| 摘要 |
An access control system is provided to provide a core server to authenticate the permissions of users to access services provided by other operators. The provision of a single core server allows many-to-many access agreements to be mediated and maintained for effectively than by operating individual one-to-one access permissions. This allows updates to access permissions to be handled by the operator responsible for the user or service in question, without the need to directly co-operate which each and every service involved. When an access attempt is made through a user interface (10) to access a service provided by another user (20), the service provider (21) refers the request to a core server (30) for authentication, and the core server (30) instructs the user to identify an identity provider (32) with which he is authenticated (step 63). Details provided by the user may be stored by the core server (30) for one or more subsequent uses. The core server (30) will permit or suspend access according to the response received from the identity provider (32). Because the authentication check (450, 451) is made by the identity provider (11) associated with the user (10), the user identity's permissions are under a single control and can be readily updated, or deleted as necessary, for all services by modifying the user profile store (16), regardless of how many different servers those services are hosted on. Similarly, if a service provider (25) requires amendment of the permissions granted to members of a particular enterprise (for instance to provide a new service, or because a subscription has expired), it can do so by sending an instruction to the core to amend the user profile store (16) in respect of all users (12) associated with a flag indicative of their association with that enterprise (11). |
