Integrated access authorization

US 20060075469A1
Filed: 10/01/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium whose contents cause a computer to:

receive an authorization query regarding a request to access a resource;

identify a principal requesting to access the resource;

perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and

responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, and enter an entry into an audit log, the entry recording the denial of authorization, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log. The facility may additionally determine whether the authorization query is a request for authorization to perform an inherently dangerous operation, and record an indication of an authorization to perform the inherently dangerous operation in the audit log.

63 Citations

View as Search Results

40 Claims

1. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to access a resource;
  
  identify a principal requesting to access the resource;
  
  perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
  
  responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, and enter an entry into an audit log, the entry recording the denial of authorization, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable storage medium of claim 1, wherein the entry identifies the denied request to access the resource.
  - 3. The computer-readable storage medium of claim 1, wherein the entry identifies a rule in the policy that caused the denial of authorization to access the resource.
  - 4. The computer-readable storage medium of claim 1, wherein the entry identifies the principal.
  - 5. The computer-readable storage medium of claim 1, wherein the entry identifies the requested resource.
  - 6. The computer-readable storage medium of claim 1 further comprising contents that cause the computer to trigger an event based on the entry in the audit log.
  - 7. The computer-readable storage medium of claim 6, wherein the event includes providing an indication of the denied request to an interested party.
  - 8. The computer-readable storage medium of claim 6, wherein the event includes imposing a different policy to the principal.
  - 9. The computer-readable storage medium of claim 1 further comprising contents that cause the computer to, responsive to determining to allow authorization to access the resource, return an allow decision granting authorization to access the resource, and enter an entry into the audit log, the entry recording the authorization to access the resource.

10. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to perform an operation on a computer;
  
  identify a principal requesting to perform the operation;
  
  perform an access control check to determine whether to allow authorization to perform the operation, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
  
  responsive to determining to allow authorization to perform the operation, determine whether the requested operation is an inherently dangerous operation; and
  
  responsive to determining that the requested operation is an inherently dangerous operation, enter an entry into an audit log, the entry recording the authorization to perform an inherently dangerous operation, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.
- View Dependent Claims (11)
- - 11. The computer-readable storage medium of claim 10 further comprising contents that cause the computer to trigger an event based on the entry in the audit log.

12. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to access a resource;
  
  identify a principal requesting to access the resource;
  
  perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
  
  responsive to determining to deny authorization to access the resource, identify a rule in the policy that caused the denial of authorization to access the resource and determine whether learning mode is enabled for the identified rule;
  
  responsive to determining that learning mode is enabled for the identified rule, return an allow decision granting authorization to access the resource, and enter an entry into a report log, the entry recording an indication of the rule having the enabled learning mode, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.
- View Dependent Claims (13, 14, 15)
- - 13. The computer-readable storage medium of claim 12 further comprising contents that cause the computer to, responsive to determining that learning mode is not enabled for the identified rule, return a deny decision denying authorization to access the resource.
  - 14. The computer-readable storage medium of claim 12, wherein the entry identifies the principal.
  - 15. The computer-readable storage medium of claim 12 further comprising contents that cause the computer to:
    - responsive to determining to allow authorization to access the resource, identify a rule in the policy that caused the allowance of authorization to access the resource and determine whether learning mode is enabled for the identified rule; and
      
      responsive to determining that learning mode is enabled for the identified rule, return an allow decision granting authorization to access the resource, and enter an entry into a report log, the entry recording an indication of the rule having the enabled learning mode.

16. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to access a resource on a computer;
  
  perform a first access control check to determine whether to allow or deny authorization to access the resource;
  
  responsive to determining to allow authorization to access the resource based on the first access control check;
  
  identify a principal requesting access to the resource;
  
  perform a second access control check to determine whether to allow or deny authorization to access the resource, the second access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
  
  responsive to determining to allow authorization to access the resource, return an allow decision granting authorization to access the resource; and
  
  responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, such that the computer instructions for the second access control check are executed as an integral component of an operating system suitable for executing on the computer.

17. One or more computer memories collectively containing a centralized policy store, the centralized policy store comprising at least one policy, the policy comprising at least one rule having an indication of whether to activate learning mode for the rule, such that the indication of whether to activate learning mode is used to determine whether to apply the rule in processing an access control check to determine whether access to a resource is authorized.

18. A method in a computing system for auditing requests to access a resource, the method comprising:
- identifying a principal requesting to access a resource;
  
  performing an access control check to determine whether to deny or allows authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
  
  responsive to determining to deny authorization to access the resource, returning a deny decision denying authorization to access the resource, and entering an entry into an audit log, the entry recording the denial of authorization, such that the method is performed by an integral component of an operating system executing on the computing system.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of claim 18 further comprising providing a notification of the denial of authorization to a system administrator.
  - 20. The method of claim 18 further comprising, responsive to determining to deny authorization to access the resource, invoking a second policy applicable to the principal, the second policy being applied to a subsequent request made by the principal.
  - 21. The method of claim 18 further comprising, responsive to determining to deny authorization to access the resource, terminating a process associated with the principal, the process being identified as having made the request to access the resource.
  - 22. The method of claim 18 further comprising:
    - determining whether the requested access to the resource comprises an inherently dangerous operation; and
      
      responsive to determining that the requested access to the resource comprises an inherently dangerous operation, making an entry into the audit log, the entry recording the denial of authorization for the inherently dangerous operation.
  - 23. The method of claim 18 further comprising:
    - responsive to determining to allow authorization to access the resource, returning an allow decision granting authorization to access the resource, and;
      
      determining whether the requested access to the resource comprises an inherently dangerous operation; and
      
      responsive to determining that the requested access to the resource comprises an inherently dangerous operation, making an entry into the audit log, the entry recording the granting of authorization for the inherently dangerous operation.
  - 24. The method of claim 23 further comprising providing a notification of the grant of authorization to perform the inherently dangerous operation to an entity other than the principal.
  - 25. The method of claim 23 further comprising applying a second policy to the principal, the second policy being stricter than the policy.

26. A method in a computing system for fine-tuning a policy, the method comprising:
- providing a centralized policy store, the centralized policy store comprising at least one policy, the policy comprising at least one rule having an indication of whether to activate learning mode for the rule, such that;
  
  if the rule fails and causes a denial of authorization to access a resource and learning mode is activated;
  
  granting authorization to access the resource; and
  
  recording the grant of the authorization and the failure of the rule in a log;
  
  if the rule fails and causes the denial of authorization to access the resource and learning mode is not activated;
  
  denying authorization to access the resource, such that the method is performed by an integral component of an operating system executing on the computing system.
- View Dependent Claims (27)
- - 27. The method of claim 26 further comprising:
    - if the rule allows authorization to access the resource and learning mode is activated;
      
      granting authorization to access the resource; and
      
      recording the grant of the authorization and an indication of the rule responsible for allowing authorization to access the resource in the log.

28. A method in a computing system for performing a tiered access control check, the method comprising:
- performing a first access control check to determine whether to grant or deny authorization to access a resource;
  
  responsive to determining to grant authorization to access the resource based on the first access control check;
  
  identifying a principal requesting access to the resource;
  
  performing a second access control check to determine whether to grant or deny authorization to access the resource, the second access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
  
  responsive to determining to grant authorization to access the resource, returning an allow decision granting authorization to access the resource; and
  
  responsive to determining to deny authorization to access the resource, returning a deny decision denying authorization to access the resource, such that the second access control check is performed by an integral component of an operating system suitable for executing on the computer.

29. A system for auditing requests for authorization to access a resource provided on a computing system, the system comprising:
- a centralized policy store having at least one policy, the policy having one or more rules;
  
  an authorization component operable to execute as a component of an operating system suitable for executing on the computing system, the authorization component further operable to;
  
  identify a principal requesting to access a resource;
  
  apply the policy to the principal to determine whether to deny authorization to access the resource; and
  
  responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, and record the denial of authorization in an audit log.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37)
- - 30. The system of claim 29, wherein the authorization component is further operable to record an indication of the principal in the audit log in response to determining to deny authorization to access the resource.
  - 31. The system of claim 29, wherein the authorization component is further operable to record an indication of a rule in the policy that caused the denial of authorization to access the resource in the audit log in response to determining to deny authorization to access the resource.
  - 32. The system of claim 29, wherein the authorization component is further operable to record an indication of the requested resource in the audit log in response to determining to deny authorization to access the resource.
  - 33. The system of claim 29 wherein the authorization component is further operable to trigger an event based on the entry in the audit log.
  - 34. The system of claim 33, wherein the event is an indication of the denied request to an entity other than the principal.
  - 35. The system of claim 33, wherein the event is an application of a second policy to the principal.
  - 36. The system of claim 29, wherein the authorization component is further operable to:
    - apply the policy to the principal to determine whether to allow authorization to access the resource; and
      
      responsive to determining to allow authorization to access the resource, return an allow decision allowing authorization to access the resource, and record the allowance of authorization in an audit log.
  - 37. The system of claim 36, wherein the authorization component is further operable to:
    - determine whether the access to the resource involves an inherently dangerous operation; and
      
      responsive to determining that the access to the resource involves an inherently dangerous operation, record an indication of the authorization to access the resource involving the inherently dangerous operation in the audit log.

38. A system for fine-tuning a policy comprising:
- a centralized policy store having at least one policy, the policy comprising at least one rule having an indication of whether to activate learning mode for the rule;
  
  an authorization component operable to execute as a component of an operating system suitable for executing on the computing system, the authorization component also operable to apply the rule to an authorization query to determine whether the rule fails and causes a denial of an authorization, the authorization component further operable to;
  
  responsive to determining that the rule fails, determine whether learning mode is activated for the failed rule;
  
  responsive to determining that learning mode is activated, grant the authorization; and
  
  record the grant of the authorization and the failure of the rule in a log.
- View Dependent Claims (39)
- - 39. The system of claim 38 further comprising:
    - responsive to determining that the rule does not fail and learning mode is activated;
      
      grant the authorization; and
      
      record the grant of the authorization and an indication of the rule responsible for the grant of the authorization in the log.

40. A system for performing a tiered access control check, the system comprising:
- a first access control component operable to determine whether authorization to access a resource should be granted;
  
  a second access control component operable to execute as a component of an operating system suitable for executing on a computing system, the second access control component also operable to determine whether authorization to access the resource should be granted based on an identity of a principal requesting to access the resource and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
  
  such that the second control component is executed subsequent to the first access control component determining that authorization to access the resource should be granted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark

Granted Patent

US 7,506,364 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

Integrated access authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated access authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links