ROLE-BASED ACCESS CONTROL TO COMPUTING RESOURCES IN AN INTER-ORGANIZATIONAL COMMUNITY

US 20080313716A1
Filed: 06/11/2008
Published: 12/18/2008
Est. Priority Date: 06/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node and at least one authentication server, said method comprising the steps of:

responsive to receiving a certificate request from a computing resource requester belonging to a first organization of said plurality of organizations, said application role server conditionally, upon successfully authenticating said computing resource requester by querying an authentication server belonging to said first organization, issuing a digital certificate to said computing resource requester; and

responsive to a first access control node receiving a resource access request from said computing resource requester, said resource access request requesting access to a computing resource, said first access control node performing a step selected from the group consisting of;

forwarding said resource access request to a second access control node;

granting to said computing resource requester access to said computing resource upon ascertaining access privileges of said computing resource requester.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a plurality of computing resources in a distributed computing environment can comprise the steps of: an application role server, responsive to receiving a certificate request, authenticating the requester and issuing a digital certificate to the requester; an access control node, responsive to receiving a resource access request, granting access to the computing resource to the requester upon ascertaining the requestor'"'"'s access privileges, or forwarding the resource access request to another access control node.

204 Citations

55 Claims

1. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node and at least one authentication server, said method comprising the steps of:
- responsive to receiving a certificate request from a computing resource requester belonging to a first organization of said plurality of organizations, said application role server conditionally, upon successfully authenticating said computing resource requester by querying an authentication server belonging to said first organization, issuing a digital certificate to said computing resource requester; and
  
  responsive to a first access control node receiving a resource access request from said computing resource requester, said resource access request requesting access to a computing resource, said first access control node performing a step selected from the group consisting of;
  
  forwarding said resource access request to a second access control node;
  
  granting to said computing resource requester access to said computing resource upon ascertaining access privileges of said computing resource requester.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said resource access request includes said digital certificate.
  - 3. The method of claim 1, wherein said step of said first access control node granting access to said computing resource is performed conditionally, upon successfully authenticating said computing resource requester.
  - 4. The method of claim 1, wherein said step of granting access includes forwarding to said computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for said computing resource;
      
      a second URL and an authorization token.
  - 5. The method of claim 1, wherein said step of granting access to said computing resource includes forwarding said computing resource to said computing resource requester.
  - 6. The method of claim 1, wherein said computing resource is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 7. The method of claim 1, wherein said digital certificate includes role assignment information for said computing resource requester.
  - 8. The method of claim 1, wherein said digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.
  - 9. The method of claim 1, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 10. The method of claim 1, wherein said step of ascertaining access privileges includes querying a permission role assignment table, said permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role.

11. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node, said method comprising the steps of:
- responsive to receiving a certificate request from a computing resource requester belonging to a first organization of said plurality of organizations, said application role server conditionally, upon successfully authenticating said computing resource requester, issuing a digital certificate to said computing resource requestor; and
  
  responsive to a first access control node receiving a resource access request requesting access to a computing resource, said first access control node performing a step selected from the group consisting of;
  
  forwarding said resource access request to a second access control node;
  
  granting to said computing resource requester access to said computing resource upon ascertaining access privileges of said computing resource requester;
  
  wherein said first access control node belongs to said first organization.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein said resource access request includes said digital certificate.
  - 13. The method of claim 11, wherein said step of said first access control node granting access to said computing resource is performed conditionally, upon successfully authenticating said computing resource requester.
  - 14. The method of claim 11, wherein said step of granting access includes forwarding to said computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for said computing resource;
      
      a second URL and an authorization token.
  - 15. The method of claim 11, wherein said step of granting access to said computing resource includes forwarding said computing resource to said computing resource requester.
  - 16. The method of claim 11, wherein said computing resource is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 17. The method of claim 11, wherein said digital certificate includes role assignment information for said computing resource requester.
  - 18. The method of claim 11, wherein said digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.
  - 19. The method of claim 11, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 20. The method of claim 11, wherein said step of ascertaining access privileges includes querying a permission role assignment table, said permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role.

21. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of access control nodes, said method comprising the steps of:
- responsive to receiving a certificate request from a computing resource requester, said application role server conditionally, upon successfully authenticating said computing resource requester, issuing a digital certificate to said computing resource requester;
  
  responsive to receiving a resource search request by a first access control node, said first access control node conditionally, upon successfully authenticating said computing resource requester, performing resource search; and
  
  responsive to said first access control node receiving a resource access request requesting access to a computing resource to said computing resource requester, said first access control node performing a step selected from the group consisting of;
  
  forwarding said resource access request to a second access control node;
  
  granting to said computing resource requester access to said computing resource upon ascertaining access privileges of said computing resource requester.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21, wherein said resource access request includes said digital certificate.
  - 23. The method of claim 21, wherein said step of said first access control node granting access to said computing resource is performed conditionally, upon successfully authenticating said computing resource requester.
  - 24. The method of claim 21, wherein said step of granting access includes forwarding to said computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for said computing resource;
      
      a second URL and an authorization token.
  - 25. The method of claim 21, wherein said step of granting access to said computing resource includes forwarding said computing resource to said computing resource requester.
  - 26. The method of claim 21, wherein said computing resource is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 27. The method of claim 21, wherein said digital certificate includes a role assignment information for said computing resource requester.
  - 28. The method of claim 21, wherein said digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.
  - 29. The method of claim 21, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 30. The method of claim 21, wherein said step of ascertaining access privileges includes querying a permission role assignment table, said permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role.

31. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of access control nodes, said method comprising the steps of:
- responsive to receiving a resource search request by a first access control node, said first access control node requesting role assignment information for said computing resource requester from said application role server;
  
  responsive to receiving a role assignment information request, said application role server conditionally, upon successfully authenticating said computing resource requester, forwarding a role assignment information for said computing resource requester to said first access control node;
  
  responsive to receiving by said first access control node said role assignment information from said application role server, said first access control node performing resource search; and
  
  responsive to receiving by a first access control node a resource access request requesting access to a computing resource, said first access control node performing a step selected from the group consisting of;
  
  forwarding said resource access request to a second access control node;
  
  granting access to said computing resource to said computing resource requester upon ascertaining access privileges of said computing resource requester.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The method of claim 31, wherein said resource access request includes a digital certificate.
  - 33. The method of claim 31, wherein said step of application role server forwarding role assignment information is followed by the step of:
    - said first access control node forwarding said resource search request to one or more peer access control nodes.
  - 34. The method of claim 31, wherein said step of granting access includes forwarding to said computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for said computing resource;
      
      a second URL and an authorization token.
  - 35. The method of claim 31, wherein said step of granting access to said computing resource includes forwarding said computing resource to said computing resource requester.
  - 36. The method of claim 31, wherein said computing resource is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 37. The method of claim 31, wherein said distributed computing environment comprises a plurality of organizations;
    - and wherein said first access control node and said computing resource requester belong to the same organization.
  - 38. The method of claim 31, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 39. The method of claim 31, wherein said step of ascertaining access privileges includes querying a permission role assignment table, said permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role.

40. A method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node, said method comprising the steps of:
- responsive to a first access control node receiving a request to access a computing resource from a computing resource requester, said computing resource requester belonging to a first organization of said plurality of organizations, said first access control node requesting role assignment information for said computing resource requester from said application role server;
  
  responsive to receiving a role assignment information request, said application role server conditionally, upon successfully authenticating said computing resource requester, forwarding role assignment information for said computing resource requester to said first access control node; and
  
  responsive to said first access control node receiving said role assignment information from said application role server, said first access control node performing a step selected from the group consisting of;
  
  forwarding said resource access request to a second access control node;
  
  granting to said computing resource requester access to said computing resource requester upon ascertaining access privileges of said computing resource requester;
  
  wherein said first access control node belongs to said first organization.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The method of claim 40, wherein said resource access request includes a digital certificate.
  - 42. The method of claim 40, wherein said step of application role server forwarding role assignment information is followed by the step of:
    - said first access control node forwarding said resource search request to one or more peer access control nodes.
  - 43. The method of claim 40, wherein said step of granting access includes forwarding to said computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for said computing resource;
      
      a second URL and an authorization token.
  - 44. The method of claim 40, wherein said step of granting access to said computing resource includes forwarding said computing resource to said computing resource requester.
  - 45. The method of claim 40, wherein said computing resource is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 46. The method of claim 40, wherein said distributed computing environment comprises a plurality of organizations;
    - and wherein said first access control node and said computing resource requester belong to the same organization.
  - 47. The method of claim 40, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 48. The method of claim 40, wherein each organization of said plurality of organizations includes an authentication server;
    - wherein said computing resource requester belongs to a first organization of said plurality of organizations; and
      
      wherein said step of said application role server authenticating said computing resource requester is performed by querying an authentication server belonging to said first organization.
  - 49. The method of claim 40, wherein said step of ascertaining access privileges includes querying a permission role assignment table, said permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role.

50. A method of joining a multi-organizational resource sharing community by a joining organization, said resource sharing community comprising a plurality of organizations and an application role server, said joining organization having an organizational network interconnecting a plurality of computing resources and an authentication server, said method comprising the steps of:
- provisioning at least one access control node for said joining organization;
  
  providing user role assignment information for at least one computing resource requester associated with said joining organization; and
  
  registering said authentication server with said application role server.
- View Dependent Claims (51, 52, 53, 54, 55)
- - 51. The method of claim 50, wherein said user role assignment information includes at least one user role assignment record, said record assigning a role to a computing resource requester.
  - 52. The method of claim 50, wherein said step of provisioning at least one access control node includes providing a resource description table including a description of at least one computing resource controlled by said joining organization.
  - 53. The method of claim 50, wherein said step of provisioning at least one access control node includes providing a permission role assignment table including at least one permission role assignment record, said permission role assignment record specifying at least one of:
    - an access permission corresponding to a combination of a computing resource identifier and a role, a service level corresponding to a combination of a computing resource identifier and a role
  - 54. The method of claim 50, wherein said step of registering said authentication server is provided by at least one of:
    - registering a name said authentication server with said application role server;
      
      providing network connectivity by said application role server to said authentication server; and
      
      creating an account for said application role server on said authentication server.
  - 55. The method of claim 50, wherein said computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syracuse University
Original Assignee
Syracuse University
Inventors
Park, Joon S.

Granted Patent

US 9,769,177 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/104   Grouping of entities

H04L 63/126   the source of the received ...

ROLE-BASED ACCESS CONTROL TO COMPUTING RESOURCES IN AN INTER-ORGANIZATIONAL COMMUNITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

204 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

ROLE-BASED ACCESS CONTROL TO COMPUTING RESOURCES IN AN INTER-ORGANIZATIONAL COMMUNITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others