Authentication system, authentication method, and storage medium for realizing a multitenant service
Abstract
In a multitenant service, access control is needed to prevent data owned by one tenant from leaking to other tenants. Conventional access control, however, is designed and built for one specific requirement at a time, so the cost of dedicated design, development, administration and maintenance has to be borne for each service. These costs can be reduced by holding role information for each of a plurality of services and deciding, in a uniform manner, whether to allow or deny access.
Claims (13)
1. An authentication system comprising:
a reception unit configured to receive an access allowance or denial confirmation with respect to a resource and receive an authentication token associated with user identification information;
an identification unit configured to identify role information associated with the user identification information based on the authentication token received by the reception unit;
a Uniform Resource Locator (URL) verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is a URL resource, whether access is permitted based on the role information identified by the identification unit and role information of the URL resource;
a provision unit configured to provide a screen corresponding to the URL resource if the access is permitted by the URL verification unit;
an application program interface (API) verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is execution of an API, whether access is permitted based on the role information identified by the identification unit and role information of execution authority of the API;
an execution unit configured to execute the API if it is determined that the access is permitted by the API verification unit;
a data distribution verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is distribution of data, whether access is permitted based on the role information identified by the identification unit and role information of distribution of the data; and
a distribution unit configured to distribute the data if it is identified that the access is permitted by the data distribution verification unit,
wherein the authentication system including the URL verification unit, the API verification unit and the data distribution verification unit executes three verifications, which are a verification of whether a screen corresponding to a URL can be provided, a verification of whether an API can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.
(Dependent claims 2 and 3 are not reproduced here.)

4. An authentication system comprising:
a reception unit configured to receive an access allowance or denial confirmation with respect to a resource and receive an authentication token associated with user identification information;
an identification unit configured to identify role information associated with the user identification information based on the authentication token received by the reception unit;
an acquisition unit configured to acquire role information of each resource type corresponding to the access allowance or denial confirmation received by the reception unit; and
a verification unit configured to verify whether access to the resource type is to be permitted or not by the role information corresponding to each resource type acquired by the acquisition unit and the role information identified by the identification unit,
wherein the authentication system executes three verifications, which are a verification of whether a screen corresponding to a Uniform Resource Locator (URL) can be provided, a verification of whether an application program interface (API) can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.

5. An authentication method comprising:
receiving an access allowance or denial confirmation with respect to a resource and receiving an authentication token associated with user identification information;
identifying role information associated with the user identification information based on the received authentication token;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is a Uniform Resource Locator (URL) resource, whether access is to be permitted based on the identified role information and role information of the URL resource;
providing a screen corresponding to the URL resource if it is identified that the access is permitted;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is execution of an application program interface (API), whether access is to be permitted based on the identified role information and role information of execution authority of the API;
executing the API if it is identified that the access is permitted;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is distribution of data, whether access is to be permitted based on the identified role information and role information of distribution of the data; and
distributing the data if it is identified that the access is permitted,
wherein the authentication method including all the verifying steps executes three verifications, which are a verification of whether a screen corresponding to a URL can be provided, a verification of whether an API can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.
(Dependent claims 6 and 7 are not reproduced here.)

8. An authentication method comprising:
receiving an access allowance or denial confirmation with respect to a resource and receiving an authentication token associated with user identification information;
identifying role information associated with the user identification information based on the received authentication token;
acquiring role information of each resource type corresponding to the received access allowance or denial confirmation;
determining whether access to the resource type is to be permitted or not based on the acquired role information corresponding to each acquired resource type and the identified role information; and
executing a verification of whether a screen corresponding to a Uniform Resource Locator (URL) can be provided, a verification of whether an application program interface (API) can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.

9. A storage medium storing a computer-executable program for causing a computer to execute operations comprising:
receiving an access allowance or denial confirmation with respect to a resource and receiving an authentication token associated with user identification information;
identifying role information associated with the user identification information based on the received authentication token;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is a Uniform Resource Locator (URL) resource, whether access is to be permitted based on the identified role information and role information of the URL resource;
providing a screen corresponding to the URL resource if it is identified that the access is permitted;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is execution of an application program interface (API), whether access is to be permitted based on the identified role information and role information of execution authority of the API;
executing the API if it is identified that the access is permitted;
verifying, if a resource type corresponding to the received access allowance or denial confirmation is distribution of data, whether access is to be permitted based on the identified role information and role information of distribution of the data; and
distributing the data if it is identified that the access is permitted,
wherein the operations including all the verifying steps execute three verifications, which are a verification of whether a screen corresponding to a URL can be provided, a verification of whether an API can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.
(Dependent claims 10 and 11 are not reproduced here.)

12. A storage medium storing a computer-executable program for causing a computer to execute operations comprising:
receiving an access allowance or denial confirmation with respect to a resource and receiving an authentication token associated with user identification information;
identifying role information associated with the user identification information based on the received authentication token;
acquiring role information of each resource type corresponding to the received access allowance or denial confirmation;
determining whether access to the resource type is to be permitted or not based on the acquired role information corresponding to each acquired resource type and the identified role information; and
executing a verification of whether a screen corresponding to a Uniform Resource Locator (URL) can be provided, a verification of whether an application program interface (API) can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.

13. A system including an authentication system and a client, comprising:
a transmission unit configured to transmit an access allowance or denial confirmation with respect to a resource and an authentication token to the authentication system;
a reception unit configured to receive from the client the access allowance or denial confirmation with respect to the resource and receive the authentication token associated with user identification information;
an identification unit configured to identify role information associated with the user identification information based on the authentication token received by the reception unit;
a Uniform Resource Locator (URL) verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is a URL resource, whether access is permitted based on the role information identified by the identification unit and role information of the URL resource;
a provision unit configured to provide a screen corresponding to the URL resource if the access is permitted by the URL verification unit;
an application program interface (API) verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is execution of an API, whether access is permitted based on the role information identified by the identification unit and role information of execution authority of the API;
an execution unit configured to execute the API if it is identified that the access is permitted by the API verification unit;
a data distribution verification unit configured to verify, if a resource type corresponding to the access allowance or denial confirmation received by the reception unit is distribution of data, whether access is permitted based on the role information identified by the identification unit and role information of distribution of the data; and
a distribution unit configured to distribute the data if it is identified that the access is permitted by the data distribution verification unit,
wherein the authentication system including the URL verification unit, the API verification unit and the data distribution verification unit executes three verifications, which are a verification of whether a screen corresponding to a URL can be provided, a verification of whether an API can be executed, and a verification of whether data can be distributed based on the role information associated with the user identification information.
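The three verifications the claims describe, worked through as an added example; this is not code from the patent, its assignee or any product. It assumes an HMAC-SHA256 signed token carrying a tenant, a user identifier and an expiry, an in-memory table of user roles, and an in-memory table of the role information attached to each URL, API and data resource, with both tables keyed by tenant. The token format, the key, the table contents and every function name are constructed for illustration. The check is the uniform one the abstract motivates: a single verification routine serves all three resource types, and because the resource lookup is keyed by the tenant recovered from the token, a resource that belongs to another tenant is never found, which is what prevents the cross-tenant leakage the abstract is concerned with.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumption: signing key shared between the token issuer and this system.
TOKEN_KEY = b"example-key-not-for-production"


class ResourceType(Enum):
    URL = "url"    # a screen reachable at a URL
    API = "api"    # execution of an API
    DATA = "data"  # distribution of stored data


@dataclass(frozen=True)
class AccessConfirmation:
    """The 'access allowance or denial confirmation' a client sends."""
    resource_type: ResourceType
    resource_id: str


# Constructed sample tables. Both are keyed by tenant, so a role name in one
# tenant never grants anything in another tenant.
USER_ROLES = {
    ("tenant-a", "alice"): {"admin"},
    ("tenant-a", "bob"): {"viewer"},
    ("tenant-b", "carol"): {"admin"},
}
RESOURCE_ROLES = {
    ResourceType.URL: {("tenant-a", "/settings"): {"admin"},
                       ("tenant-a", "/dashboard"): {"admin", "viewer"}},
    ResourceType.API: {("tenant-a", "deleteDocument"): {"admin"},
                       ("tenant-a", "listDocuments"): {"admin", "viewer"}},
    ResourceType.DATA: {("tenant-a", "report-2024.csv"): {"admin", "viewer"},
                        ("tenant-b", "payroll.csv"): {"admin"}},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant: str, user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Token format assumed here: base64url(JSON claims).base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    claims = {"tenant": tenant, "user": user, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def identify_roles(token: str, now: Optional[int] = None):
    """Identification unit: returns (tenant, roles) for a valid token, else None.
    A bad signature, a malformed body or an expired token yields no roles at all."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
        tenant, user, exp = claims["tenant"], claims["user"], int(claims["exp"])
    except (ValueError, TypeError, KeyError):
        return None
    now = int(time.time()) if now is None else now
    if exp <= now:
        return None
    return tenant, USER_ROLES.get((tenant, user), set())


def verify_access(token: str, conf: AccessConfirmation, now: Optional[int] = None) -> bool:
    """The uniform verification: the URL, API and data checks differ only in which
    role table is consulted. Access is allowed only when the user's roles intersect
    the roles of the resource, looked up inside the token's own tenant."""
    identified = identify_roles(token, now)
    if identified is None:
        return False
    tenant, user_roles = identified
    # Keyed by the token's tenant: a resource that exists only in another tenant
    # is not found here, so cross-tenant access is denied by construction.
    required = RESOURCE_ROLES[conf.resource_type].get((tenant, conf.resource_id))
    if not required:  # unknown resource or empty policy: deny, never default-allow
        return False
    return bool(user_roles & required)


def handle(token: str, conf: AccessConfirmation, now: Optional[int] = None):
    """Provision, execution and distribution units, each gated by verify_access.
    Returns the screen, the API result or the data, or None when access is denied."""
    if not verify_access(token, conf, now):
        return None
    if conf.resource_type is ResourceType.URL:
        return f"<screen for {conf.resource_id}>"
    if conf.resource_type is ResourceType.API:
        return f"executed {conf.resource_id}"
    return f"contents of {conf.resource_id}"
```

Two caveats the claims leave implicit are built into the example: the identification step rejects a token whose signature or expiry fails before any role lookup happens, so a forged or stale token yields no roles rather than default roles, and a resource with no role information attached is denied rather than allowed, since a missing policy row is the usual way a newly added endpoint ends up reachable by every tenant.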