Not Applicable.
The invention relates generally to a method and system for managing access to resources over a computer network. More particularly, the method and system for managing access utilizes entitlement expressions that refer to membership maps and unique accessor identification indices into the membership maps to determine a user""s entitlement to a resource.
As more business is done on computers, and particularly as more business is done and information is exchanged across computer networks, access controls for determining which computer users and software applications may obtain access to which data or other computerized resources across these computer networks becomes increasingly important. Access controls, for example, can control access to pages on the World Wide Web, allowing differential content to be provided to different groups of people, whether they are paying customers who pay for differing levels of access, or to different groups of people who may have rights to differing levels of confidential information. Access controls can also provide differing levels of database access and transaction authorization as well as controlling the flow of information that is broadcast or xe2x80x9cpushedxe2x80x9d over a computer network such as in electronic publishing and message forwarding.
Traditional systems for managing access to system resources typically use archaic syntax to specify recipients who are entitled to use of or access to information or other resources in a computer system. Reprogramming these systems to adapt to new conditions, such as new levels of access or new groups to whom access is granted, is cumbersome. The need to learn a particular syntax also results in time consuming training and xe2x80x9ctrial and errorxe2x80x9d periods for new users of these systems to learn how to use the systems efficiently.
Other systems utilize access control lists (ACLs). In general, ACLs associate names and lists of names with objects for access purposes. In general, inclusion on a list or a list specified in some other list constitutes entitlement. This style of entitlement requires complex list administration in order to represent complex conditions of entitlement, conditions, for instance, where a user characteristic is superceded by some other characteristic.
One problem with access control lists is that they can only represent simple entitlement rules and the ACL approach typically does not allow use of arbitrary functions or conditions when specifying access to or control of a resource. Accordingly, ACLs are not rich enough for sophisticated applications. Access control list systems also cause server performance to degrade when the numbers of users or objects or lists become large, requiring multiple time consuming database select and join operations to be performed serially in order to determine access entitlements. As sites on the World Wide Web become more complex and attract more users, all expecting prompt service from the Web site, the problem of determining user entitlement to an object becomes more acute.
In addition, ACLs generally are not available in encapsulated (object-oriented) implementations, making implementation and maintenance of the ACL software difficult. For these and other reasons, ACL implementations are typically specific to platform operating system or web server implementations.
It would, therefore, be desirable to provide a system that can arbitrate access to particular resources in a system while avoiding or mitigating the problems of prior art systems. Such a system would preferably improve performance where the number of users is large, possibly by requiring only simple database operations that can be performed in parallel. The system should also allow for simple maintenance and update of databases containing access information while at the same time utilizing plain text message entitlement rules and allowing arbitrary functions or conditions to specify access to or control of a resource. The system should also be available in an encapsulated format that is readily deployable on any of a single computer, special purpose embedded applications, a wide or local area network, intranets, the Internet or other networks or systems where user entitlement to resources must be determined.
The invention described herein provides a platform independent, fast, scalable and standards compliant entitlement manager that enables the practical implementation of sophisticated, personalized access control. With the entitlement management system of the invention, simple expressive representations of complex entitlement rules are provided in an easy to administer format. The efficient data structures and techniques used result in high performance even with large numbers of objects, users and lists and the scalable algorithms and techniques of the system provide built-in support for growth. The invention also provides accessor, accessor group and object registry builder tools that are easy to set up and allow for ongoing maintenance.
A method according to the invention, applied in a system having a plurality of accessors desiring access to one or more resources and at least one resource, determines accessor entitlement to a resource in response to an accessor request for access to that resource. The method includes associating an entitlement expression with the resource, and associating a unique identifier with the accessor. The entitlement expression includes a reference to at least one membership map having membership information for the accessor, and the accessor""s unique identifier acts as an index into the membership maps. The method includes evaluating the entitlement expression for the resource to determine the entitlement of the requesting accessor to the resource where the evaluation includes looking up the accessor""s membership information in the at least one membership map referred to in the entitlement expression using the accessor""s unique identifier.
The system may further include at least one accessor group where each group has a name, zero or more accessors that are members of the group, and a membership map for determining whether a particular accessor is a member of the group. The entitlement expression then references at least one membership map by including at least one group name corresponding to a group having a membership map in the entitlement expression. The entitlement expression may also include more than one group name, and may include operators such as boolean operators, for example, for operating on the group names to evaluate an entitlement request. For example, such an entitlement expression might be xe2x80x9call U.S. citizens minus males under the age of 25xe2x80x9d where xe2x80x9call U.S. citizensxe2x80x9d and xe2x80x9cmales under the age of 25xe2x80x9d are groups of accessors and xe2x80x9cminusxe2x80x9d is an operator. In evaluating this entitlement expression for an accessor, the system uses the accessor""s identifier as an index into membership maps to determine whether the accessor is a member of either of the two groups, then evaluates the expression to determine whether the accessor meets the entitlement requirements.
In one embodiment, each membership map is a bit map and the accessor""s unique identifier is an index to a position in each bit map wherein the bit at that position indicates whether the accessor is a member of the group corresponding to the bit map. The membership bit maps can be conveniently stored in paged data structures.
The invention also includes a system for determining accessor entitlement to a resource having a first means for storing a plurality of accessors and a unique identifier associated with each accessor and a second means for storing a plurality of unique accessor group names. Each of the plurality of accessor group names has an associated membership map with the accessor identifier acting as an index into the accessor group membership maps for determining whether an accessor is a member of an accessor group. The system further includes a processor means for determining whether an accessor is entitled to a resource in response to an accessor request for the resource by evaluating an entitlement expression for the resource wherein the entitlement expression include a reference to at least one accessor group. The system may also have a third means for storing at least one unique resource name corresponding to a resource and an entitlement expression associated with each resource name.
The system may be implemented as a server process responsive to one or more client processes representing accessor requests for access to a resource. In one embodiment, the processor means may be implemented as a plurality of threads executing on a server computer for accessing the first and second means and for evaluating accessor entitlement requests based on information retrieved from the first and second means.
The entitlement manager system of the invention provides a new approach to access control in complex systems and provides a dramatic advance over access control lists by providing high speed resolution of dynamic access control rules. The entitlement manager system thereby enables reliable charging of fees for content or services in new ways without driving readers away by evaluating a user characteristic at run time to determine entitlement to the content or services in real time.
The system of the invention can be provided in a portable implementation and thus a user can preserve his or her investment in the system even as deployment or application of the system changes. The system also provides support for common distributed object models which allows for easy integration into a wide variety of operating environments. The entitlement manager system can further be made available as middleware and as webware and can be implemented as an embedded component for managing access to any object. In short, the entitlement manager system of the invention can be deployed anywhere that a system needs an answer to the question, xe2x80x9cIs this user allowed access to this object?xe2x80x9d