Composable Security Policies

US 20080066147A1
Filed: 09/11/2006
Published: 03/13/2008
Est. Priority Date: 09/11/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving a resource request that is directed to a resource;

retrieving a trust policy that is authored by principal A, the trust policy associated with the resource;

retrieving a resource access policy that is authored by principal B, the resource authorization policy associated with the resource;

combining the trust policy and the resource access policy into a composed effective policy; and

making an authorization decision responsive to the resource request and based on the composed effective policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Composable security policies enable multiple authorization policies to be combined into a composed effective authorization policy such that policy authoring rights may be arbitrarily and flexibly delegated. In an example implementation, making an authorization decision based on a composed effective policy is described. In another example implementation, the delegation of policy authoring rights using an assertion in accordance with a security language is described. In yet another example implementation, a security authorization system is described that includes a mechanism enabling an administrator to explicitly grant all or a part of policy authoring rights to another administrator.

123 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a resource request that is directed to a resource;
  
  retrieving a trust policy that is authored by principal A, the trust policy associated with the resource;
  
  retrieving a resource access policy that is authored by principal B, the resource authorization policy associated with the resource;
  
  combining the trust policy and the resource access policy into a composed effective policy; and
  
  making an authorization decision responsive to the resource request and based on the composed effective policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising:
    - retrieving a delegation policy that is authored by principal C, the delegation policy associated with the resource;
      
      wherein the combining comprises;
      
      combining the delegation policy into the composed effective policy.
  - 3. The method as recited in claim 1, further comprising:
    - retrieving an audit policy that is authored by principal D, the audit policy associated with the resource;
      
      wherein the combining comprises;
      
      combining the audit policy into the composed effective policy.
  - 4. The method as recited in claim 1, further comprising:
    - delegating, by an administrator, a right to author the trust policy to the principal A; and
      
      delegating, by the administrator, a right to author the resource access policy to the principal B.
  - 5. The method as recited in claim 1, further comprising:
    - delegating, by a first administrator, a right to author the trust policy to the principal A; and
      
      delegating, by a second administrator, a right to author the resource access policy to the principal B.
  - 6. The method as recited in claim 1, wherein the trust policy identifies a security token service (STS) that is empowered to assert that principals possesses one or more attributes;
    - and wherein the resource access policy specifies at least one attribute that a principal must possess to access the resource.
  - 7. The method as recited in claim 1, wherein the trust policy is authored by the principal A using a security language, and the resource access policy is also authored by the principal B using the security language;
    - and wherein the combining is enabled by the security language.

8. A method comprising:
- delegating, by an entity to an administrator A, a portion PA of policy authoring rights with respect to a resource; and
  
  delegating, by the entity to an administrator B, a portion PB of the policy authoring rights with respect to the resource;
  
  wherein each delegating is effected using at least one assertion issued by the entity in accordance with a security language, the at least one assertion including a delegation-directive verb.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as recited in claim 8, further comprising:
    - issuing, by the administrator A, a first authorization policy that is directed to the portion PA of the policy authoring rights with respect to the resource; and
      
      issuing, by the administrator B, a second authorization policy that is directed to the portion PB of the policy authoring rights with respect to the resource.
  - 10. The method as recited in claim 8, wherein:
    - the portions PA and PB relate to different parts of the resource;
      
      the portions PA and PB relate to different actions that may be taken with regard to the resource;
      
      the portions PA and PB relate to different policy categories that may exist with regard to security polices about the resource;
      
      orthe portions PA and PB relate to different groups of principals that may access the resource.
  - 11. The method as recited in claim 8, wherein the portion PA relates to actions that may be taken on the resource, and the portion PB relates to identifying types of principals that may access the resource.
  - 12. The method as recited in claim 8, further comprising:
    - delegating, by the entity to an administrator C, a portion PC of the policy authoring rights with respect to the resource; and
      
      wherein the three delegating actions enable the entity to separate duties with respect to the resource among the three different administrators A, B, and C.
  - 13. The method as recited in claim 8, wherein the portion PA of the policy authoring rights comprises delegation rights with respect to the resource;
    - andwherein the method further comprises;
      
      delegating, by the administrator A to a sub-administrator, a particular part of the portion PA of the policy authoring rights with respect to the resource.
  - 14. The method as recited in claim 13, farther comprising:
    - issuing, by the sub-administrator, a policy directed to the particular part of the portion PA of the policy authoring rights with respect to the resource;
      
      receiving a resource request that is directed to the resource;
      
      combining policy assertions from the entity, the administrator A, and the sub-administrator into a composed effective policy; and
      
      making an authorization decision responsive to the resource request and based on the composed effective policy.

15. A security authorization system comprising policy authoring rights on at least one resource and a security language;
- wherein the security language includes a mechanism enabling an administrator to explicitly grant all or a part of the policy authoring rights to another administrator so as to allow the other administrator to make policy assertions about the at least one resource; and
  
  wherein the mechanism comprises a delegation-directive verb.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The security authorization system as recited in claim 15, wherein each policy assertion includes at least one variable representing a principal, at least one variable representing a resource, or at least one variable representing an action on a resource.
  - 17. The security authorization system as recited in claim 15, further comprising an application programming interface (API) that accepts the policy assertions.
  - 18. The security authorization system as recited in claim 15, wherein the mechanism comprises an assertion that comports with the following:
    - assertor says delegation-fact if fact₁, fact₂, . . . , fact_n, constraints_{1 . . . m}, in which (i) fact_{1 . . . n}and constraints_{1 . . . m}are optional in each assertion and (ii) the “
      
      delegation fact”
      
      delegates at least one policy authoring right and comports with;
      
      principal delegation-directive-verb delegated-fact.
  - 19. The security authorization system as recited in claim 15, wherein each policy assertion is monotonic such that each assertion adds one or more rights.
  - 20. The security authorization system as recited in claim 15, further comprising a policy composition mechanism that combines multiple authorization policies that are associated with a given resource into a composed effective authorization policy that may be used in an authorization decision regarding the given resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., LaMacchia, Brian A., Fee, Gregory D.

Application Number

US11/530,543
Publication Number

US 20080066147A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6236   between heterogeneous systems

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

Composable Security Policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Composable Security Policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links