
Mechanism for Performing Role Assignment and Authorization Simultaneously

IP.com Disclosure Number: IPCOM000015897D
Original Publication Date: 2002-Aug-12
Included in the Prior Art Database: 2003-Jun-21
Document File: 1 page(s) / 75K

Publishing Venue

IBM

Abstract

A program is disclosed that performs role assignment and authorization simultaneously for role-based authorization systems. Traditional methods first assign roles to an authenticated identity, then perform authorization based on those roles. In contrast, as the program performs authorization, the roles contained in the authorization rules are assigned to the identity. The following figure depicts an overview of the program.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 92% of the total text.


Mechanism for Performing Role Assignment and Authorization Simultaneously

A program is disclosed that performs role assignment and authorization simultaneously for role-based authorization systems. Traditional methods first assign roles to an authenticated identity, then perform authorization based on those roles. In contrast, as the program performs authorization, the roles contained in the authorization rules are assigned to the identity.

The following figure depicts an overview of the program.

[Figure: overview of the program. Labels recovered from the figure: Request <Operation, Resource>, User ID, Authentication, User Registry.]

A user sends a request consisting of a target resource and an operation on it, presenting his/her User ID (1). The Authentication module (2) establishes the identity by referring to the User Registry (3). The Authorization & Role Assignment module (4) performs authorization based on the Authorization Rules (5) provided with the Application (6). Authorization rules are described in the following syntax:

<Role, Resource, Operation, Condition>

This indicates that an identity with Role can perform Operation on Resource if Condition is satisfied. Module 4 finds an authorization rule based on the given resource and operation pair, then checks its condition. If the condition is satisfied, the role of the rule is assigned to the identity. Unlike traditional methods, roles are assigned when authorization rules are evaluated. The Enforcement Module (8) performs Operation (9) on Resource (7).
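The evaluation step described above, as an added Python example that is not code from the disclosure. The predicate form of Condition, the identity attributes, the sample rules and the choice to evaluate every matching rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Assumption: a Condition is a predicate over the identity and request context;
# the disclosure does not define a condition language.
Condition = Callable[["Identity", Dict[str, str]], bool]

@dataclass(frozen=True)
class Rule:                      # <Role, Resource, Operation, Condition>
    role: str
    resource: str
    operation: str
    condition: Condition

@dataclass
class Identity:
    user_id: str
    attributes: Dict[str, str]                    # looked up in the User Registry
    roles: Set[str] = field(default_factory=set)  # empty right after authentication

class Authorizer:
    """Authorization & Role Assignment module: roles are assigned during rule evaluation."""
    def __init__(self, rules: List[Rule]):
        self._index: Dict[Tuple[str, str], List[Rule]] = {}
        for r in rules:
            self._index.setdefault((r.resource, r.operation), []).append(r)

    def authorize(self, ident, resource, operation, ctx) -> bool:
        granted = False
        # No rule for the pair means default deny. Assumption: every matching
        # rule is evaluated, so the identity may gain several roles.
        for rule in self._index.get((resource, operation), []):
            try:
                ok = bool(rule.condition(ident, ctx))
            except Exception:
                ok = False                 # a failing condition never grants access
            if ok:
                ident.roles.add(rule.role)
                granted = True
        return granted

# Constructed sample rules; roles, resources and attributes are hypothetical.
RULES = [
    Rule("Owner", "account", "withdraw", lambda i, c: c.get("owner") == i.user_id),
    Rule("Teller", "account", "withdraw", lambda i, c: i.attributes["dept"] == "branch"),
    Rule("Auditor", "account", "read", lambda i, c: i.attributes["dept"] == "audit"),
]
```

Because roles accumulate only from rules whose conditions held for an actual request, an audit of `Identity.roles` shows which grants were exercised rather than which were provisioned.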

[Figure labels, continued: Authorization & Role Assignment, Enforcement Mo...]