IDENTITY AND POLICY ENABLED COLLABORATION

US 20100043049A1
Filed: 08/15/2008
Published: 02/18/2010
Est. Priority Date: 08/15/2008
Status: Abandoned Application

First Claim

Patent Images

1. A machine-implemented method, comprising:

receiving, from a principal, a request to access a resource;

acquiring a principal identity and a policy for the request, wherein the policy includes security restrictions for the principal identity when accessing the resource; and

enforcing the security restrictions when the principal accesses the resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for identity and policy enabled collaboration are provided. Access to assets of an enterprise is governed by identity relationships. A policy defines security restrictions between collaborating network resources based on identities assigned to the network resources. During collaboration, the security restrictions are enforced.

Citations

25 Claims

1. A machine-implemented method, comprising:
- receiving, from a principal, a request to access a resource;
  
  acquiring a principal identity and a policy for the request, wherein the policy includes security restrictions for the principal identity when accessing the resource; and
  
  enforcing the security restrictions when the principal accesses the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein receiving further includes authenticating the principal with credentials supplied by the principal.
  - 3. The method of claim 1, wherein acquiring further includes acquiring a resource identity for the resource, and wherein the security restrictions of the policy also account for the resource identity along with the principal identity.
  - 4. The method of claim 3, wherein acquiring further includes acquiring an environment identity for an environment that includes the resource, and wherein the security restrictions of the policy also account for the environment identity along with the resource identity and the principal identity.
  - 5. The method of claim 1, wherein acquiring further includes acquiring the policy from an environment that includes the resource and acquiring the principal identity from a remote identity service.
  - 6. The method of claim 1, wherein acquiring further includes acquiring the policy and the principal identity from a remote identity service.
  - 7. The method of claim 1, wherein enforcing further includes permitting the principal in accordance with the security restrictions to define subsequent access to the resource via a new policy created by the principal, wherein the new policy defines additional security restrictions to the resource for a different principal that is recognized via a different principal identity within the new policy.

8. A machine-implemented method, comprising:
- receiving a policy from a first principal, wherein the policy includes security restrictions for accessing a resource in response to a second principal identity assigned to a second principal;
  
  configuring an environment that includes the resource with the security restrictions; and
  
  enforcing the security restrictions within the environment when the second principal accesses the resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein receiving further includes authenticating the first principal to a first principal identity associated with another policy that permits the first principal to define the policy for the resource.
  - 10. The method of claim 8, wherein receiving further includes defining via the policy a reference to a resource identity that identifies the resource in relation to a reference to the second principal identity.
  - 11. The method of claim 10, wherein receiving further includes defining via the policy a reference to an environment identity that identifies a context for the resource in relation to the second principal identity.
  - 12. The method of claim 8 further comprising, carrying the policy as metadata associated with the environment.
  - 13. The method of claim 8 further comprising, housing the policy with a remote identity service that subsequently is used to authenticate the second principal and assign the second principal identity when the second principal accesses the resource.
  - 14. The method of claim 8 further comprising:
    - receiving a second policy from the first principal that includes additional security restrictions for the second principal identity when accessing the resource from a second environment that is different from the environment; and
      
      enforcing the additional security restrictions when the second principal accesses the resource from a context associated with the second environment.

15. A machine-implemented system, comprising:
- an identity service implemented in a computer-readable storage medium and to process on a network; and
  
  a security service implemented in a computer-readable storage medium and to process on the network;
  
  wherein the identity service is to authenticate a principal to a principal identity when the principal requests access to a resource, and wherein the security service is to obtain a policy that is specific to the principal identity and the resource, the policy includes security restrictions that are enforced by the security service against the principal during access to the resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15 further comprising, a policy repository implemented in a computer-readable storage medium and accessed over the network by the identity service to supply the policy to the security service.
  - 17. The system of claim 15, wherein the policy is obtained by the security service from metadata associated with the resource.
  - 18. The system of claim 15, wherein the policy is obtained by the security service from metadata associated with an environment that includes the resource.
  - 19. The system of claim 15 further comprising, a local policy repository implemented in a computer-readable storage medium and accessed by the security service to obtain the policy from an environment that includes the resource, wherein the local policy repository is within the environment of the resource and is therefore local to the resource and the environment.
  - 20. The system of claim 15, wherein the identity service consults a second identity service to assist in resolving the principal identity on behalf of the security service.

21. A machine-implemented system comprising:
- a policy-identity collaboration interface implemented in a computer-readable storage medium and to process on a network; and
  
  a security service implemented in a computer-readable storage medium and to process on the network;
  
  wherein the policy-identity collaboration interface is to interact with a principal to define a policy, the policy includes security restrictions for a collaborations that can occur between two or more resources based on identities assigned to those two or more resources, and wherein the security service configures the policy and enforces the policy when the two or more resources collaborate with one another on the network.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, wherein the policy-identity collaboration interface stores the policy in a policy repository that is accessible over the network to an identity service that collaborates with the security service.
  - 23. The system of claim 21, wherein the policy-identity collaboration interface stores the policy in a policy repository that is accessible from within a specific environment that houses a target resource, the policy repository accessed by the security service from within the environment.
  - 24. The system of claim 21, wherein the policy defines the security restrictions in response to a requesting resource identity assigned to a requesting resource, a target resource identity assigned to a target resource, and an environment identity assigned to an environment that includes the target resource.
  - 25. The system of claim 24, wherein the requesting resource identity is a crafted identity provided by an identity service to the requesting resource for accessing the target resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
McClain, Carolyn B., Carter, Stephen R., Burch, Lloyd Leon

Application Number

US12/192,688
Publication Number

US 20100043049A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

IDENTITY AND POLICY ENABLED COLLABORATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY AND POLICY ENABLED COLLABORATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links