INTEGRATED ACCESS AUTHORIZATION
Abstract
A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log. The facility may additionally determine whether the authorization query is a request for authorization to perform an inherently dangerous operation, and record an indication of an authorization to perform the inherently dangerous operation in the audit log.
26 Claims
1. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to access a resource;
- identify a principal requesting to access the resource;
- perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
- responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, and enter an entry into an audit log, the entry recording the denial of authorization, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to perform an operation on a computer;
- identify a principal requesting to perform the operation;
- perform an access control check to determine whether to allow authorization to perform the operation, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
- responsive to determining to allow authorization to perform the operation, determine whether the requested operation is an inherently dangerous operation; and
- responsive to determining that the requested operation is an inherently dangerous operation, enter an entry into an audit log, the entry recording the authorization to perform an inherently dangerous operation, such that the computer instructions are executed as an integral component of an operating system suitable for executing on the computer.
Dependent claims: 11
12-15. (canceled)
16. A computer-readable storage medium whose contents cause a computer to:
- receive an authorization query regarding a request to access a resource on a computer;
- perform a first access control check to determine whether to allow or deny authorization to access the resource;
- responsive to determining to allow authorization to access the resource based on the first access control check;
- identify a principal requesting access to the resource;
- perform a second access control check to determine whether to allow or deny authorization to access the resource, the second access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules;
- responsive to determining to allow authorization to access the resource, return an allow decision granting authorization to access the resource; and
- responsive to determining to deny authorization to access the resource, return a deny decision denying authorization to access the resource, such that the computer instructions for the second access control check are executed as an integral component of an operating system suitable for executing on the computer.
17. One or more computer memories collectively containing a centralized policy store, the centralized policy store comprising at least one policy, the policy comprising at least one rule having an indication of whether to activate learning mode for the rule, such that the indication of whether to activate learning mode is used to determine whether to apply the rule in processing an access control check to determine whether access to a resource is authorized.
18. A method in a computing system for auditing requests to access a resource, the method comprising:
- identifying a principal requesting to access a resource;
- performing an access control check to determine whether to deny or allow authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
- responsive to determining to deny authorization to access the resource, returning a deny decision denying authorization to access the resource, and entering an entry into an audit log, the entry recording the denial of authorization, such that the method is performed by an integral component of an operating system executing on the computing system.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
26-40. (canceled)
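The following sketch is an added example, not code from the patent or its assignee. It models the check described in the abstract and in claims 1, 10, 16 and 17: a per-principal policy lookup in a central store, an audit entry on every denial, an audit entry when an allowed operation is inherently dangerous, and a per-rule learning-mode flag. The glob matching, the default-deny and first-applied-rule-wins behaviour, the reading of learning mode as "record but do not apply", and all names (`Authorizer`, `Rule`, `svc-backup`, the dangerous-operation set) are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Assumption: which operations count as "inherently dangerous" is a constructed set.
DANGEROUS_OPS = {"load_driver", "write_raw_disk"}

@dataclass(frozen=True)
class Rule:
    resource: str           # glob pattern over resource names
    operation: str
    effect: str             # "allow" or "deny"
    learning: bool = False  # assumption: learning mode = record the match, do not apply it

@dataclass
class Authorizer:
    policies: dict                                  # centralized store: principal -> [Rule]
    audit_log: list = field(default_factory=list)

    def _audit(self, event, principal, operation, resource):
        self.audit_log.append({"event": event, "principal": principal,
                               "operation": operation, "resource": resource})

    def authorize(self, principal, operation, resource, first_check=None):
        # Two-stage shape of claim 16: the policy check runs only if a first check allows.
        if first_check is not None and not first_check(principal, operation, resource):
            return "deny"
        decision = "deny"  # assumption: no applicable rule means deny
        for rule in self.policies.get(principal, []):
            if rule.operation != operation or not fnmatch(resource, rule.resource):
                continue
            if rule.learning:
                self._audit("learning:would-" + rule.effect, principal, operation, resource)
                continue
            decision = rule.effect  # assumption: first applied rule wins
            break
        if decision == "deny":
            self._audit("deny", principal, operation, resource)
        elif operation in DANGEROUS_OPS:
            self._audit("allow-dangerous", principal, operation, resource)
        return decision

# Constructed sample policy for a hypothetical principal "svc-backup".
STORE = {"svc-backup": [
    Rule("/etc/*", "write", "deny", learning=True),
    Rule("/*", "write", "allow"),
    Rule("raw-disk0", "write_raw_disk", "allow"),
]}

def demo():
    az = Authorizer(STORE)
    results = [az.authorize("svc-backup", "write", "/etc/hosts"),
               az.authorize("svc-backup", "write_raw_disk", "raw-disk0"),
               az.authorize("svc-backup", "read", "/etc/shadow")]
    return results, [e["event"] for e in az.audit_log]
```

In `demo()`, the learning-mode deny rule leaves the write to `/etc/hosts` allowed but records what enforcing it would have blocked, which is the signal an operator reviews before switching the rule to enforcement.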
Specification