SECURING RESOURCE STORES WITH CLAIMS-BASED SECURITY
Abstract
The present invention extends to methods, systems, and computer program products for securing resource stores with claims-based security. From policy information, a resource store populates a security table of permissions. The permissions authorize resource access based on received claims. Sessions submit claims to the resource store. The resource store accumulates claims for a session into a claims list. From the claims list and the security table, the resource store filters out a subset of metadata including resource IDs for resources the session is authorized to access. Since the metadata corresponds to the session, any application using the session is given similar access to resources at the resource store.
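
The flow in the abstract, as an added example that is not taken from the patent or any product: a policy populates a security table, tokens add claims to a per-session claims list, and the metadata table is filtered to the resource IDs the session may access. The flat `security` schema, the table and function names, and the sample rows are assumptions constructed for illustration; tokens are assumed to have been validated before `submit_token` is called.

```python
import sqlite3

# Constructed sample policy: (claim_type, claim_value, operation, resource_type).
POLICY = [
    ("role", "clinician", "read", "patient_record"),
    ("role", "clinician", "update", "patient_record"),
    ("role", "billing", "read", "invoice"),
    ("dept", "audit", "read", "invoice"),
    ("dept", "audit", "read", "patient_record"),
]
# Constructed metadata table: resource identifier -> resource type.
METADATA = [(1, "patient_record"), (2, "invoice"),
            (3, "patient_record"), (4, "audit_log")]


def open_store():
    """Build the resource store and populate its security table from policy."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE security (claim_type TEXT, claim_value TEXT,
                               operation TEXT, resource_type TEXT);
        CREATE TABLE metadata (resource_id INTEGER PRIMARY KEY,
                               resource_type TEXT);
        CREATE TABLE claims_list (session_id TEXT, claim_type TEXT,
                                  claim_value TEXT,
                                  UNIQUE (session_id, claim_type, claim_value));
    """)
    db.executemany("INSERT INTO security VALUES (?, ?, ?, ?)", POLICY)
    db.executemany("INSERT INTO metadata VALUES (?, ?)", METADATA)
    return db


def submit_token(db, session_id, token_claims):
    """Accumulate the claims of one validated token into the session's list."""
    db.executemany("INSERT OR IGNORE INTO claims_list VALUES (?, ?, ?)",
                   [(session_id, t, v) for t, v in token_claims])


def visible_resources(db, session_id, operation):
    """Filter metadata to resource IDs whose type the session may access."""
    rows = db.execute("""
        SELECT DISTINCT m.resource_id
        FROM metadata m
        JOIN security s ON s.resource_type = m.resource_type
        JOIN claims_list c ON c.claim_type = s.claim_type
                          AND c.claim_value = s.claim_value
        WHERE c.session_id = ? AND s.operation = ?
        ORDER BY m.resource_id""", (session_id, operation))
    return [r[0] for r in rows]
```

Because access is computed by joining against the security table, a resource type with no matching permission (here `audit_log`) and a session with no claims both yield an empty result.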
20 Claims
1. At a computer system, a method for securing a resource store, the method comprising:
- an act of receiving policy information for the resource store;
- an act of deriving permissions for accessing secured resources in the resource store from the received policy information, the permissions defining secured operations that can be performed on secured resources in the resource store based on received identity information, the permissions derived from:
  - a secured operations table defining the secured operations that are possible for the resource store;
  - a secured resources table defining the secured resources within the resource store, each secured resource being of a specified resource type, from among a plurality of different resource types; and
  - each of the plurality of different resource types defined in a secured resource types table;
- an act of receiving identity information for a session connected to the resource store, the identity information accumulated from one or more claims submitted to the resource store on behalf of the session;
- an act of determining the resource types that the session can access based on the derived permissions and the received identity information;
- an act of accessing a metadata table that maps secured resource identifiers to corresponding resource types; and
- an act of filtering the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types the session can access.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. At a computer system, a method for providing secure access to resources in a resource store, the method comprising:
- an act of receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
- an act of referring to a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identity information for the session;
- an act of referring to a security table at the resource store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
- an act of determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list; and
- an act of performing the requested operation for any secured resources of the specified type contained in the resource store.
Dependent claims: 11, 12, 13, 14, 15
16. At a computer system, a method for providing secure access to data in a database, the method comprising:
- an act of receiving policy information for the database;
- an act of deriving permissions for accessing secured data in the database from the received policy information, the permissions defining secured operations that can be performed on secured data in the database based on received identity information, the permissions derived from:
  - a secured operations table defining the secured operations that are possible for the database;
  - a secured resources table defining the secured portions of data within the database, each portion of data having a specified data type, from among a plurality of different data types; and
  - each of the plurality of different data types defined in a secured data types table;
- an act of storing the derived permissions in a security table at the database;
- an act of receiving one or more security tokens for a session connected to the database, each token containing claims that assert identity information for the session;
- an act of accumulating the claims for the session into a claims list;
- an act of receiving a data request over the session, the data request to perform an operation on secured data of a specified data type contained in the database;
- an act of referring to the security table to determine that the session is authorized to perform the requested operation on secure data of the specified data type based on the claims contained in the claims list;
- an act of accessing a metadata table at the database that maps identifiers for secured data to corresponding data types;
- an act of filtering the metadata table into a subset of metadata that includes identifiers for secured data of the specified data type;
- an act of using the identifiers to access secured data of the specified data type from the database; and
- an act of performing the requested operation on the accessed secure data.
Dependent claims: 17, 18, 19, 20
Specification