Controlling Resource Access Based on Resource Properties

US 20110126281A1
Filed: 11/20/2009
Published: 05/26/2011
Est. Priority Date: 11/20/2009
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method performed on at least one processor, comprising, determining access to a resource based on policy decoupled from the resource, including by evaluating a resource label associated with the resource against a user claim associated with an access request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.

Citations

20 Claims

1. In a computing environment, a method performed on at least one processor, comprising, determining access to a resource based on policy decoupled from the resource, including by evaluating a resource label associated with the resource against a user claim associated with an access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising, obtaining the resource label from resource classification obtained via one or more classification rules.
  - 3. The method of claim 2 wherein the classification rules comprise declarative instructions that assign certain resource labels to certain files.
  - 4. The method of claim 2 wherein the resource is a file, and wherein obtaining each resource label comprises performing the resource classification based upon a change to content of the file, a change to one or more labels of the file, a change to other attributes of the file, a change to a location of the file, a change to a classification rule, or a state change to one or more classification rules, or any combination of a change to content of the file, a change to one or more labels of the file, a change to other attributes of the file, a change to a location of the file, a change to a classification rule, or a state change to one or more classification rules.
  - 5. The method of claim 1 further comprising, further determining the access based on an access control list coupled to the resource.
  - 6. The method of claim 1 wherein evaluating the resource label associated with the resource against the user claim associated with the access request comprises evaluating compound conditions.
  - 7. The method of claim 1 further comprising, caching the resource label in association with the file.
  - 8. The method of claim 1 wherein evaluating the resource label against the user claim associated with the access request comprises determining whether a user clearance level value corresponding to data in the user claim achieves a resource sensitivity level value corresponding to data in the resource label.

9. In a computing environment, a system comprising, an authorization engine that determines access to a resource based upon policy, including by using information in the policy to evaluate a resource label associated with the resource against a user claim associated with an access request.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the authorization engine that evaluates the resource label against the user claim is incorporated into a security model of an operating system.
  - 11. The system of claim 9 wherein the policy is based upon a combination of policy components.
  - 12. The system of claim 9 wherein the policy is maintained independent of the resource, and applies to a plurality of resources.
  - 13. The system of claim 9 wherein the resource comprises a file and further comprising a classifier that provides the resource label by classifying the file.
  - 14. The system of claim 9 wherein the resource is associated with an access control list, and wherein the authorization engine that evaluates the resource label against the user claim further determines the access by evaluating the access control list against an access token.
  - 15. The system of claim 9 wherein the resource comprises a file and wherein the resource label is cached in an alternate data stream of the file.

16. One or more computer-readable media having computer-executable instructions, which when executed perform steps, comprising, processing an access request to grant or deny an access-related operation to a resource, including obtaining policy that is decoupled from the resource, and using the policy to determine whether to grant or deny the access-related operation, including by evaluating a resource label associated with the resource against a user claim associated with the access request.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer-readable media of claim 16 wherein the resource is a file, and having further computer-executable instructions comprising, classifying the file into classification properties, including a classification property corresponding to the resource label.
  - 18. The one or more computer-readable media of claim 16 wherein the resource is a file, wherein the resource label is cached in association with the file, and having further computer-executable instructions comprising, determining whether the resource level is valid and up-to-date, and if not, obtaining a valid and up-to-date resource label, and caching the valid and up-to-date resource label in association with the file.
  - 19. The one or more computer-readable media of claim 16 wherein a plurality of policies are applicable, and wherein using the policy to determine whether to grant or deny the access-related operation further comprises logically combining a result of evaluating a resource label associated with the resource against a user claim with a result of at least one other policy evaluation.
  - 20. The one or more computer-readable media of claim 19 wherein a result of at least one other policy evaluation comprises an access control list-based evaluation result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Samuelsson, Anders, Li, Ziquan, Law, Clyde, Hamblin, Jeffrey B., Wollnik, Matthias H., Kalach, Ran, Oltean, Paul Adrian, Perumal, Raja Pazhanivel, Ben-Zvi, Nir

Granted Patent

US 9,038,168 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Controlling Resource Access Based on Resource Properties

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling Resource Access Based on Resource Properties

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links