Methods and system of managing concurrent access to multiple resources

US 20030065676A1
Filed: 09/05/2001
Published: 04/03/2003
Est. Priority Date: 09/05/2001
Status: Active Grant

First Claim

Patent Images

1. A method for managing concurrent access by an application instance to two or more resource sets each of which comprises one or more resources, the method comprising:

assigning the application instance to a first resource set;

receiving a request from the application instance to access a resource in a second resource set; and

determining whether the application instance has permission to;

access the requested resource in the second resource set, access the second resource set, and concurrently access the first and second resource sets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to a method and system for managing concurrent access to multiple resources. Resources are assigned to sets in such a way that it is safe to concurrently access any combination of resources in a resource set. For each resource set, a virtual machine is defined and associated with the resource set. An application is assigned to a virtual machine. When an application requests access to a resource not in the application'"'"'s virtual machine, access control lists are consulted to determine whether the access should be allowed, given the other resources already accessed by the application.

207 Citations

51 Claims

1. A method for managing concurrent access by an application instance to two or more resource sets each of which comprises one or more resources, the method comprising:
- assigning the application instance to a first resource set;
  
  receiving a request from the application instance to access a resource in a second resource set; and
  
  determining whether the application instance has permission to;
  
  access the requested resource in the second resource set, access the second resource set, and concurrently access the first and second resource sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - if permission is denied, preventing access to the requested resource.
  - 3. The method of claim 1, wherein the assigning is associated with a criterion.
  - 4. The method of claim 1, further comprising, after determining:
    - if access is permitted but concurrent access is denied, generating a new instance of the application for accessing the requested resource.
  - 5. The method of claim 1 further comprising, after determining:
    - if access is permitted but concurrent access is denied, moving the application instance from associating with the first resource set to associating with the second resource set.
  - 6. The method of claim 1, further comprising:
    - assigning resources to resource sets based on the safety of concurrently accessing groups of resources.
  - 7. A computer-readable medium having instructions for performing the method of claim 1.

8. A method for managing creation of a resource in a resource set by an application instance, the method comprising:
- assigning the application instance to a first resource set;
  
  receiving a request from the application instance to create a new resource in a target resource set;
  
  determining whether the application instance has permission to create the new resource in the target resource set.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the assigning is associated with a criterion.
  - 10. The method of claim 8, further comprising, after determining:
    - if the request is granted, determining whether the target resource set exists; and
      
      if the target resource set exists, creating the new resource in the target resource set.
  - 11. The method of claim 10, further comprising:
    - if the target resource set does not exist, determining whether the application instance has permission to create a new resource set; and
      
      if the application instance has the permission, creating the target resource set that includes the resource, and informing the application instance of the creation of the target resource set.
  - 12. The method of claim 8, further comprising:
    - determining whether the application instance has permission to concurrently access the first and target resource sets; and
      
      if creation is permitted but concurrent access is denied, generating a new instance of the application for accessing the new resource.
  - 13. The method of claim 8, further comprising:
    - determining whether the application instance has permission to concurrently access the first and target resource sets; and
      
      if creation is permitted but concurrent access is denied, moving the application instance from associating with the first resource set to associating with the new resource.
  - 14. A computer-readable medium having instructions for performing the method of claim 8.

15. A system for creating a security environment usable by an application instance owned by a principal and operating in a computing device having multiple resources, the system comprising:
- a plurality of resource sets each of which comprises one or more resources grouped according to the safety of concurrent access to the resources;
  
  a plurality of virtual machines, each virtual machine being associated with a resource set and being adapted to allow the application instance to access the resource set associated with a virtual machine; and
  
  a set of rules associated with each resource set, the rules determining whether the principal has permission to access a target resource in the resource set.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15, wherein the rules state:
    - whether the principal may operate on each of the resources in the resource set; and
      
      whether the principal may operate on the resource set.
  - 17. The system of claim 16, wherein the operation comprises accessing a resource, creating a resource, or deleting a resource.
  - 18. The system of claim 15, wherein each virtual machine has an on-screen working area for running an instance of an application.
  - 19. The system of claim 15, further comprising a management facility that is adapted for operating the virtual machines.
  - 20. The system of claim 19, wherein the management facility is further adapted for generating a second instance of the application running on a second virtual machine if a first instance of the application requests access to a target resource associated with the second virtual machine and the principal owning the application instance has permission to access the target resource but not to concurrently access multiple resource sets according to the rules.
  - 21. The system of claim 19, wherein the management facility is further adapted for moving the application instance from associating with a first virtual machine to associating with a second virtual machine if the application instance requests access to a target resource associated with the second virtual machine and the principal owning the application instance has permission to access the target resource but not to concurrently access multiple resource sets according to the rules.
  - 22. The system of claim 19, wherein the management facility is further adapted for creating a new resource in a resource set associated with an existing virtual machine if an application instance requests creation of the new resource and the principal associated with the application instance has permission to create the new resource according to the rules.
  - 23. The system of claim 19, wherein the management facility is further adapted for creating a new virtual machine if an application requests creation of a new virtual machine and the application has permission to create the new virtual machine.

24. A computer management facility supporting a plurality of applications running on virtual machines connected to a multiplicity of resource sets, the management facility comprising:
- a persistent storage module for storing a record, the record comprising, for each principal, an indication of whether the principal has permission to access each of the resource sets, and an indication of whether the principal has permission to concurrently access a combination of two or more resource sets;
  
  a device driver connected to the applications and the persistent storage module, the device driver adapted for, upon receiving a request from an application instance to access a resource in a set connected to a virtual machine different from a virtual machine to which the application instance is assigned, checking the persistent storage module to see if the principal owning the application instance has permission to access the resource; and
  
  a virtual machine launching module connected to the device driver and the persistent storage module for launching a new virtual machine and updating the record of the persistent storage module.
- View Dependent Claims (25, 26, 27)
- - 25. The system of claim 24 wherein the device driver is adapted for, upon receiving a request from an application instance to access a resource set connected to a virtual machine different from a virtual machine to which the application instance is assigned, moving the application instance to the different virtual machine if the application instance does not have permission to concurrently access multiple resource sets.
  - 26. The system of claim 24 wherein the device driver is adapted for, upon receiving a request from a first application instance to access a resource set connected to a virtual machine different from a virtual machine to which the first application instance is assigned, creating a second application instance in the different virtual machine if the first application instance does not have permission to concurrently access multiple resource sets.
  - 27. The facility of claim 24, wherein the virtual machine launching module further comprises:
    - a desktop launching module for generating a new desktop in the new virtual machine, wherein the new desktop is adapted for supporting on-screen working areas from which the instance of the application is launched.

28. A method operable in a computer system having access to a plurality of networks, for managing an application instance'"'"'s concurrent access to the networks, the method comprising:
- associating a first instance of the application with a first network;
  
  upon receiving a request from the first instance of the application to access a second network, checking whether the application has permission to access the second network, the checking based, at least in part, on the safety of concurrent access to the first network and the second network; and
  
  informing the application of the result of the permission checking.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. The method of claim 28, further comprising:
    - associating a first routing table with the first network;
      
      defining a first set of interfaces, through which the first instance of the application exchanges a plurality of data packets with the first network;
      
      associating the first set of interfaces with the first network; and
      
      associating a first virtual network stack with the first network for managing the data packets transferred between the first network and the first set of interfaces.
  - 30. The method of claim 28, further comprising:
    - if access is granted but concurrent access is denied, generating a second instance of the application in association with the second network.
  - 31. The method of claim 30, further comprising:
    - associating a second routing table with the second network;
      
      defining a second set of interfaces, through which the second instance of the application exchanges a plurality of data packets with the second network;
      
      associating the second set of interfaces with the second network; and
      
      associating a second virtual network stack with the second network for managing the data packets transferred between the second network and the second set of interfaces.
  - 32. The method of claim 28, further comprising:
    - if access is granted but concurrent access is denied, moving the first instance of the application from associating with the first network to associating with the second network.
  - 33. The method of claim 28, further comprising:
    - upon receiving a request from the first instance of the application to create a connection to a third network, checking whether the application has permission to create the connection, the checking based, at least in part, on the safety of concurrent access to the first network and the third network; and
      
      informing the application of the result of the permission checking.
  - 34. The method of claim 33, further comprising:
    - if the permission is granted, creating the connection to the third network.
  - 35. The method of claim 34, further comprising:
    - if access is granted but concurrent access is denied, generating a third instance of the application in association with the third network.
  - 36. The method of claim 35, further comprising:
    - associating a third routing table with the third network;
      
      defining a third set of interfaces, through which the third instance of the application exchanges a plurality of data packets with the third network;
      
      associating the third set of interfaces with the third network; and
      
      associating a third virtual network stack with the third network for managing the data packets transferred between the third network and the third set of interfaces.
  - 37. The method of claim 34, further comprising:
    - if access is granted but concurrent is denied, moving the first instance of the application from associating with the first network to associating with the third network.
  - 38. A computer-readable medium having computer-readable instructions for performing the method of claim 28.

39. A method for a process to communicate with a management facility in order to request that action be taken with respect to a virtual machine, the method comprising:
- issuing, by the process, a call having at least one call parameter;
  
  receiving, by the management facility, the call and parsing the call to retrieve the at least one call parameter; and
  
  issuing, by the management facility, an acknowledgement having at least one acknowledgement parameter.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. The method of claim 39 wherein the requested action is a creation of the virtual machine, the at least one call parameter comprises a principal and information about the virtual machine to be created, and the at least one acknowledgement parameter comprises an identifier of the virtual machine and a status of the request.
  - 41. The method of claim 39 wherein the requested action is a destruction of the virtual machine, the at least one call parameter comprises a principal and an identifier of the virtual machine to be destroyed, and the acknowledgement parameter comprises a status of the request.
  - 42. The method of claim 39 wherein the requested action is a retrieval of information about the virtual machine, the at least one call parameter comprises a principal and an identifier of the virtual machine, and the at least one acknowledgement parameter comprises information about the virtual machine and a status of the request.
  - 43. The method of claim 39 wherein the requested action is a retrieval of information about a set of virtual machines, the call parameter comprises a principal, and the at least one acknowledgement parameter comprises information about the set of virtual machines and a status of the request.
  - 44. The method of claim 39 wherein the requested action is an update of information about the virtual machine, the at least one call parameter comprises a principal, an identifier of the virtual machine, and information about the virtual machine, and the acknowledgement parameter comprises a status of the request.
  - 45. The method of claim 39 wherein the requested action is a creation of a resource, the at least one call parameter comprises a principal, an identifier of an originating virtual machine, an identifier of a destination virtual machine, and information about the resource to be created, and the at least one acknowledgement parameter comprises an identifier of the resource and a status of the request.
  - 46. The method of claim 39 wherein the requested action is an access to a resource, the at least one call parameter comprises a principal, an identifier of an originating virtual machine, an identifier of a destination virtual machine, and an identifier of the resource, and the acknowledgement parameter comprises a status of the request.

47. A method for a process to communicate with a management facility in order to request that the process be registered to receive change notifications, the method comprising:
- issuing, by the process, a call having a plurality of call parameters comprising a module identification, a principal, a function to be called when a virtual machine is created, a function to be called when information about a virtual machine is updated, and a function to be called when a virtual machine is destroyed;
  
  receiving, by the management facility, the call and parsing the call to retrieve the call parameters; and
  
  issuing, by the management facility, an acknowledgement having an acknowledgement parameter comprising a status of the request.

48. A method for a management facility to notify a process of an action taken with respect to a virtual machine, the method comprising:
- issuing, by the management facility, a call having at least one call parameter; and
  
  receiving, by the process, the call and parsing the call to retrieve the at least one call parameter.
- View Dependent Claims (49, 50, 51)
- - 49. The method of claim 48 wherein the action is a creation of the virtual machine and the at least one call parameter comprises an identifier of the virtual machine and information about the virtual machine.
  - 50. The method of claim 48 wherein the action is an update in information about the virtual machine and the at least one call parameter comprises an identifier of the virtual machine and information about the virtual machine.
  - 51. The method of claim 48 wherein the action is a destruction of the virtual machine and the call parameter comprises an identifier of the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thaler, David G., Gbadegesin, Abolade

Granted Patent

US 7,257,815 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/104.1
CPC Class Codes

H04L 63/0254 Stateful filtering

H04L 63/101 Access control lists [ACL]

Methods and system of managing concurrent access to multiple resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

207 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and system of managing concurrent access to multiple resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

207 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links