Method and system for federated provisioning
    1.
    Granted invention patent
    Status: In force

    Publication number: US08607322B2

    Publication date: 2013-12-10

    Application number: US10896351

    Filing date: 2004-07-21

    CPC classification number: H04L63/0815 G06F21/41 H04L63/0407

    Abstract: A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.


    Authorization model for administration
    2.
    Granted invention patent
    Status: Expired

    Publication number: US06910041B2

    Publication date: 2005-06-21

    Application number: US09935394

    Filing date: 2001-08-23

    Abstract: An administration model is provided that uses access control lists to define permissions for users and groups of users. The model identifies a number of objects to be administered. Associated with each of these objects is a set of administrative operations that can be performed on the object. For each of these operations a permission in an access control list entry is defined. The protected resources are arranged in a hierarchical fashion and an access control list can be associated with any point in the hierarchy. The access control list provides fine-grained control over the protected resources. At the time an administrator requests to perform an operation, the administrator's identification is used to look up the prevailing access control list to determine whether the operation is permitted.


    Grouped access control list actions
    3.
    Granted invention patent
    Status: In force

    Publication number: US07380271B2

    Publication date: 2008-05-27

    Application number: US09903704

    Filing date: 2001-07-12

    CPC classification number: H04L63/102 G06F21/6218 H04L63/101 H04L63/105

    Abstract: Access Control Lists (ACLs) are used to describe the permitted actions (permissions) on protected network computer system resources or objects associated with a client or user identity. An identity may be an individual user or a group of users. The actions represent the different access methods available on a particular protected object or resource. A new action grouping mechanism is provided which tags each action with an action group name. Grouping actions allows a larger permission set to be defined in an ACL, because action permission indicators can be reused for unique action definitions within different action groups. This effectively extends the finite total number of permissions available within a security system, allows a more descriptive and extensible permission mechanism in an Access Control List, and simplifies the management and definition of security policies.


    Method for access by server-side components using unsupported communication protocols through passthrough mechanism
    4.
    Granted invention patent
    Status: In force

    Publication number: US07685300B2

    Publication date: 2010-03-23

    Application number: US10655368

    Filing date: 2003-09-04

    CPC classification number: H04L67/14 H04L63/08 H04L67/02 H04L67/327

    Abstract: A method is presented for obtaining information from a client for the benefit of a server using a particular communication protocol that the server does not implement. A primary server receives a client-generated request, and as part of processing that request sends a first request to a secondary server. While processing the first request, the secondary server determines that it needs data obtainable from a client application that supports user interaction using a communication protocol the secondary server is not configured to implement. The secondary server sends a second request to the primary server to obtain the data that results from using that communication protocol. The secondary server subsequently receives the resulting data and continues processing the first request with it, after which the secondary server returns a response for the first request to the primary server.


    Grouped access control list actions
    5.
    Granted invention patent
    Status: Expired

    Publication number: US07827598B2

    Publication date: 2010-11-02

    Application number: US11947104

    Filing date: 2007-11-29

    CPC classification number: H04L63/102 G06F21/6218 H04L63/101 H04L63/105

    Abstract: Access Control Lists control permitted actions on protected network computer system resources by providing an access control policy associated with the requested protected system resource containing a permission list of permitted identities and at least one action group tag with associated action indicators; reusing a finite quantity of action indicators among a plurality of action group tags to control a number of unique permissions less than or equal to the product of the quantity of allowable action indicators and a quantity of allowable action group tags; evaluating the permission list according to a specific permission definition associated with the action group tag, the permission definition providing a correlation between members of a set of action indicators; and granting authorization to perform actions on the requested protected system resource to the requesting user if the access control policy permission list includes an appropriate action indicator correlated to an action group tag.

