Policy and attribute based access to a resource

US 8,015,301 B2
Filed: 09/30/2003
Issued: 09/06/2011
Est. Priority Date: 09/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a non-transitory computer-readable medium and for executing on a proxy server the method for policy and attribute based access to a resource, comprising:

receiving, at the proxy server, a session request for access to a resource, the session request is sent from a service and includes alias identity information for a principal, the alias identity information includes a random password and a random principal identification, the alias identity information is randomly generated for identity information, the identity information identifies a true identity for the principal;

mapping, by the proxy server, the alias identity information to the identity information of the principal, the identity information associated with the true identity of the principal whereas the alias identity information is the random password and the random principal identification and the identity information and the true identity of the principal is available to the proxy server but not the service or the resource;

authenticating, by the proxy server, the identity information;

acquiring, by the proxy server, a service contract for the principal, the service, and the resource, the service contract is derived from an identity configuration for the principal and the identity configuration represents aggregated access policies and attributes for the principal with respect to the resource and all known services that are available to the principal, each service is an application or system that the principal uses to gain access to the resource;

obtaining from the service contract selective resource access policies and attributes which are permissibly used by the service when accessing the resource on behalf of the principal;

defining, via the service contract, a tripartite relationship among the principal, the service, and the resource, the service contract is derived from an identity configuration of the principal, the service contract including security strictures for the tripartite relationship including the selective resource access policies and the attributes, the access policies define operations that the service can and cannot perform on behalf of the principal against the attributes of the resource the attributes define specific data fields defined within the resource;

establishing, by the proxy server, a session with the service, the session is controlled by the service contract, the service interacts through the proxy server with a Lightweight Directory Access Protocol (LDAP) legacy interface for the resource to make access requests for the principal in a format that is handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access requests, the access requests are in accordance with the service contract; and

managing, at the proxy server, the session by acting as an intermediary between the service and the legacy LDAP interface which has access privileges to the resource.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract.

95 Citations

View as Search Results

14 Claims

1. A method implemented in a non-transitory computer-readable medium and for executing on a proxy server the method for policy and attribute based access to a resource, comprising:
- receiving, at the proxy server, a session request for access to a resource, the session request is sent from a service and includes alias identity information for a principal, the alias identity information includes a random password and a random principal identification, the alias identity information is randomly generated for identity information, the identity information identifies a true identity for the principal;
  
  mapping, by the proxy server, the alias identity information to the identity information of the principal, the identity information associated with the true identity of the principal whereas the alias identity information is the random password and the random principal identification and the identity information and the true identity of the principal is available to the proxy server but not the service or the resource;
  
  authenticating, by the proxy server, the identity information;
  
  acquiring, by the proxy server, a service contract for the principal, the service, and the resource, the service contract is derived from an identity configuration for the principal and the identity configuration represents aggregated access policies and attributes for the principal with respect to the resource and all known services that are available to the principal, each service is an application or system that the principal uses to gain access to the resource;
  
  obtaining from the service contract selective resource access policies and attributes which are permissibly used by the service when accessing the resource on behalf of the principal;
  
  defining, via the service contract, a tripartite relationship among the principal, the service, and the resource, the service contract is derived from an identity configuration of the principal, the service contract including security strictures for the tripartite relationship including the selective resource access policies and the attributes, the access policies define operations that the service can and cannot perform on behalf of the principal against the attributes of the resource the attributes define specific data fields defined within the resource;
  
  establishing, by the proxy server, a session with the service, the session is controlled by the service contract, the service interacts through the proxy server with a Lightweight Directory Access Protocol (LDAP) legacy interface for the resource to make access requests for the principal in a format that is handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access requests, the access requests are in accordance with the service contract; and
  
  managing, at the proxy server, the session by acting as an intermediary between the service and the legacy LDAP interface which has access privileges to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising accessing, by the proxy server, the identity configuration for the principal in order to acquire the selective resource access policies and attributes included within the service contract.
  - 3. The method of claim 1 further comprising denying, by the proxy sever, access attempts made by the service during the session when the access attempts are not included within the service contract.
  - 4. The method of claim 1 further comprising terminating, by the proxy server, the session when an event is detected that indicates the service contract is compromised or has expired.
  - 5. The method of claim 1 further comprising establishing, by the proxy sever, the service contract with the principal prior to receiving the session request.
  - 6. The method of claim 5 further comprising reusing, by the proxy sever, the service contract to establish one or more additional sessions with the service, wherein the one or more additional sessions are associated with one or more additional session requests made by the service.
  - 7. The method of claim 5 wherein the establishing further includes establishing the service contract with the principal in response to a redirection operation performed by a proxy that intercepts a browser request issued from the principal to the service for purposes of accessing the resource.

8. A policy and attribute based resource session manager, residing in a non-transitory computer-accessible medium and for executing on a proxy server, comprising instructions for establishing a session with a resource, the instructions when executed performing the method of:
- receiving, at the proxy server, alias identity information from a service, the alias identity information is associated with a principal, and the alias identity information includes a random password and a random principal identification, the alias identity information is randomly generated for principal identity information of the principal and the principal identity information identifies a true identity of the principal;
  
  requesting, by the proxy server, a mapping of the alias identity information to the principal identity information, the principal identity information associated with the true identity of the principal whereas the alias identity information is the random password and the random principal identification and the principal identity information and the true identity of the principal is available to the proxy server but not the service or the resource;
  
  requesting, by the proxy server, authenticating of the identity information;
  
  requesting, by the proxy server, a service contract for the principal, the service and a resource, the service contract includes selective resource access policies and attributes, the service contract is derived from an identity configuration and the identity configuration represents aggregated access policies and attributes for the principal with respect to the resource and all known services that are available to the principal, each service is an application or system that the principal uses for gaining access to the resource;
  
  defining, via, the service contract a tripartite relationship among the principal, the service, and the resource, the service contract including security strictures for the tripartite relationshipincluding the selective resource access policies and the attributes, the access policies define operations that the service can and cannot perform on behalf of the principal against the attributes of the resource the attributes define specific data fields defined within the resource;
  
  establishing, by the proxy server, a session with the service and the resource, the session is controlled by the service contract and the service makes access requests to a Lightweight Directory Access Protocol (LDAP) legacy interface of the resource on behalf of the principal, the access requests made in a format handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access requests; and
  
  managing, at the proxy server, the session by acting as an intermediary between the service and the legacy LDAP interface which has access privileges to the resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The policy and attribute based resource session manager of claim 8 having instructions further comprising, permitting, at the proxy server, the service to indirectly access an identity store which represents the resource, and wherein the identity store includes secure information related to the principal.
  - 10. The policy and attribute based resource session manager of claim 8 having instructions further comprising terminating, at the proxy server, the session when the service contract expires or is compromised.
  - 11. The policy and attribute based resource session manager of claim 8, wherein the requesting of the mapping further includes interacting with an alias translator.
  - 12. The policy and attribute based resource session manager of claim 8, wherein the requesting of authentication further includes interacting with an identification authenticator.
  - 13. The policy and attribute based resource session manager of claim 8 at wherein the receiving further includes intercepting a session request that is issued from the service for the legacy LDAP interface, wherein the session request includes the alias identity information.
  - 14. The policy and attribute based resource session manager of claim 13 having instructions further comprising managing, at the proxy server, the session with respect to the service as if the policy based resource session manager were the legacy LDAP interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen R, Burch, Lloyd Leon
Primary Examiner(s)
Blair; Douglas B

Application Number

US10/676,231
Publication Number

US 20050068983A1
Time in Patent Office

2,898 Days
Field of Search

709227-229, 726/4, 726/5
US Class Current

709/229
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/102 Entity profiles

Policy and attribute based access to a resource

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Policy and attribute based access to a resource

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links