System and methods for usage management in multi-level security networks
US-9270701-B1 · Feb 23, 2016 · US
US10375113B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10375113-B2 |
| Application number | US-201514752237-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 26, 2015 |
| Priority date | Jun 27, 2014 |
| Publication date | Aug 6, 2019 |
| Grant date | Aug 6, 2019 |
Official abstract text for this publication.
A method which makes it possible to manage access control between a first entity and a second entity belonging to two security domains in a cloud network is disclosed. In one aspect the method comprises, if the entities belong to security domains implementing different access control policies, determining whether there exists a first access control rule between the first entity and a virtual entity within the security domain of the first entity, and a second access control rule between the second entity and the virtual entity within the security domain of the second entity. If so, the method may comprise controlling access between the first and second entities as a function of the first and second rules.
Opening claim text (preview).
What is claimed is:

1. A method of defining, in a cloud network, an access control rule between a first entity and a second entity, the first and second entities belonging respectively to first and second security domains that implement different access control policies, the method comprising: creating a virtual entity visible to each of the first and second security domains, the virtual entity functioning as a resource within the first security domain of the first entity and functioning as a user within the second security domain of the second entity; creating a first access control rule between said first entity and said virtual entity within the first security domain of the first entity, the first access control rule defining access rights for the first entity to access the virtual entity; creating a second access control rule between said second entity and said virtual entity within the second security domain of the second entity, the second access control rule defining access rights for the virtual entity to access the second entity; and defining and storing a relationship between said first and second security domains via said virtual entity.
2. A method according to claim 1, wherein said access control policies are selected from the group consisting of RBAC, OrBAC, ABAC, and MLS.
3. An access control management method between a first entity and a second entity in a cloud network, the method comprising: determining whether the first and second entities belong to security domains that implement different access control policies; if the first and second entities belong to security domains implementing different access control policies, determining whether there exists a virtual entity establishing a relationship between said security domains by functioning as a resource within a first security domain of the first entity and functioning as a user within a second security domain of the second entity, a first access control rule between said first entity and said virtual entity within the first security domain of said first entity, the first access control rule defining access rights for the first entity to access the virtual entity, and a second access control rule between said second entity and said virtual entity within the second security domain of said second entity, the second access control rule defining access rights for the virtual entity to access the second entity; and if so: controlling access between said first and second entities as a function of said first and second access control rules.
4. An access control management method according to claim 3, wherein, if said first and second entities belong to security domains implementing the same access control policy, the method further comprises performing an access control step between said first and second entities as a function of said same access control policy.
5. A method according to claim 3, wherein said access control policies are selected from the group consisting of RBAC, OrBAC, ABAC, and MLS.
6. A processor configured to manage access control between a first entity and a second entity in a cloud network, wherein said processor is configured to: determine whether said first and second entities belong to security domains implementing different access control policies; if the first and second entities belong to security domains implementing different access control policies, determining whether there exists a virtual entity establishing a relationship between said security domains by functioning as a resource within a first security domain of the first entity and functioning as a user within a second security domain of the second entity, a first access control rule between said first entity and said virtual entity within the first security domain of said first entity, the first access control rule defining access rights for the first entity to access the virtual entity, and a second access control rule between said second entity and said virtual entity within the second security domain of said second entity, the second access control rule defining access rights for the virtual entity to access the second entity; and if so: control access between said first and second entities as a function of said first and second access control rules.
7. A computer having stored thereon a program including instructions for executing the access control management method according to claim 3.
8. A non-transitory computer readable data medium having stored thereon instructions for executing the access control method according to claim 3 when said instructions are executed by a computer.
9. A method according to claim 1, wherein the first entity is a user of the first security domain and the second entity is a resource of the second security domain.
10. A method according to claim 3, wherein the first entity is a user of the first security domain and the second entity is a resource of the second security domain.
11. A processor according to claim 6, wherein the first entity is a user of the first security domain and the second entity is a resource of the second security domain.
12. A method according to claim 1, wherein the first access control rule enables the first entity to access the virtual resource within the first security domain, and the second access control rule enables the virtual resource to access the second entity within the second security domain.
13. A method according to claim 3, wherein the first access control rule enables the first entity to access the virtual resource within the first security domain, and the second access control rule enables the virtual resource to access the second entity within the second security domain.
14. A processor according to claim 6, wherein the first access control rule enables the first entity to access the virtual resource within the first security domain, and the second access control rule enables the virtual resource to access the second entity within the second security domain.
15. A processor according to claim 6, wherein said access control policies are selected from the group consisting of RBAC, OrBAC, ABAC, and MLS.
16. A processor according to claim 6, wherein the processor is further configured, if said first and second entities belong to security domains implementing the same access control policy, to perform an access control step between said first and second entities as a function of said same access control policy.
17. A computer having stored thereon a program including instructions for executing the method according to claim 1.
18. A non-transitory computer readable data medium having stored thereon instructions for executing the method according to claim 1 when said instructions are executed by a computer.
19. A method according to claim 3, wherein the access control policies are incompatible.
20. A processor according to claim 6, wherein the access control policies are incompatible.
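The claims above describe a decision procedure rather than any particular code: when the user's domain and the resource's domain run different policy models, a virtual entity that is a resource in the first domain and a user (subject) in the second bridges them, and access is granted only if the first domain's rule lets the user reach the virtual entity and the second domain's rule lets the virtual entity reach the resource. The following example, added here and not taken from the patent or any assignee's implementation, models that procedure with one RBAC domain and one MLS domain. All domain names, users, roles, resources and clearance levels (`hr-cloud`, `vault`, `alice`, `gw-vault`, `payroll.xlsx` and so on) are constructed for the illustration; the policy evaluators are deliberately minimal (RBAC as role-to-permission sets, MLS as Bell-LaPadula read-down/write-up on a fixed lattice) and are assumptions, not the patent's own models.

```python
"""Cross-domain access decision through a virtual entity (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass, field


# --- Domain A: role-based policy (RBAC), a constructed minimal evaluator -----
@dataclass
class RbacDomain:
    name: str
    resources: set[str] = field(default_factory=set)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # role -> set of (action, resource) permissions
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def allows(self, user: str, action: str, resource: str) -> bool:
        """A user may act on a resource iff one of its roles holds that permission."""
        if resource not in self.resources:
            return False
        return any((action, resource) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


# --- Domain B: multi-level security (MLS), a constructed minimal evaluator ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class MlsDomain:
    name: str
    clearance: dict[str, str] = field(default_factory=dict)       # subject -> level
    classification: dict[str, str] = field(default_factory=dict)  # object -> level

    def allows(self, subject: str, action: str, obj: str) -> bool:
        """Bell-LaPadula simple security (no read up) and *-property (no write down)."""
        if subject not in self.clearance or obj not in self.classification:
            return False
        s = LEVELS[self.clearance[subject]]
        o = LEVELS[self.classification[obj]]
        return s >= o if action == "read" else s <= o


# --- The stored relationship between two domains via a virtual entity -------
@dataclass
class Bridge:
    virtual: str              # one name, a resource in user_domain, a subject in resource_domain
    user_domain: object       # domain whose policy evaluates the first rule
    resource_domain: object   # domain whose policy evaluates the second rule


def check_access(user: str, user_dom, action: str, resource: str, res_dom,
                 bridges: list[Bridge]) -> bool:
    """Return True iff `user` in `user_dom` may perform `action` on `resource` in `res_dom`.

    Same domain: evaluate that domain's own policy directly.
    Different domains: require a bridge and both rules along it (conjunction).
    No bridge: deny (the two policies cannot be compared directly).
    """
    if user_dom is res_dom:
        return user_dom.allows(user, action, resource)
    for bridge in bridges:
        if bridge.user_domain is user_dom and bridge.resource_domain is res_dom:
            first_rule = user_dom.allows(user, action, bridge.virtual)
            second_rule = res_dom.allows(bridge.virtual, action, resource)
            return first_rule and second_rule
    return False


def build_example():
    """Constructed scenario: an RBAC domain reaching into an MLS domain via 'gw-vault'."""
    hr = RbacDomain("hr-cloud", resources={"gw-vault"})
    hr.user_roles["alice"] = {"auditor"}
    hr.user_roles["bob"] = {"intern"}
    hr.role_perms["auditor"] = {("read", "gw-vault")}   # first rule: alice -> virtual entity

    vault = MlsDomain("vault")
    vault.clearance["gw-vault"] = "secret"              # virtual entity is a subject here
    vault.classification["payroll.xlsx"] = "confidential"
    vault.classification["merger-plan.pdf"] = "top_secret"

    bridges = [Bridge("gw-vault", hr, vault)]           # the stored cross-domain relationship
    return hr, vault, bridges


if __name__ == "__main__":
    hr, vault, bridges = build_example()
    for who, what, target in [("alice", "read", "payroll.xlsx"),
                              ("bob", "read", "payroll.xlsx"),
                              ("alice", "read", "merger-plan.pdf"),
                              ("alice", "write", "payroll.xlsx")]:
        print(who, what, target, "->", check_access(who, hr, what, target, vault, bridges))
```

The point worth noticing is that the decision is a conjunction: `alice` is denied `merger-plan.pdf` even though her RBAC rule to the virtual entity holds, because the virtual entity's clearance in the MLS domain is below the document's classification. The virtual entity's clearance therefore caps what any bridged user can reach, which is the property an administrator should review when granting it.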
CPC titles:

- Access control lists [ACL]
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Multiple levels of security