ROLE-BASED ACCESS CONTROL MODELING AND AUDITING SYSTEM

US 20140157350A1
Filed: 12/03/2012
Published: 06/05/2014
Est. Priority Date: 12/03/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

presenting one or more first user interface elements that allow a user to access or create a first security role, the first security role having one or more permissions associated therewith; and

subsequent to the user accessing or creating the first security role via the one or more first user interface elements, presenting one or more second user interface elements that indicate at least one of;

information that can be viewed by a user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with a first software application, andone or more actions that can be performed by the user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with the first software application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A role-based access control (RBAC) modeling and auditing system is described that enables a user to access and/or create security roles that can be applied to users of a first software application. When a security role having a particular set of permissions has been accessed or created, the system can present a simulated user interface (UI) that indicates information that can be viewed and/or actions that can be performed by a user to whom the security role has been assigned when interacting with the first software application. The system may further provide “run as” functionality that enables a simulated UI to be generated for a particular user and that can display the security role(s) associated with the particular user. The system may be embodied in a second software application, such as a tool that is associated with the first software application.

13 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- presenting one or more first user interface elements that allow a user to access or create a first security role, the first security role having one or more permissions associated therewith; and
  
  subsequent to the user accessing or creating the first security role via the one or more first user interface elements, presenting one or more second user interface elements that indicate at least one of;
  
  information that can be viewed by a user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with a first software application, andone or more actions that can be performed by the user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with the first software application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein presenting the one or more first user interface elements comprises presenting one or more user interface elements that allow the user to select the first security role from among a plurality of predefined security roles.
  - 3. The method of claim 1, wherein presenting the one or more first user interface elements comprises presenting one or more user interface elements that allow the user to select the one or more permissions associated with the first security role.
  - 4. The method of claim 1, wherein presenting the one or more first user interface elements comprises presenting one or more user interface elements that further allow the user to access or create a second security role having at least one permission associated therewith that is not associated with the first security role, the method further comprising:
    - modifying the one or more second user interface elements such that the one or more second user interface elements indicate of at least one of;
      
      information that can be viewed by a user to whom the second security role has been assigned when the user to whom the second security role has been assigned interacts with the first software application, andone or more actions that can be performed by the user to whom the second security role has been assigned when the user to whom the second security role has been assigned interacts with the first software application.
  - 5. The method of claim 1, wherein presenting the one or more second user interface elements comprises presenting the one or more second user interface elements concurrently with the one or more first user interface elements.
  - 6. The method of claim 1, further comprising:
    - determining that the user has one or more required permissions; and
      
      performing the presenting steps only if a determination is made that the user has the one or more required permissions.
  - 7. The method of claim 1, wherein the presenting steps are performed by a second software application.
  - 8. The method of claim 7, wherein the second software application comprises a tool associated with the first software application.
  - 9. The method of claim 7, further comprising:
    - obtaining configuration data stored in a database associated with the first software application by the second software application, the configuration data comprising at least one or more permissions that may be associated with a security role, and for each of the one or more permissions, one or more of information viewable by a user having the permission and one or more actions performable by a user having the permission; and
      
      using the configuration data to generate at least one of the one or more first user interface elements and the one or more second user interface elements.
  - 10. The method of claim 9, further comprising:
    - caching the obtained configuration data by the second application.

11. A system, comprising:
- one or more processors; and
  
  a storage medium that stores computer program logic that is executable by the one or more processors, the computer program logic comprising;
  
  first computer program logic that is programmed to cause the one or more processors to present one or more first user interface elements that allow a user to access or create a first security role, the first security role having one or more permissions associated therewith; and
  
  second computer program logic that is programmed to cause the one or more processors to present one or more second user interface elements concurrently with the one or more first user interface elements, the one or more second user interface elements indicating;
  
  information that can be viewed by a user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with a first software application, andone or more actions that can be performed by the user to whom the first security role has been assigned when the user to whom the first security role has been assigned interacts with the first software application.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the one or more first user interface elements allow the user to select the first security role from among a plurality of predefined security roles.
  - 13. The system of claim 11, wherein the one or more first user interface elements allow the user to select the one or more permissions associated with the first security role.
  - 14. The system of claim 11, wherein the one or more first user interface elements further allow the user to access or create a second security role having at least one permission associated therewith that is not associated with the first security role;
    - andwherein the second computer program logic is programmed to cause the one or more processors to modify the one or more second user interface elements such that the one or more second user interface elements indicate;
      
      information that can be viewed by a user to whom the second security role has been assigned when the user to whom the second security role has been assigned interacts with the first software application, andone or more actions that can be performed by the user to whom the second security role has been assigned when the user to whom the second security role has been assigned interacts with the first software application.
  - 15. The system of claim 11, wherein the second computer program logic is programmed to cause the one or more processors to present the one or more second user interface elements concurrently with the one or more first user interface elements.
  - 16. The system of claim 11, wherein the first computer program logic and the second computer program logic comprise portions of a second software application.
  - 17. The system of claim 16, wherein the computer program logic stored by the storage medium further comprises:
    - third computer program logic that is programmed to cause the one or more processors to obtain configuration data stored in a database associated with the first software application, the configuration data comprising at least one or more permissions that may be associated with a security role, and for each of the one or more permissions, one or more of information viewable by a user having the permission and one or more actions performable by a user having the permission;
      
      wherein the first computer program logic is programmed to cause the one or more processors to generate the one or more first user interface elements using the configuration data and the second computer program logic is programmed to cause the one or more processors to generate the one or more second user interface elements using the configuration data.

18. A computer-implemented method, comprising:
- presenting one or more first user interface elements that allow a first user to input an identifier of a second user of a first software application; and
  
  subsequent to the user inputting the identifier of the second user via the first user interface;
  
  identifying one or more security roles assigned to the second user based on the identifier of the second user;
  
  generating one or more second user interface elements based at least on the identified one or more security roles, the one or more second user interface elements indicating of at least one of;
  
  information that can be viewed by the second user when the second user interacts with the first software application, andone or more actions that can be performed by the second user when the second user interacts with the first software application; and
  
  presenting the one or more second user interface elements.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising:
    - presenting one or more third user interface elements that show the identified one or more security roles.
  - 20. The method of claim 18, wherein the presenting, identifying and generating steps are performed by a second software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tang, Lin, Xuan, Yingchun, Wang, Jingcun

Granted Patent

US 9,165,156 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2149   Restricted operating enviro...

ROLE-BASED ACCESS CONTROL MODELING AND AUDITING SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ROLE-BASED ACCESS CONTROL MODELING AND AUDITING SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links