RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM
First Claim
1. In a computing system, a method of enforcing access control, the method comprising:
- receiving a request for an operation on one or more objects stored on computer readable media;
determining one or more pre-operation states of the one or more objects when the operation is requested;
determining one or more post-operation states of the one or more objects after the operation is performed on the one or more objects;
referencing one or more access control rules, the access control rules controlling access to resources based on pre-operation state and post operation state, and determining that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states;
based on determining that the one or more access control rules allow the operation to succeed, allowing the operation to succeed.
2 Assignments
0 Petitions
Accused Products
Abstract
Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.
18 Citations
20 Claims
-
1. In a computing system, a method of enforcing access control, the method comprising:
-
receiving a request for an operation on one or more objects stored on computer readable media; determining one or more pre-operation states of the one or more objects when the operation is requested; determining one or more post-operation states of the one or more objects after the operation is performed on the one or more objects; referencing one or more access control rules, the access control rules controlling access to resources based on pre-operation state and post operation state, and determining that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states; based on determining that the one or more access control rules allow the operation to succeed, allowing the operation to succeed. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. In a computing environment, a method of defining access control rules, the method comprising:
-
receiving user input at a computer implemented user interface selecting an operation to be performed on one or more objects; receiving user input at the computer implemented user interface selecting one or more pre-operation states of the one or more objects, the pre-operation states defining the state of the one or more objects when the operation is requested to be performed; receiving user input at the computer implemented user interface selecting one or more post-operation states of the one or more objects, wherein the one or more selected post operation states are operation states that the one or more objects would be in if the operation were allowed to succeed; defining one or more access control rules for the operation, the access control rules controlling access to resources, wherein defining access control rules comprises defining rules based on the one or more pre-operation states and the one or more post operation states; and storing the one or more access control rules, including information about the one or more pre operation states and the one or more post operation states, in a computer readable medium among a collection of access control rules. - View Dependent Claims (18, 19)
-
-
20. In a computing environment, a computer readable medium comprising a computer readable data structure storing an access control rule for controlling operations performed on one or more resource, wherein the computer readable data structure comprises:
-
a first field, wherein the first field comprises a listing of one or more operations that may be performed on the one or more resources by one or more principals when conditions for the access control rule are met; a second field, wherein the second field comprises a listing of the one or more principals, the one or more principals being entities to which the access control rule apples; a third field, wherein the third field comprises a listing of one or more attributes of the one or more resources, the attributes being attributes that the one or more principals perform the one or more operations on; a fourth field, wherein the fourth field comprises a listing of one or more pre-operation states defining one or more states of the one or more resources when a request to perform the one or more operations is made, wherein the one or more resources must be in the one or more pre-operation states prior to the request to perform the one or more operations is made for the conditions of the access control rule to be met; a fifth field, wherein the fifth field comprises a listing of one or more post-operation states defining one or more states of the one or more resources after and if the one or more operations are performed, wherein the one or more resources must be in the one or more pre-operation states after and if the one or more operations are performed for the conditions of the access control rule to be met; a sixth field, wherein the sixth field defines one or more tasks that are performed if the conditions of the access control rule are met.
-
Specification