Unified access control system and method for composed services in a distributed environment
Abstract
A system, a computer device implemented method, and a computer readable article of manufacture for executing a computer implemented method for a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification. The method includes the steps of: acquiring a first role of a user in a first composed service; sending an invoking request by a processing unit of the first composed service to a second composed service; receiving the first role of the user in the first composed service and predefined role-role mapping relationships, and determining a second role of the user in the second composed service by a role determining component; and then sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.
20 Claims
1. A method of providing a unified access control for a plurality of composed services in a distributed computing environment, the method comprising:

- acquiring a first role of a user in a first composed service;
- sending an invoking request by a processing unit of the first composed service to a second composed service;
- receiving the first role of the user in the first composed service and predefined role-role mapping relationships based on the invoking request;
- determining a second role of the user in the second composed service according to the first role of the user in the first composed service and the predefined role-role mapping relationships, wherein the second role is further determined based on determining that a plurality of the predefined role-role mapping relationships are associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;
- selecting one of the plurality of the predefined role-role mapping relationships based on a current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, and a priority ranking associated with the one of the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with a remaining set of the plurality of the predefined role-role mapping relationships;
- determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
- sending the determined second role in the second composed service to the second composed service.

(Dependent claims 2 through 8 not shown.)
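The role-resolution step of claim 1, as an added example that is not the patent's own code: given the caller's role and a set of predefined role-role mappings, the resolver keeps only the mappings whose temporal constraint holds at the time of the invoking request and then selects the one with the strictly highest priority ranking. The mapping records, the service and role names, and the fail-closed handling of an ambiguous tie are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class RoleMapping:
    """One predefined role-role mapping from the calling service to the invoked one."""
    source_role: str               # user's role in the first composed service
    target_role: str               # role the user receives in the second composed service
    priority: int                  # higher number wins among applicable mappings
    start: Optional[time] = None   # temporal constraint: window start (inclusive)
    end: Optional[time] = None     # window end (exclusive); both None = always applies

    def applies_at(self, now: datetime) -> bool:
        """Does the current temporal condition satisfy this mapping's constraint?"""
        if self.start is None or self.end is None:
            return True
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window that crosses midnight


def determine_second_role(first_role: str, mappings, now: datetime) -> Optional[str]:
    """Resolve the role in the second service; None means no role is granted (fail closed)."""
    applicable = [m for m in mappings
                  if m.source_role == first_role and m.applies_at(now)]
    if not applicable:
        return None
    best = max(applicable, key=lambda m: m.priority)
    # The claim requires the selected mapping to outrank every remaining one;
    # a tie is ambiguous, so refuse to grant rather than pick arbitrarily.
    if sum(1 for m in applicable if m.priority == best.priority) > 1:
        return None
    return best.target_role


# Constructed sample: an order service's roles mapped onto a billing service's roles.
MAPPINGS = [
    RoleMapping("order_manager", "billing_approver", 10, time(9, 0), time(17, 0)),
    RoleMapping("order_manager", "billing_viewer", 1),
    RoleMapping("order_clerk", "billing_viewer", 1),
]
SAMPLE_TIMES = {"business_hours": datetime(2024, 3, 4, 10, 30),
                "night": datetime(2024, 3, 4, 22, 0)}

if __name__ == "__main__":
    for label, when in SAMPLE_TIMES.items():
        print(label, determine_second_role("order_manager", MAPPINGS, when))
```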
9. A unified access control computer device system for providing a unified access control for a plurality of composed services in a distributed computing environment, the system comprising:

- a role acquiring component configured to acquire a first role of a user in a first composed service;
- a processing unit of the first composed service configured to send an invoking request to a second composed service;
- a role determining component configured to determine a second role of the user in a second composed service according to the first role of the user in the first composed service and predefined role-role mapping relationships, based on the invoking request, wherein the role determining component is further configured to determine the second role based on determining that a plurality of the predefined role-role mapping relationships is associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service; selecting one of the plurality of the predefined role-role mapping relationships based on a current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, and a priority ranking associated with the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with each of a remaining set of the plurality of the predefined role-role mapping relationships; determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
- a role sending component configured to send the determined second role in the second composed service to the second composed service.

(Dependent claims 10 through 19 not shown.)
20. A computer program product for providing a unified access control for a plurality of composed services in a distributed computing environment, the computer program product comprising:

- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising:
- acquiring a first role of a user in a first composed service;
- sending an invoking request by a processing unit of the first composed service to a second composed service;
- receiving the first role of the user in the first composed service and predefined role-role mapping relationships based on the invoking request;
- determining a second role of the user in the second composed service according to the first role of the user in the first composed service and the predefined role-role mapping relationships, wherein the second role is further determined based on determining that a plurality of the predefined role-role mapping relationships are associated with the first role, wherein each of the plurality of the predefined role-role mapping relationships maps the first role of the user in the first composed service to at least two different roles of the user in the second composed service;
- selecting one of the plurality of the predefined role-role mapping relationships based on a current temporal condition satisfying a temporal constraint associated with the one of the plurality of the predefined role-role mapping relationships, and a priority ranking associated with the one of the plurality of the predefined role-role mapping relationships being higher than a priority ranking associated with a remaining set of the plurality of the predefined role-role mapping relationships;
- determining the second role from the one of the plurality of the predefined role-role mapping relationships that has been selected; and
- sending the determined second role in the second composed service to the second composed service.