Method and system for limiting rights of services

US 20060259980A1
Filed: 05/16/2005
Published: 11/16/2006
Est. Priority Date: 05/16/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method in a computer system for identifying access rights of services, the method comprising:

for services that are to execute within a service host, creating a security identifier that is unique to the service and independent of the computer system; and

adding the security identifier to a security context for the service host; and

when a service accesses an object, providing the security context with the added security identifiers to establish a right of the service to access the object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access rights and privileges of services is provided. A service control system creates a security identifier that is unique for each service that executes within a service host and adds the security identifiers to the security context of the service host. The service control system may create a unique security identifier for each service that is independent of the computer system and the account on which the service executes. The service control system may also adjust the privileges of the security context of a service host to be an aggregate of the privileges needed by the services that are to execute within the service host. The service control system may also create a restricted security context for the service host that includes the security identifiers of the services as restricted service identifiers.

40 Citations

View as Search Results

20 Claims

1. A method in a computer system for identifying access rights of services, the method comprising:
- for services that are to execute within a service host, creating a security identifier that is unique to the service and independent of the computer system; and
  
  adding the security identifier to a security context for the service host; and
  
  when a service accesses an object, providing the security context with the added security identifiers to establish a right of the service to access the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the security context is an access token.
  - 3. The method of claim 1 wherein the creating of the security identifier includes generating a hash value based on a unique service name of the service.
  - 4. The method of claim 3 wherein the hash value is generated using a secure hash algorithm.
  - 5. The method of claim 1 wherein each computer system that executes the same service generates the same security identifier for the service.
  - 6. The method of claim 1 wherein access control lists of objects include the security identifiers of services with access rights to the objects.
  - 7. The method of claim 6 wherein the access control lists with the same security identifiers are distributed to multiple computer systems.
  - 8. The method of claim 1 wherein the creating and adding of a security identifier is performed by a service control manager.
  - 9. The method of claim 1 wherein the security context has privileges and including determining privileges needed by the services that are to execute within the service host and adjusting the privileges of the security context to an aggregation of the privileges needed by the services.

10. A method in a computer system for establishing privileges of services of a service host, the method comprising:
- receiving a security context for the service host that includes privileges of the service host;
  
  determining the privileges of the services of the service host; and
  
  adjusting the privileges of the security context to an aggregation of the determined privileges.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 wherein the receiving, determining, and adjusting are performed by a service control manager.
  - 12. The method of claim 11 wherein the service control manager adds a security identifier for the services of the service host to the security context.
  - 13. The method of claim 10 wherein each service provides the security context with the aggregation of privileges when accessing an object.
  - 14. The method of claim 10 wherein when the privileges of a service are not available, then the determined privileges are default privileges.

15. A method in a computer system for controlling access of services to objects, the method comprising:
- under control of a service control manager, creating a restricted access token that includes the security identifiers of the services as restricted security identifiers; and
  
  under control of a service, providing the restricted access token to establish access rights of the service to an object that has an access control list that includes the security identifier of the service.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 including allowing access to an object only when the service has both non-restricted access and restricted access to the object.
  - 17. The method of claim 15 wherein the security identifiers are created based on service name.
  - 18. The method of claim 15 wherein the creating of the restricted access token includes creating the security identifiers of the services.
  - 19. The method of claim 18 wherein the creating of the restricted access token includes adjusting privileges of the access token to be an aggregation of the privileges of the services.
  - 20. The method of claim 15 wherein the creating of the restricted access token includes adjusting privileges of the access token to be an aggregation of the privileges of the services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sabbaraman, Chittur, Field, Scott A., Chinta, Ramesh

Application Number

US11/131,431
Publication Number

US 20060259980A1
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Method and system for limiting rights of services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for limiting rights of services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links