Flexible and dynamic derivation of permissions
First Claim
1. A method for deriving current and maximal permissions for executable content using:
a. one or more executable content descriptions;
b. one or more sets of permissions (access rights) that describe the operations that executable content can perform on objects;
c. one or more permission equations that compute a set of permissions from one or more other sets of permissions;
d. one or more permission propositions that specify conditions under which associated modifications to permissions apply;
e. one or more policy graphs that associate permissions, permission equations, and/or permission propositions with graph nodes;
wherein the method for deriving current and maximal permissions comprises the following steps:
f. deriving one or more permission equations and one or more permission propositions from policy graphs;
g. deriving one or more maximal sets of permissions from policy graphs;
h. selecting granted permissions from within an associated maximal set of permissions;
i. combining one or more maximal sets of permissions into the maximal permissions using one permission equation and one or more permission propositions;
j. combining one or more granted permissions into one current set of permissions which are a subset of the maximal permissions using one permission equation and one or more permission propositions.
Abstract
A dynamic derivation mechanism is defined which enables limited permissions to be dynamically and flexibly derived for executables based upon their authenticated description. The dynamic derivation mechanism uses the authenticated description to determine the maximal permissions that individual principals can delegate to the content. A principal's maximal permissions for content define a superset of the rights that that principal will actually delegate to that content. Although the maximal permissions are derived from predefined specifications, the specifications can be sensitive to runtime state on the downloader's system or previous delegations to enable the dynamic (i.e., runtime) derivation. Multiple principals can delegate a subset of their maximal permissions for the executable content. The mechanism uses policy for combining the delegated permissions into the content's runtime permissions.
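The following is an added worked example of the derivation described in claim 1 and the abstract; it is not code from the patent. It models a policy graph whose nodes carry permission sets and propositions, derives each principal's maximal permissions (step g), restricts each principal's grant to its own maximal set (step h), and combines the results with a permission equation and runtime propositions (steps i and j). The class and function names, the choice of set union as the permission equation, and the sample policy, content description and runtime state are all assumptions made for illustration.

```python
"""Model of maximal/current permission derivation from a policy graph.

Added example, not from the patent. Names, the union-based permission
equation, and the sample data are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple

Permissions = FrozenSet[str]


@dataclass
class ContentDescription:
    """Authenticated description of the executable content (constructed sample fields)."""
    publisher: str
    signed: bool
    origin: str  # e.g. "intranet" or "internet"


# A permission proposition: a predicate over the content description and the
# downloader's runtime state. When it holds, the paired permissions are withdrawn.
Proposition = Callable[[ContentDescription, dict], bool]
Restriction = Tuple[Proposition, Permissions]


@dataclass
class PolicyNode:
    """Policy-graph node: a principal or role, the permissions attached to it,
    the propositions that withdraw permissions, and the nodes it inherits from."""
    name: str
    permissions: Permissions
    restrictions: List[Restriction] = field(default_factory=list)
    parents: List["PolicyNode"] = field(default_factory=list)


def derive_maximal(node: PolicyNode, desc: ContentDescription, state: dict) -> Permissions:
    """Step g: a principal's maximal permissions for this content.
    Assumed permission equation: union over the node and its ancestors, after
    each node's propositions have withdrawn what they forbid."""
    maximal = set(node.permissions)
    for parent in node.parents:
        maximal |= derive_maximal(parent, desc, state)
    for proposition, withdrawn in node.restrictions:
        if proposition(desc, state):
            maximal -= withdrawn
    return frozenset(maximal)


def select_granted(maximal: Permissions, requested: Permissions) -> Permissions:
    """Step h: a principal can only delegate permissions inside its maximal set;
    anything requested beyond that is dropped rather than granted."""
    return maximal & requested


def derive_permissions(
    delegations: List[Tuple[PolicyNode, Permissions]],
    desc: ContentDescription,
    state: dict,
    runtime_restrictions: List[Restriction],
) -> Tuple[Permissions, Permissions]:
    """Steps i and j: combine per-principal maximal sets into the content's maximal
    permissions, and per-principal grants into its current permissions.
    Assumed combining equation: set union. Runtime propositions then withdraw
    permissions from the current set, which is kept a subset of the maximal set."""
    maximal: set = set()
    current: set = set()
    for node, requested in delegations:
        node_max = derive_maximal(node, desc, state)
        maximal |= node_max
        current |= select_granted(node_max, requested)
    for proposition, withdrawn in runtime_restrictions:
        if proposition(desc, state):
            current -= withdrawn
    current &= maximal  # invariant required by step j: current is a subset of maximal
    return frozenset(maximal), frozenset(current)


def build_sample() -> Tuple[Permissions, Permissions]:
    """Constructed sample graph: an organisation node with an admin and a user under it."""
    org = PolicyNode(
        "org",
        frozenset({"fs.read", "fs.write", "net.connect"}),
        # Proposition: content fetched from the internet may never get write access.
        restrictions=[(lambda d, s: d.origin == "internet", frozenset({"fs.write"}))],
    )
    admin = PolicyNode(
        "admin",
        frozenset({"proc.spawn"}),
        # Proposition: unsigned content loses process and network rights from this principal.
        restrictions=[(lambda d, s: not d.signed, frozenset({"proc.spawn", "net.connect"}))],
        parents=[org],
    )
    user = PolicyNode("user", frozenset({"ui.show"}), parents=[org])

    desc = ContentDescription(publisher="ExampleCorp", signed=True, origin="internet")
    state = {"network_offline": True}  # constructed runtime state on the downloader's system
    delegations = [
        (admin, frozenset({"proc.spawn", "fs.write"})),  # fs.write exceeds admin's maximal set
        (user, frozenset({"fs.read", "ui.show", "net.connect"})),
    ]
    # Runtime proposition applied at combination time (step j).
    runtime = [(lambda d, s: s.get("network_offline", False), frozenset({"net.connect"}))]
    return derive_permissions(delegations, desc, state, runtime)


if __name__ == "__main__":
    maximal, current = build_sample()
    print("maximal:", sorted(maximal))
    print("current:", sorted(current))
```

In the sample, the admin's attempt to delegate `fs.write` is refused because the org-level proposition withdrew it from every descendant's maximal set for internet-origin content, and `net.connect` is withdrawn from the current set by the runtime proposition even though two principals delegated it. Both behaviours follow from the claim's structure: grants are always selected from within a maximal set, and the current set is always a subset of the combined maximal set.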
226 Citations
44 Claims
Dependent claims 2 through 44 refer back to claim 1.
Specification