ACCESS CONTROL MANAGEMENT

US 20130067539A1
Filed: 09/12/2011
Published: 03/14/2013
Est. Priority Date: 09/12/2011
Status: Active Grant

First Claim

Patent Images

1. An access control system, comprising:

a claims processing component configured to expand two or more input claims associated with a device into a set of output claims; and

an authorization component configured to match the set of output claims to an authorization table for rows that contain a matching resource claim, a matching subject claim, and a matching action claim to indicate the device is authorized to access a system resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject disclosure relates to authorization based on a determination of permissions that can be granted for an action(s) to be performed on a resource. The determination of the permission is based on a set of rules that represent a theory including a notion of trust that has been divided into different sized tables. The tables are utilized to evaluate two or more input claims and to facilitate a determination of whether access to at least one system resource is to be granted. The evaluation can include matching the two or more input claims to rows in the table, wherein access is allowed if a match is found.

Citations

20 Claims

1. An access control system, comprising:
- a claims processing component configured to expand two or more input claims associated with a device into a set of output claims; and
  
  an authorization component configured to match the set of output claims to an authorization table for rows that contain a matching resource claim, a matching subject claim, and a matching action claim to indicate the device is authorized to access a system resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The access control system of claim 1, wherein the claims processing component is further configured to apply facts associated with the two or more input claims against a data structure to expand the two or more input claims into the set of output claims.
  - 3. The access control system of claim 2, wherein the claims processing component is further configured to apply the facts against the data structure at each iteration.
  - 4. The access control system of claim 1, wherein the authorization component is further configured to match the set of output claims to an authorization table.
  - 5. The access control system of claim 1, wherein the claims processing component is configured to verify a matching row in a rules table for a plurality of the two or more input claims and to create a first output claim.
  - 6. The access control system of claim 1, wherein the claims processing component is configured to produce a first output claim by matching a first input claim, a second input claim, or both the first input claim and the second input claim with at least one row in a rules table.
  - 7. The access control system of claim 6, wherein the claims processing component is configured to assign a type and a value of the matched row to the first output claim.
  - 8. The access control system of claim 1, wherein the authorization component is configured to match the set of output claims against the authorization table and to allow access to the system resource.
  - 9. The access control system of claim 8, wherein the authorization table comprises a plurality of rows, wherein each row comprises a resource claim, a subject claim, and an action claim.
  - 10. The access control system of claim 1, wherein an input claim and an output claim comprises identity information signed by an issuer.

11. A method, comprising:
- receiving an authorization request;
  
  expanding a first input claim and a second input claim into a set of output claims;
  
  correlating a plurality of output claims in the set of output claims to an authorization table; and
  
  authorizing an action for the first input claim and the second input claim as a result of the correlating.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the expanding comprises:
    - verifying a row in a rules table matches the first input claim and the second input claim; and
      
      creating a first output claim as a function of the verifying.
  - 13. The method of claim 11, wherein the expanding further comprises:
    - matching the first input claim and the second input claim with a row in a rules table; and
      
      producing a first output claim based on the matching.
  - 14. The method of claim 13, wherein the producing comprises:
    - assigning a type and a value of the matched row to the first output claim.
  - 15. The method of claim 13, wherein the expanding further comprises:
    - matching the first output claim and either the first input claim or the second input claim with another row in the rules table; and
      
      producing a second output claim as a result of the matching, wherein the second output claim comprises a type and a value of the another row.
  - 16. The method of claim 11, wherein the expanding further comprises corresponding an input issuer, a type, and a value of the first input claim or the second input claim with a row in a rules table.
  - 17. The method of claim 11, wherein the authorizing the action comprises:
    - evaluating the set of output claims against an authorization table that comprises rows based on at least one row that comprises a resource claim, a subject claim, and an action claim; and
      
      allowing authorization as a function of an output of the evaluating.

18. A computer-readable storage medium comprising computer-executable instructions stored therein that, in response to execution, cause a computing system to perform operations, comprising:
- expanding two or more input claims associated with a device into a set of output claims; and
  
  corresponding the set of output claims to an authorization table for rows that include a matching resource claim, subject claim, and action claim to indicate the device is authorized to access a system resource.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage medium of claim 18, where the two or more input claims and the set of output claims comprise a piece of identity information signed by an issuer.
  - 20. The computer-readable storage medium of claim 18, the operations further comprising:
    - applying facts associated with the two or more input claims against a data structure to facilitate the expanding.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Qian, Wilson, Hervey Oliver, Baker, Caleb Geoffrey, Langworthy, David E., Layman, Andrew John, Shewchuk, John Peter Jr., Yong, Shiung-Vei, Passmore, Charles Edgar

Granted Patent

US 8,763,093 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

ACCESS CONTROL MANAGEMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL MANAGEMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links