Delegation-Based Authorization

US 20110296497A1
Filed: 05/27/2010
Published: 12/01/2011
Est. Priority Date: 05/27/2010
Status: Active Grant

First Claim

Patent Images

1. An authorization system, comprising:

an authorization node executing an authorization policy; and

a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement comprising a delegation of authority over a fact to a further entity,wherein the authorization node is arranged to determine whether the further entity consents to provide the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Delegation-based authorization is described. In one example, a reference monitor receives from a first entity a request and a credential statement comprising a delegation of authority over a fact to a further entity. An authorization node then determines whether the further entity consents to provide the fact to the first entity and evaluates the request in accordance with an authorization policy and the credential statement. In another example, an assertion comprising a statement delegating authority over a fact to a further entity is received at an authorization node from a first entity. An authorization policy is then used to determine that the first entity vouches for the fact if each of these conditions are met: i) the first entity consents to import the fact from the further entity, ii) the further entity consents to export the fact to the first entity, and iii) the further entity asserts the fact.

90 Citations

View as Search Results

20 Claims

1. An authorization system, comprising:
- an authorization node executing an authorization policy; and
  
  a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement comprising a delegation of authority over a fact to a further entity,wherein the authorization node is arranged to determine whether the further entity consents to provide the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A system according to claim 1, wherein if the further entity consents to provide the fact to the first entity, then the delegation succeeds and the credential statement imports the fact from the further entity.
  - 3. A system according to claim 1, wherein if the further entity does not consent to provide the fact to the first entity, then the delegation fails and the credential statement does not import the fact from the further entity.
  - 4. A system according to claim 1, wherein the authorization node is arranged to provide an evaluation result to the reference monitor.
  - 5. A system according to claim 4, wherein the reference monitor is further arranged to grant or deny the first entity access to the resource in dependence on the evaluation result.
  - 6. A system according to claim 1, wherein the reference monitor is further arranged to detect the presence of the delegation of authority and insert an additional condition requiring that the further entity consents to provide the fact to the first entity into the delegation of authority.
  - 7. A system according to claim 1, wherein the authorization node is arranged to evaluate the request for access by determining the union of the authorization policy and the credential statement.
  - 8. A system according to claim 1, wherein the reference monitor receives the request for access and credential statement from a first entity over a communication network.
  - 9. A system according to claim 1, wherein the reference monitor is further arranged to formulate a query from the request, and provide the query and the credential statement to the authorization node.
  - 10. A system according to claim 1, wherein the credential statement is provided by the first entity in support of the request.
  - 11. A system according to claim 1, wherein the request and credential statement are SecPAL statements, and the delegation of authority in the credential statement comprises a “
    - can say”
      
      statement, and the further entity consents to provide the fact to the first entity using a SecPAL “
      
      can listen to”
      
      statement.

12. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving an assertion from a first entity comprising a statement delegating authority over a fact to a further entity; and
  
  using the authorization policy to determine that the first entity vouches for the fact in the case that each of the following are met;
  
  i) the first entity consents to import the fact from the further entity;
  
  ii) the further entity consents to export the fact to the first entity; and
  
  iii) the further entity asserts the fact.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A method according to claim 12, further comprising the step of, subsequent to receiving the assertion, detecting the statement delegating authority and automatically inserting condition ii) into the statement delegating authority.
  - 14. A method according to claim 12, further comprising the step of using the authorization policy to determine that the first entity cannot vouch for the fact in the case that either one or both of condition i) and ii) are not met.
  - 15. A method according to claim 12, further comprising the step of receiving a query in association with the assertion.
  - 16. A method according to claim 15, further comprising the step of evaluating the query in accordance with the authorization policy and the assertion to determine a result.
  - 17. A method according to claim 16, further comprising the step of using the result to grant or deny the first entity access to a resource.
  - 18. A method according to claim 12, wherein the assertion is received from the first entity over a communication network.
  - 19. A method according to claim 12, wherein:
    - the authorization policy is a SecPAL policy;
      
      condition i) comprises a SecPAL “
      
      can say”
      
      statement; and
      
      condition ii) comprises a SecPAL “
      
      can listen to”
      
      statement.

20. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving an authorization query and a supporting credential from a first entity, wherein the credential comprises a delegation statement stating that the first entity asserts a fact if a further entity asserts the fact;
  
  detecting, using a processor, the presence of the delegation statement and inserting an additional condition into the delegation statement to create a modified delegation statement which states that the first entity asserts a fact if the further entity asserts the fact and if the further entity consents to export the fact to the first entity;
  
  evaluating the query, using the processor, against the authorization policy in union with the modified delegation statement; and
  
  returning the result of the query to the first entity via a communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Becker, Moritz

Granted Patent

US 9,160,738 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/1408 by monitoring network traff...

Delegation-Based Authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Delegation-Based Authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links