Web Management Authorization and Delegation Framework

US 20100186082A1
Filed: 01/16/2009
Published: 07/22/2010
Est. Priority Date: 01/16/2009
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method comprising, receiving a request to authorize a non-administrative user to perform an administrative action, accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, and if so, providing credentials that allow the non-administrative user to perform the administrative action.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a technology in which a non-administrator computer/web user is allowed to perform an administrative-level task within a certain context and/or scope. An authorization store is queried based on information (e.g., a provider, a username, and a path) provided with an authorization request, e.g., from an application via an API. The information in the authorization store, set up by an administrator, determines the administrative action is allowed. If so, a credential store provides credentials that allow the action to be runs before reverting the user to the prior set of credentials. Also described is a pluggable provider model through which the authorization store and/or delegation store are accessed, whereby the data maintained therein can be any format and/or at any location known to the associated provider.

99 Citations

View as Search Results

20 Claims

1. In a computing environment, a method comprising, receiving a request to authorize a non-administrative user to perform an administrative action, accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, and if so, providing credentials that allow the non-administrative user to perform the administrative action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein providing the credentials comprises accessing a delegation store.
  - 3. The method of claim 2 wherein the delegation store provides credentials for running the action as a process, running the action as a current user, or running the action as a specific user.
  - 4. The method of claim 1 wherein accessing the authorization store comprises communicating through a provider associated with that authorization store.
  - 5. The method of claim 4 wherein the request identifies the provider, a username, and a path.
  - 6. The method of claim 4 wherein receiving the request comprises handling an API call.
  - 7. The method of claim 1 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises evaluating whether all users are denied, and if not, evaluating whether the user is denied, and if not, evaluating whether the user is allowed, and if not, evaluating whether a role associated with the user is denied, and if not, evaluating whether the role associated with the user is allowed, and if not, evaluating whether all users are allowed.
  - 8. The method of claim 1 further comprising running the administrative action, and when complete, returning the user to a set of credentials that were associated with that user prior to running the administrative action.
  - 9. The method of claim 1 further comprising, defining an authorization scope for authorizing the user based on a regular expression, a database connection string or a file system path.

10. In a computing environment, a system comprising, a rule engine that receives a request to authorize a non-administrative user to perform an administrative action, an authorization store coupled to the rules engine that provides information that corresponds to users and specified actions associated with those users, the rules engine configured to determine whether the non-administrative user is allowed to perform the administrative action, and if so, the rules engine configured to obtain providing credentials from a credential store to enable the non-administrative user to perform the administrative action.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the rule engine is coupled to the authorization store and the delegation store via a provider.
  - 12. The system of claim 10 wherein the provider comprises a pluggable provider that is associated with the authorization and delegation stores.
  - 13. The system of claim 10 wherein the delegation store provides credentials for running the action as a process, running the action as a current user, or running the action as a specific user.
  - 14. The system of claim 10 wherein rule engine receives the request from an application via an API call.
  - 15. The system of claim 10 further comprising an internet information service, wherein at least some user-related information is identified based upon a prior login to the internet information service.
  - 16. The system of claim 10 wherein the credential store securely stores credentials using encryption.

17. One or more computer-readable media having computer-executable instructions, which when executed perform steps, comprising, receiving a request to authorize a non-administrative user to perform an administrative action, the request including a provider, a username, and a path, using the provider to access an authorization store, determining from information in the authorization store and from the request whether the non-administrative user is allowed to perform the administrative action, and if so, obtaining credentials that allow the non-administrative user to perform the administrative action, running the administrative action, and returning the user to a set of credentials that were associated with that user prior to running the administrative action.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more computer-readable media of claim 17 wherein obtaining the credentials comprises accessing a delegation store that provides credentials for running the action as a process, running the action as a current user, or running the action as a specific user.
  - 19. The one or more computer-readable media of claim 17 wherein receiving the request comprises handling an API call.
  - 20. The one or more computer-readable media of claim 17 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises matching provider, action and path information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sen, Vijay, Allington, Clea H., Verma, Nitasha, Aguilar Mares, Carlos, Lucero, Robert J., Alam, Bilal, Joshi, Madhur, Ladki, Saad A.

Granted Patent

US 8,667,578 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/19
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Web Management Authorization and Delegation Framework

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Web Management Authorization and Delegation Framework

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links