Access authorization API

US 20060075464A1
Filed: 10/01/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium whose contents cause a computer to:

receive from a first process a request to set a policy on a second process;

determine whether the first process possesses adequate privilege to set the policy on the second process; and

responsive to determining that the first process possesses adequate privilege, set the policy on the second process, such that the policy is applied to the second process in performing access control checks to determine whether the second process has authorization to access a resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for setting and revoking policies is provided. The facility receives a request from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has privilege to set the policy on the controlled process, the facility sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.

100 Citations

View as Search Results

39 Claims

1. A computer-readable storage medium whose contents cause a computer to:
- receive from a first process a request to set a policy on a second process;
  
  determine whether the first process possesses adequate privilege to set the policy on the second process; and
  
  responsive to determining that the first process possesses adequate privilege, set the policy on the second process, such that the policy is applied to the second process in performing access control checks to determine whether the second process has authorization to access a resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-readable storage medium of claim 1, wherein the first process is a parent of the second process.
  - 3. The computer-readable storage medium of claim 1, wherein the policy is an irrevocable policy.
  - 4. The computer-readable storage medium of claim 1, wherein the policy is a revocable policy, and further comprising contents that cause the computer to:
    - responsive to setting the policy on the second process, return an identifier to the first process.
  - 5. The computer-readable storage medium of claim 4, wherein the identifier is returned in a cookie.
  - 6. The computer-readable storage medium of claim 4 further comprising computer instructions that cause the computer to:
    - receive a request to revoke the policy on the second process;
      
      authenticate the request to revoke the policy on the second process; and
      
      responsive to authenticating the request to revoke the policy, revoke the policy on the second process, such that the policy is no longer applied to the second process in performing access control checks to determine whether the second process has authorization to access a resource.
  - 7. The computer-readable storage medium of claim 6, wherein the request to revoke the policy is authenticated by receipt of the identifier.
  - 8. The computer-readable storage medium of claim 6, wherein the request to revoke the policy is submitted by the first process.
  - 9. The computer-readable storage medium of claim 6, wherein the request to revoke the policy is submitted by the second process.
  - 10. The computer-readable storage medium of claim 1, wherein the first process and the second process are the same.
  - 11. The computer-readable storage medium of claim 1, wherein the request to set the policy is received through an API.
  - 12. The computer-readable storage medium of claim 1, wherein the request to set the policy is a request to set the policy on all process threads of the second process.
  - 13. The computer-readable storage medium of claim 1, wherein the request to set the policy is a request to set the policy on one or more process threads of the second process. A computer-readable storage medium whose contents cause a computer to:

14. A computer-readable storage medium whose contents cause a computer to:
- submit a first request to set a self-imposed policy to a first policy;
  
  submit at least one request to access a first resource;
  
  submit a second request to set a self-imposed policy to a second policy; and
  
  submit at least one request to access a second resource, such that the first policy is used to determine whether there is authorization to access the first resource, and the second policy is used to determine whether there is authorization to access the second resource.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-readable storage medium of claim 14, wherein the second policy is more restrictive than the first policy.
  - 16. The computer-readable storage medium of claim 14, wherein the second request to set a self-imposed policy to the second policy revokes the first policy.
  - 17. The computer-readable storage medium of claim 14, wherein the second request to set a self-imposed policy to the second policy does not revoke the first policy.
  - 18. The computer-readable storage medium of claim 14, wherein the second request to set a self-imposed policy to the second policy does not revoke the first policy, such that the first policy and the second policy are used to determine whether there is authorization to access the second resource.

19. A computer-readable storage medium whose contents cause a computer to:
- receive from a first process a request to set a self-imposed revocable policy on itself to a first policy;
  
  set the policy on the first process to the first policy;
  
  return an identifier to the first process;
  
  receive from the first process at least one request to access a first resource;
  
  apply the first policy to the request to access the first resource to determine whether the first process has authorization to access the first resource;
  
  receive from the first process a request to revoke the first policy;
  
  authenticate the request to revoke the first policy; and
  
  subsequent to authenticating the request to revoke the first policy, revoke the first policy.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-readable storage medium of claim 19 further comprising contents that cause the computer to, subsequent to revoking the first policy, set the policy on the first process to a prior policy that was being applied prior to the request to set the self-imposed revocable policy.
  - 21. The computer-readable storage medium of claim 20, wherein an indication of the prior policy is submitted by the first process.
  - 22. The computer-readable storage medium of claim 19, wherein the identifier is received with the request to revoke the first policy.
  - 23. The computer-readable storage medium of claim 19 further comprising contents that cause the computer to, subsequent to setting the policy on the first process to the first policy, return an indication of a prior policy which was in effect prior to the request to set the self-imposed revocable policy.

24. A computer-readable storage medium whose contents cause a computer to:
- receive from a first process a request for a resource provided by the process, the request includes an identifier;
  
  impersonate the first process;
  
  determine whether the first process has authorization to request the resource;
  
  subsequent to determining that the first process has authorization to request the resource, process the request for the resource.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The computer-readable storage medium of claim 24, wherein the process impersonates the first process by assuming the identity of the first process.
  - 26. The computer-readable storage medium of claim 24, wherein the process determines whether the first process has authorization to request the resource by sending a request to perform an access control check, the request includes the identifier received from the first process and an indication of the requested resource.
  - 27. The computer-readable storage medium of claim 26, wherein the request to perform the access control check is made to an operating system.
  - 28. The computer-readable storage medium of claim 24, wherein the determination of whether the first process has authorization to request the resource involves a check of a policy applicable to the first process.

29. A method in a computer system for setting a policy on a controlled process executing on the computer system, the method comprising:
- receiving from a controlling process a request to set a policy on the controlled process;
  
  determining whether the controlling process has privilege to set the policy on the controlled process; and
  
  responsive to determining that the controlling process has privilege to set the policy on the controlled process, setting the policy on the controlled process, such that the policy is applied to the controlled process in performing access control checks to determine whether the controlled process has authorization to access a resource.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 30. The method of claim 29, wherein the policy is a revocable policy and, subsequent to setting the policy on the controlled process, sending the controlling process an identifier for use in requesting a revocation of the set policy.
  - 31. The method of claim 30 further comprising, subsequent to setting the policy on the controlled process, sending the controlling process an indication of a prior policy that was in effect before setting the policy.
  - 32. The method of claim 30 further comprising:
    - receiving a request to revoke the policy on the controlled process;
      
      authenticating the request to revoke the policy on the controlled process; and
      
      responsive to authenticating the request to revoke the policy, revoking the policy on the controlled process.
  - 33. The method of claim 32, wherein the authenticating the request comprises a check to determine whether the identifier is received as part of the request to revoke the policy.
  - 34. The method of claim 32, wherein the request to revoke the policy is received from the controlling process.
  - 35. The method of claim 32, wherein the request to revoke the policy is received from the controlled process.
  - 36. The method of claim 32, wherein the request to revoke the policy is received from a process other than the controlling process or the controlled process.
  - 37. The method of claim 32 further comprising, responsive to authenticating the request to revoke the policy, setting a prior policy on the controlled process that was in effect before setting the policy just revoked.
  - 38. The method of claim 29, wherein the controlled process and the controlling process are the same process.
  - 39. The method of claim 29, wherein the controlled process is an executing thread of the controlling process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark, Golan, Gilad, Field, Scott A.

Granted Patent

US 7,818,781 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06Q 40/00   Finance; Insurance; Tax str...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Access authorization API

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization API

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links