Abstract: The present subject matter relates to methods and systems for attribute-based access control and authorization (AACA) in an enterprise. In one implementation, the present subject matter provides an AACA system (102), for an application (202), that offers authentication, authorization, and access control based on user attributes. Further, the AACA system (102) maintains user identity, provides support for user and admin policies for access control and authorization. Yet further, the AACA system (102) separates authentication, authorization, and access control processes from the application (104).
CLAIMS:
1. A method for providing access control and authorization to an application (202) by an attribute-based access control and authorization (AACA) system (102) in an enterprise, the method comprising:
receiving credentials of the application (202) residing on a client device (104);
authenticating the application (202) for accessing the AACA system (102) based on the received credentials;
redirecting an output of the application (202) to a login screen (206) in response to successful authentication of the application (202);
receiving, by the login screen (206), user credentials of a user accessing the application (202) residing on the client device (104);
authenticating the user based on the received user credentials;
in response to successful authentication, receiving an authorization from the user to authorize the application (202); and
in response to successful user authorization, transmitting an identity token and an authorization token to the application (202) residing on the client device (104), wherein the identity token and the authorization token enable the application (202) to access the enterprise data stored on the AACA system (102).
2. The method as claimed in claim 1, wherein the method further comprises:
receiving, by the AACA system (102), an application name, an application ID, and an application homepage uniform resource location (URL) of the application (202) residing on the client device (104);
registering the application (202) on the AACA system (102); and
in response to the registration, transmitting the credentials to the application (202) from the AACA system (102), wherein the credentials comprise an application ID and a key.
3. The method as claimed in claim 1, wherein after successful authentication of the application (202), the method further comprises:
determining whether the user is already authenticated by checking a user ID present in the user credentials; and
when the user is already authenticated, redirecting the application (202) to a user’s authorization page.
4. The method as claimed in claim 1, wherein receiving user credentials of a user accessing the application (202) residing on the client device (104), comprises restricting user credentials from being shared with the application (202).
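The application-to-AACA flow of claims 1 to 4, written out as an added Python model (this is not code from the patent; the store layout, the HMAC token format and the function names are assumptions). It shows the property claim 4 states: the application receives only the two tokens, never the user's credentials.

```python
import base64, hashlib, hmac, json, secrets

# Constructed in-memory stores standing in for the AACA system's registered
# application data and user data; names and layout are assumptions.
REGISTERED_APPS = {}                      # app_id -> {"key", "name", "homepage"}
ISSUER_SECRET = secrets.token_bytes(32)   # signs the tokens the AACA issues

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": {"salt": b"constructed-salt",
                   "pw_hash": _hash_password("correct horse", b"constructed-salt")}}

def register_application(name: str, homepage_url: str):
    """Claim 2: the AACA registers the app and hands back an application ID and key."""
    app_id, key = secrets.token_hex(8), secrets.token_urlsafe(32)
    REGISTERED_APPS[app_id] = {"key": key, "name": name, "homepage": homepage_url}
    return app_id, key

def authenticate_application(app_id: str, key: str) -> bool:
    app = REGISTERED_APPS.get(app_id)
    return app is not None and hmac.compare_digest(app["key"], key)

def _mint_token(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_token(token: str):
    """Return the token payload if its MAC checks out, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(mac, expected) else None

def login_and_authorize(app_id, key, username, password, user_consents: bool):
    """Claims 1 and 4: check the app, then the user, then the user's authorization.
    The app only ever receives the two tokens (or None), never the password."""
    if not authenticate_application(app_id, key):
        return None
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    if not user_consents:
        return None
    identity_token = _mint_token({"sub": username, "typ": "id"})
    authorization_token = _mint_token({"sub": username, "aud": app_id, "typ": "authz"})
    return identity_token, authorization_token
```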
5. The method as claimed in claim 1, wherein the method further comprises providing dynamic access control by the AACA system (102) to the application (202) in the enterprise, and wherein the providing dynamic access control comprises:
receiving an access control request from the client device (104) at the AACA system (102) for providing the user with the access to a module of the AACA system (102), wherein the access control request comprises the identity token, the authorization token and a module ID of the module;
evaluating the access control request for the module based on the identity token, the authorization token and the module ID of the module; and
providing an access of the module to the user through the application (202) based on the evaluation of the access control request.
6. The method as claimed in claim 5, wherein after providing the access to the module, the method further comprises permitting the user to delegate access permission to the module, accessible by the user, to another user based on attributes of the other user.
7. The method as claimed in claim 5, wherein the method further comprises providing user centric authorization by the AACA system (102) in the enterprise, and wherein the providing user centric authorization comprises:
providing existing policies stored in a policy data (130) to the application (202) from the AACA system (102), wherein existing policies are associated with the module;
receiving a new policy from the application (102) at the AACA system (102) for associating the new policy to the module; and
storing the new policy in the policy data (130).
8. The method as claimed in 7, wherein the method further comprises providing a method for:
permitting the user to create application level module access policies when the user has administrative privileges; and
permitting the user to create user level module access policies when the user is a regular user.
9. The method as claimed in 7, wherein the method further comprises receiving policy creation and association with a module request from the application (202) at the AACA system (102), wherein the request comprises the authorization token, the module ID of the module, and policy details in an encrypted form.
10. The method as claimed in 7, wherein the method further comprises receiving existing policy association with a module request from the application (202) at the AACA system (102), wherein the request comprises the identity token, the authorization token, the module ID of the module, and a policy ID in an encrypted form.
11. The method as claimed in 7, wherein the method further comprises receiving changing policy association with a module request from the application (202) at the AACA system (102), wherein the request comprises the authorization token, the module ID of the module, an existing policy ID, and a new policy ID in an encrypted form.
12. An attribute-based access control and authorization (AACA) system (102), comprising:
a processor (108);
an authorization module (118), coupled to the processor (108), to
receive credentials of an application (202) residing on the client device (104);
based on the received credentials, authenticate the application (202) to be valid;
in response to the successful authentication of the application (202), redirect an output of the application (202) to a login screen (206) for receiving user credentials of a user accessing the application (202) on the client device (104);
authenticate the user based on the received user credentials; and
receive an authorization from the user to authorize the application (202) upon successful user authentication; and
upon successful authorization, provide the application (202) residing on the client device (104) with an identity token and an authorization token; and
an access control module (120), coupled to the processor (108), to
receive an access control request from the client device (104) for providing access to a module of the AACA system (102), wherein the access control request comprises the identity token, the authorization token and a module ID of the module;
validate the access control request for the module based on the identity token, the authorization token and the module ID of the module; and
provide an access control decision to the application (202) on access of the module to the user based on the validation of the access control request.
13. The AACA system (102) as claimed in claim 13, wherein before providing the access control decision, the access control module (120):
transmits the access control request to a policy engine (122); and
receives an access control evaluation decision from the policy engine (122) for validation of the access control decision to the application.
14. The AACA system (102) as claimed in claim 13, wherein the policy engine (122):
receives the access control request from the access control module (120), wherein the access control request comprises the identity token, the module ID and permissions;
fetches user attributes from user data (126), module attributes from resource data (128) and policies associated with the module from policy data (130) of the AACA system (102);
evaluates the access control request based on the user attributes, the module attributes, and the policies; and
provides an access control decision to the application (202) on access of the module to the user based on the evaluation.
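The policy engine of claims 13 and 14, as an added Python example that is not the patent's own code: it resolves the identity token to a user, fetches user attributes, module attributes and the policies associated with the module, and returns a default-deny decision. The store layout, the rule syntax (including the "$module.<attr>" reference) and the constructed users, module and policies are assumptions.

```python
import operator

# Constructed stores standing in for the user data (126), resource data (128) and
# policy data (130) of the AACA system; layout and field names are assumptions.
USER_DATA = {"alice": {"dept": "finance", "clearance": 2, "role": "user"},
             "bob":   {"dept": "hr",      "clearance": 1, "role": "user"}}
RESOURCE_DATA = {"ledger": {"owner_dept": "finance", "min_clearance": 2}}
# A policy names the module and permission it grants and lists attribute rules;
# a rule compares a user attribute with a constant or with a module attribute
# referenced as "$module.<attr>". All rules of one policy must hold.
POLICY_DATA = {
    "p1": {"module": "ledger", "permission": "read",
           "rules": [("dept", "==", "$module.owner_dept"),
                     ("clearance", ">=", "$module.min_clearance")]},
    "p2": {"module": "ledger", "permission": "write", "rules": [("role", "==", "admin")]},
}
ISSUED_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # identity token -> user ID
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

def _resolve(value, module_attrs):
    """Expand a "$module.<attr>" reference against the module's attributes."""
    if isinstance(value, str) and value.startswith("$module."):
        return module_attrs.get(value[len("$module."):])
    return value

def _rule_holds(rule, user_attrs, module_attrs) -> bool:
    attr, op, expected = rule
    actual, expected = user_attrs.get(attr), _resolve(expected, module_attrs)
    try:
        return actual is not None and expected is not None and OPS[op](actual, expected)
    except TypeError:            # mismatched attribute types never grant access
        return False

def evaluate_access(identity_token: str, module_id: str, permission: str) -> bool:
    """Claim 14: resolve the identity token to a user, fetch user attributes,
    module attributes and the module's policies, and decide. Default deny: an
    unknown token, module or permission, or no satisfied policy, yields False."""
    user_attrs = USER_DATA.get(ISSUED_TOKENS.get(identity_token))
    module_attrs = RESOURCE_DATA.get(module_id)
    if user_attrs is None or module_attrs is None:
        return False
    for policy in POLICY_DATA.values():
        if policy["module"] != module_id or policy["permission"] != permission:
            continue
        if all(_rule_holds(r, user_attrs, module_attrs) for r in policy["rules"]):
            return True
    return False
```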
15. The AACA system (102) as claimed in claim 13, wherein the authorization module (118) further:
receives an application name, an application ID, and an application homepage uniform resource location (URL) of the application (202) residing on the client device (104);
registers the application (202) on the AACA system (102); and
in response to the registration, provides the credentials to the application (202), wherein the credentials comprise an application ID and a key.
16. The AACA system (102) as claimed in claim 13, wherein the authorization module (118) restricts the user credentials of the user from being shared with the application (202).
| # | Name | Date |
|---|---|---|
| 1 | 214-MUM-2015-POWER OF ATTORNEY-23-04-2015.pdf | 2015-04-23 |
| 2 | 214-MUM-2015-CORRESPONDENCE-23-04-2015.pdf | 2015-04-23 |
| 3 | PD014846IN-SC - SPEC FOR FILING.pdf | 2018-08-11 |
| 4 | PD014846IN-SC - FORM 5.pdf | 2018-08-11 |
| 5 | PD014846IN-SC - FORM 3.pdf | 2018-08-11 |
| 6 | PD014846IN-SC - DRAWINGS FOR FILING.pdf | 2018-08-11 |
| 7 | 214-MUM-2015-Form 1-040615.pdf | 2018-08-11 |
| 8 | 214-MUM-2015-Correspondence-040615.pdf | 2018-08-11 |
| 9 | 214-MUM-2015-FER.pdf | 2019-11-04 |
| 10 | 214-MUM-2015-FER_SER_REPLY [01-05-2020(online)].pdf | 2020-05-01 |
| 11 | 214-MUM-2015-CLAIMS [01-05-2020(online)].pdf | 2020-05-01 |
| 12 | 214-MUM-2015-US(14)-HearingNotice-(HearingDate-01-12-2023).pdf | 2023-10-27 |
| 13 | 214-MUM-2015-Correspondence to notify the Controller [01-11-2023(online)].pdf | 2023-11-01 |
| 14 | 214-MUM-2015-FORM-26 [30-11-2023(online)].pdf | 2023-11-30 |
| 15 | 214-MUM-2015-Written submissions and relevant documents [14-12-2023(online)].pdf | 2023-12-14 |
| 16 | 214-MUM-2015-PatentCertificate19-02-2024.pdf | 2024-02-19 |
| 17 | 214-MUM-2015-IntimationOfGrant19-02-2024.pdf | 2024-02-19 |
| 1 | searchstrategy1_27-09-2019.pdf | |