Unified access control system and method for composed services in a distributed environment

US 8,769,653 B2
Filed: 04/29/2009
Issued: 07/01/2014
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method of providing a unified access control for a plurality of composed services in a distributed computing environment, the method comprising:

acquiring a first role of a user in a first composed service;

sending an invoking request by a processing unit of the first composed service to a second composed service;

receiving the first role of the user in the first composed service and predefined role-role mapping relationships based on the invoking request;

determining a second role of the user in the second composed service according to the first role of the user in the first composed service and the predefined role-role mapping relationships, wherein the second role is further determined based ondetermining that is plurality of the predefined role-role mapping relationships are associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;

selecting one of the plurality of the predefined role-role mapping relationships based ona current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, anda priority ranking associated with the one of the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with a remaining set of the plurality of the predefined role-role mapping relationships;

determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and

sending the determined second role in the second composed service to the second composed service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, a computer device implemented method, and a computer readable article of manufacture for executing a computer implemented method for a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification. The method includes the steps of: acquiring a first role of a user in a first composed service; sending an invoking request by a processing unit of the first composed service to a second composed service; receiving the first role of the user in the first composed service and predefined role-role mapping relationships, and determining a second role of the user in the second composed service by a role determining component; and then sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.

Citations

20 Claims

1. A method of providing a unified access control for a plurality of composed services in a distributed computing environment, the method comprising:
- acquiring a first role of a user in a first composed service;
  
  sending an invoking request by a processing unit of the first composed service to a second composed service;
  
  receiving the first role of the user in the first composed service and predefined role-role mapping relationships based on the invoking request;
  
  determining a second role of the user in the second composed service according to the first role of the user in the first composed service and the predefined role-role mapping relationships, wherein the second role is further determined based ondetermining that is plurality of the predefined role-role mapping relationships are associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;
  
  selecting one of the plurality of the predefined role-role mapping relationships based ona current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, anda priority ranking associated with the one of the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with a remaining set of the plurality of the predefined role-role mapping relationships;
  
  determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
  
  sending the determined second role in the second composed service to the second composed service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprisingverifying an identity and the first role of the user in the first composed service based on an access request of the user to the first composed service.
  - 3. The method of claim 2, wherein the verifying further comprises:
    - checking the identity and the first role of the user based on user identity information and user role assignment information respectively, wherein the user identity information comprises a user identifier and a corresponding login password, and the user role assignment information comprises the user identifier and a corresponding role.
  - 4. The method of claim 2, further comprising:
    - generating a token comprising role information of the user in the first composed service based on the user passing the identity and role verification;
      
      transferring the token to the first composed service;
      
      saving a copy of the generated token; and
      
      setting a status of the token to be active.
  - 5. The method of claim 4, wherein the token further comprises a token identifier, a user identifier associated with the user, and a login password associated with the user.
  - 6. The method of claim 5, wherein the determining further comprisesreceiving the token identifier;
    - querying the saved token copy corresponding to the token identifier, wherein the token identifier is sent to the second composed service when the first composed service requests to invoke the second composed service;
      
      checking the status of the token according to the saved token copy that has been queried;
      
      reading the first role information from the saved token copy if the status of the token is active; and
      
      determining the second role of the user in the second composed service by matching the read role information and the role-role mapping relationships.
  - 7. The method of claim 4, further comprising:
    - setting the status of the token to be inactive based on the user logging off the first composed service or time expiring.
  - 8. The method of claim 7, further comprising:
    - confirming that the user has a right for the access and generating a new token based on a request from the user to access the first composed service again;
      
      updating the saved copy of the token by using a copy of the new token; and
      
      re-setting a token status of the new token to be active.

9. A unified access control computer device system for providing a unified access control for a plurality of composed services in a distributed computing environment, the system comprising:
- a role acquiring component configured to acquire a first role of a user in a first composed service;
  
  a processing unit of the first composed service configured to send an invoking request to a second composed service;
  
  a role determining component configured to determine a second role of the user in a second composed service according to the first role of the user in the first composed service and predefined role-role mapping relationships, based on the invoking request, wherein the role determining component is further configured to determine the second role based ondetermining that a plurality of the predefined role-role mapping relationships is associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;
  
  selecting one of the plurality of the predefined role-role mapping relationships based ona current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, anda priority ranking associated with the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with each of a remaining set of the plurality of the predefined role-role mapping relationships;
  
  determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
  
  a role sending component configured to send the determined second role in the second composed service to the second composed service.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The system of claim 9, further comprising:
    - a service registration component configured to register the composed services that use the system to perform security verification;
      
      a role management component configured to manage the roles in the registered composed services; and
      
      a mapping list management component configured to create and manage a mapping list recording the role-role mapping relationships.
  - 11. The system of claim 10, further comprising:
    - a security verification component configured to verify an identity and the first role of the user in the first composed service based on an access request of the user to the first composed service.
  - 12. The system of claim 11, wherein the security verification component is further configured to check the identity and the first role of the user based on user identity information and user role assignment information, wherein the user identity information comprises a user identifier and a login password, and wherein the user role assignment information comprises the user identifier and the user role assignment information.
  - 13. The system of claim 10, wherein the role management component is further configured to assign special roles having higher priorities other than a priority of an ordinary user role to users in advance, and assign an ordinary user role to a user without a special role when the user requests to access the service for a first time.
  - 14. The system of claim 11, further comprising:
    - a token management component configured togenerate a token comprising the first role of the user in the first composed service based on the identity and the first role of the user being verified,transfer the token to the first composed service, andsave a copy of the generated token and setting a status of the token to be active.
  - 15. The system of claim 14, wherein the token further comprises a token identifier, a user identifier associated with the user, and a login password associated with the user.
  - 16. The system of claim 15, wherein the token management component is further configured toreceive the token identifier sent by the second composed service,query a saved token copy corresponding to the token identifier, andread the role information from the token copy, wherein the token identifier is sent to the second composed service when the first composed service requests to invoke the second composed service.
  - 17. The system of claim 16, wherein the role determining component is further configured to query the mapping list according to the role information read by the token management component to determine the second role of the user in the second composed service.
  - 18. The system of claim 10, further comprising:
    - a user management component configured to record data resources of the user to indicate which database the user is from when the user requests to access any of the composed services registered in the service registration component.
  - 19. The system of claim 18, further comprising:
    - a user group management component configured to establish a static user group or dynamic user group definition according to a request from the user to access any of the composed services registered in the service registration component.

20. A computer program product for providing a unified access control for a plurality of composed services in a distributed computing environment, the computer program product comprising:
- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  acquiring a first role of a user in a first composed service;
  
  sending an invoking request by a processing unit of the first composed service to a second composed service;
  
  receiving the first role of the user in the first composed service and predefined role-role mapping relationships based on the invoking request;
  
  determining a second role of the user in the second composed service according to the first role of the user in the first composed service and the predefined role-role mapping relationships, wherein the second role is further determined based ondetermining that is plurality of the predefined role-role mapping relationships are associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;
  
  selecting one of the plurality of the predefined role-role mapping relationships based ona current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, anda priority ranking associated with the one of the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with a remaining set of the plurality of the predefined role-role mapping relationships;
  
  determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
  
  sending the determined second role in the second composed service to the second composed service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cao, Bao Hua, Wang, Jian, Wang, Li, Zhu, Jun
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/431,909
Publication Number

US 20090276840A1
Time in Patent Office

1,889 Days
Field of Search

726 4- 10
US Class Current

726/9
CPC Class Codes

H04L 9/3213 using tickets or tokens, e....

H04L 9/3226 using a predetermined code,...

Unified access control system and method for composed services in a distributed environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Unified access control system and method for composed services in a distributed environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links