Substitution of requests or results in access control systems
Abstract
Approaches are described for allowing an access control policy to specify that a substitute operation be executed when a request for access matches certain conditions specified in the access control policy (e.g., when the identity of the requestor matches a specified identity in the policy). For example, the access control policy may specify that a substitute result should be provided to a requestor in response to a request for access, or that a substitute request should be executed instead of the received request and the results of the substitute request provided to the requestor in response to the request. The substitute result or the result of the substitute request may appear to the requestor as though their original request for access succeeded, but the content of the result may be different than what would have been generated if the access control policy allowed the request to proceed.
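A minimal sketch of the evaluation flow the abstract describes, added here as an illustration and not taken from the patent or from any product: one policy swaps in a narrower request, another returns a fixed result, and the status given to the client is the same in every branch. All names (`Request`, `Policy`, `evaluate`, `only_public`, the `contractor` and `scanner` principals) and the sample records are constructed; the server-side `audit` list is an added assumption so that an operator can tell which branch ran.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample store; execute() with no filter yields the "unfiltered result".
RECORDS = [
    {"id": 1, "classification": "public", "body": "release notes"},
    {"id": 2, "classification": "restricted", "body": "incident report"},
    {"id": 3, "classification": "restricted", "body": "key rotation plan"},
]

@dataclass
class Request:
    principal: str
    action: str
    filters: dict

@dataclass
class Policy:
    condition: Callable[[Request], bool]
    substitute_result: Optional[list] = None  # fixed result returned as-is
    substitute_request: Optional[Callable[[Request], Request]] = None  # rewrite hook

def execute(req: Request) -> list:
    """Backend: return records matching every equality filter in the request."""
    return [r for r in RECORDS if all(r.get(k) == v for k, v in req.filters.items())]

def evaluate(policies: list, req: Request, audit: list) -> tuple:
    """Return (status, result); status is reported separately from the result."""
    for p in policies:
        if not p.condition(req):
            continue
        if p.substitute_result is not None:
            audit.append((req.principal, "substitute_result"))
            return "OK", p.substitute_result
        if p.substitute_request is not None:
            audit.append((req.principal, "substitute_request"))
            return "OK", execute(p.substitute_request(req))
    audit.append((req.principal, "passthrough"))  # no policy matched
    return "OK", execute(req)

def only_public(req: Request) -> Request:
    """Substitute request: same call, narrowed to public records."""
    return Request(req.principal, req.action, {**req.filters, "classification": "public"})

POLICIES = [
    Policy(lambda r: r.principal == "contractor", substitute_request=only_public),
    Policy(lambda r: r.principal == "scanner", substitute_result=[RECORDS[0]]),
]
```

Because the client sees `"OK"` on every path, the audit entries are the only place where a substituted response can be told apart from a passthrough.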
20 Claims
1. A computer implemented method for managing access to data resources, the method comprising:
- receiving a user-defined access control policy for managing access to one or more data resources, the user-defined access control policy specifying one or more conditions and one of: a substitution result or a substitution request to be applied when the one or more conditions are satisfied;
- receiving, from a client, an application programming interface (API) request to access the one or more data resources, the request being associated with an unfiltered result including all available information; and
- evaluating the user-defined access control policy by a policy evaluation engine to determine whether the API request satisfies the one or more conditions specified in the user-defined access control policy;
- wherein, in response to determining that the API request satisfies the one or more conditions, the policy evaluation engine is configured to:
  - cause the substitution result specified in the user-defined access control policy to be returned to the client in response to the API request, the substitution result comprising a filtered subset of the unfiltered result, or
  - cause the substitution request, specified in the user-defined access control policy, to be executed instead of the API request and a result of the substitution request to be returned to the client in response to the API request, the result of the substitution request comprising a filtered subset of the unfiltered result; and
  - return, separate from the filtered subset, an indication to the client in response to the API request, indicating that the API request has completed successfully with all unfiltered information pertinent to the API request.

(Dependent claims: 2)
3. A computer implemented method, comprising:
- obtaining an access control policy specifying one or more conditions and one of: a substitution result or a substitution request to be applied when the one or more conditions are satisfied;
- receiving, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
- evaluating the access control policy to determine whether the request satisfies the one or more conditions specified in the access control policy;
- in response to determining that the request satisfies the one or more conditions specified in the access control policy, performing one of:
  - causing the substitution result specified in the access control policy to be returned to the client in response to the request, the substitution result comprising a filtered subset of the unfiltered result; or
  - causing the substitution request specified in the access control policy to be executed instead of the request, the result of the substitution request comprising a filtered subset of the unfiltered result; and
- returning an indication to the client, separate from the filtered subset, that the request was executed successfully with all unfiltered information pertinent to the request.

(Dependent claims: 4, 5, 6, 7, 8, 9, 10)
11. A computing device, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the computing device to:
  - obtain an access control policy specifying an identity and a substitute operation;
  - receive, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
  - determine an identity of the client;
  - evaluate the access control policy to determine whether the identity of the client matches the identity specified in the access control policy;
  - in response to determining that the identity of the client matches the identity specified in the access control policy, execute the substitute operation specified in the access control policy, a result of the substitute operation comprising a filtered subset of the unfiltered result; and
  - provide to the client an indication, separate from the filtered subset, indicating that the request was executed successfully with all unfiltered information pertinent to the request.

(Dependent claims: 12, 13, 14, 15)
16. A non-transitory computer readable storage medium storing one or more sequences of instructions executed by one or more processors to:
- obtain an access control policy specifying an identity and a substitute operation;
- receive, from a client, a request to access one or more resources, the request being associated with an unfiltered result including all available information;
- determine an identity of the client;
- evaluate the access control policy to determine whether the identity of the client matches the identity specified in the access control policy;
- in response to determining that the identity of the client matches the identity specified in the access control policy, execute the substitute operation specified in the access control policy, a result of the substitute operation comprising a filtered subset of the unfiltered result; and
- provide to the client an indication, separate from the filtered subset, indicating that the request was executed successfully with all unfiltered information pertinent to the request.

(Dependent claims: 17, 18, 19, 20)
Specification