An unprecedented number of electronic transactions are required to sustain a modern global economy. In order to protect the persons and companies performing these transactions, it has been necessary to provide authentication and authorization systems. A typical transaction normally involves three parties: a data server, an application, and a user of the application. The data server may, for example, be a central mainframe computer at a bank containing account information, a database server at a retailer containing customer information, or a file server at an accounting agency containing tax files. The application may be a program running on a personal computer (PC), a portable program running on a hand-held PC or personal digital assistant (PDA), or a web-based program running on the combination of a PC web browser, a web server, and an application logic server. The application is usually connected, or connectable, to the data server via telecommunications. The user utilizes the application to generate action requests, or messages, which are transmitted to the data server. Actions are then performed on resources on the data server based on the contents of the request.
Unique information for the application and/or the user, such as a communication address, a user-id/password combination, biometric information, or a security token, uniquely identifies the user of the application. Whenever an action request is generated in the application, usually at the request of the user, this unique identification information is used to authenticate the request. Typically, the action request is authenticated by applying an authentication algorithm to the unique information (and, so that the token cannot be transferred to a different request, to the action request itself) to generate a digital token. The token is sent to the data server along with the action request. The data server (or possibly the web server) uses the same authentication algorithm, or a complementary one, to verify the authenticity of the action request, and can grant or deny the action based on the result of that verification.
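The token exchange described above, written out as an added example (this code is not from the patent and is not any particular commercial product's implementation): the client derives a digital token from its unique information, here a per-user shared secret, and the action request using HMAC-SHA256; the data server, holding its own copy of the secret, recomputes the token with the same algorithm and compares. The user names, secrets and account identifiers are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample credential store: the data server's copy of each
# user's "unique information" (a per-user shared secret). In a real
# deployment this comes from an identity store; these values are made up.
SERVER_SECRETS = {
    "alice": b"alice-secret-key-0001",
    "bob": b"bob-secret-key-0002",
}


def canonical(request: dict) -> bytes:
    """Serialise the action request deterministically so that client and
    server compute the token over exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def make_token(secret: bytes, request: dict) -> str:
    """Client side: derive the digital token from the unique information
    (the secret) and the action request with HMAC-SHA256."""
    return hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()


def authenticate(request: dict, token: str) -> bool:
    """Data-server side: recompute the token with the same algorithm and
    the server's copy of the user's secret, then compare in constant time
    so that the comparison itself leaks nothing about the expected value."""
    secret = SERVER_SECRETS.get(request.get("user"))
    if secret is None:
        return False  # unknown user: nothing to verify against
    expected = make_token(secret, request)
    return hmac.compare_digest(expected, token)


def client_send(user: str, secret: bytes, action: str, **params) -> tuple:
    """Build an action request as the application would and attach the token.
    Returns (request, token), i.e. what travels to the data server."""
    request = {"user": user, "action": action, **params}
    return request, make_token(secret, request)


def demo() -> tuple:
    """Three cases: a genuine request, the same token replayed on a request
    whose amount was altered in transit, and the same token presented under
    a different user id. Only the first should authenticate."""
    req, tok = client_send("alice", SERVER_SECRETS["alice"], "transfer",
                           src="ACC-1", dst="ACC-2", amount=100)
    genuine = authenticate(req, tok)
    tampered = authenticate(dict(req, amount=10000), tok)
    forged = authenticate(dict(req, user="bob"), tok)
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())
```

Because the token covers the request content, altering the request or presenting the token under another user id fails verification. It does not, by itself, stop an attacker from resubmitting an unaltered request; a server that must also refuse replays needs the request to carry a nonce or timestamp that the server tracks, which this example does not include.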
For certain action requests, such as an instruction given to a bank to transfer money from an account, it may be required to perform some form of access control that ensures only an authorized user can issue the instruction. The process of authorizing the user can be based on attributes of the user, attributes of the action request, or attributes of the resource on which the action is being performed. Authorization typically requires that the user first be authenticated. For other applications, authorization may not be required, or it may be undesirable for reasons of efficiency or performance.
Access control is the process of granting or denying an action based on authentication and authorization. Authentication is the process of verifying that a user is who he or she purports to be. Authorization is the process of determining whether a user is allowed to perform a requested action based on a set of pre-defined rules. Authorization is often reliant on authentication to ensure that a user is correctly identified. For example, an authorization mechanism is described in U.S. Pat. No. 5,455,953, which discloses a method and apparatus for use in a data processing system for providing authorization information for a client requesting access to a server resource in a server. This data processing system includes a client mechanism, a server mechanism including a server resource and an authorization mechanism.
Traditionally, authentication and authorization checks have been coded directly into applications. However, with the advent of web-based application architecture, authentication has been abstracted out of many applications and performed by a centralized authentication system. There are several commercial products available today that offer such functionality. One such authentication system is described in U.S. Pat. No. 6,185,682, which discloses an authentication system that includes at least one station and a host. A user transmits an authenticated instruction on the station to the host. The host checks the authenticated instruction, and if valid proceeds with processing the instruction. This system protects against any third party fraudulently pretending to be another party transmitting a message on behalf of the other party.
For the most part, however, authorization is still performed inside applications; consequently, any change in authorization rules requires changing the application itself, which is slow and costly. In many industries new security regulations are mandated at a rate that makes it impractical or very costly to keep authorization rules up to date. Therefore, there is a need for a system that allows authorization access controls to be implemented and managed in a relatively simple and convenient manner, external to the applications they protect.
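As an added example (not code from the patent or from any product it cites) of the externalized authorization that the preceding paragraphs call for: the application makes a single authorize() call, while the rules, which consult attributes of the user, of the action request and of the resource as described above, live in a policy table outside the application code. The final part of the example tightens a transfer limit, as a new regulation might require, by editing the policy rather than the application. The roles, branches, limits and account records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs], bool]  # (user, request, resource)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # the action request type this rule governs
    condition: Condition
    effect: str          # "allow" or "deny"


# Constructed policy table. It is data, not application code: it can be
# loaded from a policy store and changed without redeploying the application.
POLICY: List[Rule] = [
    Rule("frozen-account", "transfer",
         lambda u, r, res: bool(res.get("frozen")), "deny"),
    Rule("teller-transfer-limit", "transfer",
         lambda u, r, res: u["role"] == "teller" and r["amount"] > 5000, "deny"),
    Rule("own-branch-only", "transfer",
         lambda u, r, res: u["branch"] != res["branch"], "deny"),
    Rule("staff-may-transfer", "transfer",
         lambda u, r, res: u["role"] in ("teller", "manager"), "allow"),
]


def authorize(user: Attrs, request: Attrs, resource: Attrs,
              policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Decide an action request against the external policy.
    Returns (decision, name of the deciding rule). Authorization is refused
    outright for an unauthenticated user; deny rules take precedence over
    allow rules; with no explicit allow the default is deny."""
    if not user.get("authenticated"):
        return False, "not-authenticated"
    applicable = [rule for rule in policy if rule.action == request["action"]]
    for rule in applicable:
        if rule.effect == "deny" and rule.condition(user, request, resource):
            return False, rule.name
    for rule in applicable:
        if rule.effect == "allow" and rule.condition(user, request, resource):
            return True, rule.name
    return False, "default-deny"


def replace_rule(policy: List[Rule], new_rule: Rule) -> List[Rule]:
    """Return a new policy with the rule of the same name swapped out.
    This is the 'regulation changed' operation: no application code changes."""
    return [new_rule if rule.name == new_rule.name else rule for rule in policy]


# Constructed sample users and resources.
TELLER = {"id": "alice", "role": "teller", "branch": "north", "authenticated": True}
MANAGER = {"id": "bob", "role": "manager", "branch": "north", "authenticated": True}
ANON = {"id": "alice", "role": "teller", "branch": "north", "authenticated": False}
ACCOUNT = {"id": "ACC-1", "branch": "north", "frozen": False}
FROZEN = {"id": "ACC-2", "branch": "north", "frozen": True}
REMOTE = {"id": "ACC-3", "branch": "south", "frozen": False}


def transfer(amount: int) -> Attrs:
    return {"action": "transfer", "amount": amount}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the policy, then tighten the teller limit from 5000 to 2000
    and show the same application call now being refused."""
    tightened = replace_rule(POLICY, Rule(
        "teller-transfer-limit", "transfer",
        lambda u, r, res: u["role"] == "teller" and r["amount"] > 2000, "deny"))
    return {
        "teller_3000": authorize(TELLER, transfer(3000), ACCOUNT),
        "teller_6000": authorize(TELLER, transfer(6000), ACCOUNT),
        "manager_6000": authorize(MANAGER, transfer(6000), ACCOUNT),
        "frozen": authorize(MANAGER, transfer(10), FROZEN),
        "other_branch": authorize(TELLER, transfer(10), REMOTE),
        "unauthenticated": authorize(ANON, transfer(10), ACCOUNT),
        "teller_3000_after_change": authorize(TELLER, transfer(3000), ACCOUNT, tightened),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The deny-overrides ordering and the default deny are deliberate: a rule author who forgets a case then fails closed rather than open, and the deciding rule's name is returned so that each decision can be logged and audited against the policy version in force.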