ACCESS CONTROL POLICY IN A WEAKLY-COHERENT DISTRIBUTED COLLECTION

US 20080320299A1
Filed: 06/20/2007
Published: 12/25/2008
Est. Priority Date: 06/20/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of implementing an access control policy on a weakly-coherent distributed collection, the method comprising the steps of:

(a) generating one or more certificates creating one or more access control rights with respect to one or more replicas and items in the weakly-coherent distributed collection, said step (a) of generating one or more certificates including the step of creating one or more namespaces to subdivide the rights associated with different replicas; and

(b) allowing revocation but not modification of the one or more certificates by a collection manager and/or one or more replicas granted authority to revoke the one or more certificates.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed for creating and implementing an access control policy framework in a weakly coherent distributed collection. A collection manager may sign certificates forming equivalence classes of replicas that share a specific authority. The collection manager and/or certain privileged replicas may issue certificates that delegate authority for control of item policy and replica policy. Further certificates may be signed that create one or more items, set policy for these one or more items, and define a set of operations authorized on the one or more items. The certificates issued according to the present system for creating and implementing a control policy framework cannot be modified or simply overridden. Once a policy certificate is issued, it may only be revoked by the collection manager or by a replica having revocation authority.

115 Citations

View as Search Results

20 Claims

1. A computer implemented method of implementing an access control policy on a weakly-coherent distributed collection, the method comprising the steps of:
- (a) generating one or more certificates creating one or more access control rights with respect to one or more replicas and items in the weakly-coherent distributed collection, said step (a) of generating one or more certificates including the step of creating one or more namespaces to subdivide the rights associated with different replicas; and
  
  (b) allowing revocation but not modification of the one or more certificates by a collection manager and/or one or more replicas granted authority to revoke the one or more certificates.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A computer implemented method as recited in claim 1, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of generating one or more equivalence classes of replicas, each class of the one or more equivalence classes having a different authority.
  - 3. A computer implemented method as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of privileged replicas having the authority to define access control policy for one or more replicas and items.
  - 4. A computer implemented method as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of modifier replicas having the authority to update versions of items.
  - 5. A computer implemented method as recited in claim 4, wherein the class of modifier replicas do not have authority to define access control policy for replicas or items.
  - 6. A computer implemented method as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of synchronization replicas having the authority to synchronize with other replicas.
  - 7. A computer implemented method as recited in claim 6, wherein the class of synchronization replicas do not have authority to update versions of items and do not have the authority to define access control policy for replicas or items.
  - 8. A computer implemented method as recited in claim 1, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of generating one or more items and assigning responsibility for setting policy for the one or more items to the collection manager or replica creating the item.
  - 9. A computer implemented method as recited in claim 8, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of defining one or more operations which may be performed on the one or more items.
  - 10. A computer implemented method as recited in claim 9, wherein said step (a) of generating one or more operations which may be performed on the one or more items comprises the step of generating at least one of a right to modify the one or more items and a right to read the one or more items.

11. A computer implemented method of implementing an access control policy on a weakly-coherent distributed collection, the method comprising the steps of:
- (a) forming a plurality of classes of replicas, replicas in a given class of the plurality of classes sharing a specific authority with respect to operations on one or more replicas and items in the weakly-coherent distributed collection;
  
  (b) delegating authority for control of access control rights for one or more replicas and items in the weakly-coherent distributed collection to replicas in one or more of the plurality of classes formed in said step (a);
  
  (c) establishing access control rights applying to one or more replicas and items in the weakly-coherent distributed collection; and
  
  (d) applying access control policy to one or more items during a synchronization operation.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. A computer implemented method as recited in claim 11, further comprising the step of defining one or more namespaces to subdivide the rights associated with different replicas.
  - 13. A computer implemented method as recited in claim 11, further comprising the step of defining a default policy for replicas and/or items not expressly covered by an access control right established in said step (c).
  - 14. A computer implemented method as recited in claim 11, wherein said step (a) of forming a plurality of classes of replicas comprises the step of forming a first class of replicas having the authority to define access control policy for one or more replicas and items, a second class of replicas having the authority to update versions of items, and a third class of replicas having the authority to synchronize with other replicas.
  - 15. A computer implemented method as recited in claim 11, wherein said step (c) of establishing access control rights applying to one or more replicas and items in the weakly-coherent distributed collection comprises the step of issuing certificates defining the access control rights, wherein the issued certificates can be revoked but not modified.
  - 16. A computer implemented method as recited in claim 15, wherein the certificates are issued by a collection manager and/or by a replica in the first class of replicas having received authority from the collection manager to issue certificates.

17. A weakly-coherent distributed collection having an access control policy, the collection comprising:
- a collection manager for issuing certificates defining access control policy, the collection manager capable of delegating authority for issuing certificates defining access control policy;
  
  a plurality of replicas, a first group of one or more replicas of the plurality of replicas having authority delegated from the collection manager to issue certificates defining access control policy;
  
  a plurality of items generated by the plurality of replicas; and
  
  a synchronization protocol for synchronizing the plurality of items between the plurality of replicas;
  
  wherein at least one of the collection manager and the first group of replicas issuing certificates defining access control policy for the plurality of replicas and plurality of items, wherein the certificates issued can be revoked but not modified.
- View Dependent Claims (18, 19, 20)
- - 18. A weakly-coherent distributed collection as recited in claim 17, further comprising a second group of one or more replicas of the plurality of replicas having authority delegated from the collection manager to update the plurality of items.
  - 19. A weakly-coherent distributed collection as recited in claim 17, wherein the access control policy is propagated to the plurality of replicas by the synchronization protocol.
  - 20. A weakly-coherent distributed collection as recited in claim 17, wherein, upon a first replica of the plurality of replicas synchronizing with a second replica of the plurality of replicas, the access control policy known to the second replica is applied to the first replica prior to the first replica learning of versions of the plurality of items from the second replica.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rodeheffer, Thomas L., Abadi, Martin, Wobber, Edward P.

Granted Patent

US 8,505,065 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 16/273   Asynchronous replication or...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 9/12   Transmitting and receiving ...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

ACCESS CONTROL POLICY IN A WEAKLY-COHERENT DISTRIBUTED COLLECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

ACCESS CONTROL POLICY IN A WEAKLY-COHERENT DISTRIBUTED COLLECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others