Caching and accessing rights in a distributed computing system
First Claim
1. A method for caching and accessing access rights to at least one resource in a distributed computing system, the method comprising:
- accessing, by a software agent, a directory service, wherein the agent is located on a deputization point coupled to the directory service, and wherein the directory service comprises the access rights of a software principal to a resource;
- updating, by the agent, the access rights in an access control list cache, wherein the access control list cache is coupled to the deputization point and to the principal;
- receiving, at the access control list cache, a request from the principal or the access rights stored in the access control list cache;
- retrieving, from the access control list cache, the access rights;
- forwarding, to the principal, the access rights;
- delegating one or more of the principal's access rights to at least one software entity; and
- accessing the resource, by the software entity, using the delegated access rights without requiring intervention of the principal to authenticate access requests by the software entity, wherein tasks can be accomplished by the software entity without control by the principal.
Abstract
A system and method for caching and accessing rights in a distributed computing system is disclosed. An agent located on a Distributed Deputization Point (DPP) parses a directory service. The agent then updates the rights to an Access Control List (ACL) cache. The ACL cache then receives, from an authenticated user, a request for the rights. The ACL cache retrieves the rights and forwards them to the user. The user may now access certain resources based on the rights it has obtained the first time it accesses these resources. Additionally, if the user attempts to access certain resources that are not contained in the ACL cache, a resource manager is invoked, which provides the access control rights for the missing resources to the ACL cache.
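The flow in the abstract, as an added Python sketch (not code from the patent; the class, method and sample names are assumptions, and the sample data is constructed): the agent loads directory rights into the ACL cache, and a request for a resource missing from the cache falls back to the resource manager.

```python
from dataclasses import dataclass, field

# Constructed sample data: rights held in the directory service and,
# for resources the directory does not list, by the resource manager.
DIRECTORY = {"alice": {"printer": ["use"], "payroll-db": ["read"]}}
RESOURCE_MANAGER = {"alice": {"build-server": ["read", "execute"]}}


@dataclass
class AclCache:
    """Hypothetical ACL cache keyed by (principal, resource)."""
    resource_manager: dict                      # consulted only on a cache miss
    entries: dict = field(default_factory=dict)
    misses: int = 0

    def update_from_directory(self, directory: dict) -> None:
        """Agent step: parse the directory service and load rights into the cache."""
        for principal, per_resource in directory.items():
            for resource, rights in per_resource.items():
                self.entries[(principal, resource)] = frozenset(rights)

    def rights_for(self, principal: str, resource: str,
                   authenticated: bool) -> frozenset:
        """Return cached rights to an authenticated principal."""
        if not authenticated:
            raise PermissionError("request did not come from an authenticated user")
        key = (principal, resource)
        if key not in self.entries:
            # Miss: the resource manager supplies the rights for the missing
            # resource. No record means an empty set, i.e. deny by default.
            self.misses += 1
            fetched = self.resource_manager.get(principal, {}).get(resource, ())
            self.entries[key] = frozenset(fetched)
        return self.entries[key]


if __name__ == "__main__":
    cache = AclCache(resource_manager=RESOURCE_MANAGER)
    cache.update_from_directory(DIRECTORY)
    print(cache.rights_for("alice", "payroll-db", authenticated=True))
    print(cache.rights_for("alice", "build-server", authenticated=True))
```

Cached entries stay in force until the agent refreshes them, so in this sketch a right revoked in the directory remains usable until the next `update_from_directory` call.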
32 Claims
9. A distributed computing system supporting access control caching, the system comprises:
- a plurality of computers, each having a memory and a processor;
- a plurality of communication links connecting the plurality of computers;
- a principal located on a first one of the computers;
- an agent located on a second one of the computers;
- a resource located on a third one of the computers;
- a first set of access rights located on a fourth one of the computers;
- a second set of access rights located on a fifth one of the computers;
- means for accessing, by the agent, the first set of access rights of the principal to the resource;
- means for updating, by the agent, the first set of access rights to an access control list cache, wherein the access control list cache is located on a sixth one of the computers;
- means for receiving, at the access control list cache, a request from the principal for the first set of access rights;
- means for retrieving, by the access control list cache, the first set of access rights;
- means for forwarding, to the principal, the first set of access rights; and
- means for providing, to the principal, a deputization certificate adapted for enabling the principal to copy one or more of the principal's access rights to at least one software entity.
13. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for caching and accessing access rights in a distributed computing system, the method comprising:
- accessing, by a software agent, a directory service, wherein the agent is located on a deputization point coupled to the directory service having the access rights of at least one principal to at least one resource;
- updating, by the agent, the access rights to an access control list cache, wherein the access control list cache is coupled to the deputization point, and wherein the access control list cache is coupled to the principal;
- receiving, at the access control list cache, a request from the principal for the access rights;
- retrieving, by the access control list cache, the access rights;
- forwarding, to the principal, the access rights;
- forwarding, to the principal, a deputization credential empowering the principal to deputize software entities; and
- deputizing, by the principal, at least one of the software entities, wherein the software entity can exercise one or more of the principal's access rights due to the deputization.
17. A method for controlling access within a computer system using deputization, the method comprising:
- receiving an access authorization request at a deputization point from a principal, wherein the access authorization request requests validation of the principal's identity;
- determining whether to validate the principal based on the access authorization request;
- identifying one or more resource access permissions for the principal if the principal is validated, wherein the resource access permissions enable the principal to access one or more resources; and
- providing the principal with deputizing authority at the identified access authorization level, wherein the deputizing authority comprises a deputization credential that enables the principal to give at least one software entity within the computer system a level of resource access permission equal to or lesser than the principal's resource access permissions.
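The "equal to or lesser than" limit in claim 17, as an added Python sketch (not code from the patent): the claims do not specify a credential format, so the HMAC-signed dictionaries, the key, and all function and permission names here are assumptions.

```python
import hashlib
import hmac
import json

DP_KEY = b"constructed-demo-key"  # deputization point's signing key (constructed)


def _sign(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DP_KEY, msg, hashlib.sha256).hexdigest()


def issue_deputization_credential(principal: str, permissions: list) -> dict:
    """Issued to a validated principal; lists the permissions it may delegate."""
    body = {"principal": principal, "permissions": sorted(permissions)}
    return {**body, "sig": _sign(body)}


def deputize(credential: dict, deputy: str, requested: list) -> dict:
    """Grant `requested` to the deputy only if it is a subset of the credential."""
    body = {"principal": credential["principal"],
            "permissions": credential["permissions"]}
    if not hmac.compare_digest(_sign(body), credential.get("sig", "")):
        raise PermissionError("credential was not issued by the deputization point")
    excess = set(requested) - set(body["permissions"])
    if excess:
        raise PermissionError(f"exceeds the principal's permissions: {sorted(excess)}")
    grant = {"deputy": deputy, "on_behalf_of": body["principal"],
             "permissions": sorted(requested)}
    return {**grant, "sig": _sign(grant)}


def deputy_may(grant: dict, permission: str) -> bool:
    """Check a deputy's grant without contacting the principal."""
    body = {k: grant[k] for k in ("deputy", "on_behalf_of", "permissions")}
    valid = hmac.compare_digest(_sign(body), grant.get("sig", ""))
    return valid and permission in body["permissions"]


if __name__ == "__main__":
    cred = issue_deputization_credential("alice", ["payroll-db:read", "printer:use"])
    grant = deputize(cred, "report-job", ["payroll-db:read"])
    print(deputy_may(grant, "payroll-db:read"), deputy_may(grant, "printer:use"))
```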
23. A computer-executable method for delegating permission from a software principal to a software deputy within a computer network to access at least one resource that is accessible to the principal, the method comprising:
- receiving a request from the principal for a deputy credential, wherein the request includes the principal's identity and at least one permission to be assigned to the deputy;
- sending the deputy credential to the principal, wherein the deputy credential enables the principal to assign the permission to the resource to the deputy;
- receiving a deputization request from the principal to assign the permission to the deputy; and
- assigning the permission to the deputy, wherein the deputy can independently access the resource using the assigned permission without being controlled by the principal.
Specification