Extensible security system and method for controlling access to objects in a computing environment

US 6,412,070 B1
Filed: 09/21/1998
Issued: 06/25/2002
Est. Priority Date: 09/21/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computer-readable medium having stored thereon a control access data structure for defining an access right to an operation of one or more objects within a computing environment, the control access data structure comprising:

an identification field for storing a unique identifier of the control access data structure;

one or more object identification fields for associating the control access data structure with the one or more objects of the computing environment; and

wherein the control access data structure corresponds to an access control entry of the one or more objects, and wherein the access control entry associates the access right with a trusted user of the computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

Citations

46 Claims

1. A computer-readable medium having stored thereon a control access data structure for defining an access right to an operation of one or more objects within a computing environment, the control access data structure comprising:
- an identification field for storing a unique identifier of the control access data structure;
  
  one or more object identification fields for associating the control access data structure with the one or more objects of the computing environment; and
  
  wherein the control access data structure corresponds to an access control entry of the one or more objects, and wherein the access control entry associates the access right with a trusted user of the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable medium of claim 1, wherein an individual object identification field of the control access data structure stores a unique identifier of an associated object.
  - 3. The computer-readable medium of claim 1 having further stored thereon one or more access control entries (ACE'"'"'s), wherein each ACE includes a rights field for associating the control access data structure with one of the one or more objects.
  - 4. The computer-readable medium of claim 3, wherein the rights field of each ACE stores the unique identifier of the control access data structure.
  - 5. The computer-readable medium of claim 3, wherein each ACE further includes a trusted user field for associating an ACE with the trusted user of the computing environment.
  - 6. The computer-readable medium of claim 5, wherein the trusted user field of each ACE stores a unique identifier of the trusted user.

7. A computing system comprising:
- an operating system configured to execute on the computing system, the operating system having a set of predefined permissions for performing corresponding operations on objects within the computing system;
  
  an administrative tool configured to execute on the computing system and direct the operating system to;
  
  generate a control access right that defines a permission to perform a desired operation on an individual object within the computing system; and
  
  associate the control access right with an access control entry corresponding to the individual object within the computing system.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computing system of claim 7, further comprising a control access data structure that defines the control access right.
  - 9. The computing system of claim 8, wherein the administrative tool is further configured to direct the operating system to associate the control access data structure with a user in order to grant the user the right to perform the desired operation on the individual object.
  - 10. The computing system of claim 7, wherein the operating system is further configured to associate the control access data structure with the user by storing a unique identifier of the user within the access control entry that is associated with the access control list of the individual object.
  - 11. The computing system of claim 8, wherein the operating system is further configured to authorize a user request to perform the desired operation on the individual object as a function of the control access data structure.
  - 12. The computing system of claim 8, wherein the operating system is further configured to define the control access data structure, and maintain a unique identifier of the individual object within the control access data structure.
  - 13. The computing system of claim 12, wherein the operating system is further configured to associate the control access data structure with the individual object by maintaining a unique identifier of the control access data structure within a field of the access control entry, and by associating the access control entry with an access control list stored in the individual object.

14. A computer program for controlling user requested operations on an object in a computing environment having a set of predefined access rights, the computer program being stored on a machine readable medium and comprising:
- means for defining an access right component that defines a permission corresponding to a desired operation of the object;
  
  means for associating the access right component with the object;
  
  means for associating the access right component with an access control entry corresponding to the object; and
  
  means for associating the access right component with a user in order to grant the desired operation.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer program of claim 14, further comprising an administrative tool for controlling the defining means.
  - 16. The computer program of claim 14, further comprising an interface for allowing a user application to programmatically control the defining means.
  - 17. The computer program of claim 14, wherein the means for associating the access right component with the object includes means for storing a unique identifier of the object within a field of a control access data structure created by the defining means.
  - 18. The computer program of claim 14, wherein the means for associating the access right component with the user includes:

19. A method comprising:
- creating an access control entry as a component of an access control list that is associated with at least one object in a computing environment, the access control entry identifying a security principal;
  
  defining an extensible access right component that defines access to one or more operations of the at least one object;
  
  associating the extensible access right component with the access control entry such that the security principal is authorized to access the one or more operations of the at least one object.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. A method as recited in claim 19, wherein defining includes creating the extensible access right component as a component of the access control entry.
  - 21. A method as recited in claim 19, wherein defining the extensible access right component includes defining access to a property of the at least one object.
  - 22. A method as recited in claim 19, wherein defining the extensible access right component includes defining access to a method exposed by the at least one object.
  - 23. A method as recited in claim 19, wherein defining the extensible access right component includes defining access to a property of the at least one object, and wherein associating includes associating the extensible access right component with the security principal such that the security principal is authorized to access the property of the at least one object.
  - 24. A method as recited in claim 19, wherein defining the extensible access right component includes defining access to a method exposed by the at least one object, and wherein associating includes associating the extensible access right component with the security principal such that the security principal is authorized to initiate the method.
  - 25. A method as recited in claim 19, wherein defining includes an application executing in the computing environment defining the extensible access right component.
  - 26. A method as recited in claim 19, wherein defining includes an application executing in the computing environment defining the extensible access right component as a component of the access control entry.
  - 27. A method as recited in claim 19, wherein defining includes creating a control access data structure, and wherein associating includes maintaining a unique identifier of the at least one object with the control access data structure.
  - 28. A method as recited in claim 19, wherein associating includes the access control entry maintaining a unique identifier of the extensible access right component.
  - 29. A method as recited in claim 19, wherein associating includes the access control entry maintaining a unique identifier of a control access data structure that represents the extensible access right component.
  - 30. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to perform the method of claim 19.

31. One or more computer-readable media maintaining an extensible control access right comprising:
- a control access data structure that includes;
  
  an identification field to maintain a unique identifier of the control access data structure;
  
  an object identification field to maintain a unique identifier of an object within a computing environment, the object identification field configured to associate the control access data structure with the object; and
  
  wherein the control access data structure defines access by an authorized security principal to one or more operations of the object.
- View Dependent Claims (32, 33, 34, 35)
- - 32. One or more computer-readable media as recited in claim 31, wherein the control access data structure further includes at least one other object identification field to maintain a second unique identifier of at least one other object within the computing environment, the one other object identification field configured to associate the control access data structure with the one other object.
  - 33. One or more computer-readable media as recited in claim 31, the extensible control access right further comprising an access control entry that is associated with the object, the access control entry configured to maintain the unique identifier of the control access data structure to associate the control access data structure with the object.
  - 34. One or more computer-readable media as recited in claim 31, the extensible control access right further comprising an access control entry that is associated with the object, the access control entry configured to:
35. One or more computer-readable media as recited in claim 31, the extensible control access right further comprising an access control entry that is associated with the object, the access control entry configured to maintain:
- a unique identifier of the control access data structure to associate the control access data structure with the object; and
  
  a unique identifier of the authorized security principal to associate the authorized security principal with the object and with the control access data structure.

36. A computing system comprising:
- an operating system to manage one or more objects within the computing system, an individual object having an access control list of predefined operating system permissions to perform corresponding operations on the individual object;
  
  an access control entry to identify a security principal, the access control entry associated with the individual object as a component of the access control list;
  
  an extensible access right to define access to one or more operations of the individual object, the extensible access right associated with the access control entry such that the security principal is authorized to access the one or more operations of the individual object.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 37. A computing system as recited in claim 36, further comprising an application to generate a control access data structure that defines the extensible access right.
  - 38. A computing system as recited in claim 36, further comprising a control access data structure that defines the extensible access right, the control access data structure configured to maintain a unique identifier of the individual object.
  - 39. A computing system as recited in claim 36, further comprising a control access data structure that defines the extensible access right, the control access data structure configured to maintain a unique identifier of the individual object, and wherein the access control entry is configured to maintain a unique identifier of the control access data structure to associate the control access data structure with the individual object and with the security principal.
  - 40. A computing system as recited in claim 36, wherein the access control entry is configured to maintain a unique identifier of the security principal to associate the security principal with the individual object.
  - 41. A computing system as recited in claim 36, wherein the extensible access right further defines access to a property of the individual object.
  - 42. A computing system as recited in claim 36, wherein the extensible access right further defines access to a method exposed by the individual object.
  - 43. A computing system as recited in claim 36, wherein the extensible access right further defines access to a property of the individual object, the extensible access right associated with the access control entry such that the security principal is authorized to access the property of the individual object.
  - 44. A computing system as recited in claim 36, wherein the extensible access right further defines access to a method exposed by the individual object, the extensible access right associated with the access control entry such that the security principal is authorized to initiate the method.
  - 45. A computing system as recited in claim 36, further comprising a control access data structure that defines the extensible access right, and wherein the extensible access right can be redefined with a change of values maintained by the control access data structure.
  - 46. A computing system as recited in claim 36, further comprising a control access data structure that defines the extensible access right, and wherein the extensible access right can be redefined without a change to the access control entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, Ward, Richard B., Brundrett, Peter T., Van Dyke, Clifford P., Swift, Michael M.
Primary Examiner(s)
HUA, LY

Application Number

US09/157,882
Time in Patent Office

1,373 Days
Field of Search

713/200, 713/201, 713/182, 713/167, 713/150, 713/168, 713/164, 709/225, 709/229, 707/9, 707/10, 707/1, 707/103, 707/104
US Class Current

726/17
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

Y10S 707/99939   Privileged access

Extensible security system and method for controlling access to objects in a computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible security system and method for controlling access to objects in a computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links