News Column

Patent Issued for Supporting Role-Based Access Control in Component-Based Software Systems

February 20, 2014

By a News Reporter-Staff News Editor at Computer Weekly News -- From Alexandria, Virginia, VerticalNews journalists report that a patent by the inventors Chee, Yi-Min (Yorktown Heights, NY); Fang, Ru (Beijing, CN); Liu, Feng (Beijing, CN); Ma, Qian (Beijing, CN); Oppenheim, Daniel V. (Croton on Hudson, NY); Ratakonda, Krishna (Yorktown Heights, NY); Zou, Zhi Le (Beijing, CN), filed on August 29, 2008, was published online on February 4, 2014.

The patent's assignee for patent number 8645843 is International Business Machines Corporation (Armonk, NY).

News editors obtained the following quote from the background information supplied by the inventors: "This invention generally relates to access control in software systems, and more specifically, to role-based access control in component based software systems.

"With the booming of Internet and world economy, people now are in a world where information is shared more equally and freely. This has produced a strong impact over the way people work and communicate. Lots of businesses today are actually carried out and delivered by different collaboration units (CU). For example, according to a recent report, 30 percent of traditional professional IT service jobs will be delivered by people who come from emerging markets, i.e. from different countries all over the world. Therefore, providing effective and appropriate software systems to support today's businesses within a collaborative context is a key issue to the software industry.

"Typically, a software system supporting collaborative work might be used by people in different roles. These people not only have their own responsibilities on business, but also utilize the software system to collaborate with each other. In other words, people in different roles often work through a collaborative process to fulfill the business requirements. However, it is not very difficult to find that the person in each role usually has different considerations and only needs to care about the related functions for his own work. From the management view, this also implies a requirement on the management team to do process control and guarantee security by letting the software system provide only the necessary functions to the person in a corresponding role.

"Furthermore, the function set of a specific role in a collaborative environment is often dynamically changeable. The software systems should provide related functions to the role according to the run time system environment of the collaborative process. Finally, given the complexity of today's software system and the high cost of software development, it may be impossible to offer a separate version of the software system for each role. Therefore, a method to support role-based access control in the software systems under a collaborative context becomes very important and necessary.

"On the other hand, today's software systems are more inclined to be developed using modular components which can be seen as a new programming paradigm beyond the object oriented programming. In other words, a software system is constructed based on the assembly of some well-defined components at run-time. For example, the Eclipse plug-in architecture is a well known representative of the component-based architecture. This kind of modularization achieved through componentization, helps customize the functions in a software system among the users in different roles.

"There are some existing solutions that address access control in a distributed system.

"U.S. Pat. No. 5,339,403 discloses a procedure including a Privilege Attribute Certificate (PAC) that represents the users' access rights. When the user wants to access an application, it passes the PAC to the application, and to a PAC User Monitor (PUM) to validate the PAC to determine whether the user is authorized to access the application. Although this disclosure offers the apparatus to support user authorization in a distributed system, it does not target the role-based access control issue which is typically more complex than this basic idea.

"Role-based access control is going to differentiate the access right of certain roles to the software systems. U.S. Pat. No. 7,222,369 describes a role-based portal to a workplace system, which attempts to provide corresponding data, materials and tools when different roles login the workplace. A role-based filter component is proposed in this reference to use data from an assigned role data file for determining whether the specific tools and information should be accessed by a particular individual. However, this reference does not describe a method for handling dynamic changes to the role-based access mechanism.

"U.S. Pat. No. 6,014,666 discusses considers another important problem in role-based access control. When the user ids and groups in the operating system are used by the application software to do the access control, it is difficult for the application software to decide whether the related user ids and groups already exist in the target operating system. Thus, the reference provides an automatic mapping mechanism to let the application software define the logical user ids and groups and then transform the logical user ids and groups into real user ids and groups when the application software is deployed.

"Resource organization in role-based access control is investigated in U.S. Patent Publication 2003/0229623 A1. This reference describes the hierarchical relationships among the enterprise resources and assigns each role a set of such resources. Forward and reverse inheritance is applied to each user level-role assignment such that each user is allowed all permissions for ancestors to the assigned level or descendants to the assigned level.

"U.S. Pat. No. 7,216,125 studies the resource query and selection problem in role-based access control. This reference provides an automated technique to efficiently generate a list of resources to which a user can apply an action when the user passes the authorization step.

"However, the above references do not address the problem of tackling access control in the context of a component-based software system with dynamic roles that may change as defined by a run-time context in a process involving multiple parties."

As a supplement to the background information on this patent, VerticalNews correspondents also obtained the inventors' summary information for this patent: "Embodiments of the invention provide a method, system and computer program product for supporting role-based access control in a collaborative environment, wherein a plurality of users work together in a collaborative process using a software system. The method comprises componentizing the software system into a multitude of software components; and limiting access to specific software components to certain users based on roles assigned to the users as defined by a run-time state of the collaborative process.

"The set of components that a user can access is dynamic, that set can change based on the 'context' or the step where the user is in a collaborative workflow/process. Thus, in comparison with traditional access control mechanisms, an embodiment of the invention combines three different elements: a) the set of components that comprise the application is partitioned in such a way as to make componentized role-based access control feasible, b) a method for specifying inter-component dependencies to enable role-based groups, and c) enabling the modification of the access privileges based on contextual information from a collaborative process.

"Under a collaborative environment, people playing different roles cooperate with each other according to a predefined work process for business. They often install the same kind of software system but just use parts of its functions which relate to their own work. In the component-based software, this kind of function set can be located into a set of components, and hence the function controlling to this software can be seen as the access restriction on the corresponding components to certain roles. Furthermore, the components that a role can access are intrinsic-changed during runtime, since the work which this role should take currently is according to the running step of the collaborative process. In an embodiment of this invention, a model is used for the software system to capture the configurations of its components, the different roles, the collaborative process, and the relationships among them. Based on this model, a profile of component set is provided to each role. This profile not only records what components a specific role can access, but also describes how to change the authorized component set based on the running status of the collaborative process. During runtime, the software system only loads components according to the corresponding role's profile which deactivates other components. Although different roles use the same kind of software system, the usable function set is different among them. This kind of function set is also very easy to be managed through editing each role's profile.

"Embodiments of the invention provide a unified approach to address the following problems collectively: defining the set of components and the dependencies between them in the context of a specific role in order to divide the software system; providing a mechanism to manage the corresponding components for different roles and update the set of components when necessary; and supporting a dynamically changing component set according to the run-time context of a collaborative process."

For additional information on this patent, see: Chee, Yi-Min; Fang, Ru; Liu, Feng; Ma, Qian; Oppenheim, Daniel V.; Ratakonda, Krishna; Zou, Zhi Le. Supporting Role-Based Access Control in Component-Based Software Systems. U.S. Patent Number 8645843, filed August 29, 2008, and published online on February 4, 2014. Patent URL:

Keywords for this news article include: Software, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC

For more stories covering the world of technology, please see HispanicBusiness' Tech Channel

Source: Computer Weekly News

Story Tools