DATA DRIVEN ROLE BASED SECURITY

US 20110277017A1
Filed: 05/05/2010
Published: 11/10/2011
Est. Priority Date: 05/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

querying for a data context in connection with potential access to one or more computing objects of a computing system by at least one computing device on behalf of a user identity;

receiving, by the at least one computing device, a request for access to at least one computing object of the one or more computing objects;

evaluating a control expression of an object governing access to the at least one computing object based on the data context to form a set of permissions; and

granting access to the at least one computing object if the set of permissions includes a permission for the request for access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data driven role based security is provided. At login, the system queries for a data context in connection with access to computing objects of a computing system. When a request for access to computing objects is received by the computing system, one or more control expressions specified for the computing object being accessed are evaluated. The evaluation of the control expressions may reference the user context or the data context previously established, and returns a set of effective permissions. Access to the computing object is then granted if the set of permissions includes an appropriate permission for the request for access.

55 Citations

View as Search Results

20 Claims

1. A method, comprising:
- querying for a data context in connection with potential access to one or more computing objects of a computing system by at least one computing device on behalf of a user identity;
  
  receiving, by the at least one computing device, a request for access to at least one computing object of the one or more computing objects;
  
  evaluating a control expression of an object governing access to the at least one computing object based on the data context to form a set of permissions; and
  
  granting access to the at least one computing object if the set of permissions includes a permission for the request for access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the evaluating includes evaluating a programmatic expression against one or more current versions of the one or more computing objects of the computing system.
  - 3. The method of claim 1, further comprising:
    - denying access to the at least one computing object if the set of permissions does not include the permission for the request for access.
  - 4. The method of claim 1, wherein the evaluating includes evaluating the control expression of an access control list governing access to the at least one computing object based on the data context.
  - 5. The method of claim 4, wherein the evaluating includes evaluating the control expression to form a list of permissions.
  - 6. The method of claim 1, wherein the evaluating further includes evaluating a set of static permissions included in the object governing access to the at least one computing object.
  - 7. The method of claim 1, wherein the querying includes querying for the data context in response to receiving a login based on credentials identifying the user identity.
  - 8. The method of claim 1, wherein the querying includes querying for an updated data context in response to receiving an additional request for access to the at least one computing object.
  - 9. The method of claim 1, wherein the querying includes querying for a data context in connection with potential access to one or more computing objects representing employees of a human resources computing system.
  - 10. The method of claim 1, further comprising:
    - receiving a definition of the control expression of the object governing access to the at least one computing object from a user interface expressing relationships between access control and the one or more computing objects of the computing system.

11. A computer-implemented system, comprising:
- a login component configured to query for a data context for access requests to data objects of a computing system in response to a user login, the data context is retrieved based on the data objects;
  
  an access control component configured to dynamically evaluate, in response to a request for access to at least one data object of the data objects, at least one control expression of an access control object that controls whether the access is granted to determine a set of permissions and configured to grant permission based on the set of permissions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the access control component is configured to dynamically evaluate a programmatic expression against current versions of the data objects.
  - 13. The system of claim 11, wherein the access control component is further configured to deny access to the at least one data object if the set of permissions does not include a permission for the request for access.
  - 14. The system of claim 11, wherein the access control component is configured to evaluate the control expression of an access control list governing access to the at least one data object based on the data context.
  - 15. The system of claim 14, wherein the access control component is configured to evaluate the control expression to output a list of permissions.
  - 16. The system of claim 11, wherein the access control component is configured to evaluate a set of static permissions included in the object governing access to the at least one data object.
  - 17. The system of claim 11, wherein the login component is configured to query for the data context in response to receiving a login based on user credentials identifying a user.
  - 18. The system of claim 11, wherein the login component is configured to query for an updated data context in response to receiving an additional request for access to the at least one data object.
  - 19. The system of claim 11, wherein the login component is configured to query for a data context in connection with access to data objects representing employees of an enterprise.

20. A method, comprising:
- receiving first input via a user interface of at least one computing device regarding an application function of an application for which role based security control is to be applied for users of the application function;
  
  receiving second input via the user interface regarding at least one data field of a data set applicable to carrying out the application function;
  
  receiving third input via the user interface regarding data instances to be extracted from the data set to establish a data context applicable to a given user at a time of login in connection with potential use of the application function; and
  
  based on the first, second and third inputs, receiving fourth input via the user interface defining at least one control expression for a role based access control object for dynamic evaluation in connection with the potential use of the application function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Barrows, John August, Ivanov, Sergei

Granted Patent

US 8,806,578 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

DATA DRIVEN ROLE BASED SECURITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATA DRIVEN ROLE BASED SECURITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links