User managed access scope specific obligation policy for authorization

US 9,906,558 B2
Filed: 06/24/2015
Issued: 02/27/2018
Est. Priority Date: 06/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set;

receiving, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including;

(i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy;

modifying the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant;

modifying the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and

controlling access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;

wherein;

the request for a first delegated authorization grant data set includes a first obligation correlation token, andthe first delegated authorization grant data set includes the first obligation correlation token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method sends a request for a delegated authorization grant data set, receives a delegated authorization grant data set that defines the delegated authorization grant scope, with respect to a resource. The delegated authorization grant data set includes a scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device. The scope controls access to the resource in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set.

Citations

18 Claims

1. A method comprising:
- sending, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set;
  
  receiving, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including;
  
  (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy;
  
  modifying the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant;
  
  modifying the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and
  
  controlling access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
  
  wherein;
  
  the request for a first delegated authorization grant data set includes a first obligation correlation token, andthe first delegated authorization grant data set includes the first obligation correlation token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the sending of the request for the first delegated authorization grant data set occurs at one of the following junctures:
    - (i) before the delegatee seeks initial access to the first resource, (ii) each time the delegatee entity seeks to access the first resource, and (iii) at juncture(s) defined by the first delegation authorization grant.
  - 3. The method of claim 1 wherein the first scope variable value relates to at least one of the following aspects of scope of a delegated authorization grant:
    - (i) whether a password is required;
      
      (ii) number of times a password can be used;
      
      (iii) time or date limit on access to the first resource;
      
      (iv) limit on amount of usage or rate of usage of the first resource;
      
      or (v) limit on usage of data derived from access of the resource subject to delegated authorization grant.
  - 4. The method of claim 1 wherein the delegation grant scope user interface is incorporated into a first standard for delegated authorization grants from delegator entities to delegatee entities.
  - 5. The method of claim 4 wherein the first standard is an open source standard.
  - 6. The method of claim 1 further comprising:
    - storing the first delegated authorization grant data set, and the scope specific obligation policy, on the authorization server module.
  - 7. The method of claim 1 further comprising:
    - evaluating, by a policy decision point module, resource owner scope specific obligation policy preferences.
  - 8. The method of claim 1 further comprising:
    - receiving, by an obligation handler agent running on the delegator'"'"'s device, the request for a first delegated authorization data set.

9. A computer program product comprising a computer readable storage medium that is not a transitory signal per se having stored thereon:
- first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set;
  
  second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including;
  
  (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy;
  
  third program instructions programmed to modify the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant;
  
  fourth program instruction programmed to modify the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and
  
  fifth program instructions programmed to control access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
  
  wherein;
  
  the request for a first delegated authorization grant data set includes a first obligation correlation token, andthe first delegated authorization grant data set includes the first obligation correlation token.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The product of claim 9 wherein the first program instructions are further programmed to send the request for the first delegated authorization grant data set at one of the following junctures:
    - (i) before the delegatee seeks initial access to the first resource, (ii) each time the delegatee entity seeks to access the first resource, and (iii) at juncture(s) defined by the first delegation authorization grant.
  - 11. The product of claim 9 wherein the first scope variable value relates to at least one of the following aspects of scope of a delegated authorization grant:
    - (i) whether a password is required;
      
      (ii) number of times a password can be used;
      
      (iii) time or date limit on access to the first resource;
      
      (iv) limit on amount of usage or rate of usage of the first resource;
      
      or (v) limit on usage of data derived from access of the resource subject to delegated authorization grant.
  - 12. The product of claim 9 wherein the delegation grant scope user interface is incorporated into a first standard for delegated authorization grants from delegator entities to delegatee entities.
  - 13. The product of claim 12 wherein the first standard is an open source standard.

14. A computer system comprising:
- a processor(s) set; and
  
  a computer readable storage medium that is not a transitory signal per se;
  
  wherein;
  
  the processor set is structured, located, connected or programmed to run program instructions stored on the computer readable storage medium; and
  
  the program instructions include;
  
  first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set,second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including;
  
  (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy,third program instructions programmed to modify the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant,fourth program instruction programmed to modify the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy, andfifth program instructions programmed to control access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
  
  wherein;
  
  the request for a first delegated authorization grant data set includes a first obligation correlation token, andthe first delegated authorization grant data set includes the first obligation correlation token.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14 wherein the first program instructions are further programmed to send the request for the first delegated authorization grant data set at one of the following junctures:
    - (i) before the delegatee seeks initial access to the first resource, (ii) each time the delegatee entity seeks to access the first resource, and (iii) at juncture(s) defined by the first delegation authorization grant.
  - 16. The system of claim 14 wherein the first scope variable value relates to at least one of the following aspects of scope of a delegated authorization grant:
    - (i) whether a password is required;
      
      (ii) number of times a password can be used;
      
      (iii) time or date limit on access to the first resource;
      
      (iv) limit on amount of usage or rate of usage of the first resource;
      
      or (v) limit on usage of data derived from access of the resource subject to delegated authorization grant.
  - 17. The system of claim 14 wherein the delegation grant scope user interface is incorporated into a first standard for delegated authorization grants from delegator entities to delegatee entities.
  - 18. The system of claim 17 wherein the first standard is an open source standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Moore, David P., Pearson, Craig
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/748,300
Publication Number

US 20160381021A1
Time in Patent Office

979 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

User managed access scope specific obligation policy for authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

User managed access scope specific obligation policy for authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links