OBLIGATION SYSTEM FOR ENTERPRISE ENVIRONMENTS
First Claim
1. A computer-implemented method comprising:
receiving, at an authorization system, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;
wherein the payload field is defined within the basic permission class;
in response to receiving the holder-permission object, the authorization system determining whether one or more policies pertaining to the additional information are satisfied;
based at least in part on a determination of whether the one or more policies are satisfied by the additional information, the authorization system placing, within the holder-permission object, an indication of whether the application is allowed to perform the operation; and
returning, from the authorization system to the application, the holder-permission object containing the indication.
1 Assignment
0 Petitions
Abstract
An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Because the authorization system conforms to the legacy model, legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications. Such obligations can indicate requirements that those applications need to fulfill in conjunction with performing operations on resources.
Claims (20)
1. A computer-implemented method comprising:
receiving, at an authorization system, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;
wherein the payload field is defined within the basic permission class;
in response to receiving the holder-permission object, the authorization system determining whether one or more policies pertaining to the additional information are satisfied;
based at least in part on a determination of whether the one or more policies are satisfied by the additional information, the authorization system placing, within the holder-permission object, an indication of whether the application is allowed to perform the operation; and
returning, from the authorization system to the application, the holder-permission object containing the indication.
Dependent claims: 2, 3, 4, 5, 6, 7, 15.
8. A computer-readable storage memory storing particular instructions capable of causing one or more processors to perform specified operations, the particular instructions comprising:
instructions to cause an authorization system to receive, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the resource are satisfied;
wherein the one or more policies specify one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource;
instructions to cause the authorization system to place, within the holder-permission object, and based at least in part on a determination that the one or more policies are satisfied, an indication that the application is allowed to perform the operation;
instructions to cause the authorization system to place the one or more obligations within a payload field of the holder-permission object based at least in part on a determination that the one or more policies are satisfied;
wherein the payload field is defined within the basic permission class; and
instructions to cause the authorization system to return, to the application, the holder-permission object containing the indication and the one or more obligations.
Dependent claims: 9, 10, 11, 12, 13, 14.
16. A system comprising:
one or more processors; and
a computer-readable storage memory that stores particular instructions comprising:
instructions to cause an authorization system to receive, from an application, a holder-permission object that is an instance of a holder-permission class that extends a basic permission class;
wherein the holder-permission object specifies a resource relative to which the application is requesting to perform an operation;
wherein the holder-permission object specifies additional information in a payload field of the holder-permission object;
instructions to cause the authorization system to determine, in response to receiving the holder-permission object, whether one or more policies pertaining to the additional information are satisfied;
wherein the one or more policies specify one or more obligations that indicate one or more requirements that the application is required to fulfill in conjunction with the application performing the operation relative to the resource;
instructions to cause the authorization system to place, within the holder-permission object, and based at least in part on a determination that the one or more policies are satisfied by the additional information, an indication that the application is allowed to perform the operation;
instructions to cause the authorization system to place the one or more obligations within a payload field of the holder-permission object based at least in part on a determination that the one or more policies are satisfied;
wherein the payload field is defined within the basic permission class; and
instructions to cause the authorization system to return, to the application, the holder-permission object containing the indication and the one or more obligations.
Dependent claims: 17, 18, 19, 20.
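The flow described in the abstract and in claims 1, 8 and 16, as an added example that is not part of the patent text, the patent's specification, or any product it covers: a basic permission class defines the payload field, a holder-permission subclass marks callers that can consume obligations, and the authorization system evaluates policies over the payload, places the decision and obligations back into the same object, and returns it. Legacy-shaped requests fall through to an unconditional grant table. All class names, policies, obligation strings and sample requests below are assumptions made for illustration.

```python
# Added example, not from the patent: a toy model of the claimed flow. A basic
# permission class defines the payload field, a holder-permission subclass marks
# policy-aware callers, and the authorization system evaluates policies over the
# payload and writes the decision and obligations back into the same object.
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Payload keys owned by the authorization system; cleared on entry so a caller
# cannot pre-fill a verdict and have it echoed back.
DECISION_KEY = "allowed"
OBLIGATIONS_KEY = "obligations"


class BasicPermission:
    """Legacy-shaped permission (resource plus action). The payload field lives
    here, in the base class, so legacy callers keep working and can ignore it."""

    def __init__(self, name: str, actions: str) -> None:
        self.name = name
        self.actions = actions
        self.payload: dict[str, Any] = {}


class HolderPermission(BasicPermission):
    """Structurally identical to the base class; the subclass signals that the
    caller will read the indication and obligations back out of the payload."""


@dataclass
class Policy:
    resource: str
    action: str
    predicate: Callable[[dict[str, Any]], bool]  # evaluated over the caller's payload
    obligations: list[str] = field(default_factory=list)


class AuthorizationSystem:
    def __init__(self, legacy_grants: set[tuple[str, str]], policies: list[Policy]) -> None:
        self._legacy_grants = legacy_grants  # unconditional (resource, action) grants
        self._policies = policies

    def authorize(self, perm: BasicPermission) -> BasicPermission:
        """Decide the request and return the same object with the decision recorded."""
        perm.payload.pop(DECISION_KEY, None)  # never trust caller-supplied verdicts
        perm.payload.pop(OBLIGATIONS_KEY, None)
        matching = [p for p in self._policies
                    if p.resource == perm.name and p.action == perm.actions]
        if not matching or not isinstance(perm, HolderPermission):
            # Legacy path: no payload-aware policy applies, or the caller cannot
            # honour obligations, so the unconditional grant table decides.
            perm.payload[DECISION_KEY] = (perm.name, perm.actions) in self._legacy_grants
            return perm
        satisfied = all(p.predicate(perm.payload) for p in matching)
        perm.payload[DECISION_KEY] = satisfied
        if satisfied:  # obligations only accompany a grant; keep order, drop duplicates
            obligations: list[str] = []
            for p in matching:
                for o in p.obligations:
                    if o not in obligations:
                        obligations.append(o)
            perm.payload[OBLIGATIONS_KEY] = obligations
        return perm


def build_demo_system() -> AuthorizationSystem:
    """Constructed sample policies and grants (assumptions, not from the patent)."""
    policies = [
        Policy("hr/payroll", "read",
               lambda info: info.get("mfa") is True and info.get("clearance", 0) >= 2,
               ["audit-log", "redact:ssn"]),
        Policy("hr/payroll", "write",
               lambda info: info.get("role") == "payroll-admin",
               ["audit-log", "four-eyes-approval"]),
    ]
    return AuthorizationSystem({("public/docs", "read")}, policies)


def request(system: AuthorizationSystem, perm_cls: type, resource: str, action: str,
            info: Optional[dict[str, Any]] = None) -> tuple[bool, list[str]]:
    """Submit a permission of the given class and read the result back out of it."""
    perm = perm_cls(resource, action)
    perm.payload.update(info or {})
    perm = system.authorize(perm)
    return perm.payload[DECISION_KEY], perm.payload.get(OBLIGATIONS_KEY, [])


def application_access(system: AuthorizationSystem, resource: str, action: str,
                       info: dict[str, Any], handlers: dict[str, Callable[[], bool]]) -> str:
    """Policy-aware application: fulfil every returned obligation before acting,
    failing closed on any obligation it does not know how to fulfil."""
    allowed, obligations = request(system, HolderPermission, resource, action, info)
    if not allowed:
        return "denied"
    for obligation in obligations:
        handler = handlers.get(obligation)
        if handler is None or not handler():
            return f"aborted: cannot fulfil obligation {obligation!r}"
    return "performed"
```

Two points a practitioner would check in a real deployment of this pattern. First, because the permission object round-trips through the caller, the authorization system must treat the payload as caller-controlled: here it clears the verdict and obligation keys on entry, and a production system should keep the verdict somewhere the caller cannot write or integrity-protect it. Second, a resource guarded by a payload-aware policy must not also appear in the legacy grant table, otherwise a plain legacy-shaped request reaches it without the policy ever being evaluated; the application side likewise has to fail closed on any obligation it cannot fulfil, since an unhonoured obligation silently turns a conditional grant into an unconditional one.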
Specification