AUTHENTICATION SYSTEM, AUTHENTICATION METHOD, AND STORAGE MEDIUM FOR REALIZING A MULTITENANT SERVICE
First Claim
1. An authentication system comprising:
- a management unit configured to manage whether a screen corresponding to a URL can be provided based on role information, manage application program interface (API) execution authority based on role information, and manage whether data is distributed based on role information;
- a reception unit configured to receive an access allowance or denial confirmation with respect to a resource and an authentication token;
- a determination unit configured to determine role information associated with the authentication token received by the reception unit;
- a URL verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is a URL resource, whether access is permitted based on the role information determined by the determination unit and role information of the URL resource based on a management content of the management unit;
- a provision unit configured to provide a screen corresponding to the URL resource if the access is permitted by the URL verification unit;
- an API verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is execution of an API, whether access is permitted based on the role information determined by the determination unit and role information of execution authority of the API based on a management content of the management unit;
- an execution unit configured to execute the API if it is determined that the access is permitted by the API verification unit; and
- a data distribution verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is distribution of data, whether access is permitted based on the role information determined by the determination unit and role information of distribution of the data based on a management content of the management unit; and
- a distribution unit configured to distribute the data if it is determined that the access is permitted by the data distribution verification unit.
Abstract
In order to prevent leakage of data possessed by one tenant to other tenants in a multitenant service, access must be controlled. However, a conventional access control method is designed and developed to meet one specified request, so the costs of a dedicated design, development, administration, and maintenance must be considered for each service. Such costs can be reduced by holding role information for each of a plurality of services and determining whether to allow or deny access in a uniform manner.
12 Claims
4. An authentication system comprising:
- a management unit configured to manage role management information where a role is managed for each of a plurality of requested resource types;
- a reception unit configured to receive an access allowance or denial confirmation with respect to a resource and an authentication token;
- a first determination unit configured to determine role information associated with the authentication token received by the reception unit;
- an acquisition unit configured to acquire the role management information where role information of each resource type corresponding to the access allowance or denial confirmation received by the reception unit is managed by the management unit; and
- a second determination unit configured to determine whether access to the resource type is to be permitted or not by the role information corresponding to each resource type acquired by the acquisition unit and the role information determined by the first determination unit.

5. An authentication method comprising:
- managing whether a screen corresponding to a URL is provided by role information, application program interface (API) execution authority based on role information, and whether data is to be distributed based on role information;
- receiving an access allowance or denial confirmation with respect to a resource and an authentication token;
- determining role information associated with the received authentication token;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is a URL resource, whether access is to be permitted based on the determined role information and role information of the URL resource based on management content;
- providing a screen corresponding to the URL resource if it is determined that the access is permitted;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is execution of an API, whether access is to be permitted based on the determined role information and role information of execution authority of the API based on management content;
- executing the API if it is determined that the access is permitted;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is distribution of data, whether access is to be permitted based on the determined role information and role information of distribution of the data based on management content; and
- distributing the data if it is determined that the access is permitted.
Dependent claims: 6, 7.

8. An authentication method comprising:
- managing role management information where a role is managed for each of a plurality of requested resource types;
- receiving an access allowance or denial confirmation with respect to a resource and an authentication token;
- determining role information associated with the received authentication token;
- acquiring the role management information where role information of each resource type corresponding to the received access allowance or denial confirmation is managed; and
- determining whether access to the resource type is to be permitted or not based on the acquired role information corresponding to each acquired resource type and the determined role information.

9. A storage medium storing a computer-executable program for causing a computer to execute operations comprising:
- managing whether a screen corresponding to a URL is provided by role information, application program interface (API) execution authority based on role information, and whether data is to be distributed based on role information;
- receiving an access allowance or denial confirmation with respect to a resource and an authentication token;
- determining role information associated with the received authentication token;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is a URL resource, whether access is to be permitted based on the determined role information and role information of the URL resource based on management content;
- providing a screen corresponding to the URL resource if it is determined that the access is permitted;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is execution of an API, whether access is to be permitted based on the determined role information and role information of execution authority of the API based on management content;
- executing the API if it is determined that the access is permitted;
- verifying, if a resource type corresponding to the received access allowance or denial confirmation is distribution of data, whether access is to be permitted based on the determined role information and role information of distribution of the data based on management content; and
- distributing the data if it is determined that the access is permitted.
Dependent claims: 10, 11.

12. A storage medium storing a computer-executable program for causing a computer to execute operations comprising:
- managing role management information where a role is managed for each of a plurality of requested resource types;
- receiving an access allowance or denial confirmation with respect to a resource and an authentication token;
- determining role information associated with the received authentication token;
- acquiring the role management information where role information of each resource type corresponding to the received access allowance or denial confirmation is managed; and
- determining whether access to the resource type is to be permitted or not based on the acquired role information corresponding to each acquired resource type and the determined role information.
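The claims describe one uniform allow/deny check, keyed on role information looked up from the authentication token and on per-resource-type role management information, for three resource types: a screen for a URL, execution of an API, and distribution of data. The following is an added illustration in Python, not code from the patent; the resource ids, tokens, role names and the tenant-prefix rule for data resources are constructed assumptions.

```python
from enum import Enum

class ResourceType(Enum):
    URL = "url"    # screen corresponding to a URL
    API = "api"    # execution of an API
    DATA = "data"  # distribution of data

# Management unit: role management information, one table per requested resource type.
# Constructed sample; each entry lists the roles permitted for that resource.
ROLE_MANAGEMENT = {
    ResourceType.URL: {"/dashboard": {"admin", "user"}, "/admin/users": {"admin"}},
    ResourceType.API: {"reports.read": {"admin", "user", "auditor"}, "users.delete": {"admin"}},
    ResourceType.DATA: {"tenant-a/report-2024": {"admin", "user"}},
}

# Determination unit: authentication token -> (tenant, roles). Constructed sample tokens;
# a real deployment validates the token (signature, expiry) before this lookup.
TOKENS = {
    "tok-alice": ("tenant-a", {"user"}),
    "tok-bob": ("tenant-b", {"admin"}),
    "tok-carol": ("tenant-a", {"auditor"}),
}

def determine_roles(token):
    """Return (tenant, roles) associated with a token, or None if the token is unknown."""
    return TOKENS.get(token)

def is_access_permitted(resource_type, resource_id, token):
    """Access allowance or denial confirmation, applied identically to every resource type."""
    identity = determine_roles(token)
    if identity is None:
        return False  # unknown or revoked token: deny
    tenant, roles = identity
    required = ROLE_MANAGEMENT[resource_type].get(resource_id)
    if required is None:
        return False  # resource not registered with the management unit: deny by default
    # Assumption added here: data resources are tenant-scoped by id prefix, so a role match
    # alone never distributes one tenant's data to a user of another tenant.
    if resource_type is ResourceType.DATA and not resource_id.startswith(tenant + "/"):
        return False
    return bool(roles & required)

def handle_request(resource_type, resource_id, token):
    """Provision / execution / distribution unit: acts only after the verification permits."""
    if not is_access_permitted(resource_type, resource_id, token):
        return None
    action = {ResourceType.URL: "screen", ResourceType.API: "executed", ResourceType.DATA: "data"}
    return f"{action[resource_type]}:{resource_id}"
```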