Securely authorizing the performance of actions

US 20040243824A1
Filed: 05/28/2003
Published: 12/02/2004
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method for an electronic device for authorizing the performance of actions, the method comprising:

receiving a request to perform an action;

ascertaining one or more authentication ticket requirements that are related to authorizing performance of the action; and

pursuing at least one authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securely authorizing the performance of actions may be enabled by linking each secure/privileged action to a requisite policy for authorizing that secure/privileged action. In a described media implementation, one or more electronically-accessible media include electronically-executable instructions that, when executed, direct an electronic device to execute operations including: receiving an action performance request that is directed to a requested action; locating an authorization policy that is associated with the requested action from among multiple authorization policies, the authorization policy indicating how performance of the requested action can be authorized; and extracting at least one rule and one or more authentication ticket requirements from the authorization policy. Example operations may further include: determining whether one or more authentication tickets have been validated in accordance with the at least one rule and/or the one or more authentication ticket requirements; and if so, authorizing performance of the requested action.

81 Citations

View as Search Results

76 Claims

1. A method for an electronic device for authorizing the performance of actions, the method comprising:
- receiving a request to perform an action;
  
  ascertaining one or more authentication ticket requirements that are related to authorizing performance of the action; and
  
  pursuing at least one authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method for an electronic device as recited in claim 1, wherein the ascertaining comprises:
    - accessing an authorization policy that is associated with the action.
  - 3. The method for an electronic device as recited in claim 2, wherein the ascertaining further comprises:
    - extracting the one or more authentication ticket requirements from a rule that is included as at least part of the authorization policy.
  - 4. The method for an electronic device as recited in claim 1, wherein the pursuing comprises:
    - contacting at least one entity that is capable of creating the at least one authentication ticket by meeting the at least a portion of the one or more authentication ticket requirements.
  - 5. The method for an electronic device as recited in claim 1, wherein the pursuing comprises:
    - determining whether an entity identified by the one or more authentication ticket requirements approves of the performance of the action.
  - 6. The method for an electronic device as recited in claim 5, wherein the determining comprises:
    - verifying at least one of a password and a smartcard provided by the entity in response to a request for the at least one authentication ticket.
  - 7. The method for an electronic device as recited in claim 1, further comprising:
    - determining whether the at least one authentication ticket corresponding to the at least a portion of the one or more authentication ticket requirements has been acquired; and
      
      if so, permitting and/or causing the action to be performed.
  - 8. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic device to execute the method as recited in claim 1.

9. An arrangement for authorizing the performance of actions, the arrangement comprising:
- receiving means for receiving a request to perform an action;
  
  ascertaining means for ascertaining one or more authentication ticket requirements that are related to authorizing performance of the action; and
  
  pursuing means for pursuing acquisition of at least one authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The arrangement as recited in claim 9, further comprising:
    - verifying means for verifying that the at least one authentication ticket is validated; and
      
      enabling means for permitting or causing the action to be performed if the verifying means verifies that the at least one authentication ticket is validated.
  - 11. The arrangement as recited in claim 9, wherein the arrangement comprises at least one computer.
  - 12. The arrangement as recited in claim 9, wherein the arrangement comprises one or more electronically-accessible media.
  - 13. The arrangement as recited in claim 9, further comprising:
    - data structure means for storing a database that includes a plurality of authorization policies, each authorization policy of the plurality of authorization policies associated with an action that may be requested and including at least one authentication ticket requirement that is related to authorizing performance of the action that may be requested.
  - 14. The arrangement as recited in claim 13, wherein the ascertaining means uses the data structure means to ascertain the one or more authentication ticket requirements that are related to authorizing performance of the action.

15. One or more electronically-accessible media comprising a database, the database comprising:
- a plurality of entries that are each directed to an authorization policy, each authorization policy associated with at least one action of a plurality of actions;
  
  each entry of the plurality of entries including at least one rule that stipulates how the authorization policy to which the entry is directed may be satisfied, the at least one rule including one or more authentication ticket requirements; and
  
  wherein the database may be searched at least by the actions of the plurality of actions.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The one or more electronically-accessible media comprising the database as recited in claim 15, wherein at least one entry of the plurality of entries includes a first rule and a second rule;
    - the first rule including at least one requirement for at least one validated authentication ticket, and the second rule including at least one requirement for at least two validated authentication tickets.
  - 17. The one or more electronically-accessible media comprising the database as recited in claim 16, wherein the at least one entry is directed to a particular authorization policy;
    - and wherein the particular authorization policy may be satisfied by complying with the first rule and/or by complying with the second rule.
  - 18. The one or more electronically-accessible media comprising the database as recited in claim 16, wherein the at least one entry is directed to a particular authorization policy;
    - and wherein the particular authorization policy may be satisfied by acquisition of the at least one validated authentication ticket of the first rule and/or by acquisition of the at least two validated authentication tickets of the second rule.
  - 19. The one or more electronically-accessible media comprising the database as recited in claim 15, wherein at least one entry of the plurality of entries includes a first rule and a second rule;
    - the first rule stipulating a first route that may be followed to conform thereto and thereby satisfy an authorization policy to which the at least one entry is directed, and the second rule stipulating a second route that may be followed to conform thereto and thereby satisfy the authorization policy to which the at least one entry is directed.

20. One or more electronically-accessible media comprising a database, the database comprising:
- a first entry that is directed to a first authorization policy that is associated with a first privileged action, the first entry including;
  
  at least one first rule that stipulates how the first authorization policy can be satisfied to ensure that the first privileged action is performed responsive to a secure authentication; and
  
  a second entry that is directed to a second authorization policy that is associated with a second privileged action, the second entry including;
  
  at least one second rule that stipulates how the second authorization policy can be satisfied to ensure that the second privileged action is performed responsive to a secure authentication;
  
  wherein the database is adapted to be searched with reference to a privileged action to locate an associated authorization policy.
- View Dependent Claims (21, 22)
- - 21. The one or more electronically-accessible media comprising the database as recited in claim 20, wherein the second entry further includes:
    - at least one third rule that stipulates how the second authorization policy can be satisfied to ensure that the second privileged action is performed responsive to a secure authentication.
  - 22. The one or more electronically-accessible media comprising the database as recited in claim 20, wherein the at least one first rule includes one or more first authentication ticket requirements and the at least one second rule includes one or more second authentication ticket requirements.

23. A system for authorizing the performance of actions, the system comprising:
- one or more agents that are capable of receiving a plurality of action performance requests;
  
  the one or more agents to consult a plurality of authorization policies, each authorization policy of the plurality of authorization policies associated with at least one action and indicating how performance of the at least one action can be authorized;
  
  the one or more agents to pursue authorization for the plurality of action performance requests.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The system as recited in claim 23, wherein the one or more agents are to pursue authorization for the plurality of action performance requests by ascertaining a particular authorization policy of the plurality of authorization policies responsive to a particular action of a particular action performance request of the plurality of action performance requests, the particular action associated with the particular authorization policy.
  - 25. The system as recited in claim 23, wherein each action is likewise associated with one or more authorization policies of the plurality of authorization policies.
  - 26. The system as recited in claim 23, wherein the system comprises at least one electronic device.
  - 27. The system as recited in claim 23, wherein the system comprises at least part of a network.
  - 28. The system as recited in claim 23, wherein the one or more agents comprise a first agent and a plurality of second agents;
    - and wherein the first agent is capable of receiving the plurality of action performance requests, and each respective second agent of the plurality of second agents is assigned to handle a respective action performance request of the plurality of action performance requests.
  - 29. The system as recited in claim 28, wherein each of the respective second agents of the plurality of second agents is to pursue authorization for the respective action performance request of the plurality of action performance requests.
  - 30. The system as recited in claim 28, wherein the first agent comprises a security agent engine, and the plurality of second agents comprise a plurality of action security agents.
  - 31. The system as recited in claim 23, wherein the one or more agents are to pursue the authorization of a particular action performance request by showing a user interface to a user that input the particular action performance request, by throwing a user interface to an entity that can approve performance of an action of the particular action performance request, by sending an electronic message to an entity that can approve performance of the action of the particular action performance request, and by verifying a privilege status on at least one of a client machine of the user that input the particular action performance request and a network of the user that input the particular action performance request.
  - 32. The system as recited in claim 23, wherein each authorization policy of the plurality of authorization policies indicates one or more authentication ticket requirements that are related to the associated at least one action.
  - 33. The system as recited in claim 32, wherein the associated at least one action for each authorization policy of the plurality of authorization policies is authorized when at least one validated authentication ticket corresponding to at least a subset of the one or more authentication ticket requirements is acquired.
  - 34. The system as recited in claim 23, wherein the one or more agents are to enable the associated at least one action to be performed when performance of the associated at least one action has been authorized.

35. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic device to execute operations comprising:
- receiving a request for an action;
  
  accessing an authorization policy that is associated with the requested action;
  
  ascertaining one or more rules from the accessed authorization policy;
  
  extracting at least one authentication ticket requirement from the one or more rules; and
  
  determining if at least one validated authentication ticket that corresponds to the at least one authentication ticket requirement is acquired.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 36. The one or more electronically-accessible media as recited in claim 35, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - if the at least one validated authentication ticket is determined to be acquired, enabling the requested action to be performed.
  - 37. The one or more electronically-accessible media as recited in claim 35, wherein at least a portion of the electronically-executable instructions comprise at least part of an operating system.
  - 38. The one or more electronically-accessible media as recited in claim 35, wherein the operation of receiving further comprises:
    - receiving the request from a user.
  - 39. The one or more electronically-accessible media as recited in claim 35, wherein the operation of receiving further comprises:
    - receiving the request from an application.
  - 40. The one or more electronically-accessible media as recited in claim 35, wherein the operation of receiving further comprises:
    - receiving the request over a network connection.
  - 41. The one or more electronically-accessible media as recited in claim 35, wherein the operation of receiving further comprises:
    - receiving the request from a user interface window.
  - 42. The one or more electronically-accessible media as recited in claim 35, wherein the operation of accessing further comprises:
    - accessing a data structure that includes a plurality of authorization policies, the plurality of authorization policies including the authorization policy that is associated with the requested action.
  - 43. The one or more electronically-accessible media as recited in claim 35, wherein the operation of accessing further comprises:
    - accessing a data structure that includes a plurality of authorization policies on a machine that received the request in the operation of receiving.
  - 44. The one or more electronically-accessible media as recited in claim 35, wherein the operation of accessing further comprises:
    - accessing a data structure that includes a plurality of authorization policies over a network connection.
  - 45. The one or more electronically-accessible media as recited in claim 35, wherein the operation of ascertaining further comprises:
    - ascertaining a plurality of rules from the accessed authorization policy;
      
      wherein, in accordance with the electronically-executable instructions, compliance with any one or more of the plurality of rules is treated as a satisfaction of the accessed authorization policy.
  - 46. The one or more electronically-accessible media as recited in claim 35, wherein the operation of extracting further comprises:
    - extracting a plurality of authentication ticket requirements from the one or more rules;
      
      wherein, in accordance with a stipulation of a rule of the one or more rules, the rule is complied with if all indicated authentication tickets corresponding to the plurality of authentication ticket requirements are acquired.
  - 47. The one or more electronically-accessible media as recited in claim 35, wherein the operation of extracting further comprises:
    - extracting a plurality of authentication ticket requirements from the one or more rules;
      
      wherein, in accordance with a stipulation of a rule of the one or more rules, the rule is complied with if authentication tickets corresponding to a subset of the plurality of authentication ticket requirements are acquired.
  - 48. The one or more electronically-accessible media as recited in claim 35, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - sending at least one authentication ticket request to at least one entity.
  - 49. The one or more electronically-accessible media as recited in claim 35, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - receiving the at least one validated authentication ticket from at least one entity.
  - 50. The one or more electronically-accessible media as recited in claim 35, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - sending at least one authentication ticket request to at least one entity over a network connection.
  - 51. The one or more electronically-accessible media as recited in claim 35, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - receiving the at least one validated authentication ticket from at least one entity over a network connection.
  - 52. The one or more electronically-accessible media as recited in claim 35, wherein the operation of determining further comprises:
    - verifying that a code entered by an entity matches a stored security code.
  - 53. The one or more electronically-accessible media as recited in claim 35, wherein the operation of determining further comprises:
    - verifying that a smart card input by an entity is legitimate.

54. An arrangement comprising:
- agent means for authorizing performance of a requested action;
  
  the agent means comprising;
  
  access means for accessing an authorization policy, which is associated with the requested action, based on the requested action; and
  
  determination means for determining whether the authorization policy is satisfied.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61)
- - 55. The arrangement as recited in claim 54, wherein the agent means further comprises:
    - enabling means for enabling the requested action to be performed if the determination means determines that the authorization policy is satisfied.
  - 56. The arrangement as recited in claim 54, wherein the arrangement comprises at least one electronic device.
  - 57. The arrangement as recited in claim 54, wherein the arrangement comprises one or more electronically-accessible media that include electronically-executable instructions.
  - 58. The arrangement as recited in claim 54, wherein the agent means further comprises:
    - receiving means for receiving an action performance request that identifies the requested action.
  - 59. The arrangement as recited in claim 54, wherein the access means further comprises:
    - ascertaining means for ascertaining one or more authentication ticket requirements that are related to authorizing performance of the requested action.
  - 60. The arrangement as recited in claim 59, wherein the agent means further comprises:
    - pursuing means for pursuing acquisition of at least one authentication ticket that meets at least a portion of the one or more authentication ticket requirements.
  - 61. The arrangement as recited in claim 54, wherein the access means further comprises:
    - ascertaining means for ascertaining one or more rules from the authorization policy that is associated with the requested action;
      
      wherein the determination means determines that the authorization policy is satisfied if at least one rule of the one or more rules is complied with.

62. An electronic device to authorize the performance of actions, the electronic device comprising:
- one or more processors; and
  
  one or more media including electronically-executable instructions, which may be executed by the one or more processors, to cause the electronic device to execute operations comprising;
  
  receiving a request for an action;
  
  locating the requested action at a particular authorization policy of a plurality of authorization policies;
  
  ascertaining at least one rule from the particular authorization policy; and
  
  extracting one or more authentication ticket requirements from the at least one rule.
- View Dependent Claims (63, 64, 65)
- - 63. The electronic device as recited in claim 62, wherein the electronic device comprises a client computer or a server computer.
  - 64. The electronic device as recited in claim 62, wherein the electronically-executable instructions are to cause the electronic device to execute further operations comprising:
    - determining whether at least one validated authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements has been acquired as stipulated by the at least one rule; and
      
      if so, enabling the requested action to be performed.
  - 65. The electronic device as recited in claim 64, wherein the operation of enabling comprises at least one of the operations of:
    - permitting the requested action to be performed; and
      
      causing the requested action to be performed.

66. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic device to execute operations comprising:
- receiving a plurality of performance requests, each respective performance request of the plurality of performance requests identifying a respective requested action; and
  
  creating a respective action agent for each respective performance request of the plurality of performance requests, each respective action agent adapted to determine whether the respective requested action of each respective performance request is authorized to be performed responsive to an authorization policy that is associated with the respective requested action.

67. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic device to execute operations comprising:
- receiving an action performance request that is directed to a requested action;
  
  locating an authorization policy that is associated with the requested action from among a plurality of authorization policies, the authorization policy indicating how performance of the requested action can be authorized; and
  
  extracting at least one rule and one or more authentication ticket requirements from the authorization policy that is associated with the requested action.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 68. The one or more electronically-accessible media as recited in claim 67, wherein the electronically-executable instructions comprise a security agent engine that enables, at least in part, execution of the operations of receiving, locating, and extracting.
  - 69. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute further operations comprising:
    - ensuring that sufficient resources exist to perform the requested action; and
      
      if so, instantiating an action security agent to handle the action performance request in accordance with the authorization policy.
  - 70. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - instantiating an agent to handle the action performance request in accordance with the authorization policy.
  - 71. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute a further operation comprising:
    - setting a timer in dependence on the at least one rule from the authorization policy that is associated with the requested action.
  - 72. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute further operations comprising:
    - setting a timer in dependence on the at least one rule from the authorization policy that is associated with the requested action;
      
      determining whether the timer expires prior to acquisition of at least one authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements in accordance with the at least one rule; and
      
      if so, refusing the action performance request.
  - 73. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute further operations comprising:
    - analyzing the at least one rule from the authorization policy that is associated with the requested action; and
      
      submitting one or more authentication ticket requests based on at least a portion of the one or more authentication ticket requirements.
  - 74. The one or more electronically-accessible media as recited in claim 67, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute further operations comprising:
    - receiving one or more authentication tickets;
      
      determining whether the one or more authentication tickets have been validated in accordance with the at least one rule and/or the one or more authentication ticket requirements; and
      
      if so, authorizing performance of the requested action.
  - 75. The one or more electronically-accessible media as recited in claim 74, comprising the electronically-executable instructions that, when executed, direct the electronic device to execute further operations comprising:
    - if not, determining whether a timer set in accordance with the at least one rule has expired; and
      
      if the timer has not expired, repeating the operation of determining whether the one or more authentication tickets have been validated.
  - 76. The one or more electronically-accessible media as recited in claim 74, wherein the electronically-executable instructions comprise at least one action security agent that enables, at least in part, execution of the operations of receiving one or more authentication tickets, determining, and authorizing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jones, Thomas C.

Granted Patent

US 7,257,835 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 21/33 using certificates

Securely authorizing the performance of actions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

76 Claims

Specification

Solutions

Use Cases

Quick Links

Securely authorizing the performance of actions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

76 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links