Access authorization having a centralized policy

US 20060075461A1
Filed: 10/01/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium whose contents cause a computer to perform an access control check based on an applicable policy in response to an authorization query regarding an access to a resource, the applicable policy composed of one or more rules applicable to a principal, the applicable policy being a part of a centralized policy store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.

37 Citations

View as Search Results

33 Claims

1. A computer-readable storage medium whose contents cause a computer to perform an access control check based on an applicable policy in response to an authorization query regarding an access to a resource, the applicable policy composed of one or more rules applicable to a principal, the applicable policy being a part of a centralized policy store.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-readable storage medium of claim 1, wherein the principal is an application program requesting the access to the resource.
  - 3. The computer-readable storage medium of claim 1, wherein the principal is a combination of an application program requesting the access to the resource and an identity of a user on whose behalf the application program is executing.
  - 4. The computer-readable storage medium of claim 1, wherein the computer instructions are integrated into and execute as part of an operating system suitable for executing on the computer.

5. One or more computer memories collectively containing a centralized policy data structure, the centralized policy data structure comprising at least one policy, the policy comprising at least one rule having at least one dependency on a dynamically configurable environment parameter, such that the policy is used to determine whether access to a resource is authorized, the determination based on an identity of a principal and the rules in the policy that are applicable to the principal.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The computer memories of claim 5, wherein the environment parameter is set by an administrator who is different from an administrator of the policy.
  - 7. The computer memories of claim 5, wherein the environment parameter is a specified path.
  - 8. The computer memories of claim 5, wherein the environment parameter is a specification of a collection of filename extensions.
  - 9. The computer memories of claim 5, wherein the environment parameter is a specification of one or more directories.
  - 10. The computer memories of claim 5, wherein the environment parameter is an indication of a protocol.
  - 11. The computer memories of claim 5, wherein the rule defines privileges for an object within an operating system.
  - 12. The computer memories of claim 5, wherein the rule defines privileges for an object outside an operating system.
  - 13. The computer memories of claim 5, wherein the rule supports the inclusion of conditions.
  - 14. The computer memories of claim 5, wherein the rule applies to both present and future objects.

15. A computer-readable storage medium whose contents cause a computer to:
- receive a request to load an application program image into memory;
  
  responsive to receiving the request to load the application program image, determining whether there is a policy applicable to the application program image;
  
  responsive to determining that there is an applicable policy, loading the application program image; and
  
  responsive to determining that an applicable policy does not exist, denying the request to load the application program image.
- View Dependent Claims (16, 17, 18)
- - 16. The computer-readable storage medium of claim 15 further comprising contents that cause the computer to, responsive to determining that there is an applicable policy, determining a potential security risk associated with loading the application program image.
  - 17. The computer-readable storage medium of claim 16, wherein the potential security risk is based on an extent of authorization granted by the policy.
  - 18. The computer-readable storage medium of claim 15, wherein the determination of the existence of the policy is made prior to executing the application program image.

19. A computer-readable storage medium whose contents cause a computer to:
- receive a request to load an application program image into memory;
  
  determining whether the application program image intends to access a predetermined resource; and
  
  responsive to determining that the application program image intends to access the predetermined resource, denying the request to load the application program image.
- View Dependent Claims (20)
- - 20. The computer-readable storage medium of claim 19, wherein the determination of the intent to access the predetermined resource is based upon an analysis of a policy applicable to the application program image.

21. A method in a computing system for performing an access control check, the method comprising:
- receiving a request to perform an access control check for authorization to access a resource;
  
  determining an identity of a principal requesting access to the resource;
  
  identifying a policy applicable to the principal, the policy composed of one or more rules, the policy being a part of a centralized group of policies; and
  
  performing an access control check against the identity of the principal, the policy applicable to the principal, and the resource.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the access control check is further performed against a requested action on the resource.
  - 23. The method of claim 21, wherein the principal is an application program instance running on a computer.
  - 24. The method of claim 21, wherein the principal is a combination of an application program instance running on a computer and an identity of a user on whose behalf the application program instance is running.

25. A system for performing an access control check comprising:
- an authorization query component operable to receive an authorization query regarding access to a resource;
  
  a principal identification component operable to identify a principal requesting access to the resource;
  
  a policy identification component operable to identify a policy applicable to the principal, the policy composed of one or more rules, the policy being a part of a centralized group of policies; and
  
  an access control check component operable to perform an access control check as a function of the principal, the policy applicable to the principal, and the resource.

26. A method in a computing system for querying the security risk of an application program, the method comprising:
- determining whether there is a policy applicable to an application program image;
  
  responsive to determining that there is an applicable policy, processing the application program image; and
  
  responsive to determining that an applicable policy does not exist, not processing the application program image.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26 further comprising, responsive to determining that there is an applicable policy, determining a potential security risk associated with the application program image.
  - 28. The method of claim 26 further comprising analyzing the applicable policy to determine the intent of the application program image, such that further processing of the application program image is based on the intent of the application program image.
  - 29. The method of claim 26, wherein processing the application program image includes loading the application program image.
  - 30. The method of claim 26, wherein processing the application program image includes executing the application program image.

31. A system for processing an application program based on the existence of an applicable policy, the system comprising:
- a means for receiving a request to perform an operation on an application program image;
  
  a means for determining whether a policy exists for the application program image; and
  
  a means for performing the operation based on the determination of whether an applicable policy exists.
- View Dependent Claims (32, 33)
- - 32. The system of claim 31, wherein the operation is loading the application program image.
  - 33. The system of claim 31, wherein the operation is executing the application program image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark

Granted Patent

US 7,685,632 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/102   Entity profiles

Access authorization having a centralized policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization having a centralized policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links