ACCESS CONTROL BASED ON PROGRAM PROPERTIES
Abstract
A pattern matching access control system determines whether a principal should be granted access to use a resource based on properties of applications comprised by the principal. The principal name may be created when an application is loaded, invokes other applications (or programs) and/or assumes a new role context. Access is provided based on whether, for each application, the publisher is authorized by system policy to grant privilege as requested by the application. When a resource which requires the privilege is requested by a principal, an access control list (ACL) for the resource is expanded with a list of applications that have been authorized through their publisher to assert the privilege. The expanded ACL is compared to the principal name to determine resource access.
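The mechanism the abstract (and independent claims 1, 10 and 19 below) describes, worked through as an added Python model that is not code from the patent or its assignee: application manifests, a system policy saying which privileges each publisher may grant, the per-privilege disjunction of authorized application names, and the expansion of a resource's access control pattern before it is matched against a principal name. Every application, publisher and resource name is constructed for the example, and the `$priv` placeholder syntax, the `/` separator between applications in a principal name and the `*` wildcard are assumptions of this example rather than the patent's notation.

```python
import re
from typing import Dict, List, Mapping, Sequence, Set

# Constructed sample manifests (hypothetical applications and publishers).
MANIFESTS: List[Dict] = [
    {"name": "sysconfig", "publisher": "OS Vendor", "privileges": ["config.write", "log.read"]},
    {"name": "logviewer", "publisher": "Tools Inc", "privileges": ["log.read"]},
    {"name": "launcher", "publisher": "OS Vendor", "privileges": []},
    # Asserts privileges that its publisher is not authorised by policy to grant.
    {"name": "dodgy-tool", "publisher": "Unknown Pub", "privileges": ["config.write", "log.read"]},
]

# System policy (constructed): privileges each publisher may grant to its applications.
PUBLISHER_POLICY: Dict[str, Set[str]] = {
    "OS Vendor": {"config.write", "log.read"},
    "Tools Inc": {"log.read"},
}

# Access control patterns on resources (constructed). "$priv" is a privilege
# sub-expression, "*" stands for any chain of application names, and "/"
# separates the applications making up a principal name (outermost first).
RESOURCE_ACLS: Dict[str, str] = {
    "/etc/system.conf": "$config.write",
    "/var/log/syslog": "launcher/$log.read",
    "/tmp/scratch": "*",
    "/dev/net-admin": "$net.admin",  # no publisher may grant this privilege
}


def build_application_patterns(manifests: Sequence[Mapping],
                               policy: Mapping[str, Set[str]]) -> Dict[str, List[str]]:
    """For each privilege, the disjunction (list) of application names that
    assert it in their manifest AND whose publisher the policy allows to grant it."""
    patterns: Dict[str, List[str]] = {}
    for m in manifests:
        granted = policy.get(m["publisher"], set())
        for priv in m["privileges"]:
            if priv in granted:
                patterns.setdefault(priv, []).append(m["name"])
    return patterns


_TOKEN = re.compile(r"\$([\w.]+)|(\*)|([^$*]+)")
_NAME = r"[^/]+"  # one application name inside a principal name


def expand_pattern(pattern: str, app_patterns: Mapping[str, Sequence[str]]) -> str:
    """Replace each privilege sub-expression with the disjunction of authorised
    application names and return the expanded pattern as an anchored regex."""
    parts = []
    for tok in _TOKEN.finditer(pattern):
        priv, star, literal = tok.groups()
        if priv is not None:
            names = app_patterns.get(priv, [])
            # An empty disjunction must match nothing, not everything.
            parts.append("(?:" + "|".join(map(re.escape, names)) + ")" if names else "(?!)")
        elif star is not None:
            parts.append(_NAME + "(?:/" + _NAME + ")*")
        else:
            parts.append(re.escape(literal))
    return "^" + "".join(parts) + "$"


def check_access(principal_name: str, resource: str,
                 manifests: Sequence[Mapping] = MANIFESTS,
                 policy: Mapping[str, Set[str]] = PUBLISHER_POLICY,
                 acls: Mapping[str, str] = RESOURCE_ACLS) -> bool:
    """Decide whether a principal (a '/'-joined chain of application names)
    may use the resource. Resources without an ACL pattern are denied."""
    if resource not in acls:
        return False
    app_patterns = build_application_patterns(manifests, policy)
    regex = expand_pattern(acls[resource], app_patterns)
    return re.fullmatch(regex, principal_name) is not None


if __name__ == "__main__":
    for principal, resource in [("sysconfig", "/etc/system.conf"),
                                ("dodgy-tool", "/etc/system.conf"),
                                ("launcher/logviewer", "/var/log/syslog"),
                                ("launcher/dodgy-tool", "/var/log/syslog")]:
        print(f"{principal:22} -> {resource:18} {'ALLOW' if check_access(principal, resource) else 'DENY'}")
```

The point to notice is where the publisher check bites: `dodgy-tool` asserts `config.write` in its manifest, but its publisher is not authorized by policy to grant that privilege, so the application never enters the disjunction and any principal containing it fails to match. A privilege no publisher may grant expands to a regex that can never match rather than to an empty alternative, which is the failure mode a naive string substitution would get wrong.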
20 Claims
1. A computer implemented method, comprising:
generating a disjunction of application names based on manifests associated with one or more applications and a publisher for each of the one or more applications;
receiving a request for a resource from a principal associated with a requesting application;
retrieving an access control pattern associated with the resource;
identifying a privilege sub-expression in the access control pattern;
expanding the privilege sub-expression in the access control pattern with the disjunction of application names; and
matching the expanded access control pattern to the principal name.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9)

10. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising:
determining an application asserts at least one privilege;
determining the publisher of the application;
accessing an access control pattern for the privilege;
comparing the application publisher to the access control pattern for the privilege; and
adding the application to an application pattern for the privilege based on said step of comparing.
(Dependent claims 11, 12, 13, 14, 15, 16, 17, 18)

19. A computer implemented method, comprising:
generating an application list comprising a disjunction of application names, wherein said step of generating includes:
accessing a manifest associated with an application which comprises at least a portion of the principal,
identifying one or more privileges asserted by the application according to the manifest, and
confirming that a publisher of the application may grant the privileges asserted in the manifest to the application;
receiving a request for a resource from a principal associated with a requesting application;
retrieving an access control pattern associated with the resource;
identifying a group in the access control pattern;
expanding the group in the access control pattern with the application list;
comparing each disjunction application name in the expanded access control pattern to the principal name; and
determining if the principal name is a match for one of the disjunction application names.
(Dependent claim 20)
Specification