公开(公告)号：US10949561B2

公开(公告)日：2021-03-16

申请号：US16426916

申请日：2019-05-30

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F16/901 ,  G06F40/47 ,  G06F40/211 ,  G06F40/253 ,  H04L29/06

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

公开(公告)号：US20220138340A1

公开(公告)日：2022-05-05

申请号：US17578976

申请日：2022-01-19

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F16/901 ,  G06F40/47 ,  G06F40/211 ,  G06F40/253

Abstract: Techniques for generating and using reader-friendly policy statements are disclosed. In one or more embodiments, a policy management service receives a request for an authorization policy in a language-localized syntax. The policy management service identifies a syntax graph corresponding to the authorization policy and traverses the syntax graph to obtain at least a requestor variable value associated with the authorization policy, an action variable value associated with the authorization policy, a resource variable value associated with the authorization policy, and a location variable value associated with the authorization policy. The policy authorization service generates a reader-friendly policy statement in the language-localized syntax using the requestor variable value, the action variable value, the resource variable value, and the location variable value. Responsive to the request, the policy authorization service provides the reader-friendly policy statement.

公开(公告)号：US10395050B2

公开(公告)日：2019-08-27

申请号：US15453111

申请日：2017-03-08

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F16/901 ,  G06F17/27 ,  G06F17/28 ,  H04L29/06

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.

公开(公告)号：US10997309B2

公开(公告)日：2021-05-04

申请号：US16426851

申请日：2019-05-30

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F16/901 ,  G06F40/47 ,  G06F40/211 ,  G06F40/253 ,  H04L29/06

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Based on the authorization request including non-denial of the authorization request, the API further processes the authorization request by obtaining a final authorization result based on the complete contextual information associated with the authorization request and, responsive to the authorization request, providing the final authorization result.

公开(公告)号：US10410008B2

公开(公告)日：2019-09-10

申请号：US15453082

申请日：2017-03-08

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62 ,  G06F16/901 ,  G06F17/27 ,  G06F17/28

Abstract: Techniques for evaluating authorization requests using cached policy data are disclosed. In one or more embodiments, a thick client receives an authorization request. The thick client evaluates the authorization request, based on partial contextual information associated with the authorization request and a local policy data cache, to generate a preliminary authorization response. The preliminary authorization response includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Responsive to the preliminary authorization response including non-denial of the authorization request, the thick client submits complete contextual information associated with the authorization request to an authorization service. The authorization service provides a final authorization result, which the thick client uses to grant or deny the authorization request.

公开(公告)号：US11196749B2

公开(公告)日：2021-12-07

申请号：US16395905

申请日：2019-04-26

Applicant: ORACLE INTERNATIONAL CORPORATION

Inventor： Helali Bhuiyan ,  Geoff Hopcraft ,  Gayathri Premachandran ,  Jinai A

IPC: H04L29/06

Abstract: Systems, methods, and other embodiments associated with controlling a multi-tenant service-oriented architecture are described. In one embodiment, a method includes providing a collection of policies based upon who can access information of a user, wherein the information of the user is managed by a second service. A multi-tenant control module determines if a first service is able to contact the second service and obtain access to the user's information through the second service. An authentication service works in conjunction with the first and second services to assist in determining if the first service is able to contact the second service and obtain access to the user's information through the second service.

公开(公告)号：US10410009B2

公开(公告)日：2019-09-10

申请号：US15453085

申请日：2017-03-08

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F17/27 ,  G06F17/28 ,  G06F21/62 ,  H04L29/06 ,  G06F16/901

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Based on the authorization request including non-denial of the authorization request, the API further processes the authorization request by obtaining a final authorization result based on the complete contextual information associated with the authorization request and, responsive to the authorization request, providing the final authorization result.

公开(公告)号：US20170262648A1

公开(公告)日：2017-09-14

申请号：US15453085

申请日：2017-03-08

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62

CPC classification number: G06F21/6218 ,  G06F16/9024 ,  G06F17/271 ,  G06F17/274 ,  G06F17/2836 ,  H04L63/10 ,  H04L63/20

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Based on the authorization request including non-denial of the authorization request, the API further processes the authorization request by obtaining a final authorization result based on the complete contextual information associated with the authorization request and, responsive to the authorization request, providing the final authorization result.

公开(公告)号：US11288390B2

公开(公告)日：2022-03-29

申请号：US16523673

申请日：2019-07-26

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F16/901 ,  G06F40/47 ,  G06F40/211 ,  G06F40/253 ,  H04L29/06

Abstract: Techniques for generating and using reader-friendly policy statements are disclosed. In one or more embodiments, a policy management service receives a request for an authorization policy in a language-localized syntax. The policy management service identifies a syntax graph corresponding to the authorization policy and traverses the syntax graph to obtain at least a requestor variable value associated with the authorization policy, an action variable value associated with the authorization policy, a resource variable value associated with the authorization policy, and a location variable value associated with the authorization policy. The policy authorization service generates a reader-friendly policy statement in the language-localized syntax using the requestor variable value, the action variable value, the resource variable value, and the location variable value. Responsive to the request, the policy authorization service provides the reader-friendly policy statement.

公开(公告)号：US20190278935A1

公开(公告)日：2019-09-12

申请号：US16426916

申请日：2019-05-30

Applicant: Oracle International Corporation

Inventor： Helali Bhuiyan ,  Daniel M. Vogel

IPC: G06F21/62 ,  G06F17/28 ,  G06F16/901 ,  G06F17/27

Abstract: Techniques for generating syntax graphs corresponding to user-defined policy statement are disclosed. In one or more embodiments, a policy management service receives a user-defined policy statement that includes a requestor variable value, an action variable value, a resource variable value, and a location variable value. The user-defined policy statement describes an authorization policy. The policy authorization service converts the user-defined policy statement to a canonical policy statement, which involves: mapping the requestor variable value to a unique system-wide requestor identifier, and mapping the location variable value to a unique system-wide location identifier. The policy management service generates a syntax graph of the canonical policy statement. The syntax graph is traversable to determine whether the authorization policy is satisfied for a particular authorization request. The policy management service stores the syntax graph for use by an authorization service.