Composable roles

US 6,574,736 B1
Filed: 11/30/1998
Issued: 06/03/2003
Est. Priority Date: 11/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method of defining security for an application set comprising at least one application, the method comprising:

at development of an application in the application set, defining a plurality of roles for the application to specify access privileges to processing services provided by the application;

at deployment of the application, binding one of the roles to a composite role;

at deployment of the application, binding the composite role to at least one user identity; and

at runtime of the application, granting a user identity access to a processing service provided by the application if a role having access privileges to the processing service is bound to a composite role bound to the user identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application developer grants access privileges to application processing services in an object-based application by defining logical classes of users called roles. When the application is deployed on a host computer system, an administrator populates the roles with users and groups recognized by the host computer system. At runtime, a user is not permitted access to a processing service unless the user is a member of a permitted role for the processing service. To ease administration, two or more roles can be composed. In one implementation, roles are associated with a separate composite role. The administrator can then populate the composite role instead of individually populating each of the roles associated with the composite role. In another implementation, the administrator can specify that a role follows another role; user identities in the followed role are automatically considered members of the following role. Additional features include an installation utility to help compose roles when installing an application on the host computer system. An exemplary security framework for implementing composable roles relieves application developers from including security logic in application components.

Citations

27 Claims

1. A computer-implemented method of defining security for an application set comprising at least one application, the method comprising:
- at development of an application in the application set, defining a plurality of roles for the application to specify access privileges to processing services provided by the application;
  
  at deployment of the application, binding one of the roles to a composite role;
  
  at deployment of the application, binding the composite role to at least one user identity; and
  
  at runtime of the application, granting a user identity access to a processing service provided by the application if a role having access privileges to the processing service is bound to a composite role bound to the user identity.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the processing services provided by the application comprise an object, an interface, and a method.
  - 3. A computer-readable medium having computer-executable instructions for performing the steps of claim 1.
  - 4. The method of claim 1 wherein a role defined for a first application and a role defined for a second application are bound to the composite role.
  - 5. The method of claim 1 wherein a plurality of roles are bound to the composite role, the method further comprising:

6. A computer-implemented method of providing runtime security to an object application set comprising at least two applications, wherein processing services are provided by the applications in the application set, the method comprising:
- at development of applications in the application set, performing the steps of;
  
  (a) defining a plurality of roles for the application; and
  
  (b) declaring access privileges of the roles to the processing services of the application; and
  
  at deployment of the applications in the application set on a computer system having a security configuration comprising a plurality of identities associated with users, performing the steps of;
  
  (a) binding at least one of the roles to at least one composite role; and
  
  (b) binding the composite role to at least one of the identities.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. A computer-readable medium having computer-executable instructions for performing the steps of claim 6.
  - 8. The method of claim 6 further comprising:
9. The method of claim 6 wherein at least one composite role is also an application role defined at development of an application.
10. The method of claim 6 wherein at least one composite role is bound to a plurality of application roles, wherein a first application role of the application roles is an application role defined at development time of a first application, and a second application of the application roles is an application role defined at development time of a second application different from the first.
11. The method of claim 6 wherein a first application is installed on a host computer, the method further comprising:
- at deployment of a second application on the host computer, automatically selecting a new role from the second application; and
  
  binding the new role to a composite role having members identical to those bound to a role in the first application.
12. The method of claim 11 wherein the selecting step is performed by an installation utility and the role in the first application is selected by a user from a list of roles in the first application presented by the installation utility.

13. In a computer system having a security configuration comprising a plurality of identities associated with users, a computer-implemented method of enforcing security for a first application and a second application, wherein the first application provides a first group of processing services and the second application provides a second group of processing services, wherein access privileges to the first group of processing services is limited to a first set of roles declared at development time of the first application and access privileges to the second group of processing services is limited to a second set of roles declared at development time of the second application, the method comprising:
- defining at least one composite role;
  
  populating the composite role with a set of user identities;
  
  mapping at least a first role from the first set of roles and a second role from the second set of roles to the composite role;
  
  at runtime, determining whether an identity is a member of a role mapped to the composite role by comparing the identity to the set of user identities populating the composite role; and
  
  denying access to a processing service if the processing service is requested by a user identity not a member of a role having access privileges to the processing service.
- View Dependent Claims (14)
- - 14. A computer-readable medium having computer-executable instructions for performing the steps of claim 13.

15. A computer-implemented method of installing a package having a first set of roles defined for a first application on a computer system having installed thereon a second application, wherein a second set of roles for the second application is defined in a catalog on the computer system, the method comprising:
- importing the roles defined for the first application from the package into the catalog;
  
  composing the first and second applications by binding in the catalog a first role defined for the first application to a second role defined for the second application.
- View Dependent Claims (16, 17)
- - 16. A computer-readable medium having computer-executable instructions for performing the steps of claim 15.
  - 17. The method of claim 15 further comprising:

18. A security administration utility for managing membership of roles defined for a plurality of applications installed on a host computer system, the administration utility comprising:
- code for presenting a graphical user interface for selecting one of the roles and populating the selected role to add identities to the selected role'"'"'s membership;
  
  code for composing a first one of the roles and a second one of the roles having a membership by binding the first role to the membership of the second role; and
  
  code for writing the role'"'"'s bindings to a central store on the host computer system.
- View Dependent Claims (19, 20)
- - 19. The security administration utility of claim 18 wherein the code for composing composes two roles by binding a role identifier for the first role to a role identifier for the second role.
  - 20. The security administration utility of claim 18 wherein the code for composing composes two roles by binding a role identifier for the first role and a role identifier for the second role to a role identifier for a composite role.

21. A security service for monitoring calls to a plurality of secured objects to limit access to the secured objects to specified sets of user identities, the service comprising:
- a central store of security settings comprising;
  
  (a) entries binding roles to identities, wherein at least two roles are transitively bound to a same set of identities by being bound to a composite role bound to the set of identities; and
  
  (b) entries indicating which roles have access privileges to the secured objects;
  
  a role membership manager operative to add an additional identity to the composite role by binding the composite role to the additional identity; and
  
  a runtime service operative to monitor a call to one of the secured objects, the runtime service further operative to determine a caller identity associated with the call and allow the call only if the central store indicates the caller identity is bound to a role having access privileges to the secured object, wherein transitively bound identities are considered bound identities.
- View Dependent Claims (22, 23, 24)
- - 22. The security service of claim 21 wherein access to a first one of a secured object'"'"'s methods is limited to a different role than a second one of the secured object'"'"'s methods.
  - 23. The security service of claim 21 further comprising:
24. The method of claim 23 wherein the runtime service is implemented in a wrapper interposed before the called secured object.

25. A computer-readable medium having stored thereon a data structure for limiting access to processing services provided by a plurality of object-based applications having roles for defining access to the processing services by mapping processing services to user identifiers, the data structure comprising:
- for each application, a set of processing service entries binding a processing service with a role permitted to access the processing service;
  
  at least one composite role entry binding a first role defined for a first application with a second role defined for a second application; and
  
  for each composite role entry, a set of user identifiers bound to the composite role entry;
  
  wherein the data structure maps a particular processing service to a particular user identifier if the particular processing service is bound to a particular role, the particular role is bound to a particular composite role, and the particular role is bound to the particular user identifier.
- View Dependent Claims (26, 27)
- - 26. The computer-readable medium of claim 25 wherein the processing services are object methods.
  - 27. The computer-readable medium of claim 25 wherein bindings for each composite role entry are specified using a graphical user interface depicting the composite role as an icon.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Andrews, Anthony D.
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/201,061
Time in Patent Office

1,646 Days
Field of Search

713/201, 713/200, 709/332, 709/331, 709/227, 707/100
US Class Current

726/21
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 9/468   Specific access rights for ...

Composable roles

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Composable roles

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links