1. Technical Field
The disclosed technology relates to simplifying access control of a computerized application to control the data access and operations of a service-application executing in a computer system.
2. Background Art
Computer applications are sometimes used as tools to help provide services for users in a computer system. These user services require access to information, some of which may be private or otherwise be sensitive digitally-encoded information. The problem of providing secure and managed access to such information by any computer application is complex and difficult to manage. These difficulties increase as multiple computer applications (such as an application-tool-set) interact to provide the capability of the application-tool-set, and increase even more when the applications are on different computers. The prior art has allowed access to the sensitive digitally-encoded information by a first application (for example a service-application) for a second application (a requesting application that can be local or remote) based on the security credential of the service-application. Once the service-application's security credential is authenticated, the service-application receives a set of rights (System-Rights) that allows it to access the sensitive digitally-encoded information of any user in the system. This approach works where the sensitive digitally-encoded information is stored as system information and both the requesting application and the service-application are simply sharing the information without involvement of a user.
However, this prior-art approach presents fundamental security, access, and regulatory problems because all the operations/accesses performed by the service-application happen under the assumption that the service-application will behave normally, will not perform any malicious activity, and that the requesting application does not exploit (intentionally or unintentionally) security flaws in the service-application. This assumption may be valid when both the requesting application and the service-application are trusted (for example, if both the requesting application and the service-application were developed by the same team/vendor). However, this assumption is weakened when the applications were separately developed, provided by different vendors, or deployed by different companies. Yet these applications must interact because of business needs.
Because the System-Rights provide the service-application with access to information from all users, the sensitive digitally-encoded information of different users is not protected by the System-Rights. Nevertheless, it is important that the administrator of the service-application be able to prevent the service-application from operating on or accessing user information if the user who has invoked the requesting application (that then invoked the service-application) does not have rights to that information. However, the fine-grained administration of the Access Control Policies or Role Based Permissions required to appropriately protect each user's information is difficult and error-prone.
FIG. 1 illustrates a prior-art server system architecture 100 that demonstrates the prior-art approach. The prior-art server system architecture 100 includes a data storage 101 that contains data from or about multiple users. A user can login to the prior-art server system architecture 100 through a user login module 103 that assigns user-Rights to the user. The assigned user-Rights can enable the use of delegated-rights that can be managed by a delegation system module 105. The assigned user-Rights and the user access policy module 107 determine a limited access path 109 for the user to access the data storage 101 through an exposed data realm 111. Once the user has user-Rights, the user can invoke a user application module 114 as the requesting application.
In the case where the user application module 114 executes on a client computer networked to a server computer and requests service from the prior-art server system architecture 100, the user application module 114 on the client computer (not shown) can connect via a remote service provider access module 113 (for example by connecting using a specified port) to a server computer that transports data between the user application module 114 and a service-application 115 that has System-Rights. In the case where the user application module 114 executes on the same computer as the service-application 115, the two can also interact using the remote service provider access module 113 or any appropriate inter-process communication facility supported by the server computer.
The service-application 115 then uses its System-Rights and a system access policy module 117 to access the data storage 101 as indicated by an unconstrained access path 119. Regardless of which user is being serviced, the service-application 115 has access to any user's information on the data storage 101. Thus, a programming error or malicious code in the service-application 115 could access and/or modify other users' information on the data storage 101. In addition, a programming error or malicious code in the user application module 114, or in a remote application accessing the service-application 115 through the remote service provider access module 113, could exploit vulnerabilities in the service-application 115 to operate on or access any user's information.
Application authentication is well understood by one skilled in the art and there exist many techniques to authenticate an application. However, these known techniques do not support access rights and models resulting from stringent regulatory requirements.
There has been a long-felt, but unsatisfied, need to provide a better way of administering rights for applications that interact with other applications. Some of these long-felt needs include: 1) because the service-application that operates on sensitive digitally-encoded information is provided System-Rights that allow unfettered access to, and operations on, the user data (including the sensitive digitally-encoded information) of all users, a need exists to limit the service-application's access to user data; 2) administrators of the service-application need easy-to-use, fine-grained user- or group-based control of the service-application's Rights to simply control the service-application's access to each user's information; 3) there is a need to protect user data from programming errors in the service-application and to prevent improper data access or operations resulting from accidental or intentional programming that misuses user data; 4) there is a need to protect the user data from attempts by the requesting application to exploit the service-application with the intent to improperly obtain user data or perform malicious acts; and 5) there is a need for an audit trail to capture the activity that has taken place on a user's behalf.
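The following is an added illustration, not part of the patent text, contrasting the FIG. 1 prior-art pattern (a service-application reading the data storage under System-Rights, ignoring which user invoked it) with a request-scoped variant that meets needs 1 and 5 above by deriving the service's rights from the invoking user's login rights and recording each access. The data store, user names and the `Rights`/`read_record` helpers are constructed for the example.

```python
"""Added example: System-Rights service vs. a service scoped to the invoking user's rights."""
from dataclasses import dataclass

# Constructed multi-user data store, standing in for "data storage 101" of FIG. 1.
DATA_STORAGE = {"alice": {"ssn": "alice-ssn"}, "bob": {"ssn": "bob-ssn"}}

class AccessDenied(Exception):
    """Raised by the access policy when a subject's rights do not cover the record."""

@dataclass(frozen=True)
class Rights:
    subject: str          # who the rights were granted to (a user or the service itself)
    users: frozenset      # user records this subject may read

# System-Rights: granted to the service after it authenticates; covers every user (path 119).
SYSTEM_RIGHTS = Rights("service-app", frozenset(DATA_STORAGE))

def user_rights(user: str) -> Rights:
    """User-Rights assigned at login (module 103): a user reaches only its own record."""
    return Rights(user, frozenset({user}))

def read_record(rights: Rights, target_user: str) -> dict:
    """Access policy check (modules 107/117): allow only if the rights cover target_user."""
    if target_user not in rights.users:
        raise AccessDenied(f"{rights.subject} may not read {target_user}")
    return dict(DATA_STORAGE[target_user])

# Prior art: the service uses its own System-Rights; the invoking user is never consulted,
# so a bug in the service, or a requesting application driving it, reaches any record.
def prior_art_service(requesting_user: str, target_user: str) -> dict:
    return read_record(SYSTEM_RIGHTS, target_user)

# Request-scoped variant: the service operates with the invoking user's rights and
# leaves an audit trail of what was attempted on that user's behalf (need 5).
AUDIT: list = []

def scoped_service(requesting_user: str, target_user: str) -> dict:
    rights = user_rights(requesting_user)
    try:
        record = read_record(rights, target_user)
        AUDIT.append((requesting_user, target_user, "allowed"))
        return record
    except AccessDenied:
        AUDIT.append((requesting_user, target_user, "denied"))
        raise
```

With the same two calls, `prior_art_service("alice", "bob")` returns Bob's record while `scoped_service("alice", "bob")` raises `AccessDenied` and records the denial.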
It would be advantageous to develop a technology that addresses the previously discussed issues.