Patent · US Active

Self-describing authorization policy for accessing cloud-based resources

US8196175B2 · kind B2 · utility

Cited by: 23
References: 13
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Mar 5, 2008
Grant date: Jun 5, 2012
Priority date
Expiry date: Mar 4, 2030

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/102
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A ticketing system adapted for use with a cloud-based services platform is provided by a ticket-based authorization model in which the authorization requirements for traversing one or more meshes of resources associated with a cloud service are annotated in links included in a resource that refer to other resources. The meshes are thus self-describing with respect to the association among the resources (i.e., the links) as well as the authorization required to access resources. Resource access requires a principal ticket which asserts that a caller at a client (e.g., a security principal representing a device or identity associated with a user) is authenticated, plus zero or more claim tickets. The claim tickets make additional assertions about the caller that the cloud service may use to check that the caller is authorized to access the resource.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.