Obligation enforcement for resource access control

US 9,491,198 B2
Filed: 07/10/2014
Issued: 11/08/2016
Est. Priority Date: 07/10/2014
Status: Active Grant

First Claim

Patent Images

1. A system including instructions recorded on a non-transitory computer-readable medium, and executable by at least one processor, the system comprising:

a request handler configured to cause the at least one processor to receive an enforcement request for enforcement of an obligation required by an access control policy of an access control engine as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;

an obligation enforcer configured to cause the at least one processor to enforce the obligation at the client system, based on the enforcement request, and including obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the client system; and

a compliance manager configured to cause the at least one processor toobtain the proof of the enforcement of the obligation from the obligation enforcer,provide the proof of the enforcement to a trusted third-party obligation certification service,obtain a certification of execution of the obligation from the trusted third-party obligation certification service, andprovide the certification to the access control engine as a basis for granting a second resource access request for access to a second network resource by the client system, and in accordance with the access control policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. n obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.

20 Citations

16 Claims

1. A system including instructions recorded on a non-transitory computer-readable medium, and executable by at least one processor, the system comprising:
- a request handler configured to cause the at least one processor to receive an enforcement request for enforcement of an obligation required by an access control policy of an access control engine as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;
  
  an obligation enforcer configured to cause the at least one processor to enforce the obligation at the client system, based on the enforcement request, and including obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the client system; and
  
  a compliance manager configured to cause the at least one processor toobtain the proof of the enforcement of the obligation from the obligation enforcer,provide the proof of the enforcement to a trusted third-party obligation certification service,obtain a certification of execution of the obligation from the trusted third-party obligation certification service, andprovide the certification to the access control engine as a basis for granting a second resource access request for access to a second network resource by the client system, and in accordance with the access control policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the request handler is further configured to cause the at least one processor to receive the enforcement request from the access control engine having authority to grant or deny the first resource access request and the second resource access request.
  - 3. The system of claim 1, wherein the obligation enforcer is further configured to cause the at least one processor to perform, based on the permission, monitoring of the client system from which the first resource access request and the second resource access request are received, and determine that the client system has complied with the obligation, based on the monitoring.
  - 4. The system of claim 1, wherein the obligation enforcer is further configured to cause the at least one processor to access, based on the permission, the client system from which the first resource access request and the second resource access request are received, and execute the obligation on the client system, using the access.
  - 5. The system of claim 1, wherein the obligation enforcer is further configured to cause the at least one processor to perform, based on the permission, monitoring of the client system from which the first resource access request is received, detect a trigger event defined as triggering the obligation, and cause the action complying with and fulfilling the obligation, based on the trigger event.
  - 6. The system of claim 1, wherein the certification is implemented using a token-based signature scheme managed by the trusted third-party obligation certification service.

7. A computer-implemented method for executing instructions stored on a non-transitory computer readable storage medium, the method comprising:
- providing, by at least one processor, an enforcement request for enforcement of an obligation required by an access control policy as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;
  
  obtaining, by the at least one processor, a certification of execution of the obligation from a trusted third-party obligation certification service, the certification based on enforcing the obligation at the client system based on the enforcement request, and obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action obtained through the permission to access the client system; and
  
  executing, by the at least one processor, an access control decision with respect to a second resource access request for access to a second network resource by the client system, based on the certification and in accordance with the access control policy.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the obtaining the certification comprises:
    - performing, based on the permission, monitoring of the client system from which the first resource access request and the second resource access request are received; and
      
      determining that the client system has complied with the obligation, based on the monitoring.
  - 9. The method of claim 7, wherein the obtaining the certification comprises:
    - accessing, based on the permission, the client system from which the first resource access request and the second resource access request are received; and
      
      executing the obligation on the client system, using the access.
  - 10. The method of claim 7, wherein the obtaining the certification comprises:
    - performing, based on the permission, monitoring of the client system from which the first resource access request is received;
      
      detecting a trigger event defined as triggering the obligation; and
      
      causing the action complying with and fulfilling the obligation, based on the trigger event.
  - 11. The method of claim 7, wherein the certification is implemented using a token-based signature scheme managed by the trusted third-party obligation certification service.

12. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable storage medium and comprising instructions that, when executed, are configured to cause at least one processor to:
- receive an enforcement request for enforcement of an obligation required by an access control policy as a condition for a previously-granted first resource access request for access to a first network resource by at least one client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the at least one client system, wherein the enforcement request is associated with permission to access the at least one client system;
  
  enforce the obligation at the at least one client system, based on the enforcement request, and including obtaining data from the at least one client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the at least one client system;
  
  provide the proof of enforcement of the obligation to a trusted third-party obligation certification service;
  
  obtain a certification of execution of the obligation from the trusted third-party obligation certification service; and
  
  provide the certification as a basis for granting a second resource access request for access to a second network resource by the at least one client system, and in accordance with the access control policy.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer program product of claim 12, wherein the instructions, when executed, are further configured to cause the at least one processor to:
    - perform, based on the permission, monitoring of the at least one client system; and
      
      determine that the client system has complied with the obligation, based on the monitoring.
  - 14. The computer program product of claim 12, wherein the instructions, when executed, are further configured to cause the at least one processor to:
    - access the at least one client system, based on the permission; and
      
      execute the obligation on the client system, using the access.
  - 15. The computer program product of claim 12, wherein the instructions, when executed, are further configured to cause the at least one processor to:
    - perform, based on the permission, monitoring of the at least one client system from which the first resource access request is received;
      
      detect a trigger event defined as triggering the obligation; and
      
      cause the action complying with and fulfilling the obligation, based on the trigger event.
  - 16. The computer program product of claim 12, wherein the certification is implemented using a token-based signature scheme managed by the trusted third-party obligation certification service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Gomez, Laurent, Trabelsi, Slim
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US14/328,505
Publication Number

US 20160014157A1
Time in Patent Office

852 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Obligation enforcement for resource access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Obligation enforcement for resource access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links