Persistent authorization context based on external authentication
First Claim
1. A method for providing a first user with controlled access to a local computing resource without requiring that the first user have a unique user account associated with the local computing resource, the method comprising:
- receiving an identifier of the first user from a second user that has a unique user account associated with the local computing resource;
- associating a security identifier (SID) of the first user with the local computing resource based on the identifier received from the second user;
- when the first user attempts to access the local computing resource, receiving a pairwise unique identifier (PUID) associated with the first user that is to be provided access to said local computing resource, said PUID being associated with an external computing resource that has authenticated the first user based on an electronic mail (e-mail) address associated with the first user;
- translating said PUID into a corresponding security identifier (SID) by providing said PUID to an application programming interface (API) and in return receiving the corresponding SID from said API;
- determining when the corresponding SID matches the associated SID using an access control mechanism associated with said local computing resource; and
- providing the first user controlled access to the local computing resource based on the determination.
Abstract
Methods and systems are provided to allow users that are authenticated by a trusted external service to gain controlled levels of access to selected local computing resources without requiring the user to also have conventional access control capabilities for the resources.
31 Claims
10. A computer-readable medium having computer-executable instructions for performing acts comprising:
- associating a security identifier (SID) of a first user with a local computing resource based on an electronic mail (e-mail) address associated with the first user that is provided by a second user having a user account to access the local computing resource;
- accepting a pairwise unique identifier (PUID) associated with the first user that is to be provided controlled access to the local computing resource, said PUID being associated with an external computing resource that has authenticated the first user based on the first user providing the electronic mail (e-mail) address associated with the user to the external computing resource;
- converting said PUID into a corresponding security identifier (SID) by outputting said PUID to an application programming interface (API) and, in return, receiving the corresponding SID from said API;
- verifying that the corresponding SID matches the associated SID using an access control mechanism associated with said local computing resource; and
- allowing controlled access to the local computing resource responsive to the act of verifying and without requiring that the first user have a unique user account associated with the local computing resource.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A computer-readable medium having computer-executable instructions for performing acts comprising:
- associating a security identifier (SID) of a first user with a local computing resource based on an electronic mail (e-mail) address associated with the first user that is input by a second user having a user account to access the local computing resource;
- receiving a pairwise unique identifier (PUID) associated with an authentication context of the first user with an external resource;
- translating said PUID into a corresponding security identifier (SID) associated with the authentication context by subdividing said PUID into at least one sub-authority identifier portion and at least one member identifier portion, and arranging said at least one sub-authority identifier portion and said at least one member identifier portion as said SID; and
- selectively providing the first user controlled access to the local computing resource based on a comparison of the corresponding SID to the SID associated with the local computing resource.
Dependent claims: 20, 21.
22. A system for controlling access to at least one computing resource, the system comprising:
- memory; and
- logic operatively coupled to said memory and configurable to:
  - associate a security identifier (SID) of a first user with said at least one computing resource based on an electronic mail (e-mail) address associated with the first user that is input by a second user having access to said at least one computing resource, the first user to be provided controlled access to said at least one computing resource by the second user;
  - receive a unique identifier associated with the first user through an electronic mail (e-mail) address for the first user, said unique identifier being associated with another computing resource that has authenticated the first user based on the e-mail address for the first user;
  - said logic being further operatively configured to translate said unique identifier into a corresponding security identifier (SID), and to allow said first user to access said at least one computing resource if said corresponding SID matches said SID associated with said at least one computing resource that is stored in said memory, without requiring that the first user have a unique user account associated with said at least one computing resource.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31.
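The flow the claims describe (a second user grants access by e-mail address, the externally issued PUID is translated into a SID by subdividing it, and the result is compared against the resource's access control list) as an added toy model, not code from the patent. Assumed, not stated on the page: a PUID is a 64-bit value split into a 32-bit sub-authority portion and a 32-bit member portion, the identifier-authority value 99 is a placeholder, and `EXTERNAL_DIRECTORY` is a constructed stand-in for the external authentication service.

```python
from dataclasses import dataclass, field

# Assumed layout (not from the page): high 32 bits of the PUID become the
# sub-authority portion, low 32 bits the member portion; 99 is a placeholder
# identifier-authority value.
IDENTIFIER_AUTHORITY = 99


def puid_to_sid(puid: int) -> str:
    """Translate a PUID into a SID by subdividing it and arranging the pieces."""
    if not 0 <= puid < 2 ** 64:
        raise ValueError("PUID must be a 64-bit value")
    sub_authority = puid >> 32
    member_id = puid & 0xFFFFFFFF
    return f"S-1-{IDENTIFIER_AUTHORITY}-{sub_authority}-{member_id}"


# Constructed stand-in for the external service: it has authenticated these
# users by e-mail address and issues their PUIDs.
EXTERNAL_DIRECTORY = {
    "alice@example.com": 0x0000ABCD00001234,
    "mallory@example.com": 0x0000ABCD00009999,
}


@dataclass
class LocalResource:
    name: str
    owner: str                                    # local account of the second user
    allowed_sids: set = field(default_factory=set)  # the resource's access control list


def grant_access(resource: LocalResource, granting_user: str, email: str) -> str:
    """Second user grants the first user access by e-mail; the derived SID is
    stored on the resource, so the first user needs no local account."""
    if granting_user != resource.owner:
        raise PermissionError("only the resource owner may grant access")
    puid = EXTERNAL_DIRECTORY[email]   # identifier -> PUID via the external service
    sid = puid_to_sid(puid)
    resource.allowed_sids.add(sid)
    return sid


def check_access(resource: LocalResource, presented_puid: int) -> bool:
    """At access time: translate the presented PUID and compare it to the ACL."""
    return puid_to_sid(presented_puid) in resource.allowed_sids


if __name__ == "__main__":
    share = LocalResource("budget.xlsx", owner="bob")
    grant_access(share, "bob", "alice@example.com")
    print(check_access(share, EXTERNAL_DIRECTORY["alice@example.com"]))    # True
    print(check_access(share, EXTERNAL_DIRECTORY["mallory@example.com"]))  # False
```

The comparison is on the translated SID only, so a user the external service authenticated but whom the owner never granted is refused even though the translation succeeds.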