Abstract: In some example embodiments, a method includes storing a user attribute, a resource attribute of a resource of a web service, one or more scope conditions for applying one of attributes in generating a decision of whether to permit an action, and a script comprising an access control policy comprising one or more policy conditions to be satisfied in order to permit an action. A web service request may be received for accessing the resource. The scope condition(s) may be determined to be satisfied, and a decision to permit or deny the web service request may be generated based on the access control policy, with use of the stored attribute in generating the decision being based on the determination that the scope condition(s) are satisfied. Generating the decision may comprise interpreting the script. The decision may be transmitted to the web service.

Abstract: In some example embodiments, a method includes storing a user attribute, a resource attribute of a resource of a web service, one or more scope conditions for applying one of attributes in generating a decision of whether to permit an action, and a script comprising an access control policy comprising one or more policy conditions to be satisfied in order to permit an action. A web service request may be received for accessing the resource. The scope condition(s) may be determined to be satisfied, and a decision to permit or deny the web service request may be generated based on the access control policy, with use of the stored attribute in generating the decision being based on the determination that the scope condition(s) are satisfied. Generating the decision may comprise interpreting the script. The decision may be transmitted to the web service.

Abstract: In some example embodiments, a method includes storing a user attribute, a resource attribute of a resource of a web service, one or more scope conditions for applying one of attributes in generating a decision of whether to permit an action, and a script comprising an access control policy comprising one or more policy conditions to be satisfied in order to permit an action. A web service request may be received for accessing the resource. The scope condition(s) may be determined to be satisfied, and a decision to permit or deny the web service request may be generated based on the access control policy, with use of the stored attribute in generating the decision being based on the determination that the scope condition(s) are satisfied. Generating the decision may comprise interpreting the script. The decision may be transmitted to the web service.

Abstract: In some example embodiments, a method comprises receiving a web service request for accessing a resource of a web service, with the web service request corresponding to a user and comprising an access token, identifying a zone for the web service request, identifying a security token provider based on the access token, identifying one or more trusted token providers for the zone, comparing the security token provider to the trusted token provider(s) for the zone, generating a determination that the security token provider does not match any of the trusted token provider(s) for the zone, and denying the web service request based on the determination that the security token provider does not match any of the trusted token provider(s) for the zone.

Abstract: In some example embodiments, a method includes storing a user attribute, a resource attribute of a resource of a web service, one or more scope conditions for applying one of attributes in generating a decision of whether to permit an action, and a script comprising an access control policy comprising one or more policy conditions to be satisfied in order to permit an action. A web service request may be received for accessing the resource. The scope condition(s) may be determined to be satisfied, and a decision to permit or deny the web service request may be generated based on the access control policy, with use of the stored attribute in generating the decision being based on the determination that the scope condition(s) are satisfied. Generating the decision may comprise interpreting the script. The decision may be transmitted to the web service.

Abstract: A system and method for access control services are disclosed. In some example embodiments, the method includes storing a user attribute of a user, a resource attribute of a resource of a web service, and an access control policy for accessing the resource, with the access control policy comprising one or more policy conditions to be satisfied in order to permit an action. In some example embodiments, a web service request for accessing the resource of the web service is received, with the web service request corresponding to the user and comprising an access token for the user, action data, and resource data. In some example embodiments, a decision to either permit or deny the web service request is generated based on the access control policy, the user attribute, and the resource attribute, and the decision is transmitted to the web service.

Abstract: In some example embodiments, a method comprises receiving a web service request for accessing a resource of a web service, with the web service request corresponding to a user and comprising an access token, identifying a zone for the web service request, identifying a security token provider based on the access token, identifying one or more trusted token providers for the zone, comparing the security token provider to the trusted token provider(s) for the zone, generating a determination that the security token provider does not match any of the trusted token provider(s) for the zone, and denying the web service request based on the determination that the security token provider does not match any of the trusted token provider(s) for the zone.