Declarative and programmatic access control of component-based server applications using roles

US 6,014,666 A
Filed: 10/28/1997
Issued: 01/11/2000
Est. Priority Date: 10/28/1997
Status: Expired due to Term

First Claim

Patent Images

1. In a software application development system, a method of defining user access rights to objects of a component-based application prior to distribution and deployment to a plurality of end-user computer systems having a security facility requiring a user to log-on under one of a plurality of user identities configured on the respective computer system, and having a role-based access control operating in response to roles and access privileges declared for the component-based application and a configuration associating the user identities of the respective computer system to the declared roles to control access of a current user to component-based application objects depending on the user identity of the current user being associated in a declared role having declared access privileges for the object, the method comprising:

declaratively creating a roles data structure containing information defining a plurality of roles applicable to the component-based application;

declaratively creating a role privileges data structure containing information defining access privileges of the roles to the objects; and

packaging the roles data structure and the role privileges data structure with the component-based application into a distribution unit;

whereby on deployment of the distribution unit to a respective one of the end-user computer systems, the role-based access control of such respective end-user computer system operates to control access of such respective end-user computer system'"'"'s users to the objects based on the roles and access privileges defined in the distribution unit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A programming model for component-based server applications provides declarative and programmatic access control at development without knowledge of the security configuration at deployment. The developer defines the server application access control by defining logical classes of users, called roles. The developer also can declare access privileges of the roles at package, component and interface levels of the server application. At development, the roles are bound to the particular security configuration of the server computer. The programming model also provides application programming and integration interfaces with which the developer can programmatically define access control of the roles to the server application'"'"'s processing services.

484 Citations

12 Claims

1. In a software application development system, a method of defining user access rights to objects of a component-based application prior to distribution and deployment to a plurality of end-user computer systems having a security facility requiring a user to log-on under one of a plurality of user identities configured on the respective computer system, and having a role-based access control operating in response to roles and access privileges declared for the component-based application and a configuration associating the user identities of the respective computer system to the declared roles to control access of a current user to component-based application objects depending on the user identity of the current user being associated in a declared role having declared access privileges for the object, the method comprising:
- declaratively creating a roles data structure containing information defining a plurality of roles applicable to the component-based application;
  
  declaratively creating a role privileges data structure containing information defining access privileges of the roles to the objects; and
  
  packaging the roles data structure and the role privileges data structure with the component-based application into a distribution unit;
  
  whereby on deployment of the distribution unit to a respective one of the end-user computer systems, the role-based access control of such respective end-user computer system operates to control access of such respective end-user computer system'"'"'s users to the objects based on the roles and access privileges defined in the distribution unit.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 wherein declaratively creating the role privileges data structure comprises specifying access privileges of roles to interfaces of the objects.
  - 3. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 1.

4. A computer-readable data storage media having a distribution unit for a distributable component-based software application stored thereon, the software application being installable for execution on a computer system having, a role-based access control operating to control access by a user operating the computer system under a user identity to objects depending on the user'"'"'s user id entity being associated in a role having access privileges for the objects, the distribution unit of the software application comprising:
- executable code to implement a set of objects of the software application having interfaces providing a set of operations accessible to a client program;
  
  a roles data structure containing information defining a set of roles applicable to the software application; and
  
  an access privileges data structure containing information defining access privileges of the roles to objects in the software application;
  
  whereby access control is declaratively defined for the software application prior to distribution and deployment of the software application to the computer system.
- View Dependent Claims (5)
- - 5. The computer-readable data storage media of claim 4 wherein the access privileges data structure contains information defining access privileges of the roles to interfaces of the objects.

6. In a computer configured for operation by users having user identities, an object execution system software program for controlling access by a user of the computer to objects in a component-based software application based on a set of abstract user classes defined for the software application at development thereof, the component-based software application being distributed to the computer in a deployment unit containing a roles data structure defining the set of abstract user classes and an access privileges data structure defining access privileges of the abstract user classes to the objects, the object execution system software program comprising:
- a security configuration data store containing data associating user identities to the abstract user classes; and
  
  an authorization checker operating to check upon access by a caller program operating under a user identity to a called object in the component-based software application whether the user identity is associated with an abstract user class having an access privilege to call into the called object, and to permit or deny the access depending on a result of the check;
  
  whereby the object execution system software program permits access control for the component-based software application to be declaratively defined at development as an abstraction independent of the user identities actually configured on the computers on which the software application is later deployed.
- View Dependent Claims (7)
- - 7. The object execution system software program of claim 6 further comprising:
    - a security configuration utility operating in response to declaration of a binding of a user identity to an abstract user class to store an association of the user identity to the abstract user class in the security configuration data store.

8. A method of access control within a computer based on abstract user classes declaratively defined at development of a software application having code to implement a set of objects, the method comprising:
- in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the software application is to be deployed, generating a roles data structure containing data to represent the role classes;
  
  in response to declaration by the developer of access privileges of the role classes to the objects, generating an access privileges data structure containing data to represent the access privileges;
  
  packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application;
  
  deploying the deployment unit to a computer;
  
  in response to declaration by an administrator of the computer of bindings from user identities configured on the computer to the role classes, storing data in a configuration store to represent the bindings;
  
  upon a request of a client program code operating under a user identity on the computer to access an object of the software application, determining to permit or deny the access depending upon a result of an authorization check whether the user identity is bound to a role having an access privilege to the object.
- View Dependent Claims (9)
- - 9. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 8.

10. In a computer configured for operation by users having user identities, an object execution system software module for controlling access to objects of a software application distributed to the computer in a deployment unit containing a roles data structure declaratively defining roles representative of a set of abstract user classes and an access privileges data structure declaratively defining access privileges of the roles to the objects, the object execution system software module comprising:
- a configuration data store containing data defining bindings of the user identities to the roles; and
  
  code to implement a programmatic access control function for calling from the software application, the programmatic access control function having a role parameter designating a role out of the roles set, the programmatic access control function operating in response to the software application'"'"'s call to return a value indicating whether a user identity under which the software application was accessed is bound to the parameter-designated role.

11. A method of programmatically controlling access within a component-based software application based on a set of abstract user classes declaratively defined at development independent of the user identities actually configured on the computers to which the component-based software application is to be later deployed, the component-based software application being executable on a computer having an object execution system that implements a programmatic access control function operative to return a value indicative of whether a user identity of a calling thread is bound to a parameter-specified abstract user class of the component-based software application, the method comprising:
- in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the component-based software application is to be deployed, generating a roles data structure containing data to represent the roles;
  
  within program code of an object of the component-based software application, issuing a call to the programmatic access control function in which a particular role is specified by a function parameter and also conditioning a processing operation of the object on a result of the programmatic access control function call; and
  
  packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application.
- View Dependent Claims (12)
- - 12. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 11.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Devlin, William D., Reed, David R., Limprecht, Rodney, Helland, Patrick James, Al-Ghosein, Mohsen
Primary Examiner(s)
Fetting, Anton W.
Assistant Examiner(s)
Corrielus, Jean M.

Application Number

US08/958,974
Time in Patent Office

805 Days
Field of Search

707/103, 707/9, 707/10, 395/701, 395/703, 395/704, 395/702, 395/707, 395/710
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/468   Specific access rights for ...

Y10S 707/99939   Privileged access

Declarative and programmatic access control of component-based server applications using roles

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

484 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Declarative and programmatic access control of component-based server applications using roles

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

484 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links