Authorization Decisions with Principal Attributes

US 20080066158A1
Filed: 09/08/2006
Published: 03/13/2008
Est. Priority Date: 09/08/2006
Status: Abandoned Application

First Claim

Patent Images

1. A system implementing a security scheme having a unified principal-to-attribute binding mechanism, the system comprising token assertions that can utilize the unified principal-to-attribute binding mechanism and policy assertions that can utilize the unified principal-to-attribute binding mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authorization descisions may be made based on principal attributes. In an example implementation, a security scheme has a principal-to-attribute binding mechanism that is unified across both token assertions and policy assertions. In another example implementation, conditional access to a resource is based on a principal simultaneously possessing multiple attributes. In yet another example implementation, a principal may be granted access to a resource if the principal possesses at least one value that is included in a defined subset of values for a given attribute.

119 Citations

View as Search Results

20 Claims

1. A system implementing a security scheme having a unified principal-to-attribute binding mechanism, the system comprising token assertions that can utilize the unified principal-to-attribute binding mechanism and policy assertions that can utilize the unified principal-to-attribute binding mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system as recited in claim 1, wherein the token assertions are used by resource access requestors to provide authentication, and wherein policy assertions are used by resource protectors to indicate access rights to resources.
  - 3. The system as recited in claim 1, wherein the unified principal-to-attribute binding mechanism comprises a fact that comports with a form of:
    - principal possess-verb attribute-object.
  - 4. The system as recited in claim 3, wherein the attribute-object portion of the principal-to-attribute binding mechanism can comprise a single attribute or an attribute set.
  - 5. The system as recited in claim 3, wherein the attribute-object is encoded as at least one name-value pair.
  - 6. The system as recited in claim 1, wherein each token assertion that includes a principal-to-attribute binding mechanism comprises a statement indicating that an asserter believes a principal-to-attribute binding to be true;
    - and wherein each policy assertion that includes a principal-to-attribute binding mechanism comprises a statement indicating that a fact is true if a particular principal-to-attribute binding is true.
  - 7. The system as recited in claim 1, wherein each principal-to-attribute binding mechanism is capable of expressing a binding between a principal and an attribute;
    - and wherein the attribute is selected from a group of attributes comprising;
      
      email name, common name, group name, role title, account name, domain name server/service (DNS) name, internet protocol (IP) address, device name, application name, organization name, service name, and account identification/identifier (ID).
  - 8. The system as recited in claim 1, wherein the security scheme further enables a given authorization policy to be declared equivalently valid for principals possessing any one or more attribute values from among a group of defined attribute values.

9. A device that protects a resource and provides conditional access to the resource based on a principal simultaneously possessing multiple predetermined attributes.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The device as recited in claim 9, wherein the device enforces an authorization policy indicating that the principal can access the resource if the principal possesses at least a first predetermined attribute and a second predetermined attribute.
  - 11. The device as recited in claim 10, wherein the authorization policy utilizes a unified principal-to-attribute binding mechanism;
    - and wherein the device processes token assertions that utilize the unified principal-to-attribute binding mechanism.
  - 12. The device as recited in claim 10, wherein the device attempts to deduce one or more valid assertions that indicate that the principal possesses the first predetermined attribute and that the principal possesses the second predetermined attribute.
  - 13. The device as recited in claim 9, wherein the conditional access is expressed in an assertion that comports with a form of:
    - assertor says principal access resource if principal possess
      
      {(attribute name₁, attribute value₁), (attribute name₂,
      
      attribute value₂), ..., (attribute name_s, attribute value_s)} ,
      
      where “
      
      s”
      
      represents an integer of two or greater.
  - 14. The device as recited in claim 9, wherein one or more of the multiple predetermined attributes is defined by a group of attributes in which a subset of a universe of possible values for a given attribute is described using at least one pattern.
  - 15. The device as recited in claim 9, wherein the device further provides conditional access based on whether a principal possesses one or more attribute values of a defined subset of potential values of a given attribute.

16. A method comprising:
- for an authorization policy on a resource, defining a subset of values from among a total set of potential values for a given attribute, the defined subset of values including at least two values;
  
  receiving an access request from a principal that is directed to the resource;
  
  in response to the access request, determining if the principal possesses at least one value that is included in the defined subset of values for the given attribute; and
  
  if the principal is determined to possess at least one value that is included in the defined subset of values for the given attribute, granting the principal access to the resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, further comprising:
    - if the principal is not determined to possess at least one value that is included in the defined subset of values for the given attribute, denying the principal access to the resource.
  - 18. The method as recited in claim 16, wherein the defining, the determining, and the granting are performed based on at least one policy assertion created for the authorization policy.
  - 19. The method as recited in claim 18, wherein the at least one policy assertion is expressed in a form that comports with:
    - assertor says principal access resource if principal possess
      
      given_attribute=group and group matches
      
      (defined_subset_of_values) ,
      
      wherein the given attribute corresponds to “
      
      given_attribute” and
      
      the defined subset of values for the given attribute corresponds to “
      
      defined _subset_of_values”
      
      .
  - 20. The method as recited in claim 16, further comprising:
    - establishing multiple attributes that a principal must simultaneously possess to be granted access to another resource;
      
      receiving from another principal another access request that is directed to the other resource;
      
      in response to the other access request, determining if the other principal simultaneously possesses each attribute multiple attributes; and
      
      if the other principal is determined to simultaneously possesses each attribute of the multiple attributes, granting the other principal access to the other resource, otherwise denying access to the other resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., LaMacchia, Brian A.

Application Number

US11/530,429
Publication Number

US 20080066158A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Authorization Decisions with Principal Attributes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization Decisions with Principal Attributes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links