Query interface to policy server
24 Assignments
0 Petitions
Abstract
A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including sources external to the policy server.
166 Citations
15 Claims
1. A method for managing resource access, the method comprising:
- storing information in memory regarding a plurality of resources, each resource associated with one or more requirements regarding access;
- receiving a request sent over a communication network, the request concerning access by a user to a requested resource;
- receiving an indication over the communication network that an identity of the user is valid; and
- executing instructions stored in memory, wherein execution of the instructions by a processor:
  - identifies a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level,
  - identifies an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level,
  - calculates an overall trust level of the request based on: the trust level of the identification technique used to identify the user, the trust level of the path taken by the access request through the network, and a trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,
  - recognizes that the encryption technique has a higher trust level than a trust level of a portion of the path,
  - increases the overall trust level to the trust level of the encryption technique, and
  - provides or refuses access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A system for managing resource access, the system comprising:
- memory for storing information regarding a plurality of resources, each resource associated with one or more requirements regarding access;
- a communications interface for receiving a request sent over a communication network, the request concerning access by a user to a requested resource, and for receiving an indication over the communication network that an identity of the user is valid; and
- a processor for executing instructions stored in memory, wherein execution of the instructions by the processor:
  - identifies a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level,
  - identifies an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level,
  - calculates an overall trust level of the request based on: the trust level of the identification technique used to identify the user, the trust level of the path taken by the access request through the network, and a trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,
  - recognizes that the encryption technique has a higher trust level than a trust level of a portion of the path,
  - increases the overall trust level to the trust level of the encryption technique, and
  - provides or refuses access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for managing resource access, the method comprising:
- storing information in memory regarding a plurality of resources, each resource associated with one or more requirements regarding access;
- receiving a request sent over a communication network, the request concerning access by a user to a requested resource;
- receiving an indication over the communication network that an identity of the user is valid;
- identifying a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level;
- identifying an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level;
- calculating an overall trust level of the request based on: the trust level of the identification technique used to identify the user, the trust level of the path taken by the access request through the network, and a trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques;
- recognizing that the encryption technique has a higher trust level than a trust level of a portion of the path;
- increasing the overall trust level to the trust level of the encryption technique; and
- providing or refusing access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.
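The trust-level calculation the independent claims describe, written out as an added example (not code from the patent or its assignee). The trust tables, resource requirements and the choice of the weakest factor (min) as the combining function are assumptions; the claims fix only the rule that an encryption technique more trusted than a portion of the path raises the overall level to the encryption level, and the identity-validity indication as a precondition.

```python
from dataclasses import dataclass

# Trust levels are small integers; higher means more trusted. The tables below
# are constructed sample values, not figures from the patent.
IDENTIFICATION_TRUST = {"password": 1, "token": 2, "certificate": 3}
ENCRYPTION_TRUST = {"none": 0, "tls": 2, "ipsec": 3}
PATH_PORTION_TRUST = {"internal-lan": 3, "partner-link": 2, "public-internet": 0}
# Resource -> minimum overall trust level required for access (constructed).
RESOURCES = {"public-docs": 0, "hr-records": 2, "payroll-db": 3}


@dataclass
class Decision:
    path_trust: int     # trust of the weakest portion of the path, before encryption
    overall_trust: int  # overall trust after the encryption rule of claim 1
    granted: bool


def compute_trust(identification: str, path: list[str], encryption: str) -> tuple[int, int]:
    """Return (weakest path portion trust, overall trust) per claim 1.

    Assumption: the claim does not fix a combining function, so the weakest
    factor governs (min). The encryption rule is applied as stated: when the
    encryption technique is more trusted than a portion of the path, the overall
    level is raised to the encryption level, but (assumption) never above the
    trust of the identification technique, since encryption says nothing about
    who the user is.
    """
    id_trust = IDENTIFICATION_TRUST[identification]
    path_trust = min(PATH_PORTION_TRUST[portion] for portion in path)
    enc_trust = ENCRYPTION_TRUST[encryption]
    overall = min(id_trust, path_trust)
    if enc_trust > path_trust:
        overall = min(id_trust, enc_trust)
    return path_trust, overall


def decide(resource: str, identity_valid: bool, identification: str,
           path: list[str], encryption: str) -> Decision:
    """Grant or refuse access to `resource` for one request."""
    path_trust, overall = compute_trust(identification, path, encryption)
    # The claims require an indication that the identity is valid; without it
    # the request is refused regardless of the computed trust level.
    if not identity_valid:
        return Decision(path_trust, overall, False)
    return Decision(path_trust, overall, overall >= RESOURCES[resource])


if __name__ == "__main__":
    # Token login over the public internet, but TLS lifts the path to level 2.
    print(decide("hr-records", True, "token", ["public-internet", "internal-lan"], "tls"))
```

Note that the same request without encryption is refused: the public-internet portion drags the overall level to 0, and no encryption rule applies to lift it.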
Specification