Access authorization having a centralized policy
First Claim
1. A computer-readable storage medium whose contents cause a computer to perform an access control check based on an applicable policy in response to an authorization query regarding an access to a resource, the applicable policy composed of one or more rules applicable to a principal, the applicable policy being a part of a centralized policy store.
2 Assignments
0 Petitions
Accused Products
Abstract
A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.
37 Citations
33 Claims
- 1. A computer-readable storage medium whose contents cause a computer to perform an access control check based on an applicable policy in response to an authorization query regarding an access to a resource, the applicable policy composed of one or more rules applicable to a principal, the applicable policy being a part of a centralized policy store.
- 5. One or more computer memories collectively containing a centralized policy data structure, the centralized policy data structure comprising at least one policy, the policy comprising at least one rule having at least one dependency on a dynamically configurable environment parameter, such that the policy is used to determine whether access to a resource is authorized, the determination based on an identity of a principal and the rules in the policy that are applicable to the principal.
-
15. A computer-readable storage medium whose contents cause a computer to:
-
receive a request to load an application program image into memory;
responsive to receiving the request to load the application program image, determining whether there is a policy applicable to the application program image;
responsive to determining that there is an applicable policy, loading the application program image; and
responsive to determining that an applicable policy does not exist, denying the request to load the application program image. - View Dependent Claims (16, 17, 18)
-
-
19. A computer-readable storage medium whose contents cause a computer to:
-
receive a request to load an application program image into memory;
determining whether the application program image intends to access a predetermined resource; and
responsive to determining that the application program image intends to access the predetermined resource, denying the request to load the application program image. - View Dependent Claims (20)
-
-
21. A method in a computing system for performing an access control check, the method comprising:
-
receiving a request to perform an access control check for authorization to access a resource;
determining an identity of a principal requesting access to the resource;
identifying a policy applicable to the principal, the policy composed of one or more rules, the policy being a part of a centralized group of policies; and
performing an access control check against the identity of the principal, the policy applicable to the principal, and the resource. - View Dependent Claims (22, 23, 24)
-
-
25. A system for performing an access control check comprising:
-
an authorization query component operable to receive an authorization query regarding access to a resource;
a principal identification component operable to identify a principal requesting access to the resource;
a policy identification component operable to identify a policy applicable to the principal, the policy composed of one or more rules, the policy being a part of a centralized group of policies; and
an access control check component operable to perform an access control check as a function of the principal, the policy applicable to the principal, and the resource.
-
-
26. A method in a computing system for querying the security risk of an application program, the method comprising:
-
determining whether there is a policy applicable to an application program image;
responsive to determining that there is an applicable policy, processing the application program image; and
responsive to determining that an applicable policy does not exist, not processing the application program image. - View Dependent Claims (27, 28, 29, 30)
-
-
31. A system for processing an application program based on the existence of an applicable policy, the system comprising:
-
a means for receiving a request to perform an operation on an application program image;
a means for determining whether a policy exists for the application program image; and
a means for performing the operation based on the determination of whether an applicable policy exists. - View Dependent Claims (32, 33)
-
Specification