Composable Security Policies
Abstract
Composable security policies enable multiple authorization policies to be combined into a composed effective authorization policy such that policy authoring rights may be arbitrarily and flexibly delegated. In an example implementation, making an authorization decision based on a composed effective policy is described. In another example implementation, the delegation of policy authoring rights using an assertion in accordance with a security language is described. In yet another example implementation, a security authorization system is described that includes a mechanism enabling an administrator to explicitly grant all or a part of policy authoring rights to another administrator.
20 Claims

1. A method comprising:

receiving a resource request that is directed to a resource;
retrieving a trust policy that is authored by principal A, the trust policy associated with the resource;
retrieving a resource access policy that is authored by principal B, the resource authorization policy associated with the resource;
combining the trust policy and the resource access policy into a composed effective policy; and
making an authorization decision responsive to the resource request and based on the composed effective policy.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method comprising:

delegating, by an entity to an administrator A, a portion PA of policy authoring rights with respect to a resource; and
delegating, by the entity to an administrator B, a portion PB of the policy authoring rights with respect to the resource;
wherein each delegating is effected using at least one assertion issued by the entity in accordance with a security language, the at least one assertion including a delegation-directive verb.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. A security authorization system comprising policy authoring rights on at least one resource and a security language;

wherein the security language includes a mechanism enabling an administrator to explicitly grant all or a part of the policy authoring rights to another administrator so as to allow the other administrator to make policy assertions about the at least one resource; and
wherein the mechanism comprises a delegation-directive verb.

Dependent claims: 16, 17, 18, 19, 20.
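The claims above describe an entity delegating portions PA and PB of its policy authoring rights to principals A and B through assertions carrying a delegation-directive verb, then composing A's trust policy with B's access policy to decide a resource request. The Python below is an added, constructed illustration of that composition, not the patent's implementation: "can say" stands in for the delegation-directive verb, "owner" is the composing entity, and conditions inside an access rule are checked against the composed policy rather than the rule's author, a simplification assumed here.

```python
# Toy evaluator for a composed effective policy (constructed example, not the
# patent's implementation). A policy is a list of (issuer, statement) assertions:
#   fact        ("alice", "trusted") or ("alice", "read", "/report.pdf")
#   conditional ("if", condition, conclusion); "$x"-style names are variables
#   delegation  (delegate, "can say", pattern); "can say" is the assumed verb
def unify(pattern, fact):
    """Bind $variables in pattern to the fact's values; None if no match."""
    if len(pattern) != len(fact):
        return None
    env = {}
    for p, f in zip(pattern, fact):
        if p.startswith("$"):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def says(policy, root, issuer, fact, depth=0):
    """True if `issuer` says `fact`, directly or through a delegate. Conditions are
    checked against `root` (the composing entity), so A's trust facts satisfy B's rule."""
    if depth > 16:                                  # cut off delegation cycles
        return False
    for who, stmt in policy:
        if who != issuer:
            continue
        if stmt[0] == "if":                         # conditional fact
            env = unify(stmt[2], fact)
            if env is not None and says(policy, root, root, tuple(env.get(p, p) for p in stmt[1]), depth + 1):
                return True
        elif len(stmt) == 3 and stmt[1] == "can say":   # delegation-directive verb
            if unify(stmt[2], fact) is not None and says(policy, root, stmt[0], fact, depth + 1):
                return True
        elif stmt == fact:
            return True
    return False

def authorize(policy, owner, requester, action, resource):
    return says(policy, owner, owner, (requester, action, resource))

RESOURCE = "/report.pdf"
DELEGATIONS = [  # owner splits authoring rights: PA (who is trusted) to A, PB (who reads) to B
    ("owner", ("A", "can say", ("$x", "trusted"))),
    ("owner", ("B", "can say", ("$x", "read", RESOURCE))),
]
TRUST_POLICY = [("A", ("alice", "trusted")),          # authored by principal A
                ("A", ("mallory", "read", RESOURCE))]  # outside PA, so it must not count
ACCESS_POLICY = [("B", ("if", ("$x", "trusted"), ("$x", "read", RESOURCE)))]  # authored by B
COMPOSED = DELEGATIONS + TRUST_POLICY + ACCESS_POLICY
```

With the constructed policies, `authorize(COMPOSED, "owner", "alice", "read", RESOURCE)` is granted through A's trust fact and B's access rule, while "bob" (not trusted) and "mallory" (granted read by A, who only holds PA) are both denied.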