Authorization and access control service for distributed network resources
First Claim
1. A method of providing from a centralized location access control to a resource for one or more users, said method comprising:
receiving at the centralized location an authorization request from a first entity to issue authorization data for the one or more users based on roles associated with the users as part of an organization model, wherein said authorization data is required by a second entity for allowing the first entity to conditionally access a resource controlled by the second entity;
responsive to the received authorization request, creating a conditional scope expression identifying the resource by a resource name and by at least one property name-property value pair associated with the resource to conditionally define access to the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity;
encrypting the created conditional scope expression;
responsive to the received authorization request, issuing the authorization data from the centralized location to the first entity, wherein the first entity provides the issued authorization data to the second entity to conditionally access the resource controlled by the second entity, said authorization data including the conditional scope expression identifying the resource, said authorization data further including validation information;
receiving at the centralized location a validation request from the second entity to validate the issued authorization data provided to the second entity by the first entity;
responsive to the received validation request, validating the issued authorization data based on the validation information included in the authorization data; and
responsive to validating the issued authorization data, sending from the centralized location a response to the second entity indicating a determined validation status, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
Abstract
Providing access to a resource via authorization data that conditionally defines the access by an expression that identifies the resource by name and by at least one property of the resource. An authorization service issues the authorization data (e.g., as a token) and evaluates authorization data received from a client. The authorization service evaluates the expression in the authorization data to identify the resource and determine the rights associated with the user for the resource. The authorization service implements role-based access control to control access to resources in a distributed, multi-site network.
25 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 20, 21, 22, 23, 24, 25.
5. A method for validating at a centralized location authorization data to provide conditional access to a resource for one or more users, said method comprising:
receiving at the centralized location an authorization request from a client to issue authorization data for the one or more users based on roles associated with the users, wherein said authorization data is required by an affiliate server for allowing the client to conditionally access a resource controlled by said affiliate server;
responsive to the received authorization request, generating at the centralized location an authorization token having a header field, a source field, and a claim field, said header field representing validation information, said source field representing the identity of the user, said claim field specifying the resource conditionally, said claim field including a conditional scope expression identifying the resource by a resource name and by at least one property name-property value pair associated with the resource to conditionally define access to the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the affiliate server;
sending the authorization token from the centralized location to the client, wherein the client provides the authorization token to the affiliate server to conditionally access the resource controlled by the affiliate server;
receiving at the centralized location over a secure sockets layer a validation request from the affiliate server to validate the authorization token provided by the client, said receiving the validation request comprises receiving a data packet according to the Simple Object Access Protocol (SOAP), and further comprising extracting the authorization token from the received data packet;
responsive to the extracted authorization token, retrieving validation information from the header field of the received authorization token;
responsive to the retrieved validation information, evaluating the retrieved validation information to determine a validation status of the received authorization token; and
responsive to the determined validation status, sending from the centralized location a response to the affiliate server indicating the determined validation status, said affiliate server granting to the client access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization token is valid.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14.
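The issue-and-validate flow that claims 1 and 5 describe (a central service issues a token whose claim field carries an encrypted conditional scope expression and whose header carries validation information; the affiliate server sends the token back in a SOAP validation request and grants access only on a valid status and only per the property name-value conditions), as an added example in Python. This is not code from the patent or its specification. The class and function names, the JSON-in-base64 token encoding, the use of an HMAC as the validation information, the HMAC-SHA256 counter-mode keystream standing in for a real cipher, the in-process call standing in for SOAP over SSL, and the organization model are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real cipher (assumption).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_validation_request(token: str) -> bytes:
    # Affiliate side: the validation request is a SOAP envelope carrying the token.
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(ET.SubElement(envelope, f"{{{SOAP_NS}}}Body"), "ValidateToken").text = token
    return ET.tostring(envelope)


class AuthorizationService:  # the centralized location: issues and validates tokens
    def __init__(self, mac_key: bytes, enc_key: bytes, org_model: dict):
        self.mac_key, self.enc_key = mac_key, enc_key  # MAC = validation info; enc = scope
        self.org_model = org_model  # role -> conditional scope expression (constructed)

    def _mac(self, unsigned: dict) -> str:
        msg = json.dumps(unsigned, sort_keys=True).encode()
        return hmac.new(self.mac_key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, role: str, now: float, ttl: int = 300) -> str:
        scope = self.org_model[role]  # resource name + property name-value pairs
        nonce = os.urandom(12)
        ciphertext = _keystream_xor(self.enc_key, nonce, json.dumps(scope).encode())
        body = {
            "header": {"alg": "HMAC-SHA256", "exp": now + ttl},        # validation information
            "source": user,                                               # identity of the user
            "claim": {"nonce": nonce.hex(), "scope": ciphertext.hex()},  # encrypted scope
        }
        body["header"]["mac"] = self._mac(body)  # MAC over header-without-mac, source, claim
        return base64.urlsafe_b64encode(json.dumps(body).encode()).decode()

    def validate(self, packet: bytes, now: float) -> dict:
        # Parser component: pull the token out of the SOAP packet, then check the header.
        node = ET.fromstring(packet).find(f"{{{SOAP_NS}}}Body/ValidateToken")
        try:
            body = json.loads(base64.urlsafe_b64decode(node.text))
            header = dict(body["header"])
            presented, exp = str(header.pop("mac")), float(header["exp"])
            unsigned = {"header": header, "source": body["source"], "claim": body["claim"]}
        except (AttributeError, ValueError, KeyError, TypeError):
            return {"valid": False, "reason": "malformed token"}
        if not hmac.compare_digest(presented, self._mac(unsigned)):
            return {"valid": False, "reason": "bad signature"}
        if now > exp:
            return {"valid": False, "reason": "expired"}
        # Only the service holds enc_key; it returns the plain conditions to the affiliate.
        nonce, ct = bytes.fromhex(body["claim"]["nonce"]), bytes.fromhex(body["claim"]["scope"])
        scope = json.loads(_keystream_xor(self.enc_key, nonce, ct))
        return {"valid": True, "user": body["source"],
                "resource": scope["resource"], "conditions": scope["properties"]}


class AffiliateServer:  # the second entity: controls the resource
    def __init__(self, service: AuthorizationService, resource_name: str):
        self.service, self.resource_name = service, resource_name

    def grant_access(self, token: str, request: dict, now: float) -> dict:
        # In the claimed system this packet goes over SSL; here the call is in-process.
        result = self.service.validate(build_validation_request(token), now)
        if not result["valid"]:
            return {"granted": False, "reason": result["reason"]}
        if result["resource"] != self.resource_name:
            return {"granted": False, "reason": "token names another resource"}
        for name, value in result["conditions"].items():  # each pair is one condition
            if request.get(name) != value:
                return {"granted": False, "reason": f"condition {name}={value} not met"}
        return {"granted": True, "user": result["user"]}


ORG_MODEL = {"analyst": {"resource": "reports-share",  # constructed organization model
                         "properties": {"action": "read", "folder": "quarterly"}}}
SERVICE = AuthorizationService(b"demo-mac-key", b"demo-enc-key", ORG_MODEL)
AFFILIATE = AffiliateServer(SERVICE, "reports-share")


def demo(now: float = 1_700_000_000.0) -> dict:
    # A valid read, a write outside the conditions, a forged source field, an expired token.
    token = SERVICE.issue("alice", "analyst", now)
    read = {"action": "read", "folder": "quarterly"}
    forged = json.loads(base64.urlsafe_b64decode(token))
    forged["source"] = "mallory"  # edited without re-signing: the header MAC no longer matches
    forged_token = base64.urlsafe_b64encode(json.dumps(forged).encode()).decode()
    return {
        "read": AFFILIATE.grant_access(token, read, now + 10)["granted"],
        "write": AFFILIATE.grant_access(token, {**read, "action": "write"}, now + 10)["reason"],
        "forged": AFFILIATE.grant_access(forged_token, read, now + 10)["reason"],
        "expired": AFFILIATE.grant_access(token, read, now + 600)["reason"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes about the design: the affiliate never sees the encryption key, so it cannot read or alter the scope on its own and must go back to the central service, which both checks the header's validation information and translates the encrypted expression into the plain resource name and conditions the affiliate enforces. A token whose source field is edited fails the MAC check, a token presented after its expiry fails the header check, and a valid token still yields no access for a request that does not satisfy every property name-value pair.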
15. One or more computer-readable media having stored thereon computer-executable components to control access to a resource by one or more users from a centralized location, said components comprising:
an interface component adapted to receive at the centralized location an authorization request from a first entity to issue authorization data for the one or more users based on roles associated with the users, wherein said authorization data is required by a second entity for allowing the client to conditionally access a resource controlled by said second entity;
an authorization component adapted to issue at the centralized location the requested authorization data for the users based on the roles associated with the users to the first entity, said authorization data including an encrypted conditional scope expression created in response to the received authorization request, said conditional scope expression identifying a resource by a resource name and by at least one property name-property value pair associated with the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity, and said authorization data including the validation information, wherein said interface component is further adapted to receive a validation request from the second entity, said validation request including the authorization data issued to the first entity;
a parser component adapted to retrieve validation information from the received authorization data; and
a validation component adapted to evaluate the retrieved validation information, wherein the interface component is further adapted to send a response from the centralized location to the second entity indicating a validation status of the received authorization data responsive to said evaluating the retrieved validation information, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
Dependent claims: 16.
17. An authorization system in a centralized location comprising:
a memory area accessible from the centralized location for storing authorization data for use in providing a first entity conditional access to a resource that is controlled by a second entity, said authorization data including an encrypted conditional scope expression created in response to the received authorization request, said conditional scope expression identifying the resource by a resource name and by at least one property associated with the resource, wherein the associated property includes at least one property name-property value pair, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity, and said authorization data including validation information; and
a processor configured to execute computer-executable instructions for receiving a validation request from the second entity and issuing from the centralized location to the first entity, responsive to an authorization request from the first entity, the authorization data for a user based on a role associated with the user and for validating, in response to the validation request from the second entity, the authorization data issued to the first entity to provide access to the resource, said validation request including the authorization data issued to the first entity, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
Dependent claims: 18, 19.
Specification