Flexible role based authorization model
Abstract
Systems and methods described herein relate to role-based authorization systems which allow customization of role templates as well as the ability, using roles, for one user to act on behalf of another user.
8 Claims
1. A computer machine system comprising one or more computer machines wherein said computer machine system further comprises:
- at least one computer memory comprising a rights database configured to store:
  - a set of roles, wherein each role is associated with one or more capabilities;
  - a set of user identifiers, wherein each user identifier is associated with:
    - a specific user;
    - one or more roles from said set of roles; and
    - one or more capabilities from each of said roles;
- at least one policy decision point configured to authorize a service request received from a policy enforcement point, wherein:
  - said policy decision point determines if a first set of capabilities allocated to a first role, wherein said first role is specified in a request header associated with said service request, matches a set of required privileges necessary to perform said service request;
  - said request header comprises said first role and a second role, wherein said first role is assigned to a first user and said second role is assigned to a second user, and wherein said second user is acting on behalf of said first user;
  - said policy decision point determines if a second set of capabilities allocated to the first user, wherein said first user is specified in said request header, acting as said first role matches said set of required privileges necessary to perform said service request; and
  - said policy decision point determines if a third set of capabilities, assigned to said second role and associated with said second user, matches said set of required privileges necessary for said second user to perform said service request on behalf of said first user in said first role.

Dependent claims: 2, 3, 4

5. A computer machine implemented authorization process comprising:
- receiving a service request at a policy enforcement point computer machine, from an application, comprising a first request header identifying:
  - a first user and a first role, wherein a first set of capabilities associated with said first user are a subset of a second set of capabilities associated with said first role, and
  - a second user and a second role, wherein the second role corresponds to a selected capacity in which the second user is acting;
- sending an authorization request to a policy decision point further comprising a second request header identifying:
  - said first user and said first role, and
  - said second user and said second role;
- receiving, from said policy decision point, an authorization or a denial to perform one or more aspects of said service request wherein said service request may only be granted for a specific set of capabilities defined in a computer memory for both said first user and said first role; and
- receiving, from said policy decision point, an authorization or denial to perform one or more aspects of said service request wherein said service request may only be granted for a specific set of capabilities defined in a computer memory for some combination of said first and second users and said first and second roles, wherein said second user is acting on behalf of said first user in said first role.

Dependent claims: 6, 7, 8

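The policy decision point logic that claims 1 and 5 describe, as an added illustration that is not code from the patent: a role template, a per-user subset of that template, and a third check for a second user acting on behalf of the first. The role names, user names and capability strings below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Rights database in the shape the claims describe: roles map to capability
# sets, and each user holds one or more roles with a per-role capability set
# that is a subset of the role template. All sample data is constructed.
ROLES = {
    "clerk": {"read_record", "update_record"},
    "auditor": {"read_record", "read_audit_log"},
    "delegate": {"read_record", "update_record"},
}
USERS = {
    "alice": {"clerk": {"read_record", "update_record"}},
    "bob": {"clerk": {"read_record"}},              # narrowed role template
    "carol": {"delegate": {"read_record"}},         # may act for others
}

@dataclass
class RequestHeader:
    user: str                             # first user
    role: str                             # first role
    on_behalf_user: Optional[str] = None  # second user, acting for `user`
    on_behalf_role: Optional[str] = None  # second role (acting capacity)

def user_caps(user, role):
    """Capabilities a user holds in a role, or None if the role is not assigned.
    Clamped to the role template so a user can never exceed the role."""
    assigned = USERS.get(user, {}).get(role)
    return None if assigned is None else assigned & ROLES.get(role, set())

def decide(header, required):
    """Policy decision point: apply the three checks from claim 1 in order."""
    required = set(required)
    # 1. The first role's own capabilities must cover the required privileges.
    if not required <= ROLES.get(header.role, set()):
        return False, "role lacks required capabilities"
    # 2. The first user's capabilities *in that role* must cover them too.
    caps = user_caps(header.user, header.role)
    if caps is None or not required <= caps:
        return False, "user lacks required capabilities in role"
    # 3. When a second user acts on behalf of the first, that user's
    #    capabilities in the second role must cover the request as well.
    if header.on_behalf_user is not None:
        dcaps = user_caps(header.on_behalf_user, header.on_behalf_role)
        if dcaps is None or not required <= dcaps:
            return False, "acting user lacks required capabilities"
    return True, "granted"
```

A request is denied as soon as any of the three checks fails, so a delegate can never obtain more than the narrower of the first user's and their own capability sets.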
Specification