
Method to enforce restricted resource level authorization via logical AND operation with common security role policy

IP.com Disclosure Number: IPCOM000236681D
Publication Date: 2014-May-08
Document File: 2 page(s) / 44K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed are two new security sub-roles applied to the security roles within pre-configured platforms for a Platform as a Service (PaaS) system. Using these roles in combination with resource-level access rights (ACLs) enables more granular access control at the resource instance level, providing a finer-grained role-based authorization model.


Security roles are used in pre-configured platforms for Platform as a Service (PaaS) systems to determine which actions users and user groups are authorized to perform on the many types of system resources that exist in the rack. The scope of access control of each security role is the entire rack. In other words, each security role permits access to all instances of a specific resource type in the rack. It is not possible to use security roles to restrict access to a subset of resource instances of any given system resource type. As an example, this means it is not possible to assign security roles to two different cloud administrators, such that one cloud administrator is not authorized to access cloud groups and the associated resources intended to be managed only by the other cloud administrator.

This novel contribution is the definition of two new security sub-roles, CLOUDGROUP_MANAGER and HARDWARE_MANAGER, which, used in combination with resource-level access rights (ACLs), enable more granular access control at the resource instance level. This provides a finer-grained role-based authorization model. The new sub-roles are child roles of the existing CLOUDGROUP_ADMIN_WRITER and HARDWARE_ADMIN_WRITER security roles respectively. It is now possible to assign these new security roles to users and user groups and to restrict the scope of access control to selected subsets of resource instances of cloud- and hardware-resource types.

A security policy definition exists for each resource type in a pre-configured platform for a PaaS system rack. Each policy definition specifies which security roles a user or user group must possess in order to be authorized to perform each of the create, read, update and delete (CRUD) operations. For example, a security policy specifies that the security role SECURITY_ADMIN_WRITER is required to create users in the platform system. Due to the large n...
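The following Python model is an added illustration of the authorization decision described in the title and the two preceding paragraphs; it is not code from the disclosure. It takes the role names and the parent/child relationship from the page (CLOUDGROUP_MANAGER under CLOUDGROUP_ADMIN_WRITER, HARDWARE_MANAGER under HARDWARE_ADMIN_WRITER, SECURITY_ADMIN_WRITER for creating users) and assumes the rest: the resource-type names, the shape of the per-type policy table, the ACL keyed by resource instance, and the rule that a restricted sub-role cannot create new instances on its own. The decision is the logical AND of the common role policy and, when the policy is satisfied only through a sub-role, the instance ACL.

```python
from dataclasses import dataclass

# Role hierarchy taken from the disclosure: each new sub-role is a child of an
# existing rack-wide "writer" role, so it satisfies the same policy entries.
PARENT_ROLE = {
    "CLOUDGROUP_MANAGER": "CLOUDGROUP_ADMIN_WRITER",
    "HARDWARE_MANAGER": "HARDWARE_ADMIN_WRITER",
}

# Security policy per resource type: which roles satisfy each CRUD operation.
# Resource-type names and every entry except "SECURITY_ADMIN_WRITER creates
# users" are constructed for this illustration (assumption).
CRUD = ("create", "read", "update", "delete")
POLICY = {
    "cloud_group": {op: {"CLOUDGROUP_ADMIN_WRITER"} for op in CRUD},
    "hardware": {op: {"HARDWARE_ADMIN_WRITER"} for op in CRUD},
    "user": {"create": {"SECURITY_ADMIN_WRITER"}},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    groups: frozenset = frozenset()

    def subjects(self):
        """Names an ACL entry may refer to: the user itself or any of its groups."""
        return {self.name} | set(self.groups)


def effective_roles(roles):
    """Expand held roles with every ancestor, so a sub-role satisfies its parent's policy."""
    expanded = set(roles)
    for role in roles:
        parent = PARENT_ROLE.get(role)
        while parent is not None:
            expanded.add(parent)
            parent = PARENT_ROLE.get(parent)
    return expanded


def authorize(principal, operation, resource_type, resource_id, acls):
    """Allow only if the common role policy AND (for a restricted sub-role) the instance ACL agree.

    acls maps (resource_type, resource_id) -> set of user/group names granted access.
    """
    required = POLICY.get(resource_type, {}).get(operation)
    if not required:
        return False  # no policy entry for this type/operation: deny by default
    held = effective_roles(principal.roles)
    if not (required & held):
        return False  # first operand of the AND: the common security role policy
    if required & set(principal.roles):
        return True  # a required rack-wide role is held directly: scope is the whole rack
    # The policy is satisfied only through a restricted sub-role, so the
    # instance ACL is the second operand of the AND.
    if resource_id is None:
        return False  # assumption: creating a new instance needs an unrestricted role
    granted = acls.get((resource_type, resource_id), set())
    return bool(principal.subjects() & granted)


def run_demo():
    """Two cloud administrators, each scoped by ACL to their own cloud group (constructed data)."""
    acls = {
        ("cloud_group", "cg-east"): {"alice"},
        ("cloud_group", "cg-west"): {"west-admins"},
    }
    alice = Principal("alice", frozenset({"CLOUDGROUP_MANAGER"}))
    bob = Principal("bob", frozenset({"CLOUDGROUP_MANAGER"}), frozenset({"west-admins"}))
    carol = Principal("carol", frozenset({"CLOUDGROUP_ADMIN_WRITER"}))
    dave = Principal("dave", frozenset({"SECURITY_ADMIN_WRITER"}))
    return {
        "alice_updates_east": authorize(alice, "update", "cloud_group", "cg-east", acls),
        "alice_updates_west": authorize(alice, "update", "cloud_group", "cg-west", acls),
        "bob_updates_west_via_group": authorize(bob, "update", "cloud_group", "cg-west", acls),
        "carol_updates_west_rackwide": authorize(carol, "update", "cloud_group", "cg-west", acls),
        "alice_creates_cloud_group": authorize(alice, "create", "cloud_group", None, acls),
        "alice_creates_user": authorize(alice, "create", "user", None, acls),
        "dave_creates_user": authorize(dave, "create", "user", None, acls),
    }


if __name__ == "__main__":
    for check, allowed in run_demo().items():
        print(f"{check:30s} {'ALLOW' if allowed else 'DENY'}")
```

The ordering of the checks matters for the property the disclosure describes: the role policy is evaluated first and is never bypassed by an ACL entry, and an ACL entry only narrows the scope of a sub-role rather than widening the scope of a rack-wide role. A missing ACL entry therefore fails closed for sub-role holders.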