Fine-grained attribute access control
First Claim
1. An attribute provider service (APS), comprising:
- a processor;
- a request processing mechanism (RPM), when executed by the processor, configured to:
  - receive a request for an attribute from a consumer,
  - forward the request to an attribute provider mechanism (APM) for processing,
  - receive, from the APM, a response to the request, and
  - provide the response to the consumer;
- the APM, when executed by the processor, configured to:
  - receive the request from the RPM,
  - invoke, in response to the request, a policy evaluator to determine whether the consumer is allowed to access the attribute,
  - receive a response from the policy evaluator indicating whether access to the attribute by the consumer is allowed,
  - obtain an attribute value corresponding to the attribute from an attribute repository based on the response from the policy evaluator, and
  - provide the response to the request to the RPM, wherein the response comprises the attribute value when the response from the policy evaluator indicates that access to the attribute by the consumer is allowed; and
- the policy evaluator, when executed by the processor, configured to:
  - identify an attribute level policy corresponding to the attribute, wherein the attribute level policy comprises at least one condition used to determine whether access to the attribute is allowed by the consumer, wherein the attribute level policy is associated with application criteria, and wherein the application criteria comprises an attribute specification specifying the attribute, a subject parameter which identifies the consumer, a resource parameter which specifies a service that provides the attribute, and an action parameter which specifies an action that the consumer is allowed to perform on the attribute value, and
  - determine, using the attribute level policy, whether to allow access to the attribute by the consumer.
2 Assignments
0 Petitions
Abstract
A mechanism is disclosed for enabling an attribute provider service (APS), which provides access to one or more attributes, to control access to the attributes at the attribute level. In one implementation, a request is received which specifies a particular attribute that is to be accessed from an attribute repository. In response to this request, a policy that applies to the particular attribute is accessed. The policy is then processed to determine whether access to the particular attribute is to be allowed or denied. With the above mechanism, it is possible to control access to attributes at the attribute level rather than at the service level. Because access control is exercised at such a low level, an administrator can exercise much tighter and more precise control over how attributes provided by an APS are accessed.
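The following Python sketch is an added illustration of the architecture laid out in claim 1 and the abstract above; it is not code from the patent or its assignee. It wires the three claimed components together (a request processing mechanism that fronts the service, an attribute provider mechanism that consults the policy evaluator before touching the repository, and a policy evaluator that first identifies an attribute level policy by its application criteria and then checks the policy's conditions). The attribute repository, the consumer role directory, the policy set and every consumer and attribute name are constructed for the example; the default-deny behaviour when no policy matches is a design choice of this sketch, not something the page states.

```python
"""Toy attribute provider service (APS) with attribute-level access control.
Added illustration, not the patent's own code: all names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: the attribute repository and a consumer -> roles directory.
ATTRIBUTE_REPOSITORY: Dict[str, str] = {
    "email": "alice@example.com",
    "ssn": "***-**-1234",
    "department": "engineering",
}
CONSUMER_ROLES: Dict[str, set] = {
    "hr-app": {"hr"},
    "mailer": {"notifications"},
    "intern-tool": set(),          # registered consumer that holds no role
}


@dataclass(frozen=True)
class Request:
    consumer: str    # subject parameter: who is asking
    attribute: str   # attribute specification: what is asked for
    service: str     # resource parameter: the service that provides the attribute
    action: str      # action parameter: what the consumer wants to do with the value


@dataclass(frozen=True)
class ApplicationCriteria:
    """Decides whether a policy applies to a request; "*" as subject matches any consumer."""
    attribute: str
    subject: str
    resource: str
    action: str

    def applies_to(self, req: Request) -> bool:
        return (self.attribute == req.attribute
                and self.subject in ("*", req.consumer)
                and self.resource == req.service
                and self.action == req.action)


@dataclass(frozen=True)
class AttributeLevelPolicy:
    criteria: ApplicationCriteria
    conditions: tuple  # callables Request -> bool; every one must hold for access


class PolicyEvaluator:
    def __init__(self, policies: List[AttributeLevelPolicy]):
        self.policies = policies

    def identify_policy(self, req: Request) -> Optional[AttributeLevelPolicy]:
        """Step 1: find the attribute level policy whose application criteria match."""
        for policy in self.policies:
            if policy.criteria.applies_to(req):
                return policy
        return None

    def evaluate(self, req: Request) -> bool:
        """Step 2: apply the policy's conditions; no matching policy means deny (assumption)."""
        policy = self.identify_policy(req)
        if policy is None:
            return False
        return all(cond(req) for cond in policy.conditions)


class AttributeProviderMechanism:
    def __init__(self, evaluator: PolicyEvaluator, repository: Dict[str, str]):
        self.evaluator = evaluator
        self.repository = repository

    def handle(self, req: Request) -> dict:
        """Ask the policy evaluator first; read the repository only when access is allowed."""
        if not self.evaluator.evaluate(req):
            return {"attribute": req.attribute, "allowed": False, "value": None}
        return {"attribute": req.attribute, "allowed": True,
                "value": self.repository.get(req.attribute)}


class RequestProcessingMechanism:
    """Front door of the APS: receives consumer requests and forwards them to the APM."""
    def __init__(self, apm: AttributeProviderMechanism):
        self.apm = apm

    def process(self, req: Request) -> dict:
        return self.apm.handle(req)


def has_role(role: str):
    """Condition factory: the requesting consumer must hold the given role."""
    return lambda req: role in CONSUMER_ROLES.get(req.consumer, set())


def has_any_role(req: Request) -> bool:
    """Condition: the requesting consumer must hold at least one role."""
    return bool(CONSUMER_ROLES.get(req.consumer))


def build_aps() -> RequestProcessingMechanism:
    policies = [
        # email: any consumer may read it via the directory service if it holds some role
        AttributeLevelPolicy(ApplicationCriteria("email", "*", "directory", "read"),
                             (has_any_role,)),
        # ssn: only the hr-app consumer, and only while it actually holds the "hr" role
        AttributeLevelPolicy(ApplicationCriteria("ssn", "hr-app", "directory", "read"),
                             (has_role("hr"),)),
        # department: readable by any consumer, no further conditions
        AttributeLevelPolicy(ApplicationCriteria("department", "*", "directory", "read"), ()),
    ]
    return RequestProcessingMechanism(
        AttributeProviderMechanism(PolicyEvaluator(policies), ATTRIBUTE_REPOSITORY))


if __name__ == "__main__":
    rpm = build_aps()
    for req in (Request("mailer", "email", "directory", "read"),
                Request("mailer", "ssn", "directory", "read"),
                Request("hr-app", "ssn", "directory", "read"),
                Request("intern-tool", "email", "directory", "read"),
                Request("mailer", "email", "directory", "write")):
        print(req.consumer, req.attribute, req.action, "->", rpm.process(req))
```

Two points the sketch makes concrete: the repository is never consulted until the evaluator has answered, so a denied request leaks nothing about whether the attribute even exists; and because the application criteria carry the subject, resource and action alongside the attribute name, the same service can expose `email` for `read` to one population of consumers while refusing `write` or a different resource outright, which is the attribute-level granularity the abstract contrasts with service-level control.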
47 Citations
8 Claims
Specification