SYSTEM AND METHOD FOR DYNAMIC ROLE ASSOCIATION
First Claim
1. A system, comprising:
a security service that makes decisions to permit or deny access requests;
an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passing the access request and a callback handler to the security service; and
a plurality of security plug-ins at the security provider that use the callback handler to request context information describing the access request, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
wherein the security service determines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins.
Abstract
A pluggable architecture allows security and business-logic plug-ins to be inserted into a security service hosted by a server and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement and for access-rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit-or-deny concept) but can also represent the business logic or functionality required by the server provider. In this way, entitlements bridge the gap between a simple security platform and a complex business-policy platform.
19 Claims
1. A system, comprising:
a security service that makes decisions to permit or deny access requests;
an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passing the access request and a callback handler to the security service; and
a plurality of security plug-ins at the security provider that use the callback handler to request context information describing the access request, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
wherein the security service determines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method, comprising:
receiving at an application container an access request from a client to access a protected resource;
communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
making a decision at the security service to permit or deny the access request; and
communicating a permitted access request to the protected resource.
Dependent claims: 9, 10, 11, 12, 13.

14. A computer readable storage medium storing instructions, the instructions comprising:
receiving at an application container an access request from a client to access a protected resource;
communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
making a decision at the security service to permit or deny the access request; and
communicating a permitted access request to the protected resource.
Dependent claims: 15, 16, 17, 18, 19.
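The flow claimed above (container receives the request, hands the request plus a callback handler to the security service, each plug-in pulls context through the handler and votes permit, deny or abstain, and the service derives entitlements from the votes) is illustrated below in a small Python model. This is an added example, not code from the patent or from any product that implements it. Every name in it (SecurityService, CallbackHandler, ApplicationContainer, the two plug-ins) and the adjudication rule (any deny wins, at least one permit is required, an all-abstain outcome is denied) are assumptions chosen for illustration; the claims do not prescribe how abstains are combined.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Set, Tuple


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"   # the plug-in has no opinion on this request


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    action: str


class CallbackHandler:
    """Handed to the security service by the container; plug-ins call it to pull
    the context they need (roles, time of day, ...) instead of receiving
    everything up front. Requested keys are recorded for auditing."""

    def __init__(self, context: Dict[str, object]):
        self._context = context
        self.requested: List[str] = []

    def get(self, key: str, default=None):
        self.requested.append(key)
        return self._context.get(key, default)


Plugin = Callable[[AccessRequest, CallbackHandler], Decision]


class SecurityService:
    """Combines plug-in votes. Adjudication rule (an assumption of this example):
    any DENY wins, otherwise at least one PERMIT is required, and a request on
    which every plug-in abstains is denied (fail closed)."""

    def __init__(self, plugins: Iterable[Plugin]):
        self.plugins = list(plugins)

    def decide(self, request: AccessRequest, handler: CallbackHandler) -> bool:
        votes = [plugin(request, handler) for plugin in self.plugins]
        if Decision.DENY in votes:
            return False
        return Decision.PERMIT in votes

    def entitlements(self, subject: str, resource: str, actions: Iterable[str],
                     handler: CallbackHandler) -> Set[str]:
        """Actions this subject may perform on the resource in this context."""
        return {a for a in actions
                if self.decide(AccessRequest(subject, resource, a), handler)}


# Two constructed plug-ins: one security rule (roles), one business rule (hours).
ROLE_ACTIONS = {"teller": {"read", "deposit"},
                "manager": {"read", "deposit", "transfer"}}


def role_plugin(request: AccessRequest, handler: CallbackHandler) -> Decision:
    roles = handler.get("roles", ())
    allowed = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    # Permits what the roles cover; abstains (rather than denies) on the rest.
    return Decision.PERMIT if request.action in allowed else Decision.ABSTAIN


def business_hours_plugin(request: AccessRequest, handler: CallbackHandler) -> Decision:
    if request.action != "transfer":
        return Decision.ABSTAIN            # only cares about transfers
    hour = handler.get("hour")
    if hour is None or not 9 <= hour < 17:
        return Decision.DENY               # transfers outside 09:00-17:00 are vetoed
    return Decision.ABSTAIN                # in hours: no objection, but no permit either


class ApplicationContainer:
    """Receives the client's request, delegates the decision, and forwards only
    a permitted request to the protected resource."""

    def __init__(self, service: SecurityService,
                 resources: Dict[str, Tuple[Set[str], Callable[[str, str], str]]]):
        self.service = service
        self.resources = resources   # name -> (supported actions, resource function)

    def handle(self, request: AccessRequest, context: Dict[str, object]) -> Dict[str, object]:
        handler = CallbackHandler(context)
        actions, resource_fn = self.resources[request.resource]
        permitted = self.service.decide(request, handler)
        result = {
            "permitted": permitted,
            "entitlements": sorted(self.service.entitlements(
                request.subject, request.resource, actions, handler)),
            "context_requested": sorted(set(handler.requested)),
        }
        if permitted:
            result["response"] = resource_fn(request.subject, request.action)
        return result


def account_resource(subject: str, action: str) -> str:
    return f"{action} by {subject} applied"


def build_container() -> ApplicationContainer:
    service = SecurityService([role_plugin, business_hours_plugin])
    return ApplicationContainer(
        service, {"account": ({"read", "deposit", "transfer"}, account_resource)})


if __name__ == "__main__":
    container = build_container()
    # Constructed sample requests and contexts.
    print(container.handle(AccessRequest("alice", "account", "transfer"),
                           {"roles": ["manager"], "hour": 10}))
    print(container.handle(AccessRequest("alice", "account", "transfer"),
                           {"roles": ["manager"], "hour": 22}))
    print(container.handle(AccessRequest("bob", "account", "transfer"),
                           {"roles": ["teller"], "hour": 10}))
```

The second and third calls show the two ways a request fails under this rule: a business plug-in vetoing a request the role plug-in would have permitted, and a request on which every plug-in abstains, which is denied rather than allowed by default. The `context_requested` field also shows which context each evaluation pulled through the callback handler, which is the information an auditor would want logged.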
Specification