Delegation-Based Authorization
First Claim
1. An authorization system, comprising:

an authorization node executing an authorization policy; and a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement comprising a delegation of authority over a fact to a further entity, wherein the authorization node is arranged to determine whether the further entity consents to provide the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement.
2 Assignments
0 Petitions
Abstract
Delegation-based authorization is described. In one example, a reference monitor receives from a first entity a request and a credential statement comprising a delegation of authority over a fact to a further entity. An authorization node then determines whether the further entity consents to provide the fact to the first entity and evaluates the request in accordance with an authorization policy and the credential statement. In another example, an assertion comprising a statement delegating authority over a fact to a further entity is received at an authorization node from a first entity. An authorization policy is then used to determine that the first entity vouches for the fact if each of these conditions is met: i) the first entity consents to import the fact from the further entity, ii) the further entity consents to export the fact to the first entity, and iii) the further entity asserts the fact.
90 Citations
20 Claims
1. An authorization system, comprising:

an authorization node executing an authorization policy; and a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement comprising a delegation of authority over a fact to a further entity, wherein the authorization node is arranged to determine whether the further entity consents to provide the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement.

Dependent claims: 2 to 11.

12. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:

receiving an assertion from a first entity comprising a statement delegating authority over a fact to a further entity; and using the authorization policy to determine that the first entity vouches for the fact in the case that each of the following is met: i) the first entity consents to import the fact from the further entity; ii) the further entity consents to export the fact to the first entity; and iii) the further entity asserts the fact.

Dependent claims: 13 to 19.

20. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:

receiving an authorization query and a supporting credential from a first entity, wherein the credential comprises a delegation statement stating that the first entity asserts a fact if a further entity asserts the fact; detecting, using a processor, the presence of the delegation statement and inserting an additional condition into the delegation statement to create a modified delegation statement which states that the first entity asserts a fact if the further entity asserts the fact and if the further entity consents to export the fact to the first entity; evaluating the query, using the processor, against the authorization policy in union with the modified delegation statement; and returning the result of the query to the first entity via a communication network.
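The following is an added illustration of the evaluation described in claims 12 and 20; it is not code from the patent or from any implementation of it. It models assertions, consent statements and delegation credentials as ground Horn clauses, applies the claim-20 rewrite (insert "further entity consents to export the fact" into every delegation statement), optionally the claim-12 three-way check (import consent, export consent and the further entity's assertion), and then evaluates a query against the policy in union with the modified credentials. The principals (FileServer, Contoso, HRProvider), the employee fact and the resource are constructed for the scenario and are not from the page.

```python
"""Delegation-based authorization with consent checks (ground Datalog-style rules)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Ground atoms, e.g. ("asserts", "HRProvider", "employee(alice)") or
# ("consents_export", "HRProvider", "Contoso", "employee(alice)").
Atom = Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    """head holds whenever every atom in body holds (a ground Horn clause)."""
    head: Atom
    body: Tuple[Atom, ...]


def delegation(first: str, further: str, fact: str) -> Rule:
    """Raw credential: 'first asserts fact if further asserts fact'."""
    return Rule(("asserts", first, fact), (("asserts", further, fact),))


def is_delegation(rule: Rule) -> bool:
    """Detect a delegation statement: single condition, same fact, different principal."""
    if rule.head[0] != "asserts" or len(rule.body) != 1:
        return False
    cond = rule.body[0]
    return cond[0] == "asserts" and cond[2] == rule.head[2] and cond[1] != rule.head[1]


def require_consent(rule: Rule, require_import: bool = False) -> Rule:
    """Claim-20 rewrite: append 'further consents to export fact to first'.
    With require_import=True also append 'first consents to import fact from
    further', giving the three conditions of claim 12. Non-delegations pass through."""
    if not is_delegation(rule):
        return rule
    first, fact = rule.head[1], rule.head[2]
    further = rule.body[0][1]
    extra: List[Atom] = [("consents_export", further, first, fact)]
    if require_import:
        extra.append(("consents_import", first, further, fact))
    return Rule(rule.head, rule.body + tuple(extra))


def derive(rules: Iterable[Rule], base: Iterable[Atom]) -> FrozenSet[Atom]:
    """Least fixpoint: add a head once its whole body is known, until nothing changes."""
    known = set(base)
    rules = list(rules)
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r.head not in known and all(a in known for a in r.body):
                known.add(r.head)
                changed = True
    return frozenset(known)


def evaluate(policy: Iterable[Rule], credentials: Iterable[Rule], base: Iterable[Atom],
             query: Atom, require_import: bool = False) -> bool:
    """Authorization node: rewrite the presented credentials, then evaluate the
    query against policy ∪ modified credentials."""
    modified = [require_consent(c, require_import) for c in credentials]
    return query in derive(list(policy) + modified, base)


# --- constructed scenario (hypothetical principals, not from the patent) ---
FACT = "employee(alice)"
QUERY: Atom = ("asserts", "FileServer", "can_read(alice,report)")

# Resource owner's policy: alice may read the report if Contoso vouches she is an employee.
POLICY = [Rule(QUERY, (("asserts", "Contoso", FACT),))]

# Credential alice presents: Contoso delegates the employee fact to its HR provider.
CREDENTIALS = [delegation("Contoso", "HRProvider", FACT)]

BASE_NO_CONSENT = {("asserts", "HRProvider", FACT)}
BASE_WITH_CONSENT = BASE_NO_CONSENT | {("consents_export", "HRProvider", "Contoso", FACT)}
BASE_FULL = BASE_WITH_CONSENT | {("consents_import", "Contoso", "HRProvider", FACT)}


def decide(base, require_import: bool = False) -> bool:
    """Decision with the consent rewrite applied (claim 20; claim 12 if require_import)."""
    return evaluate(POLICY, CREDENTIALS, base, QUERY, require_import)


def decide_naive(base) -> bool:
    """Decision without the rewrite: the raw delegation fires regardless of consent."""
    return QUERY in derive(POLICY + CREDENTIALS, base)


if __name__ == "__main__":
    print("naive, no consent          :", decide_naive(BASE_NO_CONSENT))
    print("claim 20, no export consent:", decide(BASE_NO_CONSENT))
    print("claim 20, export consent   :", decide(BASE_WITH_CONSENT))
    print("claim 12, no import consent:", decide(BASE_WITH_CONSENT, True))
    print("claim 12, all three met    :", decide(BASE_FULL, True))
```

The contrast between `decide_naive` and `decide` is the point of the rewrite: with the raw credential, the authorization node would let Contoso vouch for the employee fact as soon as HRProvider asserts it, whereas the modified delegation statement denies the request until HRProvider has consented to export that fact to Contoso (and, under the claim-12 variant, until Contoso has also consented to import it).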
Specification