Method and apparatus for providing permission information in a security authorization mechanism

US 20060156021A1
Filed: 01/10/2005
Published: 07/13/2006
Est. Priority Date: 01/10/2005
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, each for performing at least one action with respect to an object, the apparatus comprising:

a group service having a store of groups, each group including at least one of the plurality of users; and

an authorization service that determines permission for a user to perform an action with respect to an object based on a set of permission information representing permissible actions to be performed with respect to at least one object by at least one group or user;

wherein the authorization service is arranged to receive information from a plurality of software products that each specify an object or object type and actions that are performable with respect to the object or object type by the respective software product, and wherein authorization to perform an action with respect to an object is assignable to at least one group.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator, and/or provide information specifying an object or object type and actions that are performable with respect to the object or object type by the respective software product.

Citations

20 Claims

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups, each group including at least one of the plurality of users; and
  
  an authorization service that determines permission for a user to perform an action with respect to an object based on a set of permission information representing permissible actions to be performed with respect to at least one object by at least one group or user;
  
  wherein the authorization service is arranged to receive information from a plurality of software products that each specify an object or object type and actions that are performable with respect to the object or object type by the respective software product, and wherein authorization to perform an action with respect to an object is assignable to at least one group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the store of groups includes groups of at least two different types, at least one group including at least one other group of another group type.
  - 3. The apparatus of claim 1, wherein software products added to the computer system are enabled to specify objects and actions that are performable with respect to the objects, and authorization to perform actions with respect to objects are assignable to existing groups in the store of groups.
  - 4. The apparatus of claim 1, wherein a user defines authorization for at least one group or at least one user to perform an action with respect to an object.
  - 5. The apparatus of claim 1, wherein the authorization service is arranged to receive authorization requests from multiple software products for authorization to perform an identified action with respect to an identified object for an identified user.
  - 6. The apparatus of claim 1, wherein each of the plurality of software products provides securable object class (SOC) information to the authorization service that includes at least one object type and actions that are performable by the respective software product with respect to the object type.
  - 7. The apparatus of claim 6, wherein each of the plurality of software products provides SOC information regarding all of the object types with respect to which the respective software product is adapted to perform at least one action, and all of the actions performable by the respective software product for each of the object types.
  - 8. The apparatus of claim 1, wherein the permission information includes authorization entries (ACEs) for a plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users.
  - 9. The apparatus of claim 1, wherein access to objects for which the authorization service determines permission is unrestricted by a system administrator.

10. A computer readable medium including instructions that constitute a software product for use in a computer system including a plurality of users, a group service having a store of groups, each group including at least one of the plurality of users, and an authorization service that determines permission for at least one user to perform an action with respect to an object based on permission information, the permission information indicating at least one action that may be performed with respect to an object by at least one group or user, the instructions, when executed, causing the computer system to perform a method comprising:
- providing information to the authorization service regarding at least one object or object type and respective one or more actions that are performable by the software product with respect to each of the at least one object or object type; and
  
  performing at least one action with respect to at least one object or object type.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The medium of claim 10, wherein access to objects for which the authorization service determines permission is unrestricted by a system administrator.
  - 12. The medium of claim 10, wherein the permission information includes an indication of authorization for at least one group to perform an action with respect to an object.
  - 13. The medium of claim 10, wherein the method further comprises:
    - sending a request to the authorization service for authorization to perform an action, the request including an identity of the action, an identity of the object with respect to which the action is to be performed, and an identity of the user requesting to perform the action; and
      
      performing the requested action after receiving authorization from the authorization service.
  - 14. The medium of claim 10, the method further comprising:
    - providing authorization entries (ACEs) for a plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users.

15. A method for operating a computer system, the computer system including a plurality of users, the method comprising:
- providing a group service having a store of groups, each group including at least one of the plurality of users;
  
  providing an authorization service that determines permission for a user to perform an action with respect to an object based on permission information representing permissible actions to be performed with respect to at least one object or object type by at least one group or user;
  
  providing one or more software products adapted to perform at least one action with respect to at least one object or object type; and
  
  sending information, from at least one of the software products to the authorization service, specifying an object or object type and actions that are performable with respect to the object or object type by the respective software product.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the permission information includes an indication of authorization for at least one group to perform an action with respect to an object.
  - 17. The method of claim 15, comprising:
    - providing a plurality of software products adapted to perform at least one action with respect to at least one object or object type.
  - 18. The method of claim 17, wherein each of the plurality of software products is adapted to send a request to the authorization service for authorization to perform an action, the request including an identity of the action, an identity of the object with respect to which the action is to be performed, and an identity of the user requesting to perform the action.
  - 19. The method of claim 18, wherein each of the plurality of software products performs the requested action after receiving authorization from the authorization service.
  - 20. The method of claim 19, wherein the permission information includes information regarding permissible actions to be performed by at least one group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Minium, Dennis W., Fu, Xiongjian, Shelepov, Bulat Y.

Application Number

US11/032,528
Publication Number

US 20060156021A1
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/105 Multiple levels of security

Method and apparatus for providing permission information in a security authorization mechanism

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing permission information in a security authorization mechanism

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links