CREDENTIAL-BASED ACCESS TO DATA

US 20110231940A1
Filed: 03/19/2010
Published: 09/22/2011
Est. Priority Date: 03/19/2010
Status: Abandoned Application

First Claim

Patent Images

1. One or more computer-readable media comprising computer-executable instructions for controlling access to a set of data that is associated with an access control list comprising one or more access control entries, the computer-executable instructions performing steps comprising:

receiving, from accessing computer-executable instructions, a request to access the set of data;

searching the one or more access control entries for one or more access control entries relevant to a user identified by a user token associated with the accessing computer-executable instructions;

comparing credential data associated with the user token to credential data specified by the one or more access control entries relevant to the user if the one or more access control entries relevant to the user specify credential data; and

denying the request and notifying the accessing computer-executable instructions that credential data is required to access the set of data if the comparing reveals that the credential data associated with the user token differs from the credential data specified by the one or more access control entries relevant to the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Existing mechanisms that control access to data based upon whether the user seeking to access the data is identified among the users that are allowed to access the data, can be extended to further control access based upon the provision of credential data by the user, or processes associated therewith. Access control entries can limit access based upon Boolean conditionals, including those referencing credential data, such that access can be granted only to specific users that provide the credential data or, alternatively, to any user that provides it. The referenced credential data can be specified in the access control information in an obfuscated form for security purposes. Information associated with the user, such as a user token, can be temporarily updated to include credential data when provided by the user, so as to enable access to the data but to prevent such access from remaining open too long.

90 Citations

View as Search Results

20 Claims

1. One or more computer-readable media comprising computer-executable instructions for controlling access to a set of data that is associated with an access control list comprising one or more access control entries, the computer-executable instructions performing steps comprising:
- receiving, from accessing computer-executable instructions, a request to access the set of data;
  
  searching the one or more access control entries for one or more access control entries relevant to a user identified by a user token associated with the accessing computer-executable instructions;
  
  comparing credential data associated with the user token to credential data specified by the one or more access control entries relevant to the user if the one or more access control entries relevant to the user specify credential data; and
  
  denying the request and notifying the accessing computer-executable instructions that credential data is required to access the set of data if the comparing reveals that the credential data associated with the user token differs from the credential data specified by the one or more access control entries relevant to the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable media of claim 1, wherein the computer-executable instructions for comparing comprise computer-executable instructions for obfuscating the credential data associated with the user token using an equivalent obfuscation mechanism to that utilized to obfuscate the credential data specified by the one or more access control entries relevant to the user.
  - 3. The computer-readable media of claim 1, wherein the computer-executable instructions for comparing comprise computer-executable instructions for decrypting the credential data associated with the user token.
  - 4. The computer-readable media of claim 1, wherein the one or more access control entries relevant to the user comprise a Boolean conditional statement comprising at least one conditional reference to the credential data.
  - 5. The computer-readable media of claim 1 comprising further computer-executable instructions performing steps comprising:
    - receiving the credential data and generating at least one of the one or more access control entries relevant to the user so as to specify that access to the set of data is to be granted if the received credential data is associated with the user token that is associated with the accessing computer-executable instructions when the request to access the set of data is received.
  - 6. The computer-readable media of claim 5, wherein the computer-executable instructions for generating the at least one of the one or more access control entries comprise computer-executable instructions for enumerating a set of users in the generated at least one of the one or more access control entries such that the generated at least one of the one or more access control entries specifies that the access to the set of data is to be granted if both the received credential data is associated with the user token that is associated with the accessing computer-executable instructions and the user identified by the user token that is associated with the accessing computer-executable instructions is among the enumerated set of users.

7. One or more computer-readable media comprising computer-executable instructions that access a set of data that is associated with an access control list comprising one or more access control entries, the computer-executable instructions performing steps comprising:
- requesting access to the set of data;
  
  receiving, in response to the requesting the access, a denial of access notification comprising an indication that credential data is required to access the set of data;
  
  requesting, in response to the receiving the denial of access notification, the credential data;
  
  receiving a received credential data in response to the requesting the credential data;
  
  associating, for a temporally limited amount of time, the received credential data with a user token associated with the computer-executable instructions; and
  
  requesting, for a subsequent time, access to the set of data;
  
  wherein the temporally limited amount of time is only so long as to enable accesses that are associated with the requested access and the subsequently requested access to proceed.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer-readable media of claim 7, wherein the computer-executable instructions for requesting the credential data comprise computer-executable instructions for requesting the credential data from a user by prompting the user.
  - 9. The computer-readable media of claim 7, wherein the computer-executable instructions for associating the received credential data with the user token comprise computer-executable instructions for obfuscating the received credential data prior to the associating, the obfuscating using an equivalent obfuscation mechanism to that utilized to obfuscate credential data specified by one or more access control entries relevant to a user associated with the user token.
  - 10. The computer-readable media of claim 7, wherein the computer-executable instructions for associating the received credential data with the user token comprise computer-executable instructions for encrypting the received credential data prior to the associating so that access control mechanisms can decrypt the encrypted received credential data.
  - 11. The computer-readable media of claim 7, wherein the computer-executable instructions for associating the received credential data with the user token comprise computer-executable instructions for generating a time stamp;
    - and wherein further the temporally limited amount of time is enforced by an operating system responsible for the user token.
  - 12. The computer-readable media of claim 7, wherein the accesses that are enabled by the temporally limited amount of time comprise a single editing session of the set of data by the computer-executable instructions.
  - 13. The computer-readable media of claim 7, wherein the accesses that are enabled by the temporally limited amount of time comprise accesses directed to one or more child objects of the set of data.
  - 14. The computer-readable media of claim 7, wherein the accesses that are enabled by the temporally limited amount of time consist of only the subsequently requested access.

15. A method of accessing a first set of data that is associated with an access control list comprising one or more access control entries, the method comprising the steps of:
- requesting access to the set of data;
  
  searching the one or more access control entries for one or more access control entries relevant to a user identified by a user token associated with the requesting the access;
  
  comparing credential data associated with the user token to credential data specified by the one or more access control entries relevant to the user if the one or more access control entries relevant to the user specify credential data;
  
  generating a denial of access notification comprising an indication that credential data is required to access the set of data if the comparing reveals that the credential data associated with the user token differs from the credential data specified by the one or more access control entries relevant to the user;
  
  requesting, in response to receiving the denial of access notification, the credential data;
  
  receiving a received credential data in response to the requesting the credential data;
  
  associating, for a temporally limited amount of time, the received credential data with the user token; and
  
  requesting, for a subsequent time, access to the set of data;
  
  wherein the temporally limited amount of time is only so long as to enable accesses that are associated with the requested access and the subsequently requested access to proceed.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the comparing comprises obfuscating the credential data associated with the user token using an equivalent obfuscation mechanism to that utilized to obfuscate the credential data specified by the one or more access control entries relevant to the user.
  - 17. The method of claim 15, wherein the one or more access control entries relevant to the user comprise a Boolean conditional statement comprising at least one conditional reference to the credential data.
  - 18. The method of claim 15, further comprising the steps of:
    - initially receiving an initial credential data; and
      
      generating at least one of the one or more access control entries relevant to the user so as to specify that access to the set of data is to be granted if the initial credential data is associated with the user token that is associated with the requesting the access when the requesting the access occurs.
  - 19. The method of claim 15, wherein the accesses that are enabled by the temporally limited amount of time comprise accesses directed to one or more child objects of the set of data.
  - 20. The method of claim 15, wherein the accesses that are enabled by the temporally limited amount of time consist of only the subsequently requested access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Perumal, Raja Pazhanivel, Hamblin, Jeffrey B.

Application Number

US12/727,763
Publication Number

US 20110231940A1
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2103   Challenge-response

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/101   Access control lists [ACL]

CREDENTIAL-BASED ACCESS TO DATA

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CREDENTIAL-BASED ACCESS TO DATA

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links