TRUSTING SECURITY ATTRIBUTE AUTHORITIES THAT ARE BOTH COOPERATIVE AND COMPETITIVE

US 20100050246A1
Filed: 10/30/2009
Published: 02/25/2010
Est. Priority Date: 12/31/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of authorizing a user of a first domain with access to resources of a second domain, the method comprising the steps of:

assigning first role first and second roles to a user in a first domain;

assigning a specified role in a second domain to the first role only if the user has been assigned the first and second roles in the first domain;

assigning access to a resource in the second domain to the specified role;

receiving a request from the user for the resource; and

providing the user with access to the resource, only if the user has been assigned the first and second roles in the first domain without allowing any user who does not have both of the first and second roles, access to the resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for authorizing a user. The method comprises the steps of assigning a first role to a user in a first domain, assigning a second role in a second domain to the first role, and assigning access to a resource in the second domain to the second role. The method comprises the further steps of receiving a request from the user for the resource; and providing access to the resource, to the user. The invention may be employed by users and services to manage their interaction with those services, including configuring which they trust for what types of information, in what applications, and which subsets of information they can be trusted to provide.

Citations

26 Claims

1. A method of authorizing a user of a first domain with access to resources of a second domain, the method comprising the steps of:
- assigning first role first and second roles to a user in a first domain;
  
  assigning a specified role in a second domain to the first role only if the user has been assigned the first and second roles in the first domain;
  
  assigning access to a resource in the second domain to the specified role;
  
  receiving a request from the user for the resource; and
  
  providing the user with access to the resource, only if the user has been assigned the first and second roles in the first domain without allowing any user who does not have both of the first and second roles, access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 12, 25)
- - 2. A method according to claim 1, wherein said request includes information identifying the roles of the user in the first domain.
  - 3. A method according to claim 2, wherein said request also includes information about the first domain.
  - 4. A method according to claim 1, wherein the receiving step includes the step of passing a secure, trusted token to the second domain identifying the roles of the user in the first domain.
  - 5. A method according to claim 1, wherein:
    - a set of users have roles in the first domain; and
      
      some of said roles in the first domain are defined as users in the second domain.
  - 6. A method according to claim 1, further comprising the step of providing a database that identifies, for each of a set of roles in the first domain, one or more roles in the second domain, and wherein the step of assigning a specified role in a second domain to the first role includes the steps of using said first role as an index into said database to identify said specified role from the database.
  - 7. A method according to claim 1, wherein each of a set of roles in the first domain is mapped to one or more roles in the second domain using a procedure selected from the group comprising:
    - mapping each of said set of roles in the first domain to a respective one role in the second domain, mapping each of said set of roles in the first domain to a plurality of roles in the second domain, and mapping a plurality of roles in the first domain to one, common role in the second domain.
  - 12. A system according to claim 7, wherein:
    - a set of users have roles in the first domain; and
      
      some of said roles in the first domain are defined as users in the second domain.
  - 25. The method according to claim 1, wherein the first role has a plurality of attributes, and the second domain removes selected ones of the attributes from the first role.

8. A system for authorizing a user of a first domain with access to resources of a second domain, the system comprising:
- means for assigning first and second roles to a user in a first domain;
  
  means for assigning a specified role in a second domain to the first role only if the user has been assigned the first and second roles in the first domain;
  
  means for assigning access to a resource in the second domain to the specified role;
  
  means for receiving a request from the user for the resource; and
  
  means for providing the user with access to the resource only if the user has been assigned the first and second roles in the first domain without allowing any user who does not have both of the first and second roles, access to the resource.
- View Dependent Claims (9, 10, 11, 13, 26)
- - 9. A system according to claim 8, wherein said request includes information identifying the roles of the user in the first domain.
  - 10. A system according to claim 9, wherein said request also includes information about the first domain.
  - 11. A system according to claim 8, further comprising:
    - a secure, trusted token identifying the roles of the user in the first domain; and
      
      means for passing the token to the second domain.
  - 13. A system according to claim 8, further comprising a database that identifies, for each of a set of roles in the first domain, one or more roles in the second domain, and wherein the means for assigning the specified role in a second domain to the first role includes means for using said first role as an index into said database to identify said specified role from the database.
  - 26. The system according to claim 8, wherein the first role has a plurality of attributes, and the second domain removes selected ones of the attributes to provide a user of the first domain with access to resources of the second domain.

14. (canceled)

15. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for authorizing a user of a first domain with access to resources of a second domain, said method steps comprising:
- assigning first and second roles to a user in a first domain;
  
  assigning a specified role in a second domain to the first role only if the user has been assigned the first and second roles in the first domain;
  
  assigning access to a resource in the second domain to the specified role;
  
  receiving a request from the user for the resource; and
  
  providing the user with access to the resource only if the user has been assigned the first and second roles in the first domain without allowing any user who does not have both of the first and second roles, access to the resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A program storage device according to claim 15, wherein said request includes information identifying the roles of the user in the first domain.
  - 17. A method according to claim 16, wherein said request also includes information about the first domain.
  - 18. A method according to claim 15, wherein the receiving step includes the step of passing a secure, trusted token to the second domain identifying the role of the user in the first domain.
  - 19. A method according to claim 15, wherein:
    - a set of users have roles in the first domain; and
      
      some of said roles in the first domain are defined as users in the second domain.
  - 20. A program storage device according to claim 15, wherein said method steps further comprise the step of providing a database that identifies, for each of a set of roles in the first domain, one or more roles in the second domain;
    - and the step of assigning a specified role in a second domain to the first role includes the steps of using said first role as an index into said database to identify said specified role from the database.
  - 21. A program storage device according to claim 15, wherein each of a set of roles in the first domain is mapped to one or more roles in the second domain using a procedure selected from the group comprising:
    - mapping each of said set of roles in the first domain to a respective one role in the second domain, mapping each of said set of roles in the first domain to a plurality of roles in the second domain, and mapping a plurality of roles in the first domain to one, common role in the second domain.

22. A method of mapping from an attribute in one domain to an identity in another domain to provide a user of a first domain with access to resources of a second domain, the method comprising the steps of:
- assigning first and second roles to a user in a first domain;
  
  assigning an identity in a second domain to the first role only if the user has been assigned the first and second roles in the first domain;
  
  assigning to the identity access to a resource in the second domain;
  
  receiving a request from the user with the first role for the resource;
  
  mapping the request to the identity in the second domain; and
  
  providing the user with access to the resource only if the user has been assigned the first and second roles in the first domain without allowing any user who does not have both of the first and second roles, access to the resource.
- View Dependent Claims (23, 24)
- - 23. A method according to claim 22, further comprising the step of providing a database that identifies, for each of a set of roles in the first domain, one or more roles in the second domain, and wherein the mapping step includes the steps of using said first role as an index into said database to identify said identity for the first role in the second domain.
  - 24. A method according to claim 22, wherein each of a set of roles in the first domain is mapped to one or more identities in the second domain using a procedure selected from the group comprising:
    - mapping each of said set of roles in the first domain to a respective one identity in the second domain, mapping each of said set of roles in the first domain to a plurality of identities in the second domain, and mapping a plurality of roles in the first domain to one, common identity in the second domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Pescatello, Joseph A., Zurko, Mary Ellen

Application Number

US12/609,493
Publication Number

US 20100050246A1
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/08 for authentication of entit...

TRUSTING SECURITY ATTRIBUTE AUTHORITIES THAT ARE BOTH COOPERATIVE AND COMPETITIVE

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTING SECURITY ATTRIBUTE AUTHORITIES THAT ARE BOTH COOPERATIVE AND COMPETITIVE

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links