System and method for zone access control

US 9,923,905 B2
Filed: 05/06/2016
Issued: 03/20/2018
Est. Priority Date: 02/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a first web service request for accessing a first resource of a first web service, the first web service request corresponding to a first user and comprising a first access token, first action data identifying a first action being requested to be applied to the first resource, and first resource data identifying the first resource;

identifying a first zone for the first web service request;

identifying a first security token provider based on the first access token;

identifying one or more trusted token providers for the identified first zone;

comparing the first identified security token provider to the identified one or more trusted token providers for the identified first zone;

generating, by a machine having a memory and at least one processor, a determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;

denying the first web service request based on the determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;

receiving a second web service request for accessing the first resource of the first web service, the second web service request comprising a second access token, the first action data identifying the first action being requested to be applied to the first resource, and the first resource data identifying the first resource;

identifying the first zone based on the second web service request;

identifying a second security token provider based on the second access token;

identifying the one or more trusted token providers for the identified first zone;

comparing the second identified security token provider of the second access token to the identified one or more trusted token providers for the identified first zone;

generating a determination that the identified second security token provider of the second access token matches one of the identified one or more trusted token providers for the identified first zone; and

permitting the second web service request based on the determination that the identified second security token provider matches one of the identified one or more trusted token providers for the identified first zone.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some example embodiments, a method comprises receiving a web service request for accessing a resource of a web service, with the web service request corresponding to a user and comprising an access token, identifying a zone for the web service request, identifying a security token provider based on the access token, identifying one or more trusted token providers for the zone, comparing the security token provider to the trusted token provider(s) for the zone, generating a determination that the security token provider does not match any of the trusted token provider(s) for the zone, and denying the web service request based on the determination that the security token provider does not match any of the trusted token provider(s) for the zone.

Citations

17 Claims

1. A computer-implemented method comprising:
- receiving a first web service request for accessing a first resource of a first web service, the first web service request corresponding to a first user and comprising a first access token, first action data identifying a first action being requested to be applied to the first resource, and first resource data identifying the first resource;
  
  identifying a first zone for the first web service request;
  
  identifying a first security token provider based on the first access token;
  
  identifying one or more trusted token providers for the identified first zone;
  
  comparing the first identified security token provider to the identified one or more trusted token providers for the identified first zone;
  
  generating, by a machine having a memory and at least one processor, a determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  denying the first web service request based on the determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  receiving a second web service request for accessing the first resource of the first web service, the second web service request comprising a second access token, the first action data identifying the first action being requested to be applied to the first resource, and the first resource data identifying the first resource;
  
  identifying the first zone based on the second web service request;
  
  identifying a second security token provider based on the second access token;
  
  identifying the one or more trusted token providers for the identified first zone;
  
  comparing the second identified security token provider of the second access token to the identified one or more trusted token providers for the identified first zone;
  
  generating a determination that the identified second security token provider of the second access token matches one of the identified one or more trusted token providers for the identified first zone; and
  
  permitting the second web service request based on the determination that the identified second security token provider matches one of the identified one or more trusted token providers for the identified first zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, further comprising:
    - storing, in a policy data store, a script comprising an access control policy for accessing the first resource of the first web service, the access control policy comprising one or more policy conditions to be satisfied in order to permit an action,wherein the denying the first web service request comprises blocking a performance of an access authorization process, the access authorization process being configured to generate a decision to either permit or deny the first web service request based on a determination of whether the one or more policy conditions of the access control policy are satisfied.
  - 3. The computer-implemented method of claim 1, further comprising:
    - storing, in a policy data store, a script comprising an access control policy for accessing the first resource of the first web service, the access control policy comprising one or more policy conditions to be satisfied in order to permit an action; and
      
      performing an access authorization process based on the determination that the identified second security token provider matches one of the identified one or more trusted token providers for the identified first zone, the access authorization process being configured to generate a decision to either permit or deny the second web service request based on a determination of whether the one or more policy conditions of the access control policy are satisfied.
  - 4. The computer-implemented method of claim 3, wherein the script is included within a JavaScript Object Notation (JSON).
  - 5. The computer-implemented method of claim 3, further comprising:
    - storing, in an attribute data store, a user attribute of the first user and a resource attribute of the first resource of the first web service, the user attribute comprising user information about the first user other than an identification of the first user, the resource attribute comprising resource information about the first resource other than an identification of the first resource,wherein the one or more policy conditions comprises at least one of the user attribute and the resource attribute.
  - 6. The computer-implemented method of claim 5, wherein the user attribute comprises an organization to which the first user belongs, a group to which the first user belongs, or a role of the first user.
  - 7. The computer-implemented method of claim 5, wherein the resource attribute comprises an organization associated with the first resource, a group associated with the first resource, or a role associated with the first resource.
  - 8. The computer-implemented method of claim 5, wherein the generating of the decision to either permit or deny the web service request comprises:
    - retrieving the user attribute and the resource attribute from the attribute data store based on the second web service request; and
      
      determining whether the one or more policy conditions of the access control policy are satisfied based on the retrieved user attribute, the retrieved resource attribute, and the second web service request.
  - 9. The computer-implemented method of claim 8, wherein the retrieving the user attribute from the attribute data store comprises extracting the user attribute based on the second access token for the first user.
  - 10. The computer-implemented method of claim 8, further comprising:
    - modifying the script in response to a user input, the modification of the script comprising a policy modification of the access control policy; and
      
      storing the modified script in the policy data store,wherein the access authorization process is further configured to generate the decision to either permit or deny the second web service request based on the modified access control policy, the retrieved user attribute, and the retrieved resource attribute, the generating of the decision comprising interpreting the modified script.
  - 11. The computer-implemented method of claim 1, wherein the first web service comprises a representational state transfer (RESTful) application programming interface (API).
  - 12. The computer-implemented method of claim 1, wherein the first action comprises a HyperText Transfer Protocol (HTTP) method.
  - 13. The computer-implemented method of claim 1, wherein the first resource data comprises a uniform resource identifier (URI) corresponding to the first resource.
  - 14. The computer-implemented method of claim 1, wherein the first web service comprises a service in an Industrial Internet of Things (IIoT).

15. A system comprising:
- at least one processor; and
  
  a non-transitory computer-readable medium storing executable instructions that, when executed, cause the at least one processor to perform operations comprising;
  
  receiving a first web service request for accessing a first resource of a first web service, the first web service request corresponding to a first user and comprising a first access token, first action data identifying a first action being requested to be applied to the first resource, and first resource data identifying the first resource;
  
  identifying a first zone for the first web service request;
  
  identifying a first security token provider based on the first access token;
  
  identifying one or more trusted token providers for the identified first zone;
  
  comparing the first identified security token provider to the identified one or more trusted token providers for the identified first zone;
  
  generating a determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  denying the first web service request based on the determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  receiving a second web service request for accessing the first resource of the first web service, the second web service request comprising a second access token, the first action data identifying the first action being requested to be applied to the first resource, and the first resource data identifying the first resource;
  
  identifying the first zone based on the second web service request;
  
  identifying a second security token provider based on the second access token;
  
  identifying the one or more trusted token providers for the identified first zone;
  
  comparing the second identified security token provider of the second access token to the identified one or more trusted token providers for the identified first zone;
  
  generating a determination that the identified second security token provider of the second access token matches one of the identified one or more trusted token providers for the identified first zone; and
  
  permitting the second web service request based on the determination that the identified second security token provider matches one of the identified one or more trusted token providers for the identified first zone.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein the operations further comprise:
    - storing, in a policy data store, a script comprising an access control policy for accessing the first resource of the first web service, the access control policy comprising one or more policy conditions to be satisfied in order to permit an action,wherein the denying the first web service request comprises blocking a performance of an access authorization process, the access authorization process being configured to generate a decision to either permit or deny the first web service request based on a determination of whether the one or more policy conditions of the access control policy are satisfied.

17. A non-transitory machine-readable storage medium, tangibly embodying a set of instructions that, when executed by at least one processor, causes the at least one processor to perform operations comprising:
- receiving a first web service request for accessing a first resource of a first web service, the first web service request corresponding to a first user and comprising a first access token, first action data identifying a first action being requested to be applied to the first resource, and first resource data identifying the first resource;
  
  identifying a first zone for the first web service request;
  
  identifying a first security token provider based on the first access token;
  
  identifying one or more trusted token providers for the identified first zone;
  
  comparing the first identified security token provider to the identified one or more trusted token providers for the identified first zone;
  
  generating a determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  denying the first web service request based on the determination that the identified first security token provider does not match any of the identified one or more trusted token providers for the identified first zone;
  
  receiving a second web service request for accessing the first resource of the first web service, the second web service request comprising a second access token, the first action data identifying the first action being requested to be applied to the first resource, and the first resource data identifying the first resource;
  
  identifying the first zone based on the second web service request;
  
  identifying a second security token provider based on the second access token;
  
  identifying the one or more trusted token providers for the identified first zone;
  
  comparing the second identified security token provider of the second access token to the identified one or more trusted token providers for the identified first zone;
  
  generating a determination that the identified second security token provider of the second access token matches one of the identified one or more trusted token providers for the identified first zone; and
  
  permitting the second web service request based on the determination that the identified second security token provider matches one of the identified one or more trusted token providers for the identified first zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Digital Holdings LLC (GE Vernova, Inc.)
Original Assignee
General Electric Company
Inventors
Amiri, Dariush, Banga, Vineet
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/148,944
Publication Number

US 20170223026A1
Time in Patent Office

683 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

System and method for zone access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for zone access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links