Title: Network layer claims based access control
Abstract: Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).
Publication number: US9344432 (B2) Publication date: 2016.05.17
Application number: US201012822724 Filing date: 2010.06.24
Applicant: Microsoft Technology Licensing, LLC Inventors: Tor Yair; Rose Daniel; Neystadt Eugene (John); Schnell Patrik; Sapir Moshe; Ananiev Oleg; Zavalkovsky Arthur; Eyal Anat
Classification: H04L29/06; G06F15/16; G06F21/33; G06F21/41 Main classification: H04L29/06
Agents: Drakos Kate; Mehta Aneesh; Minhas Micky
Main claim: 1. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising: receiving from the computer a request for one or more requester claims; providing the one or more requester claims to the computer in a first communication formatted to comply with the network layer security protocol, at least one of the one or more requester claims comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer; receiving from the network resource a request for one or more resource claims, at least one of the resource claims comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage; providing the one or more resource claims to the network resource in a second communication formatted to comply with the network layer security protocol; receiving a request for an access control policy decision, the request for the access control policy decision providing information included in the one or more requester claims and the one or more resource claims; and issuing the requested access control policy decision based at least in part on the provided information.
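The decision step of claim 1, as an added illustration that is not code from the patent or from Microsoft: requester claims (connection encryption strength, whether the computer is a home machine, the user and the user's groups) and resource claims (business impact, production stage) are bundled into a policy-decision request and evaluated fail-closed against a rule set. The rule thresholds, the `prod-operators` group name and all sample values are constructed assumptions; the patent specifies no particular policy.

```python
"""Claims-based access control decision, modelled on the flow of claim 1.

Added example, not code from the patent or its assignee. Claim attribute
names, the policy rules and the sample claim values below are constructed
assumptions used only to show how a policy is evaluated over both claim sets.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class RequesterClaims:
    """Attributes of the requesting computer, its user and the request context."""
    user: str
    encryption_strength_bits: int   # strength of the connection to the resource
    home_computer: bool             # is the computer associated with the user's home?
    user_groups: frozenset = frozenset()


@dataclass(frozen=True)
class ResourceClaims:
    """Attributes of the network resource being requested."""
    name: str
    business_impact: str            # "high", "medium" or "low"
    production: bool                # is the resource at production stage?


@dataclass
class Decision:
    granted: bool
    reasons: List[str] = field(default_factory=list)


# A policy rule returns None when satisfied, or a reason string when violated.
Rule = Callable[[RequesterClaims, ResourceClaims], Optional[str]]

# Constructed assumption: minimum connection encryption per business impact.
MIN_ENCRYPTION_BITS = {"high": 256, "medium": 128, "low": 0}


def rule_min_encryption(req: RequesterClaims, res: ResourceClaims) -> Optional[str]:
    required = MIN_ENCRYPTION_BITS[res.business_impact]
    if req.encryption_strength_bits < required:
        return (f"connection encryption {req.encryption_strength_bits} bits is below "
                f"{required} bits required for a {res.business_impact}-impact resource")
    return None


def rule_home_computer(req: RequesterClaims, res: ResourceClaims) -> Optional[str]:
    # Constructed assumption: home machines may not reach high-impact production resources.
    if req.home_computer and res.production and res.business_impact == "high":
        return "home computers may not access high-impact production resources"
    return None


def rule_production_group(req: RequesterClaims, res: ResourceClaims) -> Optional[str]:
    # Constructed assumption: production resources require the 'prod-operators' group.
    if res.production and "prod-operators" not in req.user_groups:
        return "production resources require membership in prod-operators"
    return None


DEFAULT_POLICY: List[Rule] = [rule_min_encryption, rule_home_computer, rule_production_group]


def decision_request(req: RequesterClaims, res: ResourceClaims) -> dict:
    """Bundle information from both claim sets, as the policy-decision request does."""
    return {"requester": vars(req), "resource": vars(res)}


def decide(req: RequesterClaims, res: ResourceClaims, policy: List[Rule] = DEFAULT_POLICY) -> Decision:
    """Evaluate every rule; a malformed claim or any violated rule denies (fail-closed)."""
    if res.business_impact not in MIN_ENCRYPTION_BITS:
        return Decision(False, [f"unknown business impact claim: {res.business_impact!r}"])
    reasons = [r for rule in policy for r in [rule(req, res)] if r is not None]
    return Decision(granted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample claims.
    office = RequesterClaims("alice", 256, False, frozenset({"prod-operators"}))
    home = RequesterClaims("alice", 128, True, frozenset({"prod-operators"}))
    payroll = ResourceClaims("payroll-db", "high", True)
    for requester in (office, home):
        d = decide(requester, payroll)
        print(decision_request(requester, payroll), "->", "GRANT" if d.granted else "DENY", d.reasons)
```

Every rule is evaluated rather than stopping at the first violation, so the denial carries all reasons, which is what a network-layer enforcement point would want to log for later review.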
Address: Redmond WA US