Method for application-to-application authentication via delegation

US 8,510,796 B2
Filed: 01/25/2008
Issued: 08/13/2013
Est. Priority Date: 01/25/2008
Status: Active Grant

First Claim

Patent Images

1. A computer controlled method for delegation-based application-to-application access control, the method comprising:

receiving, by a service application on a computer, an operation request, from a requesting application;

identifying a user of the requesting application based on the operation request, wherein identifying the user involves determining that the operation request is valid for the identified user, and wherein the identified user is a principal of the operation;

gaining access to a delegated-rights repository that stores a set of delegated rights, wherein a respective delegated right specifics access-control rights delegated to the service application by an associated user;

retrieving a delegated right specific to the identified user from the delegated-rights repository;

activating the retrieved delegated right, wherein activating the retrieved delegated right involves accessing, by the service application, a delegated-to principle representing the retrieved delegated right; and

allowing the service application to perform the operation on behalf of the identified user based on the retrieved delegated right.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, methods, and computer program products are disclosed that present a delegated-right to a delegation system by a service-application provisioned with the delegation system. The delegated-right enables the service-application to perform an operation/access on behalf of a delegator-user. The method then attempts to perform the operation/access.

Citations

29 Claims

1. A computer controlled method for delegation-based application-to-application access control, the method comprising:
- receiving, by a service application on a computer, an operation request, from a requesting application;
  
  identifying a user of the requesting application based on the operation request, wherein identifying the user involves determining that the operation request is valid for the identified user, and wherein the identified user is a principal of the operation;
  
  gaining access to a delegated-rights repository that stores a set of delegated rights, wherein a respective delegated right specifics access-control rights delegated to the service application by an associated user;
  
  retrieving a delegated right specific to the identified user from the delegated-rights repository;
  
  activating the retrieved delegated right, wherein activating the retrieved delegated right involves accessing, by the service application, a delegated-to principle representing the retrieved delegated right; and
  
  allowing the service application to perform the operation on behalf of the identified user based on the retrieved delegated right.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer controlled method of claim 1, further comprising:
    - generating a delegated-to principal representing a right of the identified user to perform the operation; and
      
      providing said delegated-to principal to said service application.
  - 3. The computer controlled method of claim 1, further comprising removing said delegated-to principal from a set of delegated-to principals.
  - 4. The computer controlled method of claim 1, further comprising modifying said delegated-to principal.
  - 5. The computer controlled method of claim 1, further comprising accessing, by said service application, a second delegated-to principal from said set of delegated-to principals.
  - 6. The computer controlled method of claim 5, wherein said second delegated-to principal represents a delegated right of a second user to perform said operation.
  - 7. The computer controlled method of claim 5, wherein said second delegated-to principal represents a second delegated right of said user to perform a second operation.
  - 8. The computer controlled method of claim 1, further comprising performing said operation responsive to said service application and recording said operation as performed on behalf of said identified user.
  - 9. The computer controlled method of claim 1, further comprising:
    - detecting that said operation is an out-of-right operation;
      
      denying said operation; and
      
      recording that said out-of-right operation was attempted by said service application on behalf of said user.
  - 10. The computer controlled method of claim 1, wherein said identified user is an individual user, a group, an enterprise, or a role.
  - 11. The computer controlled method of claim 1, wherein activating the retrieved delegated right further involves precluding the service application from retrieving a different delegated right than the delegated right specific to the identified user.

12. An apparatus for delegation-based application-to-application access control, comprising:
- a processor;
  
  a delegated-rights repository configured to store a set of delegated rights, wherein a respective delegated right specifics access-control rights delegated to the service application by an associated user;
  
  a service application logic; and
  
  a provisioning logic;
  
  wherein the provisioning logic is configured to provision the service application with a service right to access the delegated-rights repository; and
  
  wherein the service application logic is configured to;
  
  receive an operation request from a requesting application;
  
  identify a user of the requesting application based on the operation request, wherein identifying the user involves determining that the operation request is valid for the identified user, and wherein the identified user is a principal of the operation;
  
  retrieve a delegated right specific to the identified user from the delegated-rights repository;
  
  activate the retrieved delegated right, wherein activating the retrieved delegated right involves accessing, by the service application, a delegated-to principle representing the retrieved delegated right; and
  
  perform the operation of behalf of the user based on the retrieved delegated right.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The apparatus of claim 12, further comprising:
    - a rights evaluation logic configured to detect that said operation is an out-of-right operation and to deny said operation; and
      
      an audit logic, responsive to the rights evaluation logic, configured to record that said out-of-right operation was attempted by said service application on behalf of said identified user.
  - 14. The apparatus of claim 12, wherein said identified user is a individual user, a group, an enterprise, or a role.
  - 15. The apparatus of claim 12, further comprising:
    - a principal generation logic configured to generate a delegated-to principal representing a right of said identified user to perform said operation; and
      
      a principal delegation logic configured to provide said delegated-to principal to the service application logic.
  - 16. The apparatus of claim 15, further comprising a principal modification logic configured to modify said delegated-to principal.
  - 17. The apparatus of claim 12, wherein the service-application logic is also configured to access a second delegated-to principal from a set of delegated-to principals.
  - 18. The apparatus of claim 17, wherein said second delegated-to principal represents a delegated right of a second delegator-user to perform said operation.
  - 19. The apparatus of claim 17, wherein said second delegated-to principal represents a second delegated right of said user to perform a second operation.
  - 20. The apparatus of claim 12, wherein the access logic further comprises an audit logic configured to record said operation as performed on behalf of said identified user.
  - 21. The apparatus of claim 12, wherein while activating the retrieved delegated right, the service-application logic is precluded from retrieving a different delegated right than the delegated right specific to the identified user.

22. A computer program product comprising:
- a non-transitory computer-usable data carrier providing instructions that, when executed by a computer, cause said computer to perform a method for delegation-based application-to-application access control, the method comprising;
  
  receiving, by a service application on a computer, an operation request, from a requesting application;
  
  identifying a user of the requesting application based on the operation request, wherein identifying the user involves determining that the operation request is valid for the identified user, and wherein the identified user is a principal of the operation;
  
  gaining access to a delegated-rights repository that stores a set of delegated rights, wherein a respective delegated right specifics access-control rights delegated to the service application by an associated user;
  
  retrieving a delegated right specific to the identified user from the delegated-right repository;
  
  activating the retrieved delegated right, wherein activating the retrieved delegated right involves accessing, by the service application, a delegated-to principle representing the retrieved delegated right; and
  
  allowing the service application to perform the operation on behalf of the identified user based on the retrieved delegated right.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The computer program product of claim 22, wherein method further comprises:
    - generating a delegated-to principal representing a right of said identified user to perform said operation; and
      
      providing said delegated-to principal to said service application.
  - 24. The computer program product of claim 22, wherein said identified user is a user, a group, an enterprise, or a role.
  - 25. The computer program product of claim 22, wherein activating the retrieved delegated right further involves precluding the service application from retrieving a different delegated right than the delegated right specific to the identified user.
  - 26. The computer program product of claim 22, further comprising accessing, by said service-application, a second delegated-to principal from a set of delegated-to principals.
  - 27. The computer program product of claim 26, wherein said second delegated-to principal represents a delegated-right of a second delegator-user to perform said operation.
  - 28. The computer program product of claim 26, wherein said second delegated-to principal represents a second delegated right of said user to perform a second operation.
  - 29. The computer program product of claim 22, wherein the method further comprises:
    - detecting that said operation is an out-of-right operation;
      
      denying said operation; and
      
      recording that said out-of-right operation was attempted by said service application on behalf of said user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srivastava, Alok, Ahad, Rafiul
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US12/020,203
Publication Number

US 20090193499A1
Time in Patent Office

2,027 Days
Field of Search

726 2- 6, 726/21, 713168-172, 713/2, 713/164
US Class Current

726/2
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06Q 10/06 Resources, workflows, human...

Method for application-to-application authentication via delegation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method for application-to-application authentication via delegation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links