Accessing a computer resource using an access control model and policy

US 9,729,531 B2
Filed: 06/24/2014
Issued: 08/08/2017
Est. Priority Date: 06/25/2013
Status: Active Grant

First Claim

Patent Images

1. A processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities, to a computer resource selected from a set of computer resources made available to the client entity by a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by a server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server:

authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;

verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and

if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;

orelse rejecting the access request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment disclosed herein is a method of processing a request made by a terminal of a user to access a resource made available to a client entity by a platform of a cloud computer service supplier. The method is performed by a server situated between the terminal and the platform utilizing distinct instructions for each client entity. The method comprises verifying that the user is authorized to access the computer resource via the terminal by applying to the user and to the resource an access control model and an access control policy corresponding to the model.

Citations

25 Claims

1. A processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities, to a computer resource selected from a set of computer resources made available to the client entity by a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by a server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server:
- authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;
  
  orelse rejecting the access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14)
- - 2. A processing method according to claim 1, wherein the verification process further comprises obtaining information about the availability of the computer resource coming from the platform.
  - 3. A processing method according to claim 1, wherein:
    - said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server;
      
      the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request or from an identifier of the user with the help of a said first encryption key held by the terminal; and
      
      the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server.
  - 4. A processing method according to claim 3, wherein:
    - said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform;
      
      the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request or from an identifier of said client entity with the help of a said second encryption key held by the terminal; and
      
      the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
  - 5. A processing method according to claim 4, wherein:
    - said second authentication data is incorporated in said third authentication data;
      
      orsaid third authentication data is generated with the help of said third encryption key from said at least one portion of the access request or from the identifier used to generate said second authentication data.
  - 6. A processing method according to claim 3, wherein said first authentication data comprises or is digital signatures.
  - 7. A supply method for supplying access to a computer resource made available to a client entity by a platform of a cloud computer service supplier, wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, said method being performed by said service supplier platform and comprising:
    - receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity made to said computer resource and resulting from executing the access request processing method according to claim 5, said server being situated between the terminal and the platform;
      
      authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform and comprising;
      
      decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
      
      decrypting the second authentication data with the help of a said second encryption key held by the platform; and
      
      supplying the computer resource to the terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources.
  - 8. A supply method according to claim 7, further comprising, before the process of supplying the computer resource to the terminal, verifying that the client entity is authorized to access said computer resource.
  - 9. A processing method according to claim 1, wherein:
    - said at least one second authentication parameter comprises at least a second encryption key comprising a secret key held by the server and by the platform, or a private and public key pair held respectively by the server and by the platform; and
      
      the request derived from the access request from the terminal includes second authentication data for authenticating the entity with the platform as generated from at least a portion of the access request or of an identifier of the client entity with the help of a said second encryption key held by the server.
  - 10. A processing method according to claim 1, wherein the request derived from the access request from the terminal further includes information representative of the user authentication and verification processes being successful.
  - 13. The method of claim 1, wherein a distinct access control model is utilized for each client entity.
  - 14. The method of claim 13 wherein said distinct access control models are RBAC or OrBAC.

11. A computer having stored thereon instructions, which when executed by said computer, cause a service provider platform to perform a supply method for supplying access to a computer resource made available to a client entity by said service provider platform, wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, said supply method comprising:
- receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity made to said computer resource and resulting from executing an access request processing method, said server being situated between the terminal and the platform;
  
  authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform and comprising;
  
  decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
  
  decrypting the second authentication data with the help of a said second encryption key held by the platform; and
  
  supplying the computer resource to the terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;
  
  wherein said access request processing method is a processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, to said computer resource selected from a set of computer resources made available to the client entity by said platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by said server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server;
  
  authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;
  
  orelse rejecting the access request;
  
  wherein said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server;
  
  the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request or from an identifier of the user with the help of a said first encryption key held by the terminal; and
  
  the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server; and
  
  wherein said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform;
  
  the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request or from an identifier of said client entity with the help of a said second encryption key held by the terminal; and
  
  the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.

12. A non-transitory computer readable data medium having stored thereon a computer program including instructions which when executed by a computer, cause a service provider platform to perform a supply method for supplying access to a computer resource made available to a client entity by said service provider platform wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, said supply method comprising:
- receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity made to said computer resource and resulting from executing an access request processing method, said server being situated between the terminal and the platform;
  
  authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform and comprising;
  
  decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
  
  decrypting the second authentication data with the help of a said second encryption key held by the platform; and
  
  supplying the computer resource to the terminal, wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;
  
  wherein said access request processing method is a processing method for processing an access request from a terminal of a user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, to said computer resource selected from a set of computer resources made available to the client entity by said platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources, said method being performed by said server situated between the terminal and the platform, said processing method comprising, on the access request being received by the server;
  
  authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;
  
  orelse rejecting the access request;
  
  wherein said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server;
  
  the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request or from an identifier of the user with the help of a said first encryption key held by the terminal; and
  
  the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server; and
  
  wherein said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform;
  
  the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request or from an identifier of said client entity with the help of a said second encryption key held by the terminal; and
  
  the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.

15. A computer having stored thereon instructions, which when executed by said computer, cause a server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources to perform a processing method for processing an access request from said terminal of said user to a computer resource selected from a set of computer resources made available to said client entity by said platform of a cloud computer service supplier, said processing method comprising, on the access request being received by the server:
- authenticating said user who is one of a plurality of users attached to said client entity which is one of said plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that the user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;
  
  orelse rejecting the access request.
- View Dependent Claims (16, 17)
- - 16. The computer of claim 15, wherein a distinct access control model is utilized for each client entity in said processing method.
  - 17. The computer of claim 16 wherein said distinct access control models are RBAC or OrBAC.

18. A non-transitory computer readable data medium having stored thereon a computer program including instructions which, when executed by a computer, cause a server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources to perform a processing method for processing an access request from said terminal of said user to a computer resource selected from a set of computer resources made available to said client entity by said platform of a cloud computer service supplier, said processing method comprising, on the access request being received by the server:
- authenticating said user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that said user is authorized to access said computer resource selected from a set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities;
  
  orelse rejecting the access request.

19. A server situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier, the cloud computer service supplier providing to a plurality of distinct client entities corresponding distinct sets of resources selected from a set of computer resources, said server comprising a processor configured to execute instructions which cause said server to authenticate and authorize said client entity, wherein said instructions, when executed by said processor cause said server to:
- authenticate said user who is one of a plurality of users attached to a client entity which is one of said plurality of client entities on receiving a request from said terminal to access a computer resource made available to said client entity, said authentication using at least a first authentication parameter for authenticating the user with the server;
  
  verify that said user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity;
  
  if the user is authorized to access said computer resource, send to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; and
  
  reject the access request if the user is not authorized to access said computer resource.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. A server according to claim 19, wherein said access control model used by said verification entity is derived from a metadata file describing elements defining said model and a structure of said elements.
  - 21. A server according to claim 19, wherein said processor is further configured to execute instructions which cause said server to detect a change in said model or said access control policy into a new model or a new access control policy, and to obtain said new model or said new access control policy in order to use it during the verification process.
  - 22. A server according to claim 19, wherein for each client entity:
    - said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server or a private and public key pair held respectively by the terminal and by the server;
      
      said at least one second authentication parameter for authenticating the client entity comprises at least one second encryption key comprising a secret key held by the terminal and by the platform or a private and public key pair held respectively by the terminal and by the platform;
      
      the access request from the terminal includes first authentication data generated from at least a portion of the access request or an identifier of the user with the help of a said first encryption key held by the terminal, and second authentication data generated from at least a portion of the access request or an identifier of the client entity with the help of a second encryption key held by the terminal;
      
      the first authentication data is decrypted with the help of a said first encryption key held by the server; and
      
      the derived request includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
  - 23. A system comprising:
    - a server according to claim 22; and
      
      a platform of a computer service supplier making computer resources available to at least one client entity wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, the platform comprising a processor configured to execute instructions which cause said platform to;
      
      perform a validation process comprising;
      
      receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity requesting access to a said computer resource made available to said client entity, said server being situated between the terminal and the platform; and
      
      perform an authentication process comprising;
      
      decrypting third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
      
      decrypting second authentication data with the help of a said second encryption key held by the platform; and
      
      to supply said computer resource to said terminal wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;
      
      wherein said server is situated between a terminal of a user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities and said platform of a cloud computer service supplier for making a computer resource selected from said set of computer resources available to at least one client entity which is one of said plurality of client entities, said server comprising a processor configured to execute instructions which cause said server to authenticate and authorize said client entity, wherein said instructions, when executed by said processor cause said server to;
      
      authenticate said user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, on receiving a request from said terminal to access said computer resource selected from said set of computer resources, said authentication using at least a first authentication parameter for authenticating the user with the server;
      
      verify that said user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity;
      
      if the user is authorized to access said computer resource, send to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; and
      
      reject the access request if the user is not authorized to access said computer resource; and
      
      wherein for each client entity requesting authentication and authorization by said server;
      
      said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server or a private and public key pair held respectively by the terminal and by the server;
      
      said at least one second authentication parameter for authenticating the client entity comprises at least one second encryption key comprising a secret key held by the terminal and by the platform or a private and public key pair held respectively by the terminal and by the platform;
      
      the access request from the terminal includes first authentication data generated from at least a portion of the access request or an identifier of the user with the help of a said first encryption key held by the terminal, and second authentication data generated from at least a portion of the access request or an identifier of the client entity with the help of a second encryption key held by the terminal;
      
      the first authentication data is decrypted with the help of a said first encryption key held by the server; and
      
      the derived request includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
  - 24. A system comprising:
    - a platform of a cloud computer service supplier making computer resources available to at least one client entity; and
      
      a server according to claim 19, situated between said platform of said service supplier and a terminal from which an access request originates requesting access to a said computer resource made available to said client entity by said platform of the service supplier.

25. A platform of a computer service supplier making computer resources available to at least one client entity wherein said computer resource is selected from a set of computer resources and wherein said client entity is one of a plurality of client entities, the platform comprising a processor configured to execute instructions which cause said platform to:
- perform a validation process comprising;
  
  receiving a request derived by a server from an access request from a terminal of a user who is one of a plurality of users attached to said client entity requesting access to a said computer resource made available to said client entity, said server being situated between the terminal and the platform; and
  
  perform an authentication process comprising;
  
  decrypting third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
  
  decrypting second authentication data with the help of a said second encryption key held by the platform; and
  
  to supply said computer resource to said terminal wherein said cloud computer service supplier provides to said plurality of distinct client entities corresponding distinct sets of resources;
  
  wherein said server is situated between a terminal of a user who is one of a plurality of users attached to a client entity which is one of a plurality of client entities and a platform of a cloud computer service supplier for making a computer resource selected from a set of computer resources available to at least one client entity which is one of said plurality of client entities, said server comprising a processor configured to execute instructions which cause said server to authenticate and authorize said client entity, wherein said instructions, when executed by said processor cause said server to;
  
  authenticate said user who is one of a plurality of users attached to said client entity which is one of a plurality of client entities, on receiving a request from said terminal to access said computer resource selected from said set of computer resources, said authentication using at least a first authentication parameter for authenticating the user with the server;
  
  verify that said user is authorized to access said computer resource selected from said set of computer resources via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are supplied to said server by said client entity;
  
  if the user is authorized to access said computer resource, send to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform wherein said server uses distinct authentication and authorization instructions for each client entity from among said plurality of client entities; and
  
  reject the access request if the user is not authorized to access said computer resource; and
  
  wherein for each client entity requesting authentication and authorization by said server;
  
  said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server or a private and public key pair held respectively by the terminal and by the server;
  
  said at least one second authentication parameter for authenticating the client entity comprises at least one second encryption key comprising a secret key held by the terminal and by the platform or a private and public key pair held respectively by the terminal and by the platform;
  
  the access request from the terminal includes first authentication data generated from at least a portion of the access request or an identifier of the user with the help of a said first encryption key held by the terminal, and second authentication data generated from at least a portion of the access request or an identifier of the client entity with the help of a second encryption key held by the terminal;
  
  the first authentication data is decrypted with the help of a said first encryption key held by the server; and
  
  the derived request includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Qian, Xiangjun, He, Ruan
Primary Examiner(s)
Parsons, Theodore C

Application Number

US14/313,993
Publication Number

US 20140380048A1
Time in Patent Office

1,141 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

Accessing a computer resource using an access control model and policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Accessing a computer resource using an access control model and policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links