Auditing Authorization Decisions

US 20110030038A1
Filed: 10/12/2010
Published: 02/03/2011
Est. Priority Date: 09/08/2006
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

memory and a processor;

an auditing scheme module, stored in the memory and executable on the processor; and

an access control scheme module, stored in the memory and executable on the processor, that is integrated with the auditing scheme module,wherein the access control scheme module makes authorization decisions in response to access requests for resources, the authorization decisions including inputs, outputs, and internal data, and wherein the auditing scheme module includes an audit policy that comprises audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.

101 Citations

View as Search Results

20 Claims

1. A device comprising:
- memory and a processor;
  
  an auditing scheme module, stored in the memory and executable on the processor; and
  
  an access control scheme module, stored in the memory and executable on the processor, that is integrated with the auditing scheme module,wherein the access control scheme module makes authorization decisions in response to access requests for resources, the authorization decisions including inputs, outputs, and internal data, and wherein the auditing scheme module includes an audit policy that comprises audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The device as recited in claim 1, wherein the audit content rules utilize a semantic framework that is utilized by the access control scheme for making the authorization decisions.
  - 3. The device as recited in claim 1, wherein the audit content rules specify inputs to the authorization decisions in terms of logical assertions.
  - 4. The device as recited in claim 3, wherein the audit content rules specify internal data of the authorization decisions in terms of logical deductions derived from the logical assertions.
  - 5. The device as recited in claim 1, wherein the audit content rules specify logical deduction data used or produced during evaluation algorithms of authorization decisions.
  - 6. The device as recited in claim 5, wherein the logical deduction data comprises a proof graph indicating a logical chain of deductions that occur within the evaluation algorithm.
  - 7. The device as recited in claim 1, wherein the audit policy rules further include audit trigger rules that specify when an audit record is to be generated and added to an audit log.
  - 8. The device as recited in claim 7, wherein the audit trigger rules specify that an audit record is to be generated and added to the audit log responsive to access requests involving at least one of the following output and inputs:
    - a particular authorization decision result, a particular targeted resource, a particular requested action, or a particular operation on a particular resource.

9. One or more computer-readable storage media, storing computer-executable instructions that, when executed by a processor, configure the processor to perform acts comprising:
- receiving an access request for a resource by an access control scheme;
  
  performing by the access control scheme, at least partly in response to the access request, an authorization decision for the resource, the authorization decision comprising inputs, outputs, and internal data;
  
  specifying, by an auditing scheme, an audit policy comprising audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record; and
  
  recording, by the auditing scheme, the audit record based at least in part on the specified audit policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more computer-readable storage media as recited in claim 9, wherein the audit content rules utilize a semantic framework that is utilized by the access control scheme for performing the authorization decisions.
  - 11. The one or more computer-readable storage media as recited in claim 9, wherein the audit content rules specify inputs to the authorization decisions in terms of logical assertions.
  - 12. The one or more computer-readable storage media as recited in claim 11, wherein the audit content rules specify internal data of the authorization decisions in terms of logical deductions derived from the logical assertions.
  - 13. The one or more computer-readable storage media as recited in claim 9, wherein the audit content rules specify logical deduction data used or produced during evaluation algorithms of authorization decisions.
  - 14. The one or more computer-readable storage media as recited in claim 13, wherein the logical deduction data comprises a proof graph indicating a logical chain of deductions that occur within the evaluation algorithm.
  - 15. The one or more computer-readable storage media as recited in claim 9, wherein the audit policy rules further include audit trigger rules that specify when an audit record is to be generated and added to an audit log.
  - 16. The one or more computer-readable storage media as recited in claim 15, wherein the audit trigger rules specify that an audit record is to be generated and added to the audit log responsive to access requests involving at least one of the following output and inputs:
    - a particular authorization decision result, a particular targeted resource, a particular requested action, or a particular operation on a particular resource.

17. A computer-implemented method comprising:
- performed by one or more processors executing computer-readable instructions;
  
  receiving an access request for a resource;
  
  performing, at least partly in response to the access request, an authorization decision for the resource, the authorization decision comprising inputs, outputs, and internal data;
  
  specifying, an audit policy comprising audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record, wherein the audit content rules comprise a semantic framework; and
  
  recording the audit record based at least in part on the specified audit policy.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method as recited in claim 17, wherein the audit content rules specify inputs to the authorization decisions in terms of logical assertions and internal data of the authorization decisions in terms of logical deductions derived from the logical assertions.
  - 19. The one or more computer-readable storage media as recited in claim 17, wherein the audit content rules specify logical deduction data used or produced during evaluation algorithms of authorization decisions, and wherein the logical deduction data comprises a proof graph indicating a logical chain of deductions that occur within the evaluation algorithm.
  - 20. The one or more computer-readable storage media as recited in claim 17, wherein the audit policy rules further include audit trigger rules that specify when an audit record is to be generated and added to an audit log, and wherein the audit trigger rules specify that an audit record is to be generated and added to the audit log responsive to access requests involving at least one of the following output and inputs:
    - a particular authorization decision result, a particular targeted resource, a particular requested action, or a particular operation on a particular resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B.

Granted Patent

US 8,225,378 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2101 Auditing as a secondary aspect

Auditing Authorization Decisions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Auditing Authorization Decisions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links