SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS

US 20120079556A1
Filed: 09/27/2010
Published: 03/29/2012
Est. Priority Date: 09/27/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented access check system having computer readable media that store executable instructions executed by a processor, comprising:

a synchronization component that receives and normalizes entitlements of users obtained from resources having associated security enforcement points; and

an access management component that creates sets of user objects for the users of the entitlements based on the normalized entitlements, the access management component performs set operations on the sets of user objects to check for an anomalous entitlement.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data model in which a set provides an abstraction that isolates the computation of membership from the details of how an enforcement point determines access (e.g., based on claims, based on security group membership etc). Set operations (e.g., intersection, union, inverse) can then be used across the sets. The architecture utilizes workflow on set transitions such that when an object such as a user enters the scope of one of these sets, notification can occur, such that inadvertent changes which lead to separation-of-duties violations can be detected quickly. The sets can also be used to define entitlements for enforcement of claims-based access control in a cross-organization deployment (e.g., to a cloud-hosted application).

Citations

20 Claims

1. A computer-implemented access check system having computer readable media that store executable instructions executed by a processor, comprising:
- a synchronization component that receives and normalizes entitlements of users obtained from resources having associated security enforcement points; and
  
  an access management component that creates sets of user objects for the users of the entitlements based on the normalized entitlements, the access management component performs set operations on the sets of user objects to check for an anomalous entitlement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the anomalous entitlement is characterized by a user object associated with an entitlement but not a role for the entitlement.
  - 3. The system of claim 1, wherein the anomalous entitlement is characterized by a user object associated with a role but not for an entitlement for the role.
  - 4. The system of claim 1, wherein the set operations include union, intersection, and inverse operations.
  - 5. The system of claim 1, wherein the access management component processes a set transition when a user object enters scope of a set and sends a notification of the transition to address a separation-of-duties violation.
  - 6. The system of claim 1, wherein the access management component computes set differences and runs a workflow for a user object that has an anomalous entitlement.
  - 7. The system of claim 1, wherein the access management component utilizes the sets of user objects to define entitlements for enforcement of claims-based access control in an across-organization deployment.
  - 8. The system of claim 1, wherein the access management component creates an expression for a set of user objects that defines the set across attributes of a user, the expression utilized to determine whether a user is in the set.

9. A computer-implemented access check method executed by a processor, comprising:
- obtaining entitlements defined in enforcement policies associated with multiple enforcement points;
  
  for each entitlement, creating a set of user objects related to users that currently have the entitlement;
  
  obtaining role definitions that specify users for each role;
  
  applying set operations on the set and role definitions related to user objects of the set to obtain differences sets of allowed entitlements of the role and non-allowed entitlements for the role; and
  
  processing the differences sets to obtain an anomalous entitlement of a user object.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising performing a workflow based on the detected anomalous entitlement to provide notification of the anomalous entitlement.
  - 11. The method of claim 9, further comprising triggering the workflow based on a user transition into a set.
  - 12. The method of claim 9, further comprising triggering the workflow based on a change in user object attributes.
  - 13. The method of claim 9, further comprising triggering the workflow based on a change in enforcement point configuration.
  - 14. The method of claim 9, further comprising triggering the workflow based on a change in a role definition.
  - 15. The method of claim 9, further comprising enforcing claims-based access control in a cross-organization deployment based on the set.

16. A computer-implemented access check method executed by a processor, comprising:
- creating a set of user objects for each in-place entitlement associated with enforcement policies of multiple resources, the sets of user objects related to users that have corresponding in-place entitlements;
  
  obtaining role definitions that specify users for each associated role;
  
  applying set operations on the set and role definitions related to user objects of the set to obtain a conflict set that describes an entitlement anomaly; and
  
  performing one or more workflow processes for users associated with the entitlement anomaly.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising creating expression for a set of user objects that defines the set across attributes of a user, the expression utilized to determine whether a user is in the set.
  - 18. The method of claim 16, further comprising normalizing the entitlements obtained from the multiple resources in order to create the set of user objects for the entitlement.
  - 19. The method of claim 16, further comprising triggering a workflow process based on at least one of a user transition into a set, a change in user object attributes, a change in a role definition, or a change in enforcement point configuration.
  - 20. The method of claim 16, wherein set creation is separate from enforcement point access processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wahl, Mark

Granted Patent

US 9,582,673 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links