Role-based access control to computing resources in an inter-organizational community

US 9,769,177 B2
Filed: 06/11/2008
Issued: 09/19/2017
Est. Priority Date: 06/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a plurality of computing resources in a distributed computing environment, the distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node and at least one computing resource, the method comprising:

responsive to receiving a certificate request from a computing resource requester belonging to a first organization of the plurality of organizations, the application role server conditionally, upon successfully authenticating the computing resource requester by querying an authentication server, issuing a digital certificate to the computing resource requester, wherein the digital certificate comprises computing resource requester identity information and role assignment information, to provide proof of identity and role assignment information for the computing resource to each organization represented in the plurality of computing resources in the distributed computing environment, wherein the at least one access control node of each organization separately authenticates the identity and role assignment information of the computing resource with the digital certificate before providing access to the at least one computing resource of the organization;

responsive to a first access control node belonging to the first organization receiving a resource access request from the computing resource requester, wherein the resource access request comprises the digital certificate, the resource access request requesting access to a computing resource belonging to a second organization, the first access control node forwarding the resource access request to a second access control node belonging the to the second organization, wherein the computing resource belonging to the second organization does not belong to the first organization, and wherein the second access control node identifies one or more computing resources belonging to the second organization that the computing resource requester is allowed to access, based upon ascertaining access privileges of the computing resource requester, wherein the ascertaining access privileges includes querying a permission role assignment table, the permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role;

responsive to the second access control node identifying the one or more computing resources belonging to the second organization, providing, to the computing resource requester belonging to the first organization of the plurality of organizations, a prompt to choose a computing resource of the one or more resources belonging to the second organization, based on a resource description and parameters selected from the group consisting of;

a service level, a resource usage price, and a resource access policy; and

based on obtaining the computing resource chosen, granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a plurality of computing resources in a distributed computing environment can comprise the steps of: an application role server, responsive to receiving a certificate request, authenticating the requester and issuing a digital certificate to the requester; an access control node, responsive to receiving a resource access request, granting access to the computing resource to the requester upon ascertaining the requestor'"'"'s access privileges, or forwarding the resource access request to another access control node.

72 Citations

25 Claims

1. A method for controlling access to a plurality of computing resources in a distributed computing environment, the distributed computing environment including an application role server and a plurality of organizations, each organization including at least one access control node and at least one computing resource, the method comprising:
- responsive to receiving a certificate request from a computing resource requester belonging to a first organization of the plurality of organizations, the application role server conditionally, upon successfully authenticating the computing resource requester by querying an authentication server, issuing a digital certificate to the computing resource requester, wherein the digital certificate comprises computing resource requester identity information and role assignment information, to provide proof of identity and role assignment information for the computing resource to each organization represented in the plurality of computing resources in the distributed computing environment, wherein the at least one access control node of each organization separately authenticates the identity and role assignment information of the computing resource with the digital certificate before providing access to the at least one computing resource of the organization;
  
  responsive to a first access control node belonging to the first organization receiving a resource access request from the computing resource requester, wherein the resource access request comprises the digital certificate, the resource access request requesting access to a computing resource belonging to a second organization, the first access control node forwarding the resource access request to a second access control node belonging the to the second organization, wherein the computing resource belonging to the second organization does not belong to the first organization, and wherein the second access control node identifies one or more computing resources belonging to the second organization that the computing resource requester is allowed to access, based upon ascertaining access privileges of the computing resource requester, wherein the ascertaining access privileges includes querying a permission role assignment table, the permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role;
  
  responsive to the second access control node identifying the one or more computing resources belonging to the second organization, providing, to the computing resource requester belonging to the first organization of the plurality of organizations, a prompt to choose a computing resource of the one or more resources belonging to the second organization, based on a resource description and parameters selected from the group consisting of;
  
  a service level, a resource usage price, and a resource access policy; and
  
  based on obtaining the computing resource chosen, granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first access control node granting access to the computing resource chosen of the one or more resources belonging to the second organization is performed conditionally, upon successfully authenticating the computing resource requester.
  - 3. The method of claim 1, wherein the granting to the computing resource requester access includes forwarding to the computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for the computing resource chosen of the one or more resources belonging to the second organization;
      
      a second URL and an authorization token.
  - 4. The method of claim 1, wherein the granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization includes forwarding the computing resource chosen of the one or more resources belonging to the second organization to the computing resource requester.
  - 5. The method of claim 1, wherein the computing resource chosen of the one or more resources belonging to the second organization is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 6. The method of claim 1, wherein the digital certificate includes role assignment information for the computing resource requester.
  - 7. The method of claim 1, wherein the digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.
  - 8. The method of claim 1, wherein the computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 9. The method of claim 1, further comprising:
    - receiving, by the computing resource requester, responsive to the forwarding or the granting, identifiers of computing resources belonging to the second organization meeting parameters in the resource access request for the computing resource, wherein the computing resource requester is authorized to access the identified computing resources belonging to the second organization.

10. A computer program product comprising:
- a non-transitory computer readable storage medium readable by one or more processors in a distributed computing environment, and storing instructions for execution by the one or more processors for performing a method for controlling access to a plurality of computing resources in a distributed computing environment, the distributed computing environment including an application role server and a plurality of access control nodes, the method comprising;
  
  responsive to receiving a certificate request from a computing resource requester belonging to a first organization of the plurality of organizations, the application role server conditionally, upon successfully authenticating the computing resource requester by querying an authentication server, issuing a digital certificate to the computing resource requester, wherein the digital certificate comprises computing resource requester identity information and role assignment information, to provide proof of identity and role assignment information for the computing resource to each organization represented in the plurality of computing resources in the distributed computing environment, wherein the at least one access control node of each organization separately authenticates the identity and role assignment information of the computing resource with the digital certificate before providing access to the at least one computing resource of the organization;
  
  responsive to a first access control node belonging to the first organization receiving a resource access request from the computing resource requester, wherein the resource access request comprises the digital certificate, the resource access request requesting access to a computing resource belonging to a second organization, the first access control node forwarding the resource access request to a second access control node belonging the to the second organization, wherein the computing resource belonging to the second organization does not belong to the first organization, and wherein the second access control node identifies one or more computing resources belonging to the second organization that the computing resource requester is allowed to access, based upon ascertaining access privileges of the computing resource requester, wherein the ascertaining access privileges includes querying a permission role assignment table, the permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role;
  
  responsive to the second access control node identifying the one or more computing resources belonging to the second organization, providing, to the computing resource requester belonging to the first organization of the plurality of organizations, a prompt to choose a computing resource of the one or more resources belonging to the second organization, based on a resource description and parameters selected from the group consisting of;
  
  a service level, a resource usage price, and a resource access policy; and
  
  based on obtaining the computing resource chosen, granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer program product of claim 10, wherein the first access control node granting access to the computing resource chosen of the one or more resources belonging to the second organization is performed conditionally, upon successfully authenticating the computing resource requester.
  - 12. The computer program product of claim 10, wherein the granting to the computing resource requester access includes forwarding to the computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for the computing resource chosen of the one or more resources belonging to the second organization;
      
      a second URL and an authorization token.
  - 13. The computer program product of claim 10, wherein the granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization includes forwarding the computing resource chosen of the one or more resources belonging to the second organization to the computing resource requester.
  - 14. The computer program product of claim 10, wherein the computing resource chosen of the one or more resources belonging to the second organization is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 15. The computer program product of claim 10 wherein the digital certificate includes role assignment information for the computing resource requester.
  - 16. The computer program product of claim 10 wherein the digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.
  - 17. The computer program product of claim 10 wherein the computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.

18. A system comprising:
- one or more memory;
  
  one or more processors in communication with the memory; and
  
  program instructions executable by the one or more processors in a distributed computed environment via the one or more memory to perform a method for controlling access to a plurality of computing resources in a distributed computing environment, said distributed computing environment including an application role server and a plurality of access control nodes, the method comprising;
  
  responsive to receiving a certificate request from a computing resource requester belonging to a first organization of the plurality of organizations, the application role server conditionally, upon successfully authenticating the computing resource requester by querying an authentication server, issuing a digital certificate to the computing resource requester, wherein the digital certificate comprises computing resource requester identity information and role assignment information, to provide proof of identity and role assignment information for the computing resource to each organization represented in the plurality of computing resources in the distributed computing environment, wherein the at least one access control node of each organization separately authenticates the identity and role assignment information of the computing resource with the digital certificate before providing access to the at least one computing resource of the organization;
  
  responsive to a first access control node belonging to the first organization receiving a resource access request from the computing resource requester, wherein the resource access request comprises the digital certificate, the resource access request requesting access to a computing resource belonging to a second organization, the first access control node forwarding the resource access request to a second access control node belonging the to the second organization, wherein the computing resource belonging to the second organization does not belong to the first organization, and wherein the second access control node identifies one or more computing resources belonging to the second organization that the computing resource requester is allowed to access, based upon ascertaining access privileges of the computing resource requester, wherein the ascertaining access privileges includes querying a permission role assignment table, the permission role assignment table including at least one permission role assignment record specifying an access level corresponding to a combination of a resource identifier and a role;
  
  responsive to the second access control node identifying the one or more computing resources belonging to the second organization, providing, to the computing resource requester belonging to the first organization of the plurality of organizations, a prompt to choose a computing resource of the one or more resources belonging to the second organization, based on a resource description and parameters selected from the group consisting of;
  
  a service level, a resource usage price, and a resource access policy; and
  
  based on obtaining the computing resource chosen, granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18, wherein the first access control node granting access to the computing resource chosen of the one or more resources belonging to the second organization is performed conditionally, upon successfully authenticating the computing resource requester.
  - 20. The system of claim 18, wherein the granting to the computing resource requester access includes forwarding to the computing resource requester a resource access token selected from the group consisting of:
    - a first short-living Universal Resource Locator (URL) for the computing resource chosen of the one or more resources belonging to the second organization;
      
      a second URL and an authorization token.
  - 21. The system of claim 18, wherein the granting to the computing resource requester access to the computing resource chosen of the one or more resources belonging to the second organization includes forwarding the computing resource chosen of the one or more resources belonging to the second organization to the computing resource requester.
  - 22. The system of claim 18, wherein the computing resource chosen of the one or more resources belonging to the second organization is selected from the group consisting of:
    - a file, a software application, a web service, and a network-accessible storage.
  - 23. The system of claim 18, wherein the digital certificate includes role assignment information for the computing resource requester.
  - 24. The system of claim 18 wherein the computing resource requester is provided by an entity selected from the group consisting of:
    - a human computer operator and a software program.
  - 25. The system of claim 18, wherein the digital certificate includes a computing resource requester authentication information selected from the group consisting of:
    - a hashed password and an encrypted password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syracuse University
Original Assignee
Syracuse University
Inventors
Park, Joon S.
Primary Examiner(s)
Shayanfar, Ali

Application Number

US12/137,077
Publication Number

US 20080313716A1
Time in Patent Office

3,387 Days
Field of Search

726 2- 10
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/104   Grouping of entities

H04L 63/126   the source of the received ...

Role-based access control to computing resources in an inter-organizational community

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based access control to computing resources in an inter-organizational community

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links