Obligation system for enterprise environments

摘要

An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications. Such obligations can indicate requirements that those applications need to fulfill in conjunction with performing operations on resources.