Field
The present specification generally relates to authorization systems.
Technical Background
Access control is used to restrict system (or other) access to authorized functions and users (or their delegates) and is generally considered a form of computer systems security. It is often utilized in Web Access Management (WAM) to control access to web resources, perform authentication, facilitate policy-based authorizations, and more.
Different authorization solution models may be used separately or together to provide a robust access management system. Referring to FIG. 1, generally, these include agent authorization, business authorization, and securable object authorization. All three can be analogized to gaining access to a secure apartment complex.
An Agent Authorization calculates whether one application is permitted to make a call/request to another application/service/etc. Using the secure apartment complex analogy, its gatekeeping function is whether the user can even find the apartment building.
A Business Authorization (possibly disposed in a WAM) calculates whether a particular user is permitted to access a given service (e.g., is the user's subscription active? What restrictions apply? Is this a transactional purchase? Has the user undergone proper credentialing and asserted a permissible use for the requested access?). Again, using the secure apartment complex analogy, its gatekeeping function determines whether a user can enter the building when that user knocks on the door of the apartment building.
Business Authorizations may include content restrictions which are policies designed to prevent access to specific content sets by users in specific markets/geographies/royalty paradigms and may be vendor specified and/or contractually mandated. Content restrictions may need to be enforced by retrieval as well as search and alert modules/functions. Internal Content Restrictions may include internally (although not contractually) developed content restrictions that may be motivated by financial considerations (e.g., not offering high-revenue content to academic markets).
A Securable Object Authorization calculates more specific access within an application or via a service provider by governing how service providers control access to user generated content (e.g., folders, alerts, etc.). It utilizes policies that take into account the requesting user identity, the privileges allocated to that user identity, who owns the securable object, and what permissions have been assigned to that object, in order to calculate whether a given request may be authorized. This phase of authorization may be likened to gaining access to a specific apartment in the building.
Role-based authorization may be utilized to assign permissions to perform certain operations to specific roles. Users, assigned to roles, acquire that role's permissions to access a given function. Role-based authorization supports the principle of least privilege (granting only the authorization necessary for a task) by allowing a product, a capability within a product, or a subset of capabilities to be usable only when certain roles attempt to access that set of data/functionality.
Prior art systems which utilize the Principle of Least Privilege require the user to have separate accounts for each role he or she has been assigned. They also do not allow one authorized user to work on behalf of another user without logging on as that other person or under a different identity. Prior art requires the user to re-authenticate (that is, to log off and then log back on again using different credentials) in order to switch from being a regular user to being an administrator or vice versa.
Role-based authorization provides users access to product capabilities based on a combination of the user, their role, and the functionality sought by the user. A user, however, may not fit a one-size-fits-all role. Likewise, individually customizing a profile for each user of a system would result in significant overhead.
Thus, there is a need in the art to improve role-based authorizations through the provision of a set of role-based templates that may be customized to further meet specific needs. Additionally, there is a need to provide a user the ability to act on behalf of another user while validating both users' authorization for a request through the use of their assigned roles.
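The following is an added illustration, not code from the specification, of the three authorization phases described above (agent, business with content restrictions, and securable object) combined with customizable role-based templates and an act-on-behalf-of request in which both users' role-derived authorizations are validated. All application names, roles, markets, content sets, users and folders are constructed sample data; the assumed delegation rule is that the acting user must hold a hypothetical "act_as" right and must itself be permitted the operation, after which the request is evaluated against the entitlements of the user being acted for.

```python
from dataclasses import dataclass

# All policy data below is constructed for this example (hypothetical names).

# Agent authorization: (calling application, target service) pairs allowed to talk.
AGENT_ALLOW = {
    ("web-frontend", "retrieval-service"),
    ("web-frontend", "search-service"),
    ("alert-worker", "retrieval-service"),
}

# Role-based templates: role -> operations the role grants.
ROLE_TEMPLATES = {
    "reader": frozenset({"read", "search"}),
    "editor": frozenset({"read", "search", "write", "share"}),
    "admin": frozenset({"read", "search", "write", "share", "delete", "act_as"}),
}

# Content restrictions: content set -> markets that must not receive it.
CONTENT_RESTRICTIONS = {
    "premium-caselaw": frozenset({"academic"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    market: str
    subscription_active: bool
    # Per-user customization layered on top of the role templates.
    extra_permissions: frozenset = frozenset()


@dataclass(frozen=True)
class SecurableObject:
    object_id: str
    owner_id: str
    content_set: str
    # Explicit grants to non-owners: user_id -> frozenset of operations.
    acl: dict


def effective_permissions(user):
    """Union of the user's role templates plus any per-user customization."""
    perms = set(user.extra_permissions)
    for role in user.roles:
        perms |= ROLE_TEMPLATES.get(role, frozenset())
    return perms


def authorize_agent(caller_app, target_service):
    """Agent authorization: may this application call that service at all?"""
    return (caller_app, target_service) in AGENT_ALLOW


def authorize_business(user, content_set):
    """Business authorization: active subscription and no content restriction for the user's market."""
    if not user.subscription_active:
        return False
    return user.market not in CONTENT_RESTRICTIONS.get(content_set, frozenset())


def authorize_object(user, obj, op):
    """Securable-object authorization: the role grants op, and the user owns the object or holds an ACL grant."""
    if op not in effective_permissions(user):
        return False
    if obj.owner_id == user.user_id:
        return True
    return op in obj.acl.get(user.user_id, frozenset())


def authorize(caller_app, target_service, actor, obj, op, on_behalf_of=None):
    """Run the phases in order and return (allowed, phase_that_decided)."""
    if not authorize_agent(caller_app, target_service):
        return (False, "agent")
    subject = actor
    if on_behalf_of is not None:
        # Delegation (assumed rule): the actor needs "act_as" and must itself hold op;
        # the request is then evaluated against the subject's own entitlements.
        actor_perms = effective_permissions(actor)
        if "act_as" not in actor_perms or op not in actor_perms:
            return (False, "delegation")
        if not authorize_business(actor, obj.content_set):
            return (False, "business")
        subject = on_behalf_of
    if not authorize_business(subject, obj.content_set):
        return (False, "business")
    if not authorize_object(subject, obj, op):
        return (False, "object")
    return (True, "ok")


# Constructed sample users and securable objects.
ALICE = User("alice", frozenset({"editor"}), "legal", True)
BOB = User("bob", frozenset({"reader"}), "academic", True)
CAROL = User("carol", frozenset({"admin"}), "legal", True)
DAVE = User("dave", frozenset({"editor"}), "legal", False)

FOLDER_F1 = SecurableObject("f1", "alice", "premium-caselaw", {"bob": frozenset({"read"})})
FOLDER_F2 = SecurableObject("f2", "bob", "general", {})

if __name__ == "__main__":
    print(authorize("web-frontend", "retrieval-service", ALICE, FOLDER_F1, "write"))
    print(authorize("web-frontend", "retrieval-service", CAROL, FOLDER_F1, "write", on_behalf_of=ALICE))
    print(authorize("web-frontend", "retrieval-service", CAROL, FOLDER_F1, "read", on_behalf_of=BOB))
```

Note that the content restriction binds the user being acted for, not only the actor: an administrator acting on behalf of an academic-market user is still refused premium content, and a caller lacking the delegation right is refused before any object-level check is reached.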