| CPC H04L 63/102 (2013.01) [H04L 63/08 (2013.01); H04L 63/10 (2013.01); H04L 63/20 (2013.01)] | 12 Claims |

1. A method, comprising:
managing user access to an application hosted by a computing system, by performing operations comprising:
receiving at the application, a token from an authentication component of an authorization/authentication service, which includes the authentication component and an authorization component,
wherein the token includes an application role and a privilege mask associated with the application role,
wherein the application role corresponds to a role of an entity with respect to the application, and the privilege mask defines one or more privileges, which can be granted to the entity with respect to the application upon authentication of the entity based on the role of the entity, and
wherein the token is generated by the authentication component based on the application role and the privilege mask, which has been generated by the authorization component in response to a set of characteristics sent by the authentication component to the authorization component;
receiving at the application, by way of the authorization/authentication service with which the application is in communication, an authentication request from the entity seeking access to the application;
identifying a change in the computing system;
based on the change, receiving an updated token at the application from the authorization/authentication service;
evaluating the authentication request based on the updated token;
approving the authentication request when information in the authentication request matches the updated token;
granting, to the entity, access to the application when the authentication request has been approved, wherein granting the entity access to the application comprises enabling the entity to access and run one or more functions of the application based on the privilege mask; and
denying access to the application when the information in the authentication request does not match the updated token and notifying the user the authentication request has been denied,
wherein the approving, granting, and denying processes are performed by the application to which the entity is seeking access, and
wherein, when the entity or a different entity seeks access to another application, user access to the another application is controlled by the another application.
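The following is an added example, not code from the patent or from any product it describes. It models the claimed flow in Python: an authorization component maps a set of characteristics to an application role and a privilege mask, an authentication component packages them into a token, and the application itself (not the service) evaluates an authentication request against its current token, gates its functions on mask bits, and re-evaluates after a change in the computing system causes an updated token to arrive. The bit encoding of the privilege mask, the role-to-mask table, the contents of the authentication request, and the HMAC integrity tag on the token (a check the claim leaves implicit, but without which the application would be trusting an unauthenticated role and mask) are all assumptions made for illustration.

```python
"""Added model of the claimed flow: a token carrying an application role and a
privilege mask, checked and enforced by the application. Not the patent's code."""
import hashlib
import hmac
import json
from enum import IntFlag


class Priv(IntFlag):
    """Privilege mask bits. Assumed encoding; the claim does not fix one."""
    READ = 1
    WRITE = 2
    EXPORT = 4
    ADMIN = 8


class AuthorizationComponent:
    """Maps a set of characteristics to (application role, privilege mask)."""

    def __init__(self):
        # Assumed role-to-mask table; a deployment would load this from policy.
        self.role_masks = {
            "viewer": Priv.READ,
            "editor": Priv.READ | Priv.WRITE,
            "admin": Priv.READ | Priv.WRITE | Priv.EXPORT | Priv.ADMIN,
        }

    def role_and_mask(self, characteristics):
        role = characteristics["role"]  # assumed characteristic sent by authn
        return role, int(self.role_masks[role])

    def apply_change(self, role, new_mask):
        """A change in the computing system: a role's privileges are revised."""
        self.role_masks[role] = Priv(new_mask)


class AuthenticationComponent:
    """Turns the authorization component's answer into an integrity-protected token."""

    def __init__(self, authz, key):
        self.authz, self.key = authz, key

    def issue_token(self, app, entity, characteristics):
        role, mask = self.authz.role_and_mask(characteristics)
        payload = {"app": app, "sub": entity, "role": role, "mask": mask}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class Application:
    """Holds the current token per entity and makes the access decision itself."""

    def __init__(self, name, key):
        self.name, self.key, self.tokens = name, key, {}

    def receive_token(self, token):
        # Verify the tag before trusting the role and mask inside the token.
        expected = hmac.new(self.key, token["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            raise ValueError("token integrity check failed")
        payload = json.loads(token["body"])
        if payload["app"] != self.name:
            raise ValueError("token issued for a different application")
        self.tokens[payload["sub"]] = payload  # an updated token replaces the old one

    def evaluate(self, request):
        """Approve only when the request's role and mask match the current token."""
        tok = self.tokens.get(request["sub"])
        if tok is None or request["role"] != tok["role"] or request["mask"] != tok["mask"]:
            return False, "denied: authentication request does not match current token"
        return True, "approved"

    def run(self, sub, needed):
        """Enable a function only if every needed bit is set in the entity's mask."""
        tok = self.tokens.get(sub)
        return tok is not None and (tok["mask"] & int(needed)) == int(needed)


def demo():
    """Constructed scenario: editor loses WRITE after a change; old request is denied."""
    key = b"shared-service-key"  # assumed: app and service share one HMAC key
    authz = AuthorizationComponent()
    authn = AuthenticationComponent(authz, key)
    app = Application("ledger", key)
    chars = {"role": "editor"}
    app.receive_token(authn.issue_token("ledger", "alice", chars))
    req = {"sub": "alice", "role": "editor", "mask": int(Priv.READ | Priv.WRITE)}
    before = (app.evaluate(req)[0], app.run("alice", Priv.WRITE))
    authz.apply_change("editor", Priv.READ)          # change in the computing system
    app.receive_token(authn.issue_token("ledger", "alice", chars))  # updated token
    after = (app.evaluate(req)[0], app.run("alice", Priv.WRITE))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The decision stays inside `Application`: a second application with its own `Application` instance and key controls its own access, as the claim's last limitation requires. The mask comparison in `run` uses bit intersection so that a function needing several privileges is refused when any one bit is missing.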