Delegation-based authorization

US 9,160,738 B2
Filed: 05/27/2010
Issued: 10/13/2015
Est. Priority Date: 05/27/2010
Status: Active Grant

First Claim

Patent Images

1. An authorization system, comprising:

one or more hardware processors configured to provide an authorization node executing an authorization policy; and

a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement, wherein the first entity consents to import a fact from a further entity, wherein the authorization node is arranged to determine whether the further entity consents to export the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement, the authorization node being further arranged to deny the access request received from the first entity in response to the further entity not consenting to export the fact to the first entity, wherein the request and credential statement are SecPAL statements, and the delegation of authority in the credential statement comprises a “

can say”

statement, and the further entity consents to provide the fact to the first entity using a SecPAL “

can listen to”

statement.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Delegation-based authorization is described. In one example, a reference monitor receives from a first entity a request and a credential statement comprising a delegation of authority over a fact to a further entity. An authorization node then determines whether the further entity consents to provide the fact to the first entity and evaluates the request in accordance with an authorization policy and the credential statement. In another example, an assertion comprising a statement delegating authority over a fact to a further entity is received at an authorization node from a first entity. An authorization policy is then used to determine that the first entity vouches for the fact if each of these conditions are met: i) the first entity consents to import the fact from the further entity, ii) the further entity consents to export the fact to the first entity, and iii) the further entity asserts the fact.

9 Citations

View as Search Results

20 Claims

1. An authorization system, comprising:
- one or more hardware processors configured to provide an authorization node executing an authorization policy; and
  
  a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement, wherein the first entity consents to import a fact from a further entity, wherein the authorization node is arranged to determine whether the further entity consents to export the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement, the authorization node being further arranged to deny the access request received from the first entity in response to the further entity not consenting to export the fact to the first entity, wherein the request and credential statement are SecPAL statements, and the delegation of authority in the credential statement comprises a “
  
  can say”
  
  statement, and the further entity consents to provide the fact to the first entity using a SecPAL “
  
  can listen to”
  
  statement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A system according to claim 1, wherein if the further entity consents to provide the fact to the first entity, then the delegation succeeds and the credential statement imports the fact from the further entity.
  - 3. A system according to claim 1, wherein if the further entity does not consent to provide the fact to the first entity, then the delegation fails and the credential statement does not import the fact from the further entity.
  - 4. A system according to claim 1, wherein the authorization node is arranged to provide an evaluation result to the reference monitor.
  - 5. A system according to claim 4, wherein the reference monitor is further arranged to grant or deny the first entity access to the resource in dependence on the evaluation result.
  - 6. A system according to claim 1, wherein the reference monitor is further arranged to detect the presence of the delegation of authority and insert an additional condition requiring that the further entity consents to provide the fact to the first entity into the delegation of authority.
  - 7. A system according to claim 1, wherein the authorization node is arranged to evaluate the request for access by determining the union of the authorization policy and the credential statement.
  - 8. A system according to claim 1, wherein the reference monitor receives the request for access and credential statement from a first entity over a communication network.
  - 9. A system according to claim 1, wherein the reference monitor is further arranged to formulate a query from the request, and provide the query and the credential statement to the authorization node.
  - 10. A system according to claim 1, wherein the credential statement is provided by the first entity in support of the request.

11. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving, by a hardware processor, an assertion from a first entity comprising a credential statement, wherein the first entity consents to import a fact from a further entity; and
  
  using the authorization policy, the authorization policy being a SecPAL policy, to evaluate the assertion, the assertion being validated in the case that each of the following are met;
  
  i) the first entity consents to import the fact from the further entity, consent comprising a SecPAL “
  
  can say”
  
  statement;
  
  ii) the further entity consents to export the fact to the first entity, consent comprising a SecPAL “
  
  can listen to”
  
  statement; and
  
  iii) the further entity asserts the fact.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. A method according to claim 11, further comprising the step of, subsequent to receiving the assertion, detecting the credential statement delegating authority and automatically inserting condition ii) into the statement delegating authority.
  - 13. A method according to claim 11, further comprising the step of using the authorization policy to determine that the first entity cannot vouch for the fact in the case that either one or both of condition i) and ii) are not met.
  - 14. A method according to claim 11, further comprising the step of receiving a query in association with the assertion.
  - 15. A method according to claim 14, further comprising the step of evaluating the query in accordance with the authorization policy and the assertion to determine a result.
  - 16. A method according to claim 15, further comprising the step of using the result to grant or deny the first entity access to a resource.

17. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving an authorization query and a supporting credential from a first entity, the query and credential statements being SecPAL statements, wherein the first entity consents to import a fact from a further entity;
  
  detecting, using a hardware processor, the presence of the delegation statement and inserting an additional condition into the delegation statement to create a modified delegation statement which states that the first entity consents to import a fact if the further entity consents to export the fact to the first entity, the delegation of authority in the credential statement comprising a “
  
  can say”
  
  statement, and the further entity consenting to provide the fact to the first entity using a SecPAL “
  
  can listen to”
  
  statement;
  
  evaluating the query, using the hardware processor, against the authorization policy in union with the modified delegation statement, the query being denied if the further entity does not consent to export the fact; and
  
  returning the result of the query to the first entity via a communication network.
- View Dependent Claims (18, 19, 20)
- - 18. A method according to claim 17, wherein the hardware processor is arranged to receive the authorization query and supporting credential from a reference monitor.
  - 19. A method according to claim 18, wherein the reference monitor receives a request for access and credential statement from the first entity over a communication network.
  - 20. A method according to claim 19, wherein the reference monitor is arranged to formulate the query from the request, and provide the query and the credential statement to the hardware processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Becker, Moritz
Primary Examiner(s)
SHAW, PETER C

Application Number

US12/789,277
Publication Number

US 20110296497A1
Time in Patent Office

1,965 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/1408 by monitoring network traff...

Delegation-based authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Delegation-based authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others