Delegating right to access resource or the like in access management system
Abstract
A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requestor, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requestor. The resource thus knows that the request is based on rights delegated from the first administrator to the requestor by way of the second administrator.
21 Claims
1. A method for a resource of a first organization to provide access thereto to a requestor of a second organization, the first organization having a first administrator trusted by the resource, the second organization having a second administrator, each of the first and second administrators for issuing credentials to entities, each credential as issued by an administrator to an entity tying the entity to the issuing administrator and evincing a relationship between the entity and the issuing administrator, the method comprising:
the first administrator issuing to the second administrator a first credential, the issued first credential stating policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator, the second administrator in fact issuing to the requestor the second credential on behalf of the first administrator, the issued second credential including the issued first credential, the requestor of the second organization thereafter requesting access from the resource of the first organization and in doing so including with the request the issued first credential and the issued second credential;
the resource receiving from the requestor the request including the issued first credential and the issued second credential;
the resource validating the issued first credential to confirm that the issued first credential ties the trusted first administrator to the second administrator, and also to confirm that the policy of the issued first credential allowed the second administrator to issue the second credential to the requestor;
the resource validating the issued second credential to confirm that the issued second credential ties the second administrator to the requestor; and
presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted first administrator to the requestor by way of the second administrator, whereby the resource of the first organization can recognize and grant access to the requestor of the second organization, even though such requestor is not issued any credential by the trusted first administrator of the first organization.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for a resource of a first organization to provide access thereto to a requestor of a second organization by way of a third organization, the first organization having a first administrator trusted by the resource, the second organization having a second administrator, the third organization having a third administrator, each administrator for issuing credentials to entities, each credential as issued by an administrator to an entity tying the entity to the issuing administrator and evincing a relationship between the entity and the issuing administrator, the method comprising:
the first administrator issuing to the third administrator a first credential, the issued first credential stating policy that the third administrator may issue a second credential to the second administrator on behalf of the first administrator and that the second administrator may issue a third credential to the requestor on behalf of the first administrator, the third administrator in fact issuing to the second administrator the second credential on behalf of the first administrator and the second administrator in fact issuing to the requestor the third credential on behalf of the first administrator, the issued second credential including the issued first credential and the issued third credential including the issued first credential and the issued second credential, the requestor of the second organization thereafter requesting access from the resource of the first organization and in doing so including with the request the issued first credential and the issued second credential and the issued third credential;
the resource receiving from the requestor the request including the issued first credential and the issued second credential and the issued third credential;
the resource validating the issued first credential to confirm that the issued first credential ties the trusted first administrator to the third administrator, and also to confirm that the policy of the issued first credential allowed the third administrator to issue the second credential to the second administrator and that the policy of the issued first credential also allowed the second administrator to issue the third credential to the requestor;
the resource validating the issued second credential to confirm that the issued second credential ties the third administrator to the second administrator, and also to confirm that the policy of the issued second credential allowed the second administrator to issue the third credential to the requestor;
the resource validating the issued third credential to confirm that the issued third credential ties the second administrator to the requestor; and
presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted first administrator to the requestor by way of the third administrator and the second administrator, whereby the resource of the first organization can recognize and grant access to the requestor of the second organization, even though such requestor is not issued any credential by the trusted first administrator of the first organization.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method for a resource of an organization to provide access thereto to a requestor by way of an intermediary, the organization having an administrator trusted by the resource, the method comprising:
the administrator issuing to the intermediary a first credential, the issued first credential stating policy that the intermediary may issue a second credential to the requestor on behalf of the administrator, the intermediary in fact issuing to the requestor the second credential on behalf of the administrator, the issued second credential including the issued first credential, the requestor thereafter requesting access from the resource of the organization and in doing so including with the request the issued first credential and the issued second credential;
the resource receiving from the requestor the request including the issued first credential and the issued second credential;
the resource validating the issued first credential to confirm that the issued first credential ties the trusted administrator to the intermediary, and also to confirm that the policy of the issued first credential allowed the intermediary to issue the second credential to the requestor;
the resource validating the issued second credential to confirm that the issued second credential ties the intermediary to the requestor; and
presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted administrator to the requestor by way of the intermediary, whereby the resource of the organization can recognize and grant access to the requestor, even though such requestor is not issued any credential by the trusted administrator of the organization.
Dependent claims: 16, 17, 18, 19, 20, 21.