The invention relates to the general field of telecommunications, and in particular to so-called “cloud” computing systems.
The invention relates particularly to a user of an entity, such as a business, accessing computer networks and resources made available to that entity by a cloud computing system.
According to the definition given by the National Institute of Standards and Technology (NIST), “cloud computing” is a model enabling users to have self-service access on demand via a network to computer and network resources such as storage space, computation power, applications, software, or indeed services, which are virtualized (i.e. made virtual) and pooled (i.e. shared).
In other words, the computer services and networks are no longer on a local server of an entity or on a user station, but in accordance with the concept of cloud computing they are “dematerialized” in a “cloud” made up of a plurality of mutually interconnectable remote servers that are accessible by users, e.g. via a network application. Users can thus have access to these resources in a manner that varies over time, but without any need to manage the underlying infrastructure for managing the resources, which infrastructure is often complex.
The concept of “cloud computing” is described in greater detail in the document published by the International Telecommunication Union (ITU) entitled “FG cloud TR, version 1.0—part 1: Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high-level requirements”, February 2012.
In known manner, cloud computing benefits from numerous advantages:
flexibility and diversity of resources that are pooled and practically unlimited;
scalability of the resources that are provided on demand;
simple and automatic administration of computer infrastructures and business networks, associated with reduced administration costs; and
etc.
The major challenge of cloud computing nevertheless remains guaranteeing secure and protected access to resources.
Converting from a traditional computer environment that is secure and closed to an infrastructure in a cloud that is open and pooled, over which the user or the business has no control, and which is accessible via a telecommunications network such as the public Internet, which is particularly vulnerable and is continuously being subjected to computer piracy and attacks, naturally gives rise to security concerns with potential users.
The ITU thus regards access control as the fundamental means for securing access to cloud computing systems.
Numerous mechanisms already exist in the state of the art for controlling (and making secure) access to a computer system (or in equivalent manner to an information system) for entities or organizations such as businesses.
These mechanisms are based essentially on two elements, namely:
defining a policy in terms of access rights and formulated using a subject-object-action approach, i.e. such-and-such a subject does or does not have permission to perform such-and-such an action on such-and-such an object; and
implementing this policy on receiving a request from a user seeking to access resources made available by the computer system, by verifying the user's rights to access the resources.
By way of example, such mechanisms are the role-based access control (RBAC) model and the organization-based access control (OrBAC) model as described respectively in the documents by R-S. Sandhu et al., “Role-based access control models”, IEEE Computer 29(2), pp. 38-47, 1996, and by A. Abou El Kalam et al., “Organization-based access control” 4th IEEE International Workshop on Policies for Distributed Systems and Networks, 2003.
Those models rely on the concept of an organization, and they serve to model a variety of security policies defined for and by that organization for accessing its resources.
Thus, more precisely, the OrBAC model introduces concepts of “roles”, “activities”, and “views” in order to define a security policy associated with an organization, in which:
a role is a set of subjects to which the same security rules are applied;
an activity is a set of actions to which the same security rules are applied; and
a view is a set of objects to which the same security rules are applied.
Access to the resources of the organization is then controlled by specifying whether a role does or does not have permission to perform an activity on a view.
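The subject-object-action policy and its OrBAC abstraction described above, as an added illustration that is not part of the patent text: a concrete request (subject, action, object) is lifted to the abstract (role, activity, view) triples it matches and checked against rules stated only at that level. The organization "acme", the users, roles, views and volume names are constructed sample data.

```python
# Added example, not from the patent text: a minimal OrBAC-style evaluator.
# Concrete subjects/actions/objects are abstracted into roles/activities/views,
# and rules are stated only at that abstract level, as the description explains.
# Organization, user and resource names below are constructed sample data.

class OrbacPolicy:
    def __init__(self, organization):
        self.organization = organization
        self.empowers = {}         # subject -> roles it is empowered in
        self.considers = {}        # action  -> activities it is considered as
        self.uses = {}             # object  -> views it is used in
        self.permissions = set()   # (role, activity, view)
        self.prohibitions = set()  # (role, activity, view)

    def empower(self, subject, role):
        self.empowers.setdefault(subject, set()).add(role)
    def consider(self, action, activity):
        self.considers.setdefault(action, set()).add(activity)
    def use(self, obj, view):
        self.uses.setdefault(obj, set()).add(view)
    def permit(self, role, activity, view):
        self.permissions.add((role, activity, view))
    def prohibit(self, role, activity, view):
        self.prohibitions.add((role, activity, view))

    def is_permitted(self, subject, action, obj):
        # Lift the concrete request to every abstract triple it matches; a
        # prohibition on any of them wins (conflict rule assumed for this example).
        triples = {(r, a, v)
                   for r in self.empowers.get(subject, ())
                   for a in self.considers.get(action, ())
                   for v in self.uses.get(obj, ())}
        if triples & self.prohibitions:
            return False
        return bool(triples & self.permissions)


def sample_policy():
    p = OrbacPolicy("acme")  # constructed organization
    p.empower("alice", "developer")
    p.empower("bob", "auditor")
    p.consider("read", "consult")
    p.consider("write", "modify")
    p.use("vol-1", "project_storage")  # resource known when the policy was written
    p.permit("developer", "consult", "project_storage")
    p.permit("developer", "modify", "project_storage")
    p.permit("auditor", "consult", "project_storage")
    p.prohibit("auditor", "modify", "project_storage")
    return p
```

A resource allocated to the entity after the policy was written (a new volume "vol-2", say) belongs to no view, so every request on it is refused until an administrator maps it with use(); this is the dynamic-allocation gap the description goes on to discuss.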
Although those models are particularly well adapted to representing the way access rights are distributed within an entity such as a business, and can thus be used effectively for managing access to relatively unchanging resources in conventional computer systems such as those presently in use in businesses, they are difficult to apply unchanged to cloud computing systems, and they are also found to be insufficient for taking account of the specific features of such systems.
Specifically, an essential characteristic of a cloud computing system is the way the resources that are allocated by the system to an entity can vary dynamically as a function of the needs of the entity.
Furthermore, such resources are allocated dynamically by the cloud computing system to the entity as such and not specifically to users: in other words, all of the users of the entity share all of the resources allocated to that entity.
It should also be observed that the way the entity itself is organized may also change while the entity is using the cloud computing system.
As a result, access to the resources of a cloud computing system cannot be limited to controlling access to those resources on the basis of rights as verified in the manner defined in the RBAC and OrBAC models as presently envisaged for managing conventional computer systems.
There therefore exists a need for a mechanism for managing access to resources made available by a cloud computing system that takes account of the above-mentioned features that are specific to systems of that type.