Accessing a computer resource using an access control model and policy
Abstract
In one embodiment disclosed herein is a method of processing a request made by a terminal of a user to access a resource made available to a client entity by a platform of a cloud computer service supplier. The method is performed by a server situated between the terminal and the platform utilizing distinct instructions for each client entity. The method comprises verifying that the user is authorized to access the computer resource via the terminal by applying to the user and to the resource an access control model and an access control policy corresponding to the model.
25 Claims
1. A processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities, to a computer resource selected from a set of computer resources made available to the client entity by a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by a server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server:

authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;

verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and

if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;

or else rejecting the access request.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14.
11. A computer having stored thereon instructions, which when executed by said computer, cause a service provider platform to perform a supply method for supplying access to a computer resource made available to a client entity by said service provider platform, wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, said supply method comprising:

receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity made to said computer resource and resulting from executing an access request processing method, said server being situated between the terminal and the platform;

authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform, comprising: decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and decrypting the second authentication data with the help of a said second encryption key held by the platform; and

supplying the computer resource to the terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;

wherein said access request processing method is a processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, to said computer resource selected from a set of computer resources made available to the client entity by said platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by said server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server: authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server; verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; or else rejecting the access request;

wherein said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server; the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request or from an identifier of the user with the help of a said first encryption key held by the terminal; and the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server; and

wherein said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform; the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request or from an identifier of said client entity with the help of a said second encryption key held by the terminal; and the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
12. A non-transitory computer readable data medium having stored thereon a computer program including instructions which when executed by a computer, cause a service provider platform to perform a supply method for supplying access to a computer resource made available to a client entity by said service provider platform, wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, said supply method comprising:

receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity made to said computer resource and resulting from executing an access request processing method, said server being situated between the terminal and the platform;

authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform, comprising: decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and decrypting the second authentication data with the help of a said second encryption key held by the platform; and

supplying the computer resource to the terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;

wherein said access request processing method is a processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, to said computer resource selected from a set of computer resources made available to the client entity by said platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by said server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server: authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server; verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; or else rejecting the access request;

wherein said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server; the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request or from an identifier of the user with the help of a said first encryption key held by the terminal; and the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server; and

wherein said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform; the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request or from an identifier of said client entity with the help of a said second encryption key held by the terminal; and the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
15. A computer having stored thereon instructions, which when executed by said computer, cause a server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, to perform a processing method for processing an access request from said terminal of said user to a computer resource selected from a set of computer resources made available to said client entity by said platform of a cloud computer service supplier, said processing method comprising, on the access request being received by the server:

authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;

verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and

if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;

or else rejecting the access request.

Dependent claims: 16, 17.
18. A non-transitory computer readable data medium having stored thereon a computer program including instructions which, when executed by a computer, cause a server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, to perform a processing method for processing an access request from said terminal of said user to a computer resource selected from a set of computer resources made available to said client entity by said platform of a cloud computer service supplier, said processing method comprising, on the access request being received by the server:

authenticating said user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;

verifying that said user is authorized to access said computer resource selected from a set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and

if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;

or else rejecting the access request.
19. A server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources selected from a set of computer resources, said server comprising a processor configured to execute instructions which cause said server to authenticate and authorize said client entity, wherein said instructions, when executed by said processor, cause said server to:

authenticate said user who is one of a plurality of users attached to a client entity which is one of said plurality of client entities on receiving a request from said terminal to access a computer resource made available to said client entity, said authentication using at least a first authentication parameter for authenticating the user with the server;

verify that said user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity;

if the user is authorized to access said computer resource, send to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; and

reject the access request if the user is not authorized to access said computer resource.

Dependent claims: 20, 21, 22, 23, 24.
25. A platform of a computer service supplier making computer resources available to at least one client entity, wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, the platform comprising a processor configured to execute instructions which cause said platform to:

perform a validation process comprising: receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity requesting access to a said computer resource made available to said client entity, said server being situated between the terminal and the platform; and

perform an authentication process comprising: decrypting third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and decrypting second authentication data with the help of a said second encryption key held by the platform; and

supply said computer resource to said terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;

wherein said server is situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier for making a computer resource selected from a set of computer resources available to at least one client entity which is one of said plurality of client entities, said server comprising a processor configured to execute instructions which cause said server to authenticate and authorize said client entity, wherein said instructions, when executed by said processor, cause said server to: authenticate said user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, on receiving a request from said terminal to access said computer resource selected from said set of computer resources, said authentication using at least a first authentication parameter for authenticating the user with the server; verify that said user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; if the user is authorized to access said computer resource, send to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform, wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; and reject the access request if the user is not authorized to access said computer resource; and

wherein for each client entity requesting authentication and authorization by said server: said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server or a private and public key pair held respectively by the terminal and by the server; said at least one second authentication parameter for authenticating the client entity comprises at least one second encryption key comprising a secret key held by the terminal and by the platform or a private and public key pair held respectively by the terminal and by the platform; the access request from the terminal includes first authentication data generated from at least a portion of the access request or an identifier of the user with the help of a said first encryption key held by the terminal, and second authentication data generated from at least a portion of the access request or an identifier of the client entity with the help of a second encryption key held by the terminal; the first authentication data is decrypted with the help of a said first encryption key held by the server; and the derived request includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
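The three-party flow the claims describe (terminal, intermediary server, cloud platform), as an added example that is not code from the patent or its assignee. The terminal sends a request carrying first authentication data (made with the key it shares with the server) and second authentication data (made with the key it shares with the platform); the server authenticates the user against that client entity's own configuration, applies the access control model and policy that client entity supplied (one RBAC tenant and one ABAC tenant here), and only if authorized forwards a derived request carrying the untouched second authentication data plus third authentication data made with the server's own key; the platform checks the third and then the second authentication data before supplying the resource. The claims' "encrypting" and "decrypting" of the authentication data is rendered with HMAC-SHA256 over the shared-secret-key variant the claims allow, so each receiver recomputes and compares rather than decrypts. Tenant names, keys, users, resources and policies are constructed sample data.

```python
"""Terminal -> server -> platform access flow with first/second/third
authentication data. Added example; not the patent's own code. HMAC stands in
for the claims' encrypt/decrypt of authentication data (assumption)."""
import hashlib
import hmac
import json


def mac(key: bytes, data: bytes) -> str:
    """Authentication data: HMAC-SHA256 over data, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def canonical(msg: dict) -> bytes:
    """The portion of the request covered by the first and second authentication data."""
    return json.dumps({k: msg[k] for k in ("tenant", "user", "resource")}, sort_keys=True).encode()


# Constructed per-client-entity configuration held by the server (sample data).
# key1 = first authentication parameter (terminal<->server);
# key3 = third encryption key (server<->platform). Model and policy come from the tenant.
TENANTS = {
    "acme": {
        "key1": b"acme-key1", "key3": b"acme-key3",
        "model": "rbac",
        "policy": {"roles": {"alice": ["admin"], "bob": ["viewer"]},
                   "grants": {"admin": {"vm-1", "bucket-1"}, "viewer": {"bucket-1"}}},
    },
    "globex": {
        "key1": b"globex-key1", "key3": b"globex-key3",
        "model": "abac",
        "policy": {"attrs": {"carol": {"dept": "finance"}, "dave": {"dept": "sales"}},
                   "rules": [{"when": {"dept": "finance"}, "allow": {"ledger-db"}}]},
    },
}
# Constructed platform-side state: key2 = second authentication parameter
# (terminal<->platform), which the server never holds, plus the key matching key3.
PLATFORM = {
    "acme":   {"key2": b"acme-key2",   "key3": b"acme-key3",   "resources": {"vm-1", "bucket-1"}},
    "globex": {"key2": b"globex-key2", "key3": b"globex-key3", "resources": {"ledger-db"}},
}


def terminal_request(tenant, user, resource, key1, key2):
    """Terminal builds the access request with first and second authentication data."""
    req = {"tenant": tenant, "user": user, "resource": resource}
    req["auth1"] = mac(key1, canonical(req))  # authenticates the user to the server
    req["auth2"] = mac(key2, canonical(req))  # authenticates the client entity to the platform
    return req


def authorized(cfg, user, resource):
    """Apply the client entity's own access control model and policy."""
    p = cfg["policy"]
    if cfg["model"] == "rbac":
        return any(resource in p["grants"].get(r, set()) for r in p["roles"].get(user, []))
    if cfg["model"] == "abac":
        attrs = p["attrs"].get(user, {})
        return any(resource in rule["allow"] and all(attrs.get(k) == v for k, v in rule["when"].items())
                   for rule in p["rules"])
    return False  # unknown model: fail closed


def server_process(req):
    """Server step: authenticate the user, authorize, then derive the platform request."""
    cfg = TENANTS.get(req.get("tenant"))
    if cfg is None:
        return "reject", "unknown client entity"
    if not hmac.compare_digest(mac(cfg["key1"], canonical(req)), req["auth1"]):
        return "reject", "user authentication failed"
    if not authorized(cfg, req["user"], req["resource"]):
        return "reject", "policy denies"
    derived = {k: req[k] for k in ("tenant", "user", "resource", "auth2")}
    # Third authentication data binds the forwarded fields and auth2 to this server.
    derived["auth3"] = mac(cfg["key3"], canonical(derived) + derived["auth2"].encode())
    return "forward", derived


def platform_supply(derived):
    """Platform step: check auth3 (server), then auth2 (client entity), then supply."""
    keys = PLATFORM.get(derived.get("tenant"))
    if keys is None:
        return "deny", "unknown client entity"
    expected3 = mac(keys["key3"], canonical(derived) + derived["auth2"].encode())
    if not hmac.compare_digest(expected3, derived["auth3"]):
        return "deny", "server authentication failed"
    if not hmac.compare_digest(mac(keys["key2"], canonical(derived)), derived["auth2"]):
        return "deny", "client entity authentication failed"
    if derived["resource"] not in keys["resources"]:
        return "deny", "resource not in client entity's set"
    return "supply", derived["resource"]


def request_access(tenant, user, resource, key1, key2):
    """End to end: terminal -> server -> platform. Returns (outcome, detail)."""
    outcome, payload = server_process(terminal_request(tenant, user, resource, key1, key2))
    return (outcome, payload) if outcome == "reject" else platform_supply(payload)


if __name__ == "__main__":
    print(request_access("acme", "alice", "vm-1", b"acme-key1", b"acme-key2"))
    print(request_access("acme", "bob", "vm-1", b"acme-key1", b"acme-key2"))
    print(request_access("globex", "alice", "ledger-db", b"acme-key1", b"acme-key2"))
```

Three properties of the claimed arrangement fall out of running it: a terminal provisioned for one client entity cannot authenticate as another, because the server checks the first authentication data with that other entity's distinct key; the server cannot manufacture the second authentication data, since it never holds the terminal-to-platform key, so a compromised intermediary cannot invent client-entity requests; and a derived request altered in transit fails the platform's third-authentication-data check because that value covers the forwarded fields. A production deployment would use the key-pair variant the claims also allow and add a nonce or timestamp to the covered portion of the request, which this example omits, to stop replay of a captured request.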
Specification