Multiparty authorization for controlling resource access
Abstract
The subject disclosure is generally directed towards an automated mechanism in a computer network or system that controls resource access to any resource designated as needing multiparty authorization. In one aspect, a resource that needs multiparty authorization before access is allowed is identified, along with policy that specifies an authorizer (or multiple authorizers) for the resource. An access control list may contain metadata that indicates the need for multiparty authorization. Authorization may be provided via a token, which may be cached for future use.
20 Claims
1. A method in a computer network or computer system, the method comprising:

receiving, from a client, a request for an operation on a resource associated with a server to form a requested operation;
upon receiving the request, automatically determining, by an authorization mechanism associated with the server, whether the resource is associated with access control metadata, the access control metadata indicates the resource is multiparty access controlled and a multiparty authorization is required for the requested operation on the resource;
on condition that the resource is not associated with the access control metadata, allowing the requested operation on the resource; and
on condition the resource is associated with the access control metadata, checking a token cache, by an authorization module of the server, to determine whether one or more tokens associated with one or more entities and configured to authorize the requested operation are present in the token cache and valid,
on condition that the one or more tokens configured to authorize the requested operation are present in the token cache and valid, granting the multiparty authorization and allowing the requested operation; and
on condition that the one or more tokens configured to authorize the requested operation are not present in the token cache and valid, obtaining the multiparty authorization before allowing the requested operation on the resource.

Dependent claims: 2, 3, 4, 5, 6, 7, 18, 19, 20.
8. A system comprising:

one or more processors;
a memory, the memory configured to contain executable code executed by the one or more processors, including code corresponding to authorization logic; and
a system bus, the system bus configured to couple the memory to the one or more processors, wherein the one or more processors execute the authorization logic to:
determine whether a resource is associated with access control metadata, the access control metadata indicates that the resource is multiparty access controlled and multiparty authorization is required for the requested operation, the resource is associated with a requested operation;
on condition that the resource is not associated with the access control metadata, allow the requested operation; and
on condition that the resource is associated with the access control metadata, determine whether authorization is not yet obtained from one or more authorizers identified in multiparty authorization policy metadata associated with the resource, wherein the multiparty authorization policy metadata identifies the one or more authorizers to contact to obtain the multiparty authorization for the requested operation,
on condition that the authorization is obtained from the one or more authorizers, access the authorization from a token cache to obtain the authorization and grant the multiparty authorization; and
on condition that the authorization is not yet obtained from the one or more authorizers, transmit a request for the authorization to the one or more authorizers.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. One or more machine-readable memories having machine-executable instructions, which when executed cause one or more processors to:

determine that a resource associated with a storage device to which a user is requesting access is multiparty access controlled based on access control metadata associated with the resource, the access control metadata indicating that the resource is protected under multiparty authorization control and multiparty authorization is required for the requested access;
checking a token cache, by an authorization module associated with the storage device, for one or more tokens authorizing access to the resource;
on condition that the one or more tokens are stored in the token cache, accessing the token cache to obtain the one or more tokens and grant access to the resource;
on condition that the one or more tokens are not stored in the token cache, obtaining the one or more tokens from the one or more authorizers to authorize access to the resource;
upon obtaining the one or more tokens, allowing the user to access the resource based upon the one or more tokens; and
cache the one or more tokens in the token cache.

Dependent claims: 16, 17.
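The decision flow the three independent claims describe (check the access control metadata, allow immediately if the resource is not multiparty controlled, otherwise consult a token cache and contact the authorizers named in the policy only when no valid tokens exist, then cache what was obtained) is shown below as an added Python example. It is not the patent's own code; the class and function names (`TokenCache`, `MultipartyPolicy`, `StubAuthorizerService`, `authorize`), the sample ACL metadata and the expiry handling are assumptions made here. Tokens are scoped to one resource and one operation, so a cached approval for a read never satisfies a later delete, and expired tokens are treated as absent, which forces a fresh round of authorization.

```python
"""Multiparty authorization check backed by a token cache.

Added example, not the patent's own code. All names, the sample ACL
metadata and the stub authorizer service are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import time


@dataclass(frozen=True)
class Token:
    """One authorizer's approval, scoped to a single resource and operation."""
    authorizer: str
    resource: str
    operation: str
    expires_at: float  # Unix time; the token is invalid at or after this instant


class TokenCache:
    """Stores obtained tokens so repeat requests need no new authorizer round-trip."""

    def __init__(self) -> None:
        self._tokens: Dict[Tuple[str, str, str], Token] = {}

    def put(self, token: Token) -> None:
        self._tokens[(token.resource, token.operation, token.authorizer)] = token

    def get_valid(self, resource: str, operation: str, authorizer: str, now: float) -> Optional[Token]:
        """Return the cached token only if it matches this exact scope and is unexpired."""
        token = self._tokens.get((resource, operation, authorizer))
        if token is None or token.expires_at <= now:
            return None
        return token


@dataclass(frozen=True)
class MultipartyPolicy:
    """Access control metadata: every listed authorizer must approve the operation."""
    authorizers: List[str]


# Constructed sample metadata; resources absent from this map are not multiparty controlled.
ACL_METADATA: Dict[str, MultipartyPolicy] = {
    "/finance/payroll.xlsx": MultipartyPolicy(authorizers=["alice", "bob"]),
}


class StubAuthorizerService:
    """Constructed stand-in for contacting real authorizers; records every request made."""

    def __init__(self, decisions: Dict[str, bool], ttl: float = 300.0) -> None:
        self.decisions = decisions  # authorizer name -> approves?
        self.ttl = ttl
        self.requests: List[Tuple[str, str, str, str]] = []

    def __call__(self, authorizer: str, resource: str, operation: str,
                 requester: str, now: float) -> Optional[Token]:
        self.requests.append((authorizer, resource, operation, requester))
        if not self.decisions.get(authorizer, False):
            return None  # authorizer declined or is unknown
        return Token(authorizer, resource, operation, now + self.ttl)


def authorize(resource: str, operation: str, requester: str, cache: TokenCache,
              acl: Dict[str, MultipartyPolicy], request_authorization,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether `requester` may perform `operation` on `resource`.

    Mirrors the claimed flow: no metadata -> allow; metadata present -> require a
    valid cached token from each authorizer, contacting only the ones still missing.
    """
    now = time.time() if now is None else now
    policy = acl.get(resource)
    if policy is None:
        return True, "allowed: resource is not multiparty access controlled"

    missing = [a for a in policy.authorizers
               if cache.get_valid(resource, operation, a, now) is None]
    if not missing:
        return True, "allowed: valid tokens present in token cache"

    obtained: List[Token] = []
    for authorizer in missing:
        token = request_authorization(authorizer, resource, operation, requester, now)
        if token is None:
            # Nothing is cached on denial, so a partial set of approvals cannot
            # be reused later to shortcut the authorizer that refused.
            return False, f"denied: authorizer {authorizer!r} did not approve {operation}"
        obtained.append(token)
    for token in obtained:
        cache.put(token)
    return True, "allowed: multiparty authorization obtained and cached"


if __name__ == "__main__":
    cache = TokenCache()
    service = StubAuthorizerService({"alice": True, "bob": True})
    for op in ("read", "read", "delete"):
        print(op, authorize("/finance/payroll.xlsx", op, "carol", cache, ACL_METADATA, service))
    print("authorizer round-trips:", len(service.requests))
```

Two properties worth checking against a real deployment follow directly from the claim language: the cache must be keyed by the full scope (resource, operation, authorizer), and validity must be re-evaluated at every lookup, otherwise a stale approval silently extends the window in which the protected operation is allowed.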
Specification