Network layer claims based access control
First Claim
1. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising:
receiving from the computer a request for one or more requester claims;
providing the one or more requester claims to the computer in a first communication formatted to comply with the network layer security protocol, at least one of the one or more requester claims comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer;
receiving from the network resource a request for one or more resource claims, at least one of the resource claims comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
providing the one or more resource claims to the network resource in a second communication formatted to comply with the network layer security protocol;
receiving a request for an access control policy decision, the request for the access control policy decision providing information included in the one or more requester claims and the one or more resource claims; and
issuing the requested access control policy decision based at least in part on the provided information.
Abstract
Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).
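A minimal policy decision point for the scheme the abstract describes, as an added example that is not part of the patent text or of any product: it evaluates a set of requester claims (device, user, context, connection encryption strength, home-device indicator) against a set of resource claims (business impact, production stage) and returns a grant/deny decision. The attribute names, the numeric strength values and the policy rules are constructed for illustration.

```python
"""Added example: a claims-based access-control decision point.

The claim attribute names, the numeric strength values and the policy
rules below are constructed for illustration; they are not taken from
the patent text and are not a description of any shipped product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequesterClaims:
    # Attributes of the requesting computer, its user and the request context.
    device_id: str
    user: str
    context: str            # e.g. "corp-lan", "vpn", "internet"
    encryption_bits: int    # strength of the protected connection
    home_device: bool       # True when the device is associated with the user's home


@dataclass(frozen=True)
class ResourceClaims:
    business_impact: str    # "high", "medium" or "low"
    production: bool        # True for a production-stage resource


def decide(req: RequesterClaims, res: ResourceClaims) -> tuple[bool, str]:
    """Return (grant, reason). Deny by default: every grant path is explicit."""
    if res.business_impact not in ("high", "medium", "low"):
        return False, "unknown business impact"
    # Minimum connection strength scales with the resource's business impact.
    min_bits = {"high": 256, "medium": 128, "low": 0}[res.business_impact]
    if req.encryption_bits < min_bits:
        return False, f"encryption {req.encryption_bits} < required {min_bits}"
    # High-impact production resources are off limits to home-associated devices.
    if res.business_impact == "high" and res.production and req.home_device:
        return False, "home device may not reach high-impact production resource"
    # Production resources are not reachable from the open internet context.
    if res.production and req.context == "internet":
        return False, "production resource not reachable from internet context"
    return True, "policy satisfied"
```

The reason string is returned alongside the decision so the enforcement point can log why a request was denied.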
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 20
8. At least one computer-storage device having instructions stored thereon comprising:
computer-executable instructions to receive first information associated with a computer requesting access to a network resource and included in a first communication formatted to comply with the network layer security protocol and comprises attributes associated with one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of the user of the computer;
computer-executable instructions to receive second information associated with the network resource and included in a second communication formatted to comply with the network layer security protocol and comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
computer-executable instructions to issue a decision to either grant or deny access by the computer to the network resource based at least in part on the first information and the second information.
Dependent claims: 9, 10, 11, 12
13. A system, comprising:
a processing system comprising one or more processors, wherein the one or more processors are coupled to memory, configured to:
receive from a computer a first request, included in a first communication formatted to comply with a network layer security protocol, for one or more requester claims, the first request comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer;
receive from the network resource a second request, included in a second communication formatted to comply with a network layer security protocol, for one or more resource claims, the second communication comprises attributes associated with at least whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
receive a third request, included in a third communication formatted to comply with a network layer security protocol, for an access control policy decision, the third request providing information included in the one or more requester claims and the one or more resource claims; and
issue the requested access control policy decision by the computer to the network resource based at least in part on the provided information.
Dependent claims: 14, 15, 16, 17, 18
19. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising:
receiving, from the computer, a request for first information associated with the computer;
providing the first information to the computer in a first communication formatted to comply with the network layer security protocol, the first information comprises attributes associated with one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of the user of the computer;
receiving from the network resource a request for second information associated with the network resource, the second information comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
providing the first information to the network resource in a second communication formatted to comply with the network layer security protocol;
receiving a request for an access control policy decision, the request for the access control policy decision providing information that is included in the first information and the second information; and
issuing the requested access control policy decision based at least in part on the provided information.