
Method and Algorithm to Efficiently Evaluate Hierarchical Access Permissions on Objects and Attributes

IP.com Disclosure Number: IPCOM000250461D
Publication Date: 2017-Jul-20

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is an efficient method for hierarchical access control that uses a relational database management system (RDBMS) as the Access Control List (ACL) data store for application-specific object operations and attribute operations.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 21% of the total text.

Data stores such as Lightweight Directory Access Protocol (LDAP) offer a way to define all aspects of an organization in a hierarchical structure. Applications managing LDAP objects need to ensure that application users have the appropriate privileges before performing operations on specific objects or object attributes. Access privileges are typically defined through Access Control Lists (ACLs). In principle, hierarchical ACLs may be stored in LDAP itself, but data stores such as LDAP do not lend themselves well to ACL evaluation, because each evaluation requires multiple expensive searches and traversals of the organizational tree.

The novel solution is an efficient method for hierarchical access control that uses a relational database management system (RDBMS) as the ACL data store for application-specific object operations and attribute operations.

Application specific permission checking typically requires two distinct steps:

1. A sequence of data store searches across the organizational hierarchy for applicable ACLs

2. Post-processing done in code to evaluate the applicable ACLs in the context of the permission being checked

Inefficient access checks run the risk of degrading the user experience. During a working session, applications frequently check access privileges for logged-in users. If a sequence of inefficient authorization checks is required to operate on an object through a user interface, the user experiences a perceptible decrease in system responsiveness at almost every moment of the interaction with the system. The improvement discussed here proposes a technique in which all ACLs are stored in an RDBMS and an individual authorization decision may be obtained through a single, fast-performing Structured Query Language (SQL) query.

Checking access requires a decision about whether the specified permission on the given protection target is granted to the given system user (the ACI principal). Such a decision is derived by searching for the ACLs applicable to the user and determining whether they grant or deny the user the given permission. An ACL definition may protect objects in the same organizational unit only (single-level, SCOPE=0) or objects in the same organizational unit and in every unit below it (sub-tree, SCOPE=1). TARGET_CLASS contains a name identifying the class of object protected (e.g., an LDAP objectclass name).
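As an added illustration of the single-query decision described above (this is example code written for this page, not the disclosure's own schema or query), the following Python script builds an in-memory SQLite database with a T_BU table of organizational units, a T_BU_HIERARCHY closure table derived from it, and an ACL table carrying the SCOPE and TARGET_CLASS fields named in the text. The column names, the T_ACL table, the GRANT/DENY EFFECT column and the deny-overrides rule are all assumptions made for the example; the disclosure names only the two T_BU tables and the SCOPE and TARGET_CLASS fields. One SQL statement then answers "does this principal hold this permission on this class of object in this unit?" without any tree traversal in application code.

```python
import sqlite3

# Constructed schema. Only the table names T_BU and T_BU_HIERARCHY and the ACL
# fields SCOPE (0 = single level, 1 = sub-tree) and TARGET_CLASS come from the
# disclosure; every other column, the T_ACL table and the EFFECT column are
# assumptions made for this example.
SCHEMA = """
CREATE TABLE T_BU (
    BU_ID     TEXT PRIMARY KEY,
    PARENT_ID TEXT REFERENCES T_BU(BU_ID)   -- NULL for the root unit
);
-- Closure table: one row per (ancestor, descendant) pair, including a
-- DEPTH = 0 row pairing every unit with itself.
CREATE TABLE T_BU_HIERARCHY (
    ANCESTOR_ID   TEXT    NOT NULL,
    DESCENDANT_ID TEXT    NOT NULL,
    DEPTH         INTEGER NOT NULL,
    PRIMARY KEY (ANCESTOR_ID, DESCENDANT_ID)
);
CREATE TABLE T_ACL (
    ACL_ID       INTEGER PRIMARY KEY,
    PRINCIPAL    TEXT    NOT NULL,
    BU_ID        TEXT    NOT NULL REFERENCES T_BU(BU_ID),
    SCOPE        INTEGER NOT NULL,  -- 0 = this unit only, 1 = this unit and sub-tree
    TARGET_CLASS TEXT    NOT NULL,  -- e.g. an LDAP objectclass name
    PERMISSION   TEXT    NOT NULL,
    EFFECT       TEXT    NOT NULL CHECK (EFFECT IN ('GRANT', 'DENY'))
);
"""

# The whole authorization decision in one query: the closure table supplies every
# ancestor of the target unit together with its distance, and the SCOPE predicate
# keeps single-level ACLs only when the distance is zero.
ACCESS_QUERY = """
SELECT
    COALESCE(SUM(CASE WHEN a.EFFECT = 'DENY'  THEN 1 ELSE 0 END), 0) AS denies,
    COALESCE(SUM(CASE WHEN a.EFFECT = 'GRANT' THEN 1 ELSE 0 END), 0) AS grants
FROM T_ACL a
JOIN T_BU_HIERARCHY h
  ON h.ANCESTOR_ID   = a.BU_ID
 AND h.DESCENDANT_ID = :target_bu
WHERE a.PRINCIPAL    = :principal
  AND a.TARGET_CLASS = :target_class
  AND a.PERMISSION   = :permission
  AND (a.SCOPE = 1 OR h.DEPTH = 0)
"""


def rebuild_hierarchy(conn):
    """Derive T_BU_HIERARCHY from the parent links in T_BU; returns the row count."""
    parent = dict(conn.execute("SELECT BU_ID, PARENT_ID FROM T_BU"))
    conn.execute("DELETE FROM T_BU_HIERARCHY")
    rows = []
    for bu in parent:
        depth, ancestor = 0, bu
        while ancestor is not None:            # walk up to the root, one row per step
            rows.append((ancestor, bu, depth))
            ancestor, depth = parent.get(ancestor), depth + 1
    conn.executemany("INSERT INTO T_BU_HIERARCHY VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def check_access(conn, principal, permission, target_class, target_bu):
    """True only if some applicable ACL grants and none denies (deny-overrides; assumed policy)."""
    denies, grants = conn.execute(ACCESS_QUERY, {
        "principal": principal, "permission": permission,
        "target_class": target_class, "target_bu": target_bu,
    }).fetchone()
    return grants > 0 and denies == 0


def build_example_db():
    """Constructed sample organization and ACLs for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO T_BU VALUES (?, ?)", [
        ("o=acme", None),
        ("ou=eng,o=acme", "o=acme"),
        ("ou=platform,ou=eng,o=acme", "ou=eng,o=acme"),
        ("ou=sales,o=acme", "o=acme"),
    ])
    conn.executemany(
        "INSERT INTO T_ACL (PRINCIPAL, BU_ID, SCOPE, TARGET_CLASS, PERMISSION, EFFECT)"
        " VALUES (?, ?, ?, ?, ?, ?)", [
        ("alice", "o=acme", 1, "inetOrgPerson", "read", "GRANT"),             # whole tree
        ("alice", "ou=platform,ou=eng,o=acme", 0, "inetOrgPerson", "read", "DENY"),  # carve-out
        ("bob", "ou=eng,o=acme", 0, "inetOrgPerson", "write", "GRANT"),       # this unit only
    ])
    rebuild_hierarchy(conn)
    return conn


if __name__ == "__main__":
    db = build_example_db()
    for who, perm, unit in [("alice", "read", "ou=eng,o=acme"),
                            ("alice", "read", "ou=platform,ou=eng,o=acme"),
                            ("bob", "write", "ou=eng,o=acme"),
                            ("bob", "write", "ou=platform,ou=eng,o=acme")]:
        print(who, perm, unit, "->", check_access(db, who, perm, "inetOrgPerson", unit))
```

The closure table is what makes the single query possible: because every ancestor of the target unit is already materialized with its depth, the sub-tree versus single-level distinction collapses into the predicate `a.SCOPE = 1 OR h.DEPTH = 0`, and the two aggregate counts give the application everything it needs to apply its grant/deny rule without a second round trip. The table must be rebuilt (or incrementally maintained) whenever the organizational hierarchy changes, which is the price paid for constant-shape reads.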

One advantage of the technique described here is that it is not coupled to any particular data store containing the objects to be protected. The LDAP server is one example of such a data store. Applications using an RDBMS, an Object-Oriented Relational DBMS (OORDBMS), or other types of data stores for storing organizational data may be easily adapted to use this technique.

The T_BU and T_BU_HIERARCHY tables shown below relate the organizational unit structure stored in a data store such as LDAP to the corresponding parent-child associations in...