System and method for authentication

US 10,333,939 B2
Filed: 08/30/2016
Issued: 06/25/2019
Est. Priority Date: 09/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user in an application system, the method comprising:

receiving, at a server, an authentication request, the authentication request including user information and candidate permission point information;

confirming, by the server, at least one piece of upper layer subject information associated with the user information, the upper layer subject comprising one of a tenant or project;

acquiring, by the server, a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information, the first set of permission point information controlling user access to computing resources managed by the server;

acquiring, by the server, a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information, the second set of permission point information controlling upper layer subject access to the computing resources managed by the server;

determining, by the server, an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, the intersection comprising a set of permission point information authorized for the user and authorized for the upper layer subject information; and

determining, by the server, that the authentication is successful if the candidate permission point information is in the authentication set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and a method allow for authentication of user information in an application system. The method includes receiving an authentication request, the authentication request including user information and candidate permission point information, and confirming at least one piece of upper layer subject information associated with the user information. The method also includes acquiring a first set of permission point information associated with the user information, and acquiring a second set of permission point information associated with the at least one upper layer subject information. The method continues with determining an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, and determining that the authentication is successful if the candidate permission point information is in the authentication set.

Citations

20 Claims

1. A method for authenticating a user in an application system, the method comprising:
- receiving, at a server, an authentication request, the authentication request including user information and candidate permission point information;
  
  confirming, by the server, at least one piece of upper layer subject information associated with the user information, the upper layer subject comprising one of a tenant or project;
  
  acquiring, by the server, a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information, the first set of permission point information controlling user access to computing resources managed by the server;
  
  acquiring, by the server, a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information, the second set of permission point information controlling upper layer subject access to the computing resources managed by the server;
  
  determining, by the server, an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, the intersection comprising a set of permission point information authorized for the user and authorized for the upper layer subject information; and
  
  determining, by the server, that the authentication is successful if the candidate permission point information is in the authentication set.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the user information includes at least two pieces of upper layer subject information and wherein the acquiring the second set of permission point information comprises:
    - acquiring, by the server, permission sets associated with the at least two pieces of the upper layer subject information; and
      
      determining, by the server, an intersection of the permission sets as the second set of permission point information.
  - 3. The method according to claim 1, wherein the at least one piece of upper layer subject information includes tenant information and project information, wherein the confirming at least one piece of upper layer subject information comprises:
    - confirming, by the server, tenant information associated with the user information; and
      
      confirming, by the server, project information associated with the tenant information and associated with the user information, andwherein acquiring the second set of permission point information comprises;
      
      acquiring, by the server, a permission set associated with the tenant information and including at least one piece of permission point information;
      
      acquiring, by the server, a permission set associated with the project information and including at least one piece of permission point information; and
      
      determining, by the server, an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
  - 4. The method according to claim 1, wherein acquiring the first set of permission point information includes querying first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by the at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
  - 5. The method according to claim 1, wherein acquiring the second set of permission point information includes querying at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.

6. A method for authenticating a user in an application system, the method comprising:
- receiving, by a server, an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information;
  
  confirming, by the server, at least one piece of upper layer subject information associated with the user information, the upper layer subject comprising one of a tenant or project;
  
  acquiring, by the server, a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, the first set of permission point information controlling user access to computing resources managed by the server;
  
  acquiring, by the server, a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information, the second set of permission point information controlling upper layer subject access to the computing resources managed by the server;
  
  determining, by the server, an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, the intersection comprising a set of permission point information authorized for the user and authorized for the upper layer subject information; and
  
  determining, by the server, a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6, wherein the user information includes at least two pieces of upper layer subject information and wherein the acquiring the second set of permission point information comprises:
    - acquiring, by the server, permission sets associated with the at least two pieces of the upper layer subject information; and
      
      determining, by the server, an intersection of the permission sets as the second set of permission point information.
  - 8. The method according to claim 6, wherein confirming at least one piece of upper layer subject information comprises:
    - confirming, by the server, tenant information associated with the user information; and
      
      confirming, by the server, project information associated with the tenant information and associated with the user information, andwherein acquiring the second set, when the upper layer subject information includes tenant information and project information, comprises;
      
      acquiring, by the server, a permission set associated with the tenant information and including at least one piece of permission point information;
      
      acquiring, by the server, a permission set associated with the project information and including at least one piece of permission point information; and
      
      determining, by the server, an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
  - 9. The method according to claim 6, wherein the acquiring the first set of permission point information comprises querying first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
  - 10. The method according to claim 6, wherein acquiring the second set of permission point information comprises querying at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.

11. An apparatus for authenticating a user in an application system, the apparatus comprising:
- a processor; and
  
  a non-transitory memory storing computer-executable instructions therein that, when executed by the processor, cause the apparatus to;
  
  receive an authentication request, the authentication request including user information and candidate permission point information;
  
  confirm at least one piece of upper layer subject information associated with the user information, the upper layer subject comprising one of a tenant or project;
  
  acquire a first set of permission point information associated with the user information, the first set of permission point information including at least one piece of permission point information associated with the user information, the first set of permission point information controlling user access to computing resources managed by the server;
  
  acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information, the second set of permission point information controlling upper layer subject access to the computing resources managed by the server;
  
  determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, the intersection comprising a set of permission point information authorized for the user and authorized for the upper layer subject information; and
  
  determine that the authentication is successful if the candidate permission point information is in the authentication set.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus according to claim 11, wherein the user information includes at least two pieces of upper layer subject information and wherein the instruction to acquire a second set of permission point information further causes the apparatus to:
    - acquire permission sets associated with the at least two pieces of the upper layer subject information; and
      
      determine an intersection of the permission sets as the second set of permission point information.
  - 13. The apparatus according to claim 11, wherein the at least one piece of upper layer subject information includes tenant information and project information, wherein the instruction to confirm at least one piece of upper layer subject information further causes the apparatus to:
    - confirm tenant information associated with the user information; and
      
      confirm project information associated with the tenant information and associated with the user information, andwherein the instruction to acquire the second set of permission point information further causes the apparatus to;
      
      acquire a permission set associated with the tenant information and including at least one piece of permission point information;
      
      acquire a permission set associated with the project information and including at least one piece of permission point information; and
      
      determine an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
  - 14. The apparatus according to claim 11, wherein the instruction to acquire the first set of permission point information further causes the apparatus to query first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by the at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
  - 15. The apparatus according to claim 11, wherein the instruction to acquire the second set of permission point information further causes the apparatus to query at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.

16. An apparatus for authenticating a user in an application system, the apparatus comprising:
- a processor; and
  
  a non-transitory memory storing computer-executable instructions therein that, when executed by the processor, cause the apparatus to;
  
  receive an authentication request including user information and a candidate information set, the candidate information set including at least one piece of candidate permission point information;
  
  confirm at least one piece of upper layer subject information associated with the user information, the upper layer subject comprising one of a tenant or project;
  
  acquire a first set of permission point information associated with the user information and including at least one piece of permission point information associated with the user information, the first set of permission point information controlling user access to computing resources managed by the server;
  
  acquire a second set of permission point information associated with the at least one upper layer subject information, the second set of permission point information including at least one piece of permission point information associated with the at least one piece of upper layer subject information, the second set of permission point information controlling upper layer subject access to the computing resources managed by the server;
  
  determine an authentication set based on an intersection of the first set of permission point information and the second set of permission point information, the intersection comprising a set of permission point information authorized for the user and authorized for the upper layer subject information; and
  
  determine a third set of permission point information associated with the authentication request as passing authentication if the candidate information set intersects with the authentication set.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus according to claim 16, wherein the user information includes at least two pieces of upper layer subject information wherein the instruction to acquire a second set of permission point information further causes the apparatus to:
    - acquire permission sets associated with the at least two pieces of the upper layer subject information; and
      
      determine an intersection of the permission sets as the second set of permission point information.
  - 18. The apparatus according to claim 16, wherein the upper layer subject information includes tenant information and project information, wherein the instruction to confirm at least one piece of upper layer subject information further causes the apparatus to:
    - confirm tenant information associated with the user information; and
      
      confirm project information associated with the tenant information and associated with the user information, andwherein the instruction to acquire the second set of permission point information further causes the apparatus to;
      
      acquire a permission set associated with the tenant information and including at least one piece of permission point information;
      
      acquire a permission set associated with the project information and including at least one piece of permission point information; and
      
      determine an intersection of the permission set associated with the tenant information and the permission set associated with the project information as the second set of permission point information.
  - 19. The apparatus according to claim 16, wherein the instruction to acquire the first set of permission point information further causes the apparatus to query first role information mapped to the user information, the first role information identifying a role associated with the user information in an upper layer subject identified by at least one piece of upper layer subject information, and wherein the first set of permission point information is mapped to the first role information.
  - 20. The apparatus according to claim 16, wherein the instruction to acquire the second set of permission point information further causes the apparatus to query at least one piece of second role information mapped to the at least one piece of upper layer subject information, the second role information identifying a role of an upper layer subject for each piece of upper layer subject information in the application system, and wherein the second set is mapped to the second role information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Guo, Dong, Yuan, Panfeng, Liu, Xin, Chen, Tingliang
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/251,336
Publication Number

US 20170063862A1
Time in Patent Office

1,029 Days
Field of Search

726 4, 726 5, 713165, 713182
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

System and method for authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links