Role-based authorization management framework

US 20040083367A1
Filed: 10/25/2002
Published: 04/29/2004
Est. Priority Date: 10/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initializing an authorization policy store to maintain an application object that represents an application;

associating with the application object an operation object that represents an operation that can be performed using the application;

associating with the application object an application group object that represents a user that can be granted access to the application; and

associating a role object with the operation object and the application group object to represent authorization for the user to perform the operation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.

Citations

47 Claims

1. A method comprising:
- initializing an authorization policy store to maintain an application object that represents an application;
  
  associating with the application object an operation object that represents an operation that can be performed using the application;
  
  associating with the application object an application group object that represents a user that can be granted access to the application; and
  
  associating a role object with the operation object and the application group object to represent authorization for the user to perform the operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1 wherein the application group object represents a user based on a user ID or group ID associated with the user.
  - 3. The method as recited in claim 1 wherein the application group object represents a user based on a user attribute condition that can be dynamically compared with an attribute associated with the user.
  - 4. The method as recited in claim 1 further comprising:
    - receiving notification of a client attempt to perform an application operation; and
      
      comparing an attribute of the client and an attribute of the application operation with the role object to determine whether or not the client is authorized to perform the application operation.
  - 5. The method as recited in claim 1 further comprising:
    - associating a task object with a plurality of operation objects to represent a group of operations that can be performed using the application; and
      
      associating the task object with the role object to indicate that the user is authorized to perform the group of operations.
  - 6. The method as recited in claim 5 further comprising:
    - identifying the task object as a role definition object;
      
      associating the role definition object with a second task object; and
      
      associating the second task object with a second role object to indicate that a user associated with the second role object is authorized to perform the group of operations.
  - 7. The method as recited in claim 1 further comprising:
    - associating a scope object with the application object to represent a relationship between one or more authorization objects selected from a group of authorization objects comprising an application group object, a role object, a task object, an operation object, and another scope object.
  - 8. The method as recited in claim 1 further comprising:
    - associating a property with an authorization object to allow an application to record application-specific data associated with the authorization object.
  - 9. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to perform the method as recited in claim 1.

10. A method comprising:
- initializing an authorization policy store to maintain an application object that represents an application;
  
  associating with the application object a task object that represents an operation that can be performed using the application when a dynamic condition is met;
  
  associating with the application object an application group object that represents a user that can be granted access to the application; and
  
  associating a role object with the task object and the application group object to represent authorization for the user to perform the operation provided that the dynamic condition is met.
- View Dependent Claims (11, 12, 13)
- - 11. The method as recited in claim 10 wherein the dynamic condition is based on at least one of a date, a time, and a value submitted by the user.
  - 12. The method as recited in claim 10, further comprising:
    - receiving notification of a client attempt to perform an application operation;
      
      determining that the client is represented by the application group object;
      
      determining that the application operation is represented by the task object; and
      
      determining a value associated with the dynamic condition to determine whether or not the client is authorized to perform the application operation.
  - 13. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to perform the method as recited in claim 10.

14. A method comprising:
- receiving a user request to perform a function associated with an application;
  
  determining whether the user is authorized to perform the function based on data stored in a role-based authorization policy store associated with the application; and
  
  in an event that it is determined that the user is authorized to perform the function, transmitting a user authorization notification to the application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method as recited in claim 14 wherein:
    - the function comprises one or more application operations; and
      
      the authorization policy store comprises a hierarchical data structure that stores related authorization objects that represent the application operations and one or more users who are authorized to access one or more of the application operations.
  - 16. The method as recited in claim 14 wherein the determining comprises:
    - determining an application scope that is associated with the user request;
      
      identifying a scope object in the authorization policy store that represents the application scope;
      
      identifying a role object that is a child object of the scope object;
      
      identifying an application group object that is associated with the role object;
      
      determining that the user is identified as a member of a group of users represented by the application group object; and
      
      determining that the function is represented by one or more operation objects that are associated with the role object.
  - 17. The method as recited in claim 14 wherein the user request includes an indication of a particular role associated with the user, the particular role selected from a plurality of roles that are associated with the user;
    - and wherein the determining comprises;
      
      determining whether users associated the particular role are authorized to perform the function, regardless of whether or not users associated with any others of the plurality of roles are authorized to perform the function.
  - 18. The method as recited in claim 16 wherein the scope object comprises an application object.
  - 19. The method as recited in claim 14 wherein the determining comprises:
    - identifying multiple operation objects that, taken together, represent the function;
      
      determining an application scope that is associated with the user request;
      
      identifying a scope object in the authorization policy store that represents the application scope;
      
      identifying a role object that is a child object of the scope object;
      
      identifying an application group object that is associated with the role object;
      
      determining that the user is represented by the application group object; and
      
      determining that at least one of the operation objects is associated with the role object.
  - 20. The method as recited in claim 19 wherein the user is represented by the application group object based on a statically defined members attribute associated with the application group object.
  - 21. The method as recited in claim 19 wherein:
    - a member attribute associated with the application group object indicates that the user is a member of the application group; and
      
      a non member attribute associated with the application group object does not indicate that the user is to be excluded from the application group.
  - 22. The method as recited in claim 19 wherein the user is represented by the application group object based on an LDAP query.
  - 23. The method as recited in claim 14 wherein the user authorization notification comprises a list of authorized application operations.
  - 24. The method as recited in claim 14 wherein the user authorization notification comprises one or more authorization pairs, each authorization pair comprising an indicator of an operation associated with the function and an indicator of whether or not the user is authorized to have access to the operation.

25. An authorization management system comprising:
- an authorization policy store that stores role-based user permissions associated with an application; and
  
  an authorization interface that provides a mechanism for the application to verify the role-based user permissions.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The authorization management system as recited in claim 25, further comprising:
    - an authorization manager that provides a mechanism for creating, modifying, or deleting the role-based user permissions.
  - 27. The system as recited in claim 25 wherein the authorization policy store comprises a hierarchical structure of authorization objects.
  - 28. The system as recited in claim 27 wherein the authorization objects are selected from a group of authorization objects comprising an authorization store object, an application object, an application group object, a scope object, a role object, a task object, and an operation object.
  - 29. The system as recited in claim 25 wherein the authorization interface comprises:
    - an authorization store class that represents an authorization store object; and
      
      at least one an application class that represents an application object.
  - 30. The system as recited in claim 29 wherein the authorization interface further comprises:
    - at least one class selected from a group of classes comprising an operation class that represents an operation object, a task class that represents a task object, a scope class that represents a scope object, an application group class that represents an application group object, a role class that represents a role object, and a client context class that represents a user of the application.

31. An authorization management system comprising:
- an authorization policy store that stores role-based user permissions associated with an application; and
  
  an authorization manager that provides a mechanism for creating, modifying, or deleting the role-based user permissions.
- View Dependent Claims (32)
- - 32. The-authorization management system as recited in claim 31, further comprising:
    - an authorization interface that provides a mechanism for the application to verify the role-based user permissions.

33. A system comprising:
- means for storing hierarchically related data objects that represent a role-based user authorization policy, the data objects being selected from a group of data objects that represent at least one of a user, an operation, and authorization for the user to perform the operation;
  
  means for receiving a client request to perform an application operation; and
  
  means for verifying that the client is authorized to perform the application operation based on the authorization policy.
- View Dependent Claims (34)
- - 34. The system as recited in claim 33, further comprising:
    - means for modifying the related data objects to represent changes in the authorization policy.

35. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to:
- represent an application with an application object;
  
  represent an operation available through the application with an operation object;
  
  represent one or more users of the application with an application group object; and
  
  represent authorization for the one or more users to perform the operation with a role object that is associated with the application object, the operation object, and the application group object.
- View Dependent Claims (36, 37)
- - 36. The one or more computer-readable media as recited in claim 35 further comprising computer executable instructions that, when executed, direct a computing system to:
    - represent a group of one or more operations that a user may be authorized to perform with a task object; and
      
      associate the task object with a role object to represent that a group of users are authorized to perform the group of operations.
  - 37. The one or more computer-readable media as recited in claim 36 further comprising computer executable instructions that, when executed, direct a computing system to:
    - associate a condition with the task object that, when evaluated, provides a dynamic indication as to whether or not the one or more users are authorized to perform the group of operations.

38. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to:
- receive a user request to perform an application operation; and
  
  verify that the user is authorized to perform the application operation based on a user role-based authorization policy.

39. An application server comprising:
- a processor;
  
  a memory; and
  
  an authorization interface that is stored in the memory and executed on the processor to receive a request from a user to perform an operation and examine a role-based authorization policy to determine whether or not the user is authorized to perform the operation.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The application server as recited in claim 39 wherein the authorization interface comprises a client context class that maintains a representation of the user.
  - 41. The application server as recited in claim 40 wherein the client context class comprises an AccessCheck method that examines the role-based authorization policy-to determine whether or not the user is authorized to perform the operation.
  - 42. An application server as recited in claim 39, further comprising an authorization policy store for storing the role-based authorization policy.
  - 43. The application server as recited in claim 42 wherein the authorization policy store comprises:
    - an operation object that represents an operation that can be performed through an application;
      
      an application group object that represents one or more users; and
      
      a role object that is associated with the operation object and the application group object to represent authorization for the one or more users to perform the operation.

44. An authorization interface comprising:
- an application class for accessing authorization objects associated with an application object, the application objects representing applications;
  
  an operation class for accessing operation objects, the operation objects representing operations associated with the applications;
  
  an application group class for accessing application group objects, the application group objects representing groups of users associated with the applications; and
  
  a role class for accessing role objects, the role objects representing associations between application group objects and operation objects that define user authorization to perform one or more operations.
- View Dependent Claims (45, 46, 47)
- - 45. The authorization interface as recited in claim 44, further comprising a client context class that represents a particular user.
  - 46. The authorization interface as recited in claim 45 wherein the client context class comprises a method for determining whether or not the particular user is authorized to perform a requested application operation.
  - 47. The authorization interface as recited in claim 45 wherein the client context class comprises a method for determining one or more role objects with which a user is associated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, McKay, Everett, Dyke, Cliff Van, McPherson, Dave

Granted Patent

US 7,546,633 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/102   Entity profiles

Role-based authorization management framework

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Role-based authorization management framework

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links