Translating role-based access control policy to resource authorization policy

US 20070283443A1
Filed: 05/30/2006
Published: 12/06/2007
Est. Priority Date: 05/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method for authoring role based access control policy in a networked computing environment, comprising:

defining at least one scope wherein each scope represents a set of resources in the networked computing environment;

defining at least one application role, each including a set of permissions that are assigned to principals in a given scope; and

defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is designated for access to specific resources according to a scope of the at least one scope and an application role of the at least one application role.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Translation of role-based authoring models for managing RBAC “roles” to resource authorization policy (RAP), such as ACL-based applications, is provided. A generic RBAC system is defined from which mappings to other authorization enforcement mechanism make possible the translation of RBAC “roles” to resource authorization policies applied to resources managed by a resource manager, e.g., a file system resource manager. An implementation is described that uses Windows Authorization Manager as a storage mechanism and object model to manage object types and relationships translated from an RBAC system.

269 Citations

21 Claims

1. A method for authoring role based access control policy in a networked computing environment, comprising:
- defining at least one scope wherein each scope represents a set of resources in the networked computing environment;
  
  defining at least one application role, each including a set of permissions that are assigned to principals in a given scope; and
  
  defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is designated for access to specific resources according to a scope of the at least one scope and an application role of the at least one application role.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - granting or denying permissions to the at least one resource group based on the corresponding scope and application role of the resource group.
  - 3. The method of claim 1, further comprising:
    - translating the at least one scope, the at least one application role and the at least one resource group to permissions corresponding to a resource authorization policy model.
  - 4. The method of claim 1, further comprising:
    - translating the at least one scope, the at least one application role and the at least one resource group to data structures corresponding to a resource authorization policy model.
  - 5. The method of claim 4, further comprising:
    - translating the at least one scope, the at least one application role and the at least one resource group to form translation information for translating to access control list (ACL) and access control entry (ACE) data structures of a resource authorization policy model based on ACLs and ACEs.
  - 6. The method of claim 5, wherein the resource authorization policy model based on ACLs and ACEs is the Windows Authorization Manager (AzMan).
  - 7. The method of claim 5, further comprising:
    - propagating the translation information to access control list (ACL) and access control entry (ACE) data structures of the networked computing environment.
  - 8. The method of claim 1, wherein said defining of the at least one resource group of principals includes selecting a pre-existing membership group associated with an organization operating in the networked computing environment.
  - 9. The method of claim 8, further comprising:
    - updating the at least one resource group when the pre-existing membership group changes.
  - 10. The method of claim 9, wherein said defining of the at least one resource group of principals includes selecting an email group or a distribution list associated with the organization.
  - 11. The method of claim 1, wherein a scope of the at least one scope is defined as one or more of a collection of files, folders or other objects as organized by an operating system'"'"'s file system.
  - 12. The method of claim 1, further comprising:
    - updating the at least one scope when a set of resources associated with a scope changes.
  - 13. An application programming interface comprising computer executable interface modules having computer executable instructions for performing the method of claim 1.

14. A computer readable medium for storing role based access control policy data for controlling access in a networked computing environment, comprising:
- a first data structure including scope data representing at least one scope wherein each scope represents a set of resources in the networked computing environment;
  
  a second data structure including role data defining at least one application role, each application role including a set of permissions that are assigned to principals in a given scope; and
  
  a third data structure including group data defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is granted or denied access to specific resources according to a scope of the at least one scope and an application role of the at least one application role,wherein the first, second and third data structures are mappable according to a pre-determined mapping function to data structures associated with a resource authorization policy that applies authorization policy per resource.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer readable medium according to claim 14, wherein the resource authorization policy is a resource authorization policy that includes access control lists (ACEs) data structures as the basis resource authorization.
  - 16. The computer readable medium according to claim 14, further comprising:
    - a computer executable module for authoring the first, second and third data structures.
  - 17. The computer readable medium according to claim 14, further comprising:
    - a computer executable module for translating the first, second and third data structures to the data structures associated with the resource authorization policy.
  - 18. The computer readable medium according to claim 14, further comprising:
    - a computer executable module for translating the first, second and third data structures to the permissions associated with the resource authorization policy.

19. An authoring tool for creating role based access control policy to be enforced in a networked computing environment including authorizations based on resource authorization policy, comprising:
- means for defining at least one scope wherein each scope represents a set of resources in the networked computing environment;
  
  means for defining at least one application role, each including a set of permissions that are assigned to principals in a given scope; and
  
  means for defining at least one resource group of principals in an organizational identity management system, wherein each of the members of the at least one resource group is designated for access to specific resources according to a scope of the at least one scope and an application role of the at least one application role.
- View Dependent Claims (20, 21)
- - 20. The authoring tool of claim 19, further comprising:
    - means for granting or denying permissions to the at least one resource group based on the corresponding scope and application role of the resource group.
  - 21. The authoring tool of claim 20, further comprising:
    - means for translating the at least one scope, the at least one application role and the at least one resource group to permissions corresponding to the resource authorization policy model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
McPherson, Dave, Paramasivam, Muthukrishnan, Leach, Paul J.

Granted Patent

US 8,381,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Translating role-based access control policy to resource authorization policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Translating role-based access control policy to resource authorization policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links