RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM

US 20090222881A1
Filed: 06/27/2008
Published: 09/03/2009
Est. Priority Date: 02/29/2008
Status: Active Grant

First Claim

Patent Images

1. In a computing system, a method of enforcing access control, the method comprising:

receiving a request for an operation on one or more objects stored on computer readable media;

determining one or more pre-operation states of the one or more objects when the operation is requested;

determining one or more post-operation states of the one or more objects after the operation is performed on the one or more objects;

referencing one or more access control rules, the access control rules controlling access to resources based on pre-operation state and post operation state, and determining that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states;

based on determining that the one or more access control rules allow the operation to succeed, allowing the operation to succeed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.

18 Citations

View as Search Results

20 Claims

1. In a computing system, a method of enforcing access control, the method comprising:
- receiving a request for an operation on one or more objects stored on computer readable media;
  
  determining one or more pre-operation states of the one or more objects when the operation is requested;
  
  determining one or more post-operation states of the one or more objects after the operation is performed on the one or more objects;
  
  referencing one or more access control rules, the access control rules controlling access to resources based on pre-operation state and post operation state, and determining that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states;
  
  based on determining that the one or more access control rules allow the operation to succeed, allowing the operation to succeed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the access control rules are pre-specified by an administrator.
  - 3. The method of claim 1, wherein at least a portion of the one or more access control rules are reflexive such that determining that the one or more access control rules allow the operation to succeed further comprises determining that a particular requester is authorized to perform an operation on the resources based on a dynamic definition of the requester based on a relationship of the requester and a target resource object.
  - 4. The method of claim 2, wherein access rules are pre-specified by an administrator using a system that performs the following:
    - displaying in a graphical user interface a model of an object in a first state;
      
      displaying in the graphical user interface a model of the object in a second state; and
      
      receiving user input linking the model of the object in the first state to the model of the object in the second state so as to create a state based access control rule based the first and second state.
  - 5. The method of claim 4, wherein the system receives user input at the graphical user interface specifying principals or entities for the access control rules.
  - 6. The method of claim 4, wherein the system receives user input at the graphical user interface specifying one or more operations for the access control rules.
  - 7. The method of claim 4, wherein the system stores the state based access control rule for later use in access control verification.
  - 8. The method of claim 6, wherein the first state is a state prior to the operations occurring and the second state is a state after the operations occur.
  - 9. The method of claim 1, wherein at least a portion of the control rules specify changes from a pre-operation state to a post-operation state that are allowed to occur.
  - 10. The method of claim 1, wherein at least a portion of the control rules specify changes from a pre-operation state to a post-operation state that are not allowed to occur.
  - 11. The method of claim 1, wherein receiving a request for an operation on one or more objects comprises receiving a request from an administrator to change objects associated with other users.
  - 12. The method of claim 1, wherein receiving a request for an operation on one or more objects comprises receiving a request from a user to change objects associated with the user themselves.
  - 13. The method of claim 1, wherein determining that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states comprises evaluating all rules in a pre-defined plurality of rules defined in a computing system before permissions are granted.
  - 14. The method of claim 1, wherein allowing the operation to succeed comprises committing the operation, such that one or more changes to the one or more objects are ratified such that subsequent requests for operations on the one or more objects are based on the operation after the one or more changes have been performed on the one or more objects.
  - 15. The method of claim 1, wherein determining one or more post-operation states of the one or more objects if the operation were allowed to succeed comprises calculating one or more post-operation states.
  - 16. The method of claim 1, wherein determining one or more post-operation states of the one or more objects if the operation were allowed to succeed comprises examining the one or more objects after the operation has been performed on the one or more objects.

17. In a computing environment, a method of defining access control rules, the method comprising:
- receiving user input at a computer implemented user interface selecting an operation to be performed on one or more objects;
  
  receiving user input at the computer implemented user interface selecting one or more pre-operation states of the one or more objects, the pre-operation states defining the state of the one or more objects when the operation is requested to be performed;
  
  receiving user input at the computer implemented user interface selecting one or more post-operation states of the one or more objects, wherein the one or more selected post operation states are operation states that the one or more objects would be in if the operation were allowed to succeed;
  
  defining one or more access control rules for the operation, the access control rules controlling access to resources, wherein defining access control rules comprises defining rules based on the one or more pre-operation states and the one or more post operation states; and
  
  storing the one or more access control rules, including information about the one or more pre operation states and the one or more post operation states, in a computer readable medium among a collection of access control rules.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17 further comprising receiving user input specifying one or more requesters that may perform operations as defined by the access control rules and based on conditions of the access control rules having been met.
  - 19. The method of claim 17 further comprising:
    - receiving user input specifying one or more tasks to be performed if conditions of the one or more access control rules are met; and
      
      storing the one or more tasks as part of the one or more access control rules.

20. In a computing environment, a computer readable medium comprising a computer readable data structure storing an access control rule for controlling operations performed on one or more resource, wherein the computer readable data structure comprises:
- a first field, wherein the first field comprises a listing of one or more operations that may be performed on the one or more resources by one or more principals when conditions for the access control rule are met;
  
  a second field, wherein the second field comprises a listing of the one or more principals, the one or more principals being entities to which the access control rule apples;
  
  a third field, wherein the third field comprises a listing of one or more attributes of the one or more resources, the attributes being attributes that the one or more principals perform the one or more operations on;
  
  a fourth field, wherein the fourth field comprises a listing of one or more pre-operation states defining one or more states of the one or more resources when a request to perform the one or more operations is made, wherein the one or more resources must be in the one or more pre-operation states prior to the request to perform the one or more operations is made for the conditions of the access control rule to be met;
  
  a fifth field, wherein the fifth field comprises a listing of one or more post-operation states defining one or more states of the one or more resources after and if the one or more operations are performed, wherein the one or more resources must be in the one or more pre-operation states after and if the one or more operations are performed for the conditions of the access control rule to be met;
  
  a sixth field, wherein the sixth field defines one or more tasks that are performed if the conditions of the access control rule are met.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Weinert, Alexander T., Meleshuk, Vadim, Kabat, Jack

Granted Patent

US 8,196,187 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links