Abstract: A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. Components in the enterprise utilizing either Java Platform Security (JPS) or Oracle Access Manager (OAM) can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources.

Abstract: An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications.

Abstract: A system is disclosed that logs access system events. When an access system event occurs, a log entry is created for the access system event. Information from an identity profile is stored in the log entry. The identity profile pertains to a first user. The first user is the entity who caused or was involved with the access system event. In one embodiment, the access system includes identity management and access management functionality.

Abstract: A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. For example, components in the enterprise utilizing either JPS or OAM can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both JSP and OAM environments, such as both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A single unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources.

Abstract: An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Because the authorization system conforms to the legacy model, legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications.

Abstract: A method and apparatus for implementing a corporate directory and service center is described. The method includes and the apparatus performs querying for common characteristics, displaying information in a varied manner of displays and switching between the manners of displaying, maintaining data integrity and changing data, and defining types of data with forms of display or treatments for handling the data. The method may be embodied in various media as instructions which a machine may execute to perform the method.

Abstract: The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.

Abstract: A method and apparatus for implementing a corporate directory and service center is described. The method includes and the apparatus performs querying for common characteristics, displaying information in a varied manner of displays and switching between the manners of displaying, maintaining data integrity and changing data, and defining types of data with forms of display or treatments for handling the data. The method may be embodied in various media as instructions which a machine may execute to perform the method.

Abstract: A method and apparatus for implementing a corporate directory and service center is described. The method includes and the apparatus performs querying for common characteristics, displaying information in a varied manner of displays and switching between the manners of displaying, maintaining data integrity and changing data, and defining types of data with forms of display or treatments for handling the data. The method may be embodied in various media as instructions which a machine may execute to perform the method.

Abstract: An access system is disclosed that can provide data to a downstream application. In one embodiment, the data is provided as header variables associated with an HTTP request. Other embodiments can use other protocols and other means for transmitting the data. The data provided to the downstream applications include information about the user accessing the application. In one embodiment, the data provided to the downstream application includes information from an identity profile stored in an LDAP directory structure.

Abstract: The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.

Abstract: A method and apparatus for implementing a corporate directory and service center is described. The method includes and the apparatus performs querying for common characteristics, displaying information in a varied manner of displays and switching between the manners of displaying, maintaining data integrity and changing data, and defining types of data with forms of display or treatments for handling the data. The method may be embodied in various media as instructions which a machine may execute to perform the method.

Abstract: A method and apparatus for implementing a corporate directory and service center is described. The method includes and the apparatus performs querying for common characteristics, displaying information in a varied manner of displays and switching between the manners of displaying, maintaining data integrity and changing data, and defining types of data with forms of display or treatments for handling the data. The method may be embodied in various media as instructions which a machine may execute to perform the method.

Abstract: A system is disclosed that logs access system events. When an access system event occurs, a log entry is created for the access system event. Information from an identity profile is stored in the log entry. The identity profile pertains to a first user. The first user is the entity who caused or was involved with the access system event. In one embodiment, the access system includes identity management and access management functionality.

Abstract: The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.

Abstract: An access system is disclosed that can provide data to a downstream application. In one embodiment, the data is provided as header variables associated with an HTTP request. Other embodiments can use other protocols and other means for transmitting the data. The data provided to the downstream applications include information about the user accessing the application. In one embodiment, the data provided to the downstream application includes information from an identity profile stored in an LDAP directory structure.