Obligation enforcement for resource access control
First Claim
1. A system including instructions recorded on a non-transitory computer-readable medium, and executable by at least one processor, the system comprising:
a request handler configured to cause the at least one processor to receive an enforcement request for enforcement of an obligation required by an access control policy of an access control engine as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;
an obligation enforcer configured to cause the at least one processor to enforce the obligation at the client system, based on the enforcement request, and including obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the client system; and
a compliance manager configured to cause the at least one processor to obtain the proof of the enforcement of the obligation from the obligation enforcer, provide the proof of the enforcement to a trusted third-party obligation certification service, obtain a certification of execution of the obligation from the trusted third-party obligation certification service, and provide the certification to the access control engine as a basis for granting a second resource access request for access to a second network resource by the client system, and in accordance with the access control policy.
2 Assignments
0 Petitions
Abstract
A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. An obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.
20 Citations
16 Claims
1. A system including instructions recorded on a non-transitory computer-readable medium, and executable by at least one processor, the system comprising:
a request handler configured to cause the at least one processor to receive an enforcement request for enforcement of an obligation required by an access control policy of an access control engine as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;
an obligation enforcer configured to cause the at least one processor to enforce the obligation at the client system, based on the enforcement request, and including obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the client system; and
a compliance manager configured to cause the at least one processor to obtain the proof of the enforcement of the obligation from the obligation enforcer, provide the proof of the enforcement to a trusted third-party obligation certification service, obtain a certification of execution of the obligation from the trusted third-party obligation certification service, and provide the certification to the access control engine as a basis for granting a second resource access request for access to a second network resource by the client system, and in accordance with the access control policy.
Dependent claims: 2, 3, 4, 5, 6

7. A computer-implemented method for executing instructions stored on a non-transitory computer readable storage medium, the method comprising:
providing, by at least one processor, an enforcement request for enforcement of an obligation required by an access control policy as a condition for a previously-granted first resource access request for access to a first network resource by a client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the client system, wherein the enforcement request is associated with permission to access the client system;
obtaining, by the at least one processor, a certification of execution of the obligation from a trusted third-party obligation certification service, the certification based on enforcing the obligation at the client system based on the enforcement request, and obtaining data from the client system as proof of enforcement of the obligation associated with the at least one action obtained through the permission to access the client system; and
executing, by the at least one processor, an access control decision with respect to a second resource access request for access to a second network resource by the client system, based on the certification and in accordance with the access control policy.
Dependent claims: 8, 9, 10, 11

12. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable storage medium and comprising instructions that, when executed, are configured to cause at least one processor to:
receive an enforcement request for enforcement of an obligation required by an access control policy as a condition for a previously-granted first resource access request for access to a first network resource by at least one client system, the obligation mandating at least one of a requirement for, or prohibition of, at least one action by the at least one client system, wherein the enforcement request is associated with permission to access the at least one client system;
enforce the obligation at the at least one client system, based on the enforcement request, and including obtaining data from the at least one client system as proof of enforcement of the obligation associated with the at least one action through the permission to access the at least one client system;
provide the proof of enforcement of the obligation to a trusted third-party obligation certification service;
obtain a certification of execution of the obligation from the trusted third-party obligation certification service; and
provide the certification as a basis for granting a second resource access request for access to a second network resource by the at least one client system, and in accordance with the access control policy.
Dependent claims: 13, 14, 15, 16
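The exchange claimed above, modelled end to end as an added illustration that is not part of the patent or its specification: an access control engine grants a first resource subject to an obligation, an enforcer carries the obligation out on the client and collects proof, a certification service checks the proof and issues a certification, and the engine accepts that certification before granting a second resource. The policy, the "purge-cache" obligation, the client identifier "client-42", the use of a nonce to bind the certification to the issued obligation, and the shared HMAC key standing in for the certification service's signature are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample policy (an assumption, not from the patent): resource r1 is
# granted subject to an obligation; r2 is granted only once that obligation has
# been certified as executed.
POLICY = {
    "r1": {"allow": {"client-42"}, "obligation": "purge-cache"},
    "r2": {"allow": {"client-42"}, "requires_certified": "purge-cache"},
}

# Hypothetical key of the trusted third-party certification service. An HMAC is
# used here as a stand-in for the service's signature; a real deployment would
# use a public-key signature so the engine can verify but not mint certifications.
CERT_KEY = secrets.token_bytes(32)


def canonical(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AccessControlEngine:
    """Policy decision point: issues obligations and consumes certifications."""

    def __init__(self):
        self.pending = {}   # (client, obligation) -> nonce awaiting certification
        self.used = set()   # nonces already redeemed, to block replay

    def decide_first(self, client, resource):
        rule = POLICY[resource]
        if client not in rule["allow"]:
            return {"granted": False}
        nonce = secrets.token_hex(16)
        self.pending[(client, rule["obligation"])] = nonce
        # The enforcement request: what must happen, on whom, bound to a fresh nonce.
        return {"granted": True, "enforcement_request": {
            "client": client, "obligation": rule["obligation"], "nonce": nonce}}

    def decide_second(self, client, resource, certification):
        rule = POLICY[resource]
        if client not in rule["allow"]:
            return False
        body, tag = certification["body"], certification["tag"]
        expected = hmac.new(CERT_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or tampered certification
        if body["client"] != client or body["obligation"] != rule["requires_certified"]:
            return False                      # certification for another client/obligation
        if body["expires"] < time.time() or body["nonce"] in self.used:
            return False                      # stale or replayed
        if self.pending.get((client, body["obligation"])) != body["nonce"]:
            return False                      # not an obligation this engine issued
        self.used.add(body["nonce"])
        del self.pending[(client, body["obligation"])]
        return True


def enforce_obligation(request, client_state):
    """Obligation enforcer: acts on the client through its access permission and
    returns evidence. Here 'purge-cache' means emptying the client's cache list."""
    if request["obligation"] != "purge-cache":
        raise ValueError("unknown obligation")
    purged = list(client_state["cache"])
    client_state["cache"].clear()
    return {"nonce": request["nonce"], "client": request["client"],
            "obligation": request["obligation"], "purged": purged,
            "state_digest": hashlib.sha256(canonical(client_state)).hexdigest()}


def certify(proof, request, ttl=300):
    """Certification service: checks the proof against the enforcement request
    and issues a keyed certification of execution, or None if it does not hold."""
    if proof["nonce"] != request["nonce"] or proof["client"] != request["client"]:
        return None
    # The proof must show the obligated end state (an empty cache) was reached.
    if proof["state_digest"] != hashlib.sha256(canonical({"cache": []})).hexdigest():
        return None
    body = {"client": proof["client"], "obligation": proof["obligation"],
            "nonce": proof["nonce"], "expires": int(time.time()) + ttl}
    return {"body": body,
            "tag": hmac.new(CERT_KEY, canonical(body), hashlib.sha256).hexdigest()}


def run_flow(client="client-42"):
    """Whole exchange: first grant with obligation, enforcement, certification,
    second grant, and a replay of the same certification that must fail."""
    engine = AccessControlEngine()
    client_state = {"cache": ["/tmp/a.bin", "/tmp/b.bin"]}   # constructed client state
    first = engine.decide_first(client, "r1")
    proof = enforce_obligation(first["enforcement_request"], client_state)
    cert = certify(proof, first["enforcement_request"])
    second = engine.decide_second(client, "r2", cert)
    replay = engine.decide_second(client, "r2", cert)
    return {"first": first["granted"], "second": second, "replay": replay,
            "purged": proof["purged"], "cert": cert, "engine": engine}
```

The checks in decide_second are the ones the engine has to perform before it relies on a certification as the basis for the second grant: the tag verifies, the body is bound to the same client and obligation the policy names, the certification has not expired, and the nonce is one the engine itself issued and has not yet redeemed. Without the nonce binding and single-use check, a certification obtained once could be replayed for every later request, or transferred to a client that never executed the obligation.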
Specification