EP4515436A1 - Access control management - Google Patents
Access control management
- Publication number
- EP4515436A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- resource
- request
- attribute
- access control
- predicate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
Definitions
- the subject matter disclosed herein generally relates to the technical field of computer security and, in one specific example, to methods, systems, and machine-readable storage media for access-control management.
- FIG. 1 depicts a block diagram showing an example networked environment in which the disclosed technology may be practiced, according to various example embodiments.
- FIG. 2 depicts a block diagram illustrating an example attribute-based access control system for managing access to resources, according to various example embodiments.
- FIG. 3 depicts a flowchart illustrating an example method for managing access to resources using attribute-based access control by an example attribute-based access control system during operation, according to various example embodiments.
- FIG. 4 depicts a flowchart illustrating another example method for managing access to resources using attribute-based access control by an example attribute-based access control system during operation, according to various example embodiments.
- FIG. 5 depicts a block diagram illustrating an example set of attribute-based access control policies, according to various example embodiments.
- FIG. 6 depicts a block diagram illustrating data flow within an example networked environment in which the disclosed technology may be practiced, according to various example embodiments.
- FIG. 7 depicts a block diagram showing an example networked environment in which the disclosed technology may be practiced, according to various example embodiments.
- FIG. 8 depicts a block diagram illustrating an example role-based access control system for managing access to resources, according to various example embodiments.
- FIG. 9 depicts a flowchart illustrating an example method for managing access to resources by an example role-based access control system during operation, according to various example embodiments.
- FIG. 10 depicts a block diagram illustrating an example set of permissions included in a role, according to various example embodiments.
- FIG. 11 depicts a block diagram showing an exemplary tree structure illustrating an example URI classifier, according to various example embodiments.
- FIG. 12 depicts a block diagram illustrating an example assertion tree, according to various example embodiments.
- FIG. 13 depicts a block diagram showing an example networked environment in which the disclosed technology may be practiced, according to various example embodiments.
- FIG. 14 depicts a block diagram illustrating an example role-based access control system for managing access to resources using serialized tokens, according to various example embodiments.
- FIG. 15 depicts a flowchart illustrating an example method for managing access to resources using serialized tokens by an example role-based access control system during operation, according to various example embodiments.
- FIG. 16 depicts a flowchart illustrating another example method for managing access to resources using serialized tokens by an example role-based access control system during operation, according to various example embodiments.
- FIG. 17 depicts a block diagram illustrating an example set of permissions included in a customized role, according to various example embodiments.
- FIG. 18 depicts a block diagram showing an exemplary tree structure illustrating an example URI classifier, according to various example embodiments.
- FIG. 19 depicts a block diagram illustrating an example assertion tree, according to various example embodiments.
- FIG. 20 depicts a block diagram illustrating an example graph representing a serialized token, according to some embodiments.
- FIG. 21 depicts a block diagram illustrating an architecture of software, according to some embodiments.
- FIG. 22 illustrates a diagrammatic representation of a machine in the form of a computer system within which a set of instructions may be executed for causing a machine to perform any one or more of the methodologies discussed herein, according to some embodiments.
- Various embodiments include systems, methods, and non-transitory computer-readable media for generating and managing access to resources using attribute-based access control (“ABAC”).
- An ABAC system provides fine-grained and contextual access control that allows a large set of possible combinations of variables to express more precise attribute-based access control policies.
- the ABAC system receives a request for providing access to a resource in a communication platform (e.g., via a console interface or an API interface).
- the request can be sent from an identity, such as a person or an application user.
- the ABAC system identifies one or more attribute-based access control policies (also referred to as policies herein) associated with the resource.
- the ABAC system identifies one or more attribute-based access control policies that match the request.
- An identity may be associated with the one or more attribute-based permissions (also referred to as attribute-based access control policies).
- a role may be assigned to the identity and that the role corresponds to one or more attribute-based access control policies.
- an attribute-based access control policy can be represented by a text string that includes a namespace identifier, a product identifier, a resource identifier, an action identifier, and a predicate.
- the operands can be either constant values or be represented by terms of the form.
- a predicate format may include one or more of the following elements: one or more expressions or conditions, logical operators, pre-defined variables, binary operators, pre-defined functions, string constraints, and so on.
- the ABAC system can use a proxy (e.g., a cached proxy) to retrieve metadata (also referred to as resource metadata) from a cache.
- the metadata is associated with the resource that is being requested.
- metadata can correspond to values of attributes described herein.
- an API call can be made to a service (e.g., resource metadata service) to retrieve such metadata.
- the API call can include the resource type identifier (e.g., calls, voice.calls) and/or the resource identifier (e.g., CR123).
- the ABAC system can transmit an API call (e.g., a further API call) to retrieve the metadata from a system of record where the resource can be read.
- the ABAC system upon retrieving the resource metadata, can use a mapping function to convert the resource metadata into a generic resource-metadata object.
- the ABAC system can then use the generic resource-metadata object to perform various operations described herein, such as authorizing requests, including determining whether a condition provided in the predicate is satisfied.
- the ABAC system provides the access to the resource based on the determining of the access, in response to receiving the request.
- upon receiving the request, the ABAC system generates a graph that represents one or more attribute-based access control policies associated with the identity.
- the ABAC system may traverse the graph to identify an attribute-based access control policy that matches the request.
- the graph may be generated at run time and dynamically updated at run time. For example, once a graph (also referred to as an assertion tree) is generated at run time, the graph may be stored in volatile computer memory (e.g., cache memory) for a limited time period, as a user is likely to request access to resources again shortly after making the first request.
- a session may be initiated once a request is authenticated for a user. The graph may be temporarily stored in the cache memory for the duration of the session.
- in order to provide access to the requested resource based on the attribute-based access control policy identified from the graph, the ABAC system identifies metadata associated with the resource, identifies a predicate associated with the attribute-based access control policy, and determines whether the metadata (e.g., resource metadata) satisfies the condition provided in the predicate. If the predicate result is true, indicating the condition is satisfied, the ABAC system determines that the access control policy matches the request. Otherwise, the access control policy does not match.
- to determine whether the metadata of the resource satisfies the condition, the ABAC system identifies the language type of the resource (e.g., “calls”) based on the metadata (e.g., resource metadata), and determines if the language type is Spanish. The predicate function returns a true value if the language type is Spanish, indicating a match. Otherwise, the predicate function returns a false value. When there is a match, the ABAC system proceeds to provide access to the resource to the requesting identity.
- upon authorizing the request, the ABAC system generates a token to pass the attribute-based access control policies to one or more downstream services associated with the resource to provide the relevant access.
- a service may include one or more resources.
- downstream services may include a contact center, dialplan, phone number services, and so on.
- the one or more downstream services can optionally be configured to process the graph generated by the ABAC system.
- a technical improvement is that these downstream services or systems do not need to implement their own separate access control systems. In various embodiments, they can be configured to handle the graph (also referred to as assertion tree) that is passed through to them by the ABAC system.
- the ABAC system signs the token before passing the token to one or more downstream services.
- a token is signed using a digital signature algorithm (e.g., Edwards-curve Digital Signature Algorithm).
- a role may be created for an identity to include one or more attribute-based access control policies (also referred to as attribute-based permissions).
- a user may be a person, a group of people, or an application.
- An application may be developed by a third party (e.g., a customer) using client-side SDK kits provided by the communication platform.
- the ABAC system causes a display of a user interface, including an indication of authorization status indicating whether the request is authorized.
- the indication of authorization status may be a selectable user interface element (e.g., a window or an icon) notifying the user the request is either allowed or denied.
- the ABAC system may cause the requested resource to be accessible by the requesting identity (e.g., displaying the resource in the user interface) or cause the action specified in the access control policy to be automatically executed (e.g., deleting the resource specified in the request).
- a request may be an API request that can be authenticated using an API key.
- An API request occurs when an identity (e.g., a person or an application user) adds an endpoint to a URI and makes a call to a server.
- An API endpoint refers to a touchpoint of an interaction between an API and a system.
- An API endpoint provides the location where an API accesses a resource.
- a request is received for providing an access to a resource.
- An ABAC policy associated with the resource that matches the request is identified.
- a predicate included in the ABAC policy is evaluated based on metadata associated with the resource.
- Access to the resource is provided based on the evaluation of the predicate.
- FIG. 1 depicts a block diagram showing an example networked environment 100 in which the disclosed technology may be practiced, according to various example embodiments.
- the example networked environment 100 includes one or more computing devices (e.g., client devices 102), communication service provider 104, cloud-based communication platform 106, and one or more agents 122, communicatively coupled to a communication network 112 and configured to communicate with each other through the use of the communication network 112.
- the cloud-based communication platform 106 includes resources 116 and an attribute-based access control system 110 (also referred to as ABAC system 110).
- resources 116 include one or more services 118, each of which may use the ABAC system 110 to manage access control.
- the ABAC system is meant to be a universal system that can be used by multiple services of the communication platform 106 such that each of the services does not need to implement its own access control mechanism.
- a communication platform 106 may include a number of products (or services 118) in a namespace.
- a resource may be a product, service, or feature associated with the product or service.
- the ABAC system may reside in the communication platform, as illustrated in FIG. 1, or may be an external system that is communicatively coupled to the communication platform 106.
- a service includes one or more resources.
- a service itself may be a resource.
- a service may include one or more resources.
- the communication network 112 is any type of network, including a local area network (LAN), such as an intranet, a wide area network (WAN), such as the internet, a telephone, and a mobile device network, such as a cellular network, or any combination thereof. Further, the communication network 112 may be a public network, a private network, or a combination thereof. The communication network 112 is implemented using any number of communication links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the communication network 112 is configured to support the transmission of data formatted using any number of protocols.
- the networked environment 100 in FIG. 1 illustrates only one client device 102, one agent 122, and one communication service provider 104. This is only for ease of explanation and is not meant to be limiting.
- the networked environment 100 can include any number of client devices 102, agents 122, and communication service providers 104.
- each communication service provider 104 may concurrently interact with any number of client devices 102 and agents 122, and support connections from a variety of different types of client devices 102, such as desktop computers, mobile computers, mobile communications devices, e.g., mobile phones, smart phones, tablets, smart televisions, set-top boxes, and/or any other network-enabled computing devices.
- the client devices 102 may be of varying types, capabilities, operating systems, and so forth.
- a user interacts with the communication service provider 104 via a client-side application 114 installed on the client device 102.
- the client-side application 114 includes a component specific to the communication service provider 104.
- the component may be a stand-alone application, one or more application plug-ins, and/or a browser extension.
- the users may also interact with the communication service provider 104 via a third-party application, such as a web browser or messaging application, which resides on the client devices 102 and is configured to communicate with the communication service provider 104.
- the client-side application presents a user interface (UI) for the user to interact with the communication service provider 104.
- the user interacts with the communication service provider 104 via a client-side application integrated with the file system or via a webpage displayed using a web browser application.
- a user may also interact with communication platform 106 via the client-side application 114 installed on the client devices 102.
- the client-side application includes a component specific to the communication platform 106.
- the component may be a stand-alone application, one or more application plug-ins, and/or a browser extension.
- the user may also interact with the communication platform 106 via a console interface provided by the communication platform 106, such as a web browser or messaging application configured to communicate with the communication platform 106.
- the client-side application presents a user interface (UI) for the user to interact with the communication platform 106.
- the communication service provider 104 may be external to the cloud-based communication platform 106.
- the conversation manager 124 and conversation database 120 may reside within the cloud-based communication platform 106.
- when a user of a client device 102 requests a video or voice communication with a company, the communications service provider 104, via a communication router 108, routes the video or voice communication to an agent 122 from that company.
- a conversation manager 124 routes the call to the user of the client device 102.
- the conversation manager 124 records the conversations (e.g., voice data) in a conversations database 120 of the communications service provider 104.
- the communications service provider 104 includes a video processor (not shown) that processes video calls and a voice processor (not shown) that processes voice calls.
- the conversation manager 124 manages the conversations, such as establishing, monitoring, and terminating conversations and managing the storage of conversation data when requested by a user of a client device 102.
- the user (or customer) may use the conversation data to manage, monitor, and improve operations, such as to monitor for compliance by an agent or to determine when a follow-up call is requested to further a sales process.
- a user of client device 102 sends a request to the communication service provider 104 to provide access to resources, such as conversation data that includes recordings of voice or video calls.
- each recording is associated with a transcript of a conversation.
- the request receiving component 210 is configured to receive requests for providing access to resources in a communication platform.
- a request can be sent from an identity, such as a person or an application user.
- a request may be received via a gateway, such as a console interface or an API interface provided by the cloud-based communication platform 106.
- the access control policy identifying component 220 is configured to identify one or more attribute-based access control policies associated with the resource.
- the ABAC system identifies one or more attribute-based access control policies that match the request.
- the access control policy identifying component 220 can be configured to generate a graph representing one or more granted access control policies associated with the identity and/or resource of the request.
- the access control policy identifying component 220 can be configured to traverse the graph to identify the one or more attribute-based access control policies that match the request.
- the metadata retrieving component 230 can be configured to transmit an API call (e.g., a further API call) to retrieve the resource metadata from a system of record where the resource can be read.
- the access determining component 240 is configured to determine the access to the resource, including evaluating a predicate included in the attribute-based access control policy based on the resource metadata.
- An attribute-based access control policy can be represented by (or can include) a text string that includes a namespace identifier, a product identifier, a resource identifier, an action identifier, and a predicate.
- the access providing component 250 is configured to provide the access to the resource based on the determining of the access, in response to receiving the request. Specifically, upon authorizing the request, the access providing component 250 is configured to generate a token to pass one or more attribute-based access control policies to one or more downstream services associated with the resource to provide the relevant access. In various embodiments, the access providing component 250 is configured to sign the token before passing the token to the one or more downstream services. In various embodiments, a token can be signed using a digital signature algorithm (e.g., Edwards-curve Digital Signature Algorithm).
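Added example, not the patent's own code: a Go sketch of the token hand-off described above, in which the ABAC system signs the serialized policies with Ed25519 (an Edwards-curve signature scheme) and a downstream service verifies that signature before trusting anything in the payload. The Token fields, the expiry, and the base64url "payload.signature" wire form are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is the payload the ABAC system hands to downstream services once a
// request is authorized. Field names and the expiry are this example's
// assumptions; the patent says only that the token carries the policies.
type Token struct {
	Identity string   `json:"identity"`
	Policies []string `json:"policies"` // matched ABAC policy strings
	Expires  int64    `json:"exp"`      // unix seconds
}

// Issue serializes the token and signs it with the ABAC system's Ed25519 key.
// Wire form (assumed): base64url(payload) + "." + base64url(signature).
func Issue(priv ed25519.PrivateKey, tok Token) (string, error) {
	payload, err := json.Marshal(tok)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(payload) + "." + enc(sig), nil
}

// Verify is what a downstream service runs. It trusts only the ABAC system's
// public key: a modified payload, a foreign key or an expired token all fail,
// so the service needs no access control logic of its own.
func Verify(pub ed25519.PublicKey, serialized string, now time.Time) (Token, error) {
	var tok Token
	parts := strings.Split(serialized, ".")
	if len(parts) != 2 {
		return tok, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	payload, err := dec(parts[0])
	if err != nil {
		return tok, err
	}
	sig, err := dec(parts[1])
	if err != nil {
		return tok, err
	}
	// Verify before parsing: unauthenticated bytes never reach the JSON decoder.
	if !ed25519.Verify(pub, payload, sig) {
		return tok, errors.New("bad signature")
	}
	if err := json.Unmarshal(payload, &tok); err != nil {
		return tok, err
	}
	if now.Unix() >= tok.Expires {
		return tok, errors.New("token expired")
	}
	return tok, nil
}

// Tamper is a negative-test helper: it changes the identity in an otherwise
// valid token while keeping the original signature, which Verify must reject.
func Tamper(serialized, newIdentity string) string {
	parts := strings.SplitN(serialized, ".", 2)
	payload, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var tok Token
	_ = json.Unmarshal(payload, &tok)
	tok.Identity = newIdentity
	forged, _ := json.Marshal(tok)
	return base64.RawURLEncoding.EncodeToString(forged) + "." + parts[1]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serialized, _ := Issue(priv, Token{
		Identity: "user-42", // constructed sample values
		Policies: []string{"XYZ:studio:*:read[not(equals($Resource.owner, 'AC0001'))]"},
		Expires:  time.Now().Add(5 * time.Minute).Unix(),
	})
	_, err := Verify(pub, serialized, time.Now())
	fmt.Println("genuine token:", err)
	_, err = Verify(pub, Tamper(serialized, "admin"), time.Now())
	fmt.Println("tampered token:", err)
}
```

The signing key stays with the ABAC system; downstream services hold only the public key, which is what lets them skip implementing their own authorization.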
- FIG. 3 depicts a flowchart illustrating an example method 300 for managing access to resources using attribute-based access control by an example attribute-based access control system during operation, according to various example embodiments.
- example methods described herein may be performed by a machine in accordance with some embodiments.
- method 300 can be performed by the ABAC system 110 described with respect to FIG. 1, and the ABAC system 204 described with respect to FIG. 2, or individual components thereof.
- An operation of various methods described herein may be performed by one or more hardware processors (e.g., central processing units or graphics processing units) of a computing device (e.g., a desktop, server, laptop, mobile phone, tablet, etc.), which may be part of a computing system based on a cloud architecture.
- Example methods described herein may also be implemented in the form of executable instructions stored on a machine-readable medium or in the form of electronic circuitry.
- the operations of method 300 may be represented by executable instructions that, when executed by a processor of a computing device, cause the computing device to perform method 300.
- an operation of an example method described herein may be repeated in different ways or involve intervening operations not shown. Though the operations of example methods may be depicted and described in a certain order, the order in which the operations are performed may vary among embodiments, including performing certain operations in parallel.
- the request may be responsive to a detection of an attempt by a user (e.g., via client-side application 114 and/or client device 102) or a request received from the user at one or more downstream systems or services to access the one or more resources.
- the processor determines the access to the resource, including evaluating a predicate included in the attribute-based access control policy based on the resource metadata.
- An attribute-based access control policy can be represented by (or can include) a text string that includes a namespace identifier, a product identifier, a resource identifier, an action identifier, and a predicate.
- the processor can use a mapping function to convert the retrieved resource metadata into one or more generic resource-metadata objects.
- the processor can use the one or more generic resource-metadata objects to determine whether one or more conditions provided in the predicate are satisfied.
- a predicate function returns a true value if a condition is satisfied, indicating a match. Otherwise, the predicate function returns a false value.
- the processor provides access to the resource based on determining the access, in response to receiving the request. Specifically, upon authorizing the request, the processor generates a token to pass one or more attribute-based access control policies to one or more downstream services associated with the resource to provide the relevant access. In various embodiments, the processor signs (or causes to sign) the token before passing the token to the one or more downstream services. In various embodiments, a token can be signed using a digital signature algorithm (e.g., Edwards-curve Digital Signature Algorithm).
- Though not illustrated, method 300 can include an operation where a graphical user interface for managing access to computing resources can be displayed (or caused to be displayed) by the hardware processor.
- the operations of method 400 may be represented by executable instructions that, when executed by a processor of a computing device, cause the computing device to perform method 400.
- one or more operations of method 400 may be a sub-routine of one or more of the operations of method 300. In various embodiments, one or more operations in method 400 may be performed subsequent to the operations of method 300.
- the processor transmits or can use a proxy (e.g., a cached proxy) to transmit one or more API calls to retrieve the metadata associated with the resource (also referred to as resource metadata) from a cache.
- the processor determines that the resource metadata cannot be retrieved from the cache due to various reasons.
- An example reason can be that metadata is not stored in the cache, and/or that the cache is unresponsive or unavailable due to various issues (e.g., system latency, connection failure).
- the processor transmits one or more further API calls to retrieve the resource metadata from one or more systems of record where the resource can be read.
- the processor uses a mapping function to convert the resource metadata into one or more generic resource-metadata objects.
- Metadata can be data that describes one or more attributes of a resource.
- An example resource metadata (or attribute) of a resource may be the type, ownership, discoverability, documentation, evaluation, selection, location, or size of the resource.
- method 400 can include an operation where a graphical user interface for managing access to computing resources can be displayed (or caused to be displayed) by the hardware processor.
- the operation can cause a client device (e.g., the client device 102 communicatively coupled to the ABAC system 110) to display the graphical user interface for managing access to computing resources.
- This operation for displaying the graphical user interface can be separate from operations 402 through 410 or, alternatively, form part of one or more of operations 402 through 410.
- FIG. 5 depicts a block diagram 500 illustrating an example set of attribute-based access control policies, according to various example embodiments.
- role 520 includes a set of attribute-based access control policies, including policies 502, 504, and 506.
- Policy 506, similar to policies 502 and 504, is represented by a text string that includes a namespace identifier “XYZ,” a product identifier “iam,” a resource identifier “api-keys,” and an action identifier indicating all allowed actions (e.g., read, create, update, delete, list, or do) on the resource.
- a namespace may refer to a service provider of the cloud-based communication platform 106, or the communication service provider 104, as illustrated in FIG. 1.
- predicate 508 of policy 502 is [not(equals($Resource.owner, ‘AC0001’))], indicating permissions can be granted for all “studio” resources except for ones owned by resource owner “AC0001.”
- FIG. 5 is merely a non-limiting example of attribute-based access control policies (also referred to as attribute-based permissions). It is appreciated that many other attribute-based permissions can be implemented based on the same or similar format to facilitate the functionality described herein.
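As an added illustration (not code from the patent), the Go program below evaluates predicates of the form shown for predicate 508 against a generic resource-metadata object and matches a five-part policy against a request, failing closed on any malformed predicate or missing attribute. The Policy struct, the "*" wildcard, the Metadata map, and the equals/not function set are assumptions of this example; the patent names the parts of a policy but gives no syntax beyond the FIG. 5 text.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Policy: the five parts the patent names; "*" wildcards are this example's assumption.
type Policy struct{ Namespace, Product, Resource, Action, Predicate string }

// Metadata is the generic resource-metadata object: "Resource.owner" -> "AC0001".
type Metadata map[string]string
// Predicate tokens: 'constant', $Resource.attr variable, function name, ( ) ,
var tokRe = regexp.MustCompile(`'[^']*'|\$[\w.-]+|\w+|[(),]`)

// expr is a recursive-descent evaluator for the FIG. 5 predicate syntax, nested
// calls of equals(a, b) and not(x); it returns a string operand or a bool result.
func expr(toks *[]string, md Metadata) (any, error) {
	next := func() (t string) {
		if len(*toks) > 0 {
			t, *toks = (*toks)[0], (*toks)[1:]
		}
		return t
	}
	t := next()
	switch {
	case t == "":
		return nil, errors.New("unexpected end of predicate")
	case t[0] == '\'':
		return t[1 : len(t)-1], nil
	case t[0] == '$': // an unknown attribute is an error, not a match on ""
		if v, ok := md[t[1:]]; ok {
			return v, nil
		}
		return nil, fmt.Errorf("unknown attribute %s", t)
	}
	if next() != "(" {
		return nil, fmt.Errorf("expected '(' after %q", t)
	}
	var args []any
	sep := ","
	for ; sep == ","; sep = next() {
		v, err := expr(toks, md)
		if err != nil {
			return nil, err
		}
		args = append(args, v)
	}
	if sep != ")" {
		return nil, fmt.Errorf("expected ',' or ')' in %s(...)", t)
	}
	switch {
	case t == "equals" && len(args) == 2:
		return args[0] == args[1], nil
	case t == "not" && len(args) == 1:
		if b, ok := args[0].(bool); ok {
			return !b, nil
		}
	}
	return nil, fmt.Errorf("bad call %s with %d args", t, len(args))
}

// Evaluate runs a predicate against resource metadata; anything but one clean
// boolean result is an error so the caller can deny (fail closed).
func Evaluate(predicate string, md Metadata) (bool, error) {
	toks := tokRe.FindAllString(predicate, -1)
	if strings.ReplaceAll(tokRe.ReplaceAllString(predicate, ""), " ", "") != "" {
		return false, errors.New("predicate contains unrecognised characters")
	}
	v, err := expr(&toks, md)
	if b, ok := v.(bool); err == nil && ok && len(toks) == 0 {
		return b, nil
	}
	if err == nil {
		err = errors.New("predicate must be one boolean expression")
	}
	return false, err
}

// Matches: empty predicate is an unconditional grant; any evaluation error denies.
func (p Policy) Matches(ns, product, resource, action string, md Metadata) bool {
	if p.Namespace != ns || p.Product != product ||
		(p.Resource != "*" && p.Resource != resource) ||
		(p.Action != "*" && p.Action != action) {
		return false
	}
	if p.Predicate == "" {
		return true
	}
	ok, err := Evaluate(p.Predicate, md)
	return err == nil && ok
}

func main() {
	p := Policy{"XYZ", "studio", "*", "read", "not(equals($Resource.owner, 'AC0001'))"}
	for _, owner := range []string{"AC0001", "AC0002"} { // constructed sample owners
		fmt.Println(owner, p.Matches("XYZ", "studio", "flow-1", "read", Metadata{"Resource.owner": owner}))
	}
}
```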
- FIG. 6 depicts a block diagram 600 illustrating data flow within an example networked environment in which the disclosed technology may be practiced, according to various example embodiments.
- the cloud-based communication platform 602 can correspond to the cloud-based communication platform 106 described in FIG. 1.
- the cloud-based communication platform 602 includes an API 604, an authentication service 606, one or more downstream services 608, an access control service 610, and a resource metadata service 612.
- a service can correspond to one or more components described herein.
- the ABAC system 110 described with respect to FIG. 1, the ABAC system 204 described with respect to FIG. 2, and/or individual components thereof can include one or more services described in FIG. 6.
- customer 614 transmits one or more requests (e.g., resource-accessing requests) via the API 604 to the authentication service 606.
- the authentication service 606 can authenticate the one or more requests and communicate with the access control service 610 for access control authorization.
- the access control service 610 communicates with the resource metadata service 612 to retrieve metadata (e.g., resource metadata), based on which access control authorizations can be performed using the access control policies described herein. Access can be provided based on the results of the authentication of the requests and the authorization of the access.
- Access tokens, such as serialized tokens, can be generated in the process of providing the requested access.
- Various embodiments include systems, methods, and non-transitory computer-readable media for generating and managing access to resources using role-based access control.
- a role-based access control (RBAC) system uses a Uniform Resource Identifier (URI) analyzing component to analyze the request and classifies the URI into a permission.
- a permission is an authorization granted to an identity (e.g., a user, an application, or a credential, such as an API Key) to perform an action on a resource specified in the permission.
- a permission may be represented by a text string that includes four parts: namespace, product name, resource name, and the type of action.
- Each of these parts is an identifier separated by a “/,” such as /namespace/product name/resource name/action.
- a permission to make a phone call can be represented by a text string “/entity/product/call/create.”
- a text string may correspond to an assertion that maps to one or more URIs.
- a resource is associated with a public URI and method (e.g., GET, PUT, POST, DELETE).
- the communication platform may register multiple URIs for a single permission and may register multiple permissions for a single role.
- the user may perform the action on the particular resource associated with the product and namespace (e.g., an entity) specified in the permission.
- Actions configured to be performed on resources may include, for example, read, create, update, delete, list, and do.
- a role may be created for or assigned to an identity to include one or more permissions.
- a user may be a person, or a group of people.
- a permission can be assigned to an application (e.g., an application associated with an application user), or to a credential (e.g., an API Key).
- An application may be developed by a third party (e.g., a customer) using client-side SDK kits provided by the communication platform.
- the RBAC system may deny the request, discard the request, or redirect the request to a system communicatively coupled to the communication platform for handling.
- the RBAC system generates a graph, such as a tree structure, of all the permissions the user has been granted, and traverses the graph to match the classified permission with a permission included in the graph, such as the graph (also referred to as assertion tree) illustrated in FIG. 6. If the RBAC system determines there is a match, the request will be granted. Otherwise, the request will be denied.
- the assertion tree may be generated at run time and dynamically updated at run time. For example, once an assertion tree is generated at run time, it may be stored in volatile computer memory (e.g., cache memory) for a limited time period, as a user is likely to request access to resources again shortly after making the first request.
- a session may be initiated once a request is authorized for an identity (e.g., a user, an application, or a credential). The graph may be temporarily stored in cache memory for the duration of the session.
- the RBAC system causes a display of a user interface, including an indication of authorization status indicating whether the request is granted.
- the indication of authorization status may be a selectable user interface element (e.g., a window or an icon) notifying the user the request is allowed or denied.
- the RBAC system may cause the requested resource to be accessible to the requesting user (e.g., displaying the resource in the user interface) or cause the action specified in the permission to be automatically executed (e.g., deleting the resource specified in the request).
- the RBAC system may receive a request to assign a role (e.g., a customized role) to an identity.
- the role is associated with a list of permissions.
- the RBAC system may match the list of permissions specified in the request to existing permissions available on the communication platform and generate the role for the identity by associating the list of permissions with the identity.
- the RBAC system provides existing permissions available on the communication platform to a customer so that the customer can create a role that can be assigned to an identity. This assignment may associate the list of permissions included in a role with the identity for access within a scope of resources.
- a communication platform may include a number of products in the namespace.
- a resource may be a product, or a feature associated with a product, such as a phone number, a call record, a studio flow, or a message.
- the RBAC system may reside in the communication platform, as illustrated in FIG. 1, or may be an external system that is communicatively coupled to the communication platform.
- a request may be an API request that can be authorized using an API key.
- An API request occurs when an identity (e.g., a user or an application) makes a call to a server using an API endpoint.
- An API endpoint refers to a touchpoint of an interaction between an API and a system.
- An API endpoint provides the location where an API accesses a resource.
- a permission can register multiple URIs to accommodate multiple interfaces and system versions that can be used to access the resource, e.g., public API endpoints, console, SDK, etc.
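The RBAC steps described above (classifying the request URI into a permission, generating the assertion tree at run time, caching it for a limited time, validating a customized role against existing permissions) as an added example; this is not code from the patent or from the platform it describes. Only the permission string /entity/product/call/create comes from the text; the URI templates, the `{sid}` placeholder syntax, the other permission strings and the TTL-based cache are assumptions made for this example.

```python
"""Added example (not the patent's own code): classify a request URI into a permission,
build the identity's assertion tree at run time, keep it in memory for a limited time,
and traverse it to grant or deny the request."""
import re
import time
from typing import Dict, List, Optional, Set, Tuple

Tree = Dict[str, Dict[str, Dict[str, Set[str]]]]   # namespace -> product -> resource -> actions
# Constructed registry: several URIs (interfaces, API versions) can map to one permission.
URI_REGISTRY: List[Tuple[str, str, str]] = [
    ("POST",   "/v1/Calls",                             "/entity/product/call/create"),
    ("POST",   "/2010-04-01/Accounts/{sid}/Calls.json", "/entity/product/call/create"),
    ("GET",    "/v1/Calls",                             "/entity/product/call/list"),
    ("GET",    "/v1/Calls/{sid}",                       "/entity/product/call/read"),
    ("DELETE", "/v1/Calls/{sid}",                       "/entity/product/call/delete"),
    ("GET",    "/v1/Messages/{sid}",                    "/entity/product/message/read"),
]

def _pattern(template: str):
    """'{sid}' placeholders match exactly one path segment; other segments are literal."""
    parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.split("/")]
    return re.compile("/".join(parts))

_COMPILED = [(method, _pattern(tpl), perm) for method, tpl, perm in URI_REGISTRY]

def classify(method: str, uri: str) -> Optional[str]:
    """Map (method, URI) to a permission string, or None if the URI is not registered."""
    path = uri.split("?", 1)[0]          # the query string never selects a permission
    for m, pat, perm in _COMPILED:
        if m == method.upper() and pat.fullmatch(path):
            return perm
    return None

def create_role(requested: List[str]) -> List[str]:
    """A customized role may only contain permissions that exist on the platform."""
    unknown = sorted(set(requested) - {perm for _, _, perm in URI_REGISTRY})
    if unknown:
        raise ValueError(f"unknown permissions: {unknown}")
    return list(dict.fromkeys(requested))  # de-duplicated, order preserved

def build_assertion_tree(permissions: List[str]) -> Tree:
    """Generate the tree from the role's permissions (done at run time, per the text)."""
    tree: Tree = {}
    for perm in permissions:
        _, ns, product, resource, action = perm.split("/")
        tree.setdefault(ns, {}).setdefault(product, {}).setdefault(resource, set()).add(action)
    return tree

def tree_allows(tree: Tree, permission: str) -> bool:
    """Walk the tree along the permission's four parts; any missing node denies."""
    _, ns, product, resource, action = permission.split("/")
    return action in tree.get(ns, {}).get(product, {}).get(resource, set())

class RbacSession:
    """Keeps the assertion tree in memory for a session and regenerates it after ttl_seconds."""
    def __init__(self, role: List[str], ttl_seconds: float = 300.0, clock=time.monotonic):
        self._role, self._ttl, self._clock = role, ttl_seconds, clock
        self._tree: Optional[Tree] = None
        self._built_at = 0.0
        self.builds = 0                  # how often the tree was (re)generated

    def _current_tree(self) -> Tree:
        now = self._clock()
        if self._tree is None or now - self._built_at > self._ttl:
            self._tree, self._built_at = build_assertion_tree(self._role), now
            self.builds += 1
        return self._tree

    def authorize(self, method: str, uri: str) -> str:
        """'granted' or 'denied'; an unregistered URI is denied rather than guessed."""
        perm = classify(method, uri)
        return "granted" if perm and tree_allows(self._current_tree(), perm) else "denied"
```

The injectable clock lets the cache expiry be exercised deterministically; in production the default monotonic clock applies.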
- FIG. 7 depicts a block diagram showing an example networked environment 700 in which the disclosed technology may be practiced, according to various example embodiments.
- the example networked environment 700 includes multiple computing devices (e.g., client device 702), customer computing system 704, and cloud-based communication platform 706 communicatively coupled to a communication network 712 and configured to communicate with each other through the use of the communication network 712.
- the cloud-based communication platform 706 includes resources 716 and a role-based access control system 710 (also referred to as RBAC system 710).
- services 718 host or include one or more resources 716.
- a service may use the RBAC system 710 to manage access control.
- the RBAC system is meant to be a universal system that can be used by multiple services of the communication platform 706 such that each of the services does not need to implement its own access controls.
- the communication network 712 is any type of network, including a local area network (LAN), such as an intranet, a wide area network (WAN), such as the internet, a telephone and mobile device network, such as cellular network, or any combination thereof. Further, the communication network 712 may be a public network, a private network, or a combination thereof. The communication network 712 is implemented using any number of communication links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the communication network 712 is configured to support the transmission of data formatted using any number of protocols.
- a computing device is any type of general computing device capable of network communication with other computing devices.
- a computing device can be a personal computing device such as a desktop or workstation, a business server, or a portable computing device, such as a laptop, smart phone, or a tablet personal computer.
- a computing device can include some or all of the features, components, and peripherals of the machine 2200 shown in FIG. 22.
- a computing device includes a communication interface configured to receive a communication, such as a request, data, and the like, from another computing device in network communication with the computing device and pass the communication along to an appropriate module running on the computing device.
- the communication interface also sends a communication to another computing device in network communication with the computing device.
- the customer computing system 704 is one or more computing devices associated with a customer of the cloud-based communication platform 706 (also referred to as communication platform 706).
- a customer may be a business, a company, and/or any other type of entity that uses the services provided by communication platform 706.
- the customer may provide any type of service, such as a banking service, travel service, retail service, and the like.
- the service may be an online and/or offline service. That is, the service may be available only online, such as an online retailer, offline, such as a physical retailer, or both online and offline, such as a retailer that provides a website or application as well as a physical retail store.
- the customer computing system 704 may facilitate any service of a customer that is provided online.
- users of client devices 702 may interact with the customer computing system 704 via communication network 712 to utilize the online service provided by the customer.
- the customer computing system 704 does not have to provide an online service that is accessible to users. That is, the customer computing system 704 may simply be a computing system used by a customer to perform any type of functionality.
- a user of a client device 702 may be a person or a group of people. A user may send requests to access certain resources on the communication platform 706.
- a customer of the customer computing system 704 may be a business, company, and/or any other type of entity that develops applications using client-side SDK kits provided by the communication platform 706.
- the application may also be referred to as an application user.
- the application may send requests to access certain resources on the communication platform 706.
- although the networked environment 700 in FIG. 7 illustrates only one client device 702 and one customer computing system 704, this is only for ease of explanation and is not meant to be limiting.
- the networked environment 700 can include any number of client devices 702, and/or customer computing systems 704.
- each customer computing system 704 may concurrently interact with any number of client devices 702, and support connections from a variety of different types of client devices 702, such as desktop computers, mobile computers, mobile communications devices, e.g., mobile phones, smart phones, tablets; smart televisions, set-top boxes, and/or any other network-enabled computing devices.
- the client devices 702 may be of varying types, capabilities, operating systems, and so forth.
- a user interacts with a customer computing system 704 via a client-side application 714 installed on the client devices 702.
- the client-side application 714 includes a component specific to the customer computing system 704.
- the component may be a stand-alone application, one or more application plug-ins, and/or a browser extension.
- the users may also interact with the customer computing system 704 via a third-party application, such as a web browser or messaging application, that resides on the client devices 702 and is configured to communicate with the customer computing system 704.
- the client-side application presents a user interface (UI) for the user to interact with the customer computing system 704.
- the user interacts with the customer computing system 704 via a client-side application integrated with the file system or via a web page displayed using a web browser application.
- a user may also interact with communication platform 706 via the client-side application 714 installed on the client devices 702.
- the client-side application includes a component specific to the communication platform 706.
- the component may be a stand-alone application, one or more application plug-ins, and/or a browser extension.
- the user may also interact with the communication platform 706 via a console interface provided by the communication platform 706, such as a web browser or messaging application configured to communicate with the communication platform 706.
- the client-side application presents a user interface (UI) for the user to interact with the communication platform 706.
- the operating system 2114 may manage hardware resources and provide common services.
- the operating system 2114 may include, for example, a kernel 2123, services 2130, and drivers 2132.
- the kernel 2123 may act as an abstraction layer between the hardware and the other software layers.
- the kernel 2123 may be responsible for memory management, processor management (e.g., scheduling), component management, networking, security settings, and so on.
- the services 2130 may provide other common services for the other software layers.
- the drivers 2132 may be responsible for controlling or interfacing with the underlying hardware.
- the drivers 2132 may include display drivers, camera drivers, Bluetooth® drivers, flash memory drivers, serial communication drivers (e.g., Universal Serial Bus (USB) drivers), Wi-Fi® drivers, audio drivers, power management drivers, and so forth depending on the hardware configuration.
- As used herein, the terms “machine-storage medium,” “device-storage medium,” and “computer-storage medium” mean the same thing and may be used interchangeably.
- the terms refer to a single or multiple storage devices and/or media (e.g., a centralized or distributed database, and/or associated caches and servers) that store executable instructions 2216 and/or data.
- the terms shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media, including memory internal or external to processors.
- the coupling 2232 may implement any of a variety of types of data transfer technology, such as Single Carrier Radio Transmission Technology (1xRTT), Evolution-Data Optimized (EVDO) technology, General Packet Radio Service (GPRS) technology, Enhanced Data rates for GSM Evolution (EDGE) technology, Third Generation Partnership Project (3GPP) including 3G, fourth generation wireless (4G) networks, Universal Mobile Telecommunications System (UMTS), High-Speed Packet Access (HSPA), Worldwide Interoperability for Microwave Access (WiMAX), Long-Term Evolution (LTE) standard, others defined by various standard-setting organizations, other long-range protocols, or other data transfer technology.
- the term “or” may be construed in either an inclusive or exclusive sense.
- the terms “a” or “an” should be read as meaning “at least one,” “one or more,” or the like.
- the presence of broadening words and phrases such as “one or more,” “at least,” “but not limited to,” or other like phrases in some instances shall not be read to mean that the narrower case is intended or required in instances where such broadening phrases may be absent.
- boundaries between various resources, operations, modules, engines, and data stores are somewhat arbitrary, and particular operations are illustrated in a context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within a scope of various embodiments of the present disclosure.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202263363698P | 2022-04-27 | 2022-04-27 | |
| US17/661,009 US12166765B2 (en) | 2022-04-27 | 2022-04-27 | Managing access to resources using serialized tokens |
| US17/661,003 US12289247B2 (en) | 2022-04-27 | 2022-04-27 | Role-based access control system for managing access to resources |
| US18/139,089 US20230353599A1 (en) | 2022-04-27 | 2023-04-25 | Access control management |
| PCT/US2023/066237 WO2023212593A1 (en) | 2022-04-27 | 2023-04-26 | Access control management |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| EP4515436A1 true EP4515436A1 (de) | 2025-03-05 |
| EP4515436A4 EP4515436A4 (de) | 2025-11-26 |
Family
ID=88519822
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| EP23797510.7A Pending EP4515436A4 (de) | 2022-04-27 | 2023-04-26 | Zugangssteuerungsverwaltung |
Country Status (2)
| Country | Link |
|---|---|
| EP (1) | EP4515436A4 (de) |
| WO (1) | WO2023212593A1 (de) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US12289247B2 (en) | 2022-04-27 | 2025-04-29 | Twilio Inc. | Role-based access control system for managing access to resources |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2521066A1 (de) * | 2011-05-05 | 2012-11-07 | Axiomatics AB | Enforcing a fine-grained relational database access control policy using reverse queries |
| US10182147B2 (en) * | 2011-09-21 | 2019-01-15 | Twilio Inc. | System and method for determining and communicating presence information |
| US10341281B2 (en) * | 2013-01-22 | 2019-07-02 | Amazon Technologies, Inc. | Access control policies associated with freeform metadata |
| US10735394B2 (en) * | 2016-08-05 | 2020-08-04 | Oracle International Corporation | Caching framework for a multi-tenant identity and data security management cloud service |
| US11184402B2 (en) * | 2020-03-25 | 2021-11-23 | International Business Machines Corporation | Resource access policy enforcement using a hypergraph |
2023
- 2023-04-26 WO PCT/US2023/066237 patent/WO2023212593A1/en not_active Ceased
- 2023-04-26 EP EP23797510.7A patent/EP4515436A4/de active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| WO2023212593A1 (en) | 2023-11-02 |
| EP4515436A4 (de) | 2025-11-26 |
Similar Documents
| Publication | Title |
|---|---|
| US12265822B2 (en) | Customizable cloud-based software platform |
| US11301551B2 (en) | Computing asset access control |
| US12489750B2 (en) | User permission in a multi-tenant environment |
| US20230353599A1 (en) | Access control management |
| US12267358B2 (en) | Verifying incoming communications |
| US20230421563A1 (en) | Managing access control using policy evaluation mode |
| CN111345006B (zh) | Dual binding |
| US20250227074A1 (en) | Role-based access control system for managing access to resources |
| US20250080540A1 (en) | Managing access to resources using serialized tokens |
| WO2023212593A1 (en) | Access control management |
| US11615201B2 (en) | Secure management of user addresses in network service using firewall and tables |
| US10798129B2 (en) | Constraint-based multiuse certificates |
| KR102413355B1 (ko) | Method for providing a security service to a device and server performing the same |
| US12242595B2 (en) | Data management using secure browsers |
| KR20260049101A (ko) | Direct access to data lake files |
Legal Events
| Code | Title | Description |
|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
| 17P | Request for examination filed | Effective date: 20241031 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |
| A4 | Supplementary search report drawn up and despatched | Effective date: 20251027 |
| RIC1 | Information provided on ipc code assigned before grant | Ipc: G06F 21/62 20130101AFI20251021BHEP; Ipc: G06F 16/14 20190101ALI20251021BHEP; Ipc: H04L 9/32 20060101ALI20251021BHEP; Ipc: H04L 67/568 20220101ALI20251021BHEP; Ipc: G06F 21/60 20130101ALI20251021BHEP; Ipc: H04L 9/40 20220101ALI20251021BHEP |