Controlling computer applications' access to data

US 20060174334A1
Filed: 01/28/2005
Published: 08/03/2006
Est. Priority Date: 01/28/2005
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable media comprising computer-executable instructions for controlling an application attempting to access data, the computer-executable instructions comprising instructions for:

associating the application with a security token comprising an application ID;

receiving a request from the application for access to the data; and

evaluating the request based in part on comparison of the security token to a listing of approved application IDs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that control attempts made by an application to access data. In one embodiment, the application is associated with a security token that includes an application ID. In operation, the system receives a request, initiated by the application, for access to the data. The system is configured to evaluate the request for access based in part on comparison of the security token and a listing of approved application IDs associated with the data.

108 Citations

View as Search Results

20 Claims

1. One or more computer-readable media comprising computer-executable instructions for controlling an application attempting to access data, the computer-executable instructions comprising instructions for:
- associating the application with a security token comprising an application ID;
  
  receiving a request from the application for access to the data; and
  
  evaluating the request based in part on comparison of the security token to a listing of approved application IDs.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The one or more computer-readable medium as recited in claim 1, wherein associating the application with the security token comprises instructions for:
    - verifying a signature of the application ID to confirm that the application ID is a strong application ID;
      
      forming the security token upon execution of the application; and
      
      including the strong application ID within the security token.
  - 3. The one or more computer-readable medium as recited in claim 1, wherein associating the application with the security token comprises instructions for:
    - configuring the application as a security principal upon verification of the application ID;
      
      configuring a user as a security principal upon verification of the user'"'"'s user ID; and
      
      including the user ID within the security token.
  - 4. The one or more computer-readable medium as recited in claim 1, wherein associating the application with the security token comprises instructions for:
    - verifying, cryptographically, that the application has a strong application ID; and
      
      configuring the application as a security principal according to the strong application ID.
  - 5. The one or more computer-readable medium as recited in claim 1, wherein evaluating the request comprises instructions for:
    - comparing the token to the listing, wherein the listing is configured as an access control list; and
      
      allowing the request where the application ID from the token is contained within the access control list.
  - 6. The one or more computer-readable medium as recited in claim 1, wherein evaluating the request comprises instructions for:
    - comparing a user ID and the application ID from within the token to approved user IDs and the approved application IDs within the listing; and
      
      allowing access to the data wherein both the user ID is included within the approved user IDs and also the application ID is included within the approved application IDs.

7. A method for controlling access to data, the method comprising:
- identifying a strong application ID associated with an application;
  
  configuring a token comprising the strong application ID; and
  
  determining if the access to the data should be permitted by comparing the token with an access control list associated with the data.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as recited in claim 7, wherein identifying the strong application ID comprises:
    - performing a cryptographic validation using a key; and
      
      confirming that the cryptographic validation provides evidence as to the identity of the application.
  - 9. The method as recited in claim 7, wherein the access control list is configured to include application IDs of applications for which authorization to access the data has been granted.
  - 10. The method as recited in claim 7, wherein configuring the token comprises:
    - configuring the token to additionally comprise a user ID.
  - 11. The method as recited in claim 7, wherein determining if the access to the data should be permitted comprises:
    - comparing a user ID and the strong application ID from within the token to approved user IDs and the approved application IDs within the access control list; and
      
      allowing access to the data wherein both the user ID is included within the approved user IDs and also the strong application ID is included within the approved application IDs.
  - 12. The method as recited in claim 7, additionally comprising:
    - allowing the application to update application owned data if comparison of the token with an access control list governing data indicates.

13. A system configured to control computer applications'"'"' access to data, the system comprising:
- an environment within which a process may be operated;
  
  a security token containing a strong application ID associated with the process; and
  
  a system security function configured to make a decision to allow or prevent access to the data by the process, wherein the decision is made using the strong application ID from the security token.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system as recited in claim 13, wherein the token comprises:
    - a user ID; and
      
      the strong application ID, wherein the strong application ID has been verified cryptographically.
  - 15. The system of claim 13, additionally comprising:
    - an access control list to contain information on application IDs and user IDs qualified to gain access to the data; and
      
      wherein the system security function is configured to make a comparison between the token and the access control list, wherein the comparison governs access to the data.
  - 16. The system as recited in claim 13, additionally comprising:
    - a user ID contained within the security token.
  - 17. The system of claim 13, wherein the process is configured as a security principle with respect to the data.
  - 18. The system as recited in claim 13, wherein the system security function is configured to allow access only to data over which the application and a user executing the application are both security principals.
  - 19. The system as recited in claim 13, wherein the system security function is configured for:
    - comparing the token to an access control list, wherein the access control list comprises approved strong application IDs with respect to the application, and wherein the comparing is in response to a request for access to the data; and
      
      allowing the request where the strong application ID from the token is in the access control list.
  - 20. The system as recited in claim 13, wherein the system security function is configured for:
    - comparing a user ID and the strong application ID from within the token to approved user IDs and approved strong application IDs; and
      
      allowing access to the data wherein the user ID is included within the approved user IDs and the strong application ID is also included within the approved strong application IDs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Leach, Paul J., Jones, Thomas C., Brundrett, Peter T., Schutz, Klaus U., Perlin, Eric C.

Granted Patent

US 7,802,294 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

Controlling computer applications' access to data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling computer applications' access to data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links