DELEGATION IN LOGIC-BASED ACCESS CONTROL

US 20090165110A1
Filed: 12/21/2007
Published: 06/25/2009
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage media having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:

receiving a template that specifies one or more assertions;

obtaining a first token that satisfies a first one of said one or more assertions;

presenting, to a guard of the resource, (a) a set of one or more tokens that comprises said first token, and (b) an access request for a first principal to access the resource;

receiving access to said resource from said guard; and

accessing said resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.

84 Citations

View as Search Results

20 Claims

1. One or more computer-readable storage media having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:
- receiving a template that specifies one or more assertions;
  
  obtaining a first token that satisfies a first one of said one or more assertions;
  
  presenting, to a guard of the resource, (a) a set of one or more tokens that comprises said first token, and (b) an access request for a first principal to access the resource;
  
  receiving access to said resource from said guard; and
  
  accessing said resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The one or more computer-readable storage media of claim 1, wherein the method further comprises:
    - abducing said one or more assertions from information that comprises said access request.
  - 3. The one or more computer-readable storage media of claim 1, wherein said obtaining comprises:
    - consulting a token store that contains said first token;
      
      determining that said first token satisfies said first one of said one or more assertions; and
      
      retrieving said first token from said token store.
  - 4. The one or more computer-readable storage media of claim 1, wherein said obtaining comprises:
    - generating said first token and signing said first token with a key of a second principal, or requesting the token from a token authority.
  - 5. The one or more computer-readable storage media of claim 1, wherein said first one of said one or more assertions involves a variable, wherein said template specifies a constraint on a value of said variable, and wherein the method further comprises:
    - determining that said first token comprises a constant that satisfies said constraint.
  - 6. The one or more computer-readable storage media of claim 1, wherein said template specifies a constraint on a variable involved in said first one of said one or more assertions, said constraint being satisfiable with a set or range of values, and wherein the method further comprises:
    - choosing one of said values to substitute in said variable based on a principle.
  - 7. The one or more computer-readable storage media of claim 1, wherein said obtaining comprises:
    - determining, under a rule, that generating said first token on behalf of a second principal is acceptable;
      
      generating said first token; and
      
      signing said first token by, or on behalf of, said second principal.
  - 8. The one or more computer-readable storage media of claim 1, wherein said first token is received at a second principal, wherein said first token partially instantiates said template which constitutes a partially-instantiated template, and wherein the method further comprises:
    - communicating the partially-instantiated template to said second principal.

9. A method of facilitating access to a resource, the method comprising:
- receiving, from a first principal, a template that specifies a plurality of assertions and that further specifies a first token that satisfies a first one of said plurality of assertions;
  
  determining from the template that a second one of said plurality of assertions can be satisfied by a second token containing an assertion made by a second principal;
  
  retrieving or generating said second token;
  
  sending the guard of the resource an access request which includes the set of tokens which satisfy the template; and
  
  gaining access to the resource based on the request.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising:
    - abducing said plurality of assertions from information that comprises said access request and a policy under which a guard controls access to the resource.
  - 11. The method of claim 9, wherein said assertion involves a variable, wherein said template specifies a constraint on said variable, and wherein said determining comprises determining a constant that, when substituted in place of said variable in said assertion, satisfies said constraint.
  - 12. The method of claim 9, further comprising:
    - using a key of said second principal to sign said second token.
  - 13. The method of claim 9, further comprising:
    - using a rule to determine that said assertion may be made on behalf of said second principal.
  - 14. The method of claim 9, further comprising:
    - prior to said receiving, presenting said access request to a guard that controls access to the resource;
      
      receiving an indication of a failure to access the resource; and
      
      requesting that said template be generated.

15. A system comprising:
- one or more data remembrance components;
  
  a template stored in said one or more data remembrance components, said template specifying one or more assertions;
  
  one or more executable components that are stored in said one or more data remembrance components and that retrieve or generate a first token that satisfies a first one of said one or more assertions, and that create a first data structure that comprises one or more tokens that, together with an access request, allow a first principal to access a resource to be true under a policy, said one or more tokens comprising said first token; and
  
  a guard that evaluates said first data structure and determines whether to allow said first principal access to said resource based on said access request and said one or more tokens.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - a token store that stores a plurality of tokens, including said first token,wherein said one or more executable components comprise an assertion provider that makes a determination that said first token satisfies said first one of said one or more assertions and retrieves said first token from said token store based on said determination.
  - 17. The system of claim 15, wherein said first one of said one or more assertions involves a variable, wherein said template comprises a constraint on said variable, and wherein the system further comprises:
    - a constraint solver that finds a constant that satisfies said constraint to substitute in place of said variable.
  - 18. The system of claim 17, wherein there is a set or range of values that satisfy said constraint, and wherein said constraint solver chooses one or said values to substitute in place of said variable based on a principle.
  - 19. The system of claim 15, wherein said first token comprises an assertion made by a second principal, and wherein said one or more executable components provide said first data structure to a third principal that is able to provide, or has provided, a second token that satisfies a second one of said one or more assertions.
  - 20. The system of claim 15, wherein said one or more executable components generate said first token by signing said first token with a key associated with a second principle by whom, or on whose behalf, an assertion contained in said first token is made.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Leen, John M., Dillaway, Blair B., Becker, Moritz Y., Fee, Gregory D., Mackay, Jason F.

Granted Patent

US 8,607,311 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/6218 to a system of files or obj...

DELEGATION IN LOGIC-BASED ACCESS CONTROL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

DELEGATION IN LOGIC-BASED ACCESS CONTROL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others