Delegation-based authorization
Abstract
Delegation-based authorization is described. In one example, a reference monitor receives from a first entity a request and a credential statement comprising a delegation of authority over a fact to a further entity. An authorization node then determines whether the further entity consents to provide the fact to the first entity and evaluates the request in accordance with an authorization policy and the credential statement. In another example, an assertion comprising a statement delegating authority over a fact to a further entity is received at an authorization node from a first entity. An authorization policy is then used to determine that the first entity vouches for the fact if each of these conditions are met: i) the first entity consents to import the fact from the further entity, ii) the further entity consents to export the fact to the first entity, and iii) the further entity asserts the fact.
20 Claims
1. An authorization system, comprising:
- one or more hardware processors configured to provide an authorization node executing an authorization policy; and
- a reference monitor arranged to receive from a first entity a request for access to a resource and a credential statement, wherein the first entity consents to import a fact from a further entity, wherein the authorization node is arranged to determine whether the further entity consents to export the fact to the first entity, and, responsive thereto, evaluate the request for access in accordance with the authorization policy and the credential statement, the authorization node being further arranged to deny the access request received from the first entity in response to the further entity not consenting to export the fact to the first entity, wherein the request and credential statement are SecPAL statements, and the delegation of authority in the credential statement comprises a “can say” statement, and the further entity consents to provide the fact to the first entity using a SecPAL “can listen to” statement.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving, by a hardware processor, an assertion from a first entity comprising a credential statement, wherein the first entity consents to import a fact from a further entity; and
- using the authorization policy, the authorization policy being a SecPAL policy, to evaluate the assertion, the assertion being validated in the case that each of the following are met; i) the first entity consents to import the fact from the further entity, consent comprising a SecPAL “can say” statement; ii) the further entity consents to export the fact to the first entity, consent comprising a SecPAL “can listen to” statement; and iii) the further entity asserts the fact.
Dependent claims: 12, 13, 14, 15, 16
17. A computer-implemented authorization method performed at an authorization node executing an authorization policy, comprising:
- receiving an authorization query and a supporting credential from a first entity, the query and credential statements being SecPAL statements, wherein the first entity consents to import a fact from a further entity;
- detecting, using a hardware processor, the presence of the delegation statement and inserting an additional condition into the delegation statement to create a modified delegation statement which states that the first entity consents to import a fact if the further entity consents to export the fact to the first entity, the delegation of authority in the credential statement comprising a “can say” statement, and the further entity consenting to provide the fact to the first entity using a SecPAL “can listen to” statement;
- evaluating the query, using the hardware processor, against the authorization policy in union with the modified delegation statement, the query being denied if the further entity does not consent to export the fact; and
- returning the result of the query to the first entity via a communication network.
Dependent claims: 18, 19, 20
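The three-condition check of claim 11 and the rewrite step of claim 17, as an added Python illustration (not code from the patent or from any SecPAL implementation). The class names, the `needs_export` flag and the sample entities are assumptions made for this example; statements are assumed to be already authenticated, and only a single delegation hop is modelled.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Says:                 # "<issuer> says <fact>"
    issuer: str
    fact: str

@dataclass(frozen=True)
class CanSay:               # "<issuer> says <delegate> can say <fact>": import consent
    issuer: str
    delegate: str
    fact: str
    needs_export: bool = False   # hypothetical flag: condition inserted by the rewrite

@dataclass(frozen=True)
class CanListenTo:          # "<issuer> says <listener> can listen to <fact>": export consent
    issuer: str
    listener: str
    fact: str

def add_export_condition(credentials):
    """Rewrite every delegation so it only holds if the delegate consents to export."""
    return {replace(c, needs_export=True) if isinstance(c, CanSay) else c
            for c in credentials}

def vouches(entity, fact, statements):
    """True if `entity` asserts `fact` itself or validly imports it from a delegate."""
    if Says(entity, fact) in statements:
        return True
    for s in statements:
        if isinstance(s, CanSay) and s.issuer == entity and s.fact == fact:
            exported = (not s.needs_export
                        or CanListenTo(s.delegate, entity, fact) in statements)
            if exported and Says(s.delegate, fact) in statements:
                return True
    return False

def evaluate(requester, fact, policy, credentials):
    """Evaluate the query against the policy in union with the modified credentials."""
    return vouches(requester, fact, set(policy) | add_export_condition(credentials))

# Constructed sample data: Alice is the first entity, Bob the further entity.
FACT = "Carol is a project member"
CREDENTIAL = [CanSay("Alice", "Bob", FACT)]
POLICY_NO_EXPORT = [Says("Bob", FACT)]
POLICY_EXPORT = POLICY_NO_EXPORT + [CanListenTo("Bob", "Alice", FACT)]

if __name__ == "__main__":
    print(evaluate("Alice", FACT, POLICY_NO_EXPORT, CREDENTIAL))  # False
    print(evaluate("Alice", FACT, POLICY_EXPORT, CREDENTIAL))     # True
```

Calling `vouches` directly on the unmodified credential accepts the first case, which is the difference the inserted export condition makes.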
Specification