System and method for a facet security model

US 9,825,821 B2
Filed: 09/27/2013
Issued: 11/21/2017
Est. Priority Date: 09/27/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to issue a first facet;

identifying an endpoint with a resource for which the first facet is valid;

identifying a set of actions capable of being performed on the resource;

creating the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet;

issuing the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions;

creating a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource;

identifying one or more input parameters for the action request; and

preassembling a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method is provided and includes receiving a request to issue a facet; identifying an endpoint with a resource for which the facet is valid; identifying a set of actions capable of being performed on the resource; creating the facet using the set of actions; and issuing the facet. In other embodiments, the method may include receiving an initial request from an entity for the facet; determining whether the entity has authorization to make the initial request; and request a facet server module to issue the facet. In yet other embodiments, the facet has a condition, and the condition is at least one of a count of use, a time duration, and a periodic time duration. Additionally, in certain cases, determining whether the entity has authorization to make the initial request comprises evaluating validity information against a policy.

Citations

14 Claims

1. A method, comprising:
- receiving a request to issue a first facet;
  
  identifying an endpoint with a resource for which the first facet is valid;
  
  identifying a set of actions capable of being performed on the resource;
  
  creating the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet;
  
  issuing the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions;
  
  creating a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource;
  
  identifying one or more input parameters for the action request; and
  
  preassembling a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving an initial request from the second entity for the second facet;
      
      determining whether the second entity has authorization to make the initial request; and
      
      request a facet server module to issue the second facet.
  - 3. The method of claim 1, further comprising:
    - determining whether the first entity has authorization to make a request for the first facet based on evaluating the first validity information against a policy.
  - 4. The method of claim 1, further comprising:
    - identifying a capability type for the first facet;
      
      modifying the capability type with values related to the first facet to form a specific capability type; and
      
      adding the capability type to a capability set type, wherein the capability set type is associated with the first facet.
  - 5. The method of claim 1, wherein the set of capabilities of the second facet indicates one or more services.

6. An apparatus comprising at least one processor and at least one memory, the at least one memory including computer program instructions that, when executed by the at least one processor, cause the apparatus to:
- receive a request to issue a first facet;
  
  identify an endpoint with a resource for which the first facet is valid;
  
  identify a set of actions capable of being performed on the resource;
  
  create the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a first count of use parameter, a first time duration parameter, and a first periodic time duration parameter that indicate a validity of the first facet;
  
  issue the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions;
  
  create a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource;
  
  identify one or more input parameters for the action request; and
  
  preassemble a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6, wherein the memory further includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - receive an initial request from the second entity for the second facet;
      
      determine whether the second entity has authorization to make the initial request; and
      
      request a facet server module to issue the second facet.
  - 8. The apparatus of claim 6, wherein the memory further includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - determine whether the first entity has authorization to make a request for the first facet based on evaluating the first validity information against a policy.
  - 9. The apparatus of claim 6, wherein the memory further includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - identify a capability type for the first facet;
      
      modify the capability type with values related to the first facet to form a specific capability type; and
      
      add the capability type to a capability set type, wherein the capability set type is associated with the first facet.

10. A non-transitory computer readable media comprising instructions that, when executed, cause one or more processors to:
- receive a request to issue a first facet;
  
  identify an endpoint with a resource, where the first facet is valid;
  
  identify a set of actions capable of being performed on the resource;
  
  create the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet;
  
  issue the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions;
  
  create a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource;
  
  identify one or more input parameters for the action request; and
  
  preassemble a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The media of claim 10, wherein the instructions further cause the one or more processors to:
    - receive an initial request from the second entity for the second facet;
      
      determine whether the second entity has authorization to make the initial request; and
      
      request a facet server module to issue the second facet.
  - 12. The media of claim 10, wherein the instructions further cause the one or more processors to:
    - determine whether the first entity has authorization to make a request for the first facet based on evaluating the first validity information against a policy.
  - 13. The media of claim 10, wherein the instructions further cause the one or more processors to:
    - identify a capability type for the first facet;
      
      modify the capability type with values related to the first facet to form a specific capability type; and
      
      add the capability type to a capability set type, wherein the capability set type is associated with the first facet.
  - 14. The media of claim 10, wherein the subset of the set of capabilities of the second entity indicates the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sarkar, Dipankar, Danilov, Oleg, Batra, Alok
Primary Examiner(s)
Barry, Lance Leonard
Assistant Examiner(s)
Mian, Mohammad Yousuf A

Application Number

US14/039,709
Publication Number

US 20150095474A1
Time in Patent Office

1,516 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

System and method for a facet security model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for a facet security model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links