DELEGATION IN LOGIC-BASED ACCESS CONTROL
First Claim
1. One or more computer-readable storage media having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:
- receiving a template that specifies one or more assertions;
obtaining a first token that satisfies a first one of said one or more assertions;
presenting, to a guard of the resource, (a) a set of one or more tokens that comprises said first token, and (b) an access request for a first principal to access the resource;
receiving access to said resource from said guard; and
accessing said resource.
2 Assignments
0 Petitions
Accused Products
Abstract
Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.
84 Citations
20 Claims
-
1. One or more computer-readable storage media having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:
-
receiving a template that specifies one or more assertions; obtaining a first token that satisfies a first one of said one or more assertions; presenting, to a guard of the resource, (a) a set of one or more tokens that comprises said first token, and (b) an access request for a first principal to access the resource; receiving access to said resource from said guard; and accessing said resource. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of facilitating access to a resource, the method comprising:
-
receiving, from a first principal, a template that specifies a plurality of assertions and that further specifies a first token that satisfies a first one of said plurality of assertions; determining from the template that a second one of said plurality of assertions can be satisfied by a second token containing an assertion made by a second principal; retrieving or generating said second token; sending the guard of the resource an access request which includes the set of tokens which satisfy the template; and gaining access to the resource based on the request. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A system comprising:
-
one or more data remembrance components; a template stored in said one or more data remembrance components, said template specifying one or more assertions; one or more executable components that are stored in said one or more data remembrance components and that retrieve or generate a first token that satisfies a first one of said one or more assertions, and that create a first data structure that comprises one or more tokens that, together with an access request, allow a first principal to access a resource to be true under a policy, said one or more tokens comprising said first token; and a guard that evaluates said first data structure and determines whether to allow said first principal access to said resource based on said access request and said one or more tokens. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification