Delegating right to access resource or the like in access management system

US 20060206925A1
Filed: 03/11/2005
Published: 09/14/2006
Est. Priority Date: 03/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method for a resource of a first organization to provide access thereto to a requestor of a second organization, the first organization having a first administrator trusted by the resource, the second organization having a second administrator, each of the first and second administrators for issuing credentials to entities, each credential as issued by an administrator to an entity tying the entity to the issuing administrator and evincing a relationship between the entity and the issuing administrator, the method comprising:

the first administrator issuing to the second administrator a first credential, the issued first credential stating policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator, the second administrator in fact issuing to the requester the second credential on behalf of the first administrator, the issued second credential including the issued first credential, the requestor of the second organization thereafter requesting access from the resource of the first organization and in doing so including with the request the issued first credential and the issued second credential;

the resource receiving from the requestor the request including the issued first credential and the issued second credential;

the resource validating the issued first credential to confirm that the issued first credential ties the trusted first administrator to the second administrator, and also to confirm that the policy of the issued first credential allowed the second administrator to issue the second credential to the requestor;

the resource validating the issued second credential to confirm that the issued second credential ties the second administrator to the requestor; and

presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted first administrator to the requestor by way of the second administrator, whereby the resource of the first organization can recognize and grant access to the requestor of the second organization, even though such requestor is not issued any credential by the trusted first administrator of the first organization.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.

129 Citations

21 Claims

the first administrator issuing to the second administrator a first credential, the issued first credential stating policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator, the second administrator in fact issuing to the requester the second credential on behalf of the first administrator, the issued second credential including the issued first credential, the requestor of the second organization thereafter requesting access from the resource of the first organization and in doing so including with the request the issued first credential and the issued second credential;

the resource receiving from the requestor the request including the issued first credential and the issued second credential;

the resource validating the issued first credential to confirm that the issued first credential ties the trusted first administrator to the second administrator, and also to confirm that the policy of the issued first credential allowed the second administrator to issue the second credential to the requestor;

the resource validating the issued second credential to confirm that the issued second credential ties the second administrator to the requestor; and

presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted first administrator to the requestor by way of the second administrator, whereby the resource of the first organization can recognize and grant access to the requestor of the second organization, even though such requestor is not issued any credential by the trusted first administrator of the first organization.
View Dependent Claims (2, 3, 4, 5, 6, 7)

2. The method of claim 1 wherein the first administrator issues to the second administrator the first credential stating policy that the second administrator may issue the second credential to a particular set of entities including the requestor.
3. The method of claim 1 wherein the first administrator issues to the second administrator the first credential stating further policy that restricts rights the requester has with regard to the resource.
4. The method of claim 1 wherein the first administrator has a public-private key pair (PU-A, PR-A) and the second administrator has a public-private key pair (PU-B, PR-B), and wherein the first administrator issues to the second administrator the first credential including therein the public key of the second administrator (PU-B) and a digital signature based on the private key of the first administrator (S (PR-A)), the second administrator issuing to the requestor the second credential including therein a digital signature based on the private key of the second administrator (S (PR-B)).
5. The method of claim 4 wherein the resource has knowledge of (PU-A), the method comprising:
- the resource applying (PU-A) to (S (PR-A)) from the issued first credential to validate same;
  
  presuming such validation succeeds, the resource then obtaining (PU-B) from the validated first credential and applying such (PU-B) to (S (PR-B)) from the issued second credential to validate same.
6. The method of claim 1 comprising:
- the first administrator issuing to the second administrator a first credential further stating policy that allows the requestor access to the resource, the second administrator issuing to the requestor the second credential on behalf of the first administrator and including policy that allows the requestor access to the resource;
  
  Ski the resource further validating the issued first credential to confirm that the issued first credential allows the requester access to the resource; and
  
  the resource further validating the issued second credential to confirm that the issued second credential allows the requestor to access the resource.

7. The method of claim 1 comprising issuing each credential to include each policy therein specified as:

Principal P Has the right to assert Assertions matching A* To principals of type P* Subject to conditions C Issue by I Validity date-time D

where P is a reference to a specific principal who is allowed to delegate, A* is one or more patterns which all valid delegation assertions must match, P* is one or more patterns identifying value entities that P may delegate to, C* is zero or more conditions on any delegation by P, I is the entity issuing the policy, and D is a time period during which the delegation authorization is valid.

8. A method for a resource of a first organization to provide access thereto to a requestor of a second organization by way of a third organization, the first organization having a first administrator trusted by the resource, the second organization having a second administrator, the third organization having a third administrator, each administrator for issuing credentials to entities, each credential as issued by an administrator to an entity tying the entity to the issuing administrator and evincing a relationship between the entity and the issuing administrator, the method comprising:

the first administrator issuing to the third administrator a first credential, the issued first credential stating policy that the third administrator may issue a second credential to the second administrator on behalf of the first administrator and that the second administrator may issue a third credential to the requestor on behalf of the first administrator, the third administrator in fact issuing to the second administrator the second credential on behalf of the first administrator and the second administrator in fact issuing to the requestor the third credential on behalf of the first administrator, the issued second credential including the issued first credential and the issued third credential including the issued first credential and the issued second credential, the requestor of the second organization thereafter requesting access from the resource of the first organization and in doing so including with the request the issued first credential and the issued second credential and the issued third credential;

the resource receiving from the requestor the request including the issued first credential and the issued second credential and the issued third credential;

the resource validating the issued first credential to confirm that the issued first credential ties the trusted first administrator to the third administrator, and also to confirm that the policy of the issued first credential allowed the third administrator to issue the second credential to the second administrator and that the policy of the issued first credential also allowed the second administrator to issue the third credential to the requestor;

the resource validating the issued second credential to confirm that the issued second credential ties the third administrator to the second administrator, and also to confirm that the policy of the issued second credential allowed the second administrator to issue the third credential to the requestor;

the resource validating the issued third credential to confirm that the issued third credential ties the second administrator to the requester; and

presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted first administrator to the requestor by way of the third administrator and the second administrator, whereby the resource of the first organization can recognize and grant access to the requester of the second organization, even though such requestor is not issued any credential by the trusted first administrator of the first organization.
View Dependent Claims (9, 10, 11, 12, 13, 14)

9. The method of claim 8 wherein the first administrator issues to the third administrator the first credential stating policy that the second administrator may issue the third credential to a particular set of entities including the requestor.
10. The method of claim 8 wherein the first administrator issues to the third administrator the first credential stating further policy that restricts rights the requestor has with regard to the resource.
11. The method of claim 8 wherein the first administrator has a public-private key pair (PU-A, PR-A) and the second administrator has a public-private key pair (PU-B, PR-B) and the third administrator has a public-private key pair (PU-C, PR-C), and wherein the first administrator issues to the third administrator the first credential including therein the public key of the third administrator (PU-C) and a digital signature based on the private key of the first administrator (S (PR-A)), the third administrator issuing to the second administrator the second credential including therein the public key of the second administrator (PU-B) and a digital signature based on the private key of the third administrator (S (PR-C)), the second administrator issuing to the requestor the third credential including therein a digital signature based on the private key of the second administrator (S (PR-B)).
12. The method of claim 11 wherein the resource has knowledge of (PU-A), the method comprising:
- the resource applying (PU-A) to (S (PR-A)) from the issued first credential to validate same;
  
  presuming such validation succeeds, the resource then obtaining (PU-C) from the validated first credential and applying such (PU-C) to (S (PR-C)) from the issued second credential to validate same. presuming such validation succeeds, the resource then obtaining (PU-B) from the validated second credential and applying such (PU-B) to (S (PR-B)) from the issued third credential to validate same.
13. The method of claim 8 comprising:
- the first administrator issuing to the third administrator a first credential further stating policy that allows the requestor access to the resource, the third administrator issuing to the second administrator the second credential on behalf of the first administrator and including policy that allows the requestor access to the resource, the second administrator issuing to the requester the third credential on behalf of the first administrator and including policy that allows the requestor access to the resource;
  
  the resource further validating the issued first credential to confirm that the issued first credential allows the requestor access to the resource;
  
  the resource further validating the issued second credential to confirm that the issued second credential allows the requestor to access the resource; and
  
  the resource further validating the issued third credential to confirm that the issued third credential allows the requester to access the resource.

14. The method of claim 8 comprising issuing each credential to include each policy therein specified as:

Principal P Has the right to assert Assertions matching A* To principals of type P* Subject to conditions C Issue by I Validity date-time D

15. A method for a resource of an organization to provide access thereto to a requestor by way of an intermediary, the organization having an administrator trusted by the resource, the method comprising:

the administrator issuing to the intermediary a first credential, the issued first credential stating policy that the intermediary may issue a second credential to the requestor on behalf of the administrator, the intermediary in fact issuing to the requestor the second credential on behalf of the administrator, the issued second credential including the issued first credential, the requestor thereafter requesting access from the resource of the organization and in doing so including with the request the issued first credential and the issued second credential;

the resource receiving from the requestor the request including the issued first credential and the issued second credential;

the resource validating the issued first credential to confirm that the issued first credential ties the trusted administrator to the intermediary, and also to confirm that the policy of the issued first credential allowed the intermediary to issue the second credential to the requestor;

the resource validating the issued second credential to confirm that the issued second credential ties the intermediary to the requestor; and

presuming such validations succeed, the resource proceeding with the request from the resource knowing that such request from such requestor is based on rights delegated from the trusted administrator to the requestor by way of the intermediary, whereby the resource of the organization can recognize and grant access to the requestor, even though such requester is not issued any credential by the trusted administrator of the organization.
View Dependent Claims (16, 17, 18, 19, 20, 21)

16. The method of claim 15 wherein the administrator issues to the intermediary the first credential stating policy that the intermediary may issue the second credential to a particular set of entities including the requestor.
17. The method of claim 15 wherein the administrator issues to the intermediary the first credential stating further policy that restricts rights the requestor has with regard to the resource.
18. The method of claim 15 wherein the administrator has a public-private key pair (PU-A, PR-A) and the intermediary has a public-private key pair (PU-B, PR-B), and wherein the administrator issues to the intermediary the first credential including therein the public key of the intermediary (PU-B) and a digital signature based on the private key of the administrator (S (PR-A)), the intermediary issuing to the requestor the second credential including therein a digital signature based on the private key of the intermediary (S (PR-B)).
19. The method of claim 18 wherein the resource has knowledge of (PU-A), the method comprising:
- the resource applying (PU-A) to (S (PR-A)) from the issued first credential to validate same;
  
  presuming such validation succeeds, the resource then obtaining (PU-B) from the validated first credential and applying such (PU-B) to (S (PR-B)) from the issued second credential to validate same.
20. The method of claim 15 comprising:
- the administrator issuing to the intermediary a first credential further stating policy that allows the requestor access to the resource, the intermediary issuing to the requester the second credential on behalf of the administrator and including policy that allows the requestor access to the resource;
  
  the resource further validating the issued first credential to confirm that the issued first credential allows the requestor access to the resource; and
  
  the resource further validating the issued second credential to confirm that the issued second credential allows the requester to access the resource.

21. The method of claim 15 comprising issuing each credential to include each policy therein specified as:

Principal P Has the right to assert Assertions matching A* To principals of type P* Subject to conditions C Issue by I Validity date-time D

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rose, Charles F. III, Paramasivam, Muthukrishnan, Pandya, Ravindra Nath, LaMacchia, Brian, Dillaway, Blair Brewster

Granted Patent

US 7,770,206 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/33   using certificates

G06F 21/62   Protecting access to data v...

G06F 2221/2145   Inheriting rights or proper...

Delegating right to access resource or the like in access management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Delegating right to access resource or the like in access management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links