Policy and attribute based access to a resource
Abstract
Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract.
14 Claims
1. A method implemented in a non-transitory computer-readable medium and for executing on a proxy server the method for policy and attribute based access to a resource, comprising:
receiving, at the proxy server, a session request for access to a resource, the session request is sent from a service and includes alias identity information for a principal, the alias identity information includes a random password and a random principal identification, the alias identity information is randomly generated for identity information, the identity information identifies a true identity for the principal;
mapping, by the proxy server, the alias identity information to the identity information of the principal, the identity information associated with the true identity of the principal whereas the alias identity information is the random password and the random principal identification and the identity information and the true identity of the principal is available to the proxy server but not the service or the resource;
authenticating, by the proxy server, the identity information;
acquiring, by the proxy server, a service contract for the principal, the service, and the resource, the service contract is derived from an identity configuration for the principal and the identity configuration represents aggregated access policies and attributes for the principal with respect to the resource and all known services that are available to the principal, each service is an application or system that the principal uses to gain access to the resource;
obtaining from the service contract selective resource access policies and attributes which are permissibly used by the service when accessing the resource on behalf of the principal;
defining, via the service contract, a tripartite relationship among the principal, the service, and the resource, the service contract is derived from an identity configuration of the principal, the service contract including security strictures for the tripartite relationship including the selective resource access policies and the attributes, the access policies define operations that the service can and cannot perform on behalf of the principal against the attributes of the resource, the attributes define specific data fields defined within the resource;
establishing, by the proxy server, a session with the service, the session is controlled by the service contract, the service interacts through the proxy server with a Lightweight Directory Access Protocol (LDAP) legacy interface for the resource to make access requests for the principal in a format that is handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access requests, the access requests are in accordance with the service contract; and
managing, at the proxy server, the session by acting as an intermediary between the service and the legacy LDAP interface which has access privileges to the resource.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A policy and attribute based resource session manager, residing in a non-transitory computer-accessible medium and for executing on a proxy server, comprising instructions for establishing a session with a resource, the instructions when executed performing the method of:
receiving, at the proxy server, alias identity information from a service, the alias identity information is associated with a principal, and the alias identity information includes a random password and a random principal identification, the alias identity information is randomly generated for principal identity information of the principal and the principal identity information identifies a true identity of the principal;
requesting, by the proxy server, a mapping of the alias identity information to the principal identity information, the principal identity information associated with the true identity of the principal whereas the alias identity information is the random password and the random principal identification and the principal identity information and the true identity of the principal is available to the proxy server but not the service or the resource;
requesting, by the proxy server, authenticating of the identity information;
requesting, by the proxy server, a service contract for the principal, the service and a resource, the service contract includes selective resource access policies and attributes, the service contract is derived from an identity configuration and the identity configuration represents aggregated access policies and attributes for the principal with respect to the resource and all known services that are available to the principal, each service is an application or system that the principal uses for gaining access to the resource;
defining, via the service contract, a tripartite relationship among the principal, the service, and the resource, the service contract including security strictures for the tripartite relationship including the selective resource access policies and the attributes, the access policies define operations that the service can and cannot perform on behalf of the principal against the attributes of the resource, the attributes define specific data fields defined within the resource;
establishing, by the proxy server, a session with the service and the resource, the session is controlled by the service contract and the service makes access requests to a Lightweight Directory Access Protocol (LDAP) legacy interface of the resource on behalf of the principal, the access requests made in a format handled by the LDAP legacy interface and the LDAP legacy interface is not modified to handle the access requests; and
managing, at the proxy server, the session by acting as an intermediary between the service and the legacy LDAP interface which has access privileges to the resource.
Dependent claims: 9, 10, 11, 12, 13, 14.
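As an added illustration (not code from the patent or from any implementation of it), the Python model below follows the claimed flow: the service presents only a random alias, the proxy maps the alias to the true principal, derives a service contract from the principal's identity configuration, and forwards to a stand-in for the unmodified legacy LDAP interface only the operations the contract permits on named attributes. The identity configuration, directory entry, service names and attribute names are all constructed for this example.

```python
import secrets

# Constructed identity configuration: aggregated policies per principal, keyed by
# (service, resource), giving the operations permitted on each attribute (data field).
IDENTITY_CONFIG = {
    "alice": {
        ("payroll-app", "hr-directory"): {"mail": {"read"}, "salary": {"read", "modify"}},
        ("helpdesk-app", "hr-directory"): {"mail": {"read"}, "phone": {"read", "modify"}},
    }
}
# Constructed directory entry standing in for the unmodified legacy LDAP interface.
LEGACY_LDAP = {"uid=alice,ou=people,dc=example,dc=com": {
    "mail": "alice@example.com", "salary": "100000", "phone": "555-0100"}}
ALIASES = {}  # (random principal id, random password) -> true principal; known only to the proxy


def issue_alias(principal):
    """Randomly generate alias identity information; the service only ever sees this pair."""
    alias = (secrets.token_hex(8), secrets.token_urlsafe(16))
    ALIASES[alias] = principal
    return alias


def derive_service_contract(principal, service, resource):
    """Select from the identity configuration only what this service may use on this resource."""
    return IDENTITY_CONFIG.get(principal, {}).get((service, resource))


class ProxySession:
    """Session controlled by a service contract; each request is checked before reaching LDAP."""

    def __init__(self, alias, service, resource):
        principal = ALIASES.get(alias)  # map alias -> true identity; an unknown alias fails here
        if principal is None:
            raise PermissionError("unknown alias identity")
        self.contract = derive_service_contract(principal, service, resource)
        if not self.contract:
            raise PermissionError("no service contract for this principal/service/resource")
        self.dn = f"uid={principal},ou=people,dc=example,dc=com"  # true identity stays in the proxy

    def request(self, op, attribute, value=None):
        """Forward an LDAP-style op only if the contract permits it on that attribute (data field)."""
        if op not in self.contract.get(attribute, set()):
            return ("denied", None)
        entry = LEGACY_LDAP[self.dn]
        if op == "modify":
            entry[attribute] = value
        return ("ok", entry[attribute])


if __name__ == "__main__":
    alias = issue_alias("alice")
    s = ProxySession(alias, "payroll-app", "hr-directory")
    print(s.request("read", "salary"), s.request("modify", "phone", "555-0199"))
```

Note that the same alias yields different contracts for different services, so a service can only touch the attributes and operations its own contract lists, while the true DN never leaves the proxy.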
Specification