherein the step of determining if the resource is accessible by the subject comprises the step of determining if a table of subject-role-permission sets comprises the subject, and wherein the step of determining if the resource is accessible by a role and an associated permission of the subject comprises the step of determining if the table of subject-role-permission sets comprises the role and the associated permission of the subject.
  • 10. Apparatus for providing role-based access control of a resource by a subject in an access control system, comprising: a memory; and at least one processor coupled to the memory and operative to: (i) determine if the resource is accessible by the subject; (ii) determine if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; (iii) permit access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and (iv) deny access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
  • 11. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of one or more subjects that may access the resource comprises the subject.
  • 12. The apparatus of claim 11, wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is implemented using at least one of a distributed relational database and a distributed hash table.
  • 13. The apparatus of claim 11, wherein, in the operation of determining if a table of one or more subjects comprises the subject, the table of one or more subjects is maintained by at least one of the access control system and the resource.
  • 14. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by a role and an associated permission of the subject comprises the operation of determining if a table of one or more role-permission pairs that may access the resource comprises the role and the associated permission of the subject.
  • 15. The apparatus of claim 14, wherein, in the operation of determining if a table of one or more role-permission pairs comprises the role and the associated permission, each role-permission pair defines at least one action performable by an associated subject on the resource.
  • 16. The apparatus of claim 10, wherein the operation of determining if the resource is accessible by the subject comprises the operation of determining if a table of subject-role-permission sets comprises the subject, and wherein the operation of determining if the resource is accessible by a role and an associated permission of the subject comprises the operation of determining if the table of subject-role-permission sets comprises the role and the associated permission of the subject.
  • 17. An article of manufacture for providing role-based access control of a resource by a subject in an access control system, comprising a machine readable medium containing one or more programs which when executed implement the steps of: determining if the resource is accessible by the subject; determining if the resource is accessible by a role and an associated permission of the subject, when the resource is accessible by the subject; permitting access control of the resource by the subject when the resource is accessible by the role and the associated permission of the subject; and denying access control of the resource by the subject when the resource is not accessible by the subject or the role and the associated permission of the subject.
  • 18. A role-based access control system comprising: one or more roles capable of association with one or more subjects; a plurality of permission sets, wherein one or more of the plurality of permission sets are associated with each of the one or more roles; a plurality of resources, wherein one or more of the plurality of resources are associated with each of the one or more permission sets, and each of the plurality of resources is associated with a set of one or more subjects; wherein a given subject in a set of one or more subjects for a given resource and having a role-permission association with the given resource is provided access control of the given resource.
  • 19. The role-based access control system of claim 18, wherein each of the plurality of permission sets comprises one or more actions that may be performed on a resource.
  • 20. The role-based access control system of claim 18, wherein a first subject of the one or more subjects and a second subject of the one or more subjects are associated with an identical role of the one or more roles and differing permission sets of the plurality of permission sets.
CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to: the U.S. Patent Application Attorney Docket No. YOR920060467US1, entitled “Methods and Apparatus for Composite Configuration Item Management in Configuration Management Database;” the U.S. Patent Application Attorney Docket No. YOR920060468US1, entitled “Methods and Apparatus for Global Service Management of Configuration Management Databases;” the U.S. Patent Application Attorney Docket No. YOR920060469US1, entitled “Methods and Apparatus for Automatically Creating Composite Configuration Items in Configuration Management Database;” and the U.S. Patent Application Attorney Docket No. YOR920060478US1, entitled “Methods and Apparatus for Managing Configuration Management Database via Composite Configuration Item Change History” which are filed concurrently herewith and incorporated by reference herein.