System and method for a facet security model
First Claim
1. A method, comprising:
receiving a request to issue a first facet;
identifying an endpoint with a resource for which the first facet is valid;
identifying a set of actions capable of being performed on the resource;
creating the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet;
issuing the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions;
creating a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource;
identifying one or more input parameters for the action request; and
preassembling a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
Abstract
An example method is provided and includes receiving a request to issue a facet; identifying an endpoint with a resource for which the facet is valid; identifying a set of actions capable of being performed on the resource; creating the facet using the set of actions; and issuing the facet. In other embodiments, the method may include receiving an initial request from an entity for the facet; determining whether the entity has authorization to make the initial request; and requesting a facet server module to issue the facet. In yet other embodiments, the facet has a condition, and the condition is at least one of a count of use, a time duration, and a periodic time duration. Additionally, in certain cases, determining whether the entity has authorization to make the initial request comprises evaluating validity information against a policy.
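The claim and abstract describe capability-style facets that can be delegated only by attenuation: the child facet covers a proper subset of the parent's (resource, action) capabilities and reduces at least one of the three validity parameters, and the resulting facet URL is preassembled from the endpoint, the action request, the input parameters and the facet. The following is an added illustration, not code from the patent or its assignee; the `Validity` fields, the `(endpoint, action)` capability encoding, the `.invalid` hostnames and the token strings are constructed assumptions, and "periodic time duration" is interpreted as the length of a recurring usage window so that a smaller value is always a narrower grant.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlencode

@dataclass(frozen=True)
class Validity:
    """Claim's three validity parameters; interpreted (assumption) so smaller is always narrower."""
    max_uses: int        # count of use
    ttl_seconds: int     # time duration after issue during which the facet is valid
    window_seconds: int  # periodic time duration: length of each recurring usage window

    def narrower_than(self, other: Validity) -> bool:
        """No parameter wider than `other`, and at least one strictly reduced."""
        mine = (self.max_uses, self.ttl_seconds, self.window_seconds)
        theirs = (other.max_uses, other.ttl_seconds, other.window_seconds)
        return all(a <= b for a, b in zip(mine, theirs)) and mine != theirs

@dataclass(frozen=True)
class Facet:
    token: str                                # opaque handle placed in the facet URL
    capabilities: frozenset[tuple[str, str]]  # (endpoint, action) pairs the holder may use
    validity: Validity

class DelegationError(ValueError):
    pass

def delegate(parent: Facet, token: str, endpoint: str, actions, validity: Validity) -> Facet:
    """Issue a child facet for one endpoint; refuse anything that is not a strict attenuation."""
    caps = frozenset((endpoint, a) for a in actions)
    if not caps or not caps < parent.capabilities:      # proper subset, never equal
        raise DelegationError("child capabilities must be a proper subset of the parent's")
    if not validity.narrower_than(parent.validity):
        raise DelegationError("child validity must reduce a parameter and widen none")
    return Facet(token, caps, validity)

def facet_url(facet: Facet, endpoint: str, action: str, params: dict) -> str:
    """Preassemble endpoint + action request + input parameters + facet, after an authorisation check."""
    if (endpoint, action) not in facet.capabilities:
        raise PermissionError(f"facet does not authorise {action} on {endpoint}")
    return f"{endpoint}/{action}?{urlencode({**params, 'facet': facet.token})}"

# Constructed sample: an operator facet over two device endpoints, attenuated to a
# single-use reboot of one device for a technician.
DEV42 = "https://api.example.invalid/devices/42"
DEV43 = "https://api.example.invalid/devices/43"
OPERATOR = Facet("tok-operator", frozenset({(DEV42, "read"), (DEV42, "reboot"), (DEV43, "read")}),
                 Validity(max_uses=100, ttl_seconds=86_400, window_seconds=3_600))
TECHNICIAN = delegate(OPERATOR, "tok-tech", DEV42, ["reboot"],
                      Validity(max_uses=1, ttl_seconds=600, window_seconds=3_600))
```

Enforcing both checks at issue time is what keeps a chain of delegations monotone: no holder can mint a facet that reaches a resource, an action or a lifetime its own facet did not already grant.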
14 Claims
1. A method, comprising:
receiving a request to issue a first facet; identifying an endpoint with a resource for which the first facet is valid; identifying a set of actions capable of being performed on the resource; creating the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet; issuing the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions; creating a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource; identifying one or more input parameters for the action request; and preassembling a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
Dependent claims: 2, 3, 4, 5
6. An apparatus comprising at least one processor and at least one memory, the at least one memory including computer program instructions that, when executed by the at least one processor, cause the apparatus to:
receive a request to issue a first facet; identify an endpoint with a resource for which the first facet is valid; identify a set of actions capable of being performed on the resource; create the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a first count of use parameter, a first time duration parameter, and a first periodic time duration parameter that indicate a validity of the first facet; issue the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions; create a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource; identify one or more input parameters for the action request; and preassemble a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
Dependent claims: 7, 8, 9
10. A non-transitory computer readable media comprising instructions that, when executed, cause one or more processors to:
receive a request to issue a first facet; identify an endpoint with a resource, where the first facet is valid; identify a set of actions capable of being performed on the resource; create the first facet based, at least in part, on the set of actions and first validity information, wherein the first validity information includes a count of use parameter, a time duration parameter, and a periodic time duration parameter that indicate a validity of the first facet; issue the first facet for a first entity, the first facet indicating the resource upon which the first entity is authorized to perform the set of actions; create a URL endpoint uniquely identifying the endpoint and comprising an action request for the resource; identify one or more input parameters for the action request; and preassemble a facet URL based on the URL endpoint, the one or more input parameters, and the first facet, wherein the first facet is delegated from a second facet, the second facet comprising a set of capabilities indicating a plurality of resources upon which a second entity holding the second facet is authorized to perform actions, wherein the first facet includes a subset of the set of capabilities of the second facet, the subset containing fewer capabilities than the set of capabilities of the second facet, wherein the second facet comprises second validity information that indicates a validity of the second facet, wherein at least one parameter of the first validity information is reduced from the second validity information.
Dependent claims: 11, 12, 13, 14
Specification