Methods and systems for synchronizing security descriptors in systems that use multiple security descriptor specifications

US 6,895,512 B1
Filed: 06/30/2000
Issued: 05/17/2005
Est. Priority Date: 06/30/2000
Status: Active Grant

First Claim

Patent Images

1. In a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the method comprising the following:

a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;

a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;

an act of changing the second security descriptor to reflect at least one security permission change as represented in the converted version of the first security descriptor so that any changes to the second security descriptor are non-degenerative and reversible;

an act of undoing the at least one security permission change in the second security descriptor;

a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;

a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and

an act of changing the first security descriptor to reflect the undone permission change as represented in the converted version of the second security descriptor so that any change to the first security descriptor is non-degenerative and reversible.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for replicating security descriptors that describe security rights to the same object even though those security descriptors may follow different security descriptor specifications. As an example, the replication may occur between a first security descriptor that follows a first security descriptor specification and a second security descriptor that follows a second security descriptor specification. In order to replicate changes to the first security descriptor with the second security descriptor, the first security descriptor is converted into a version of the first security descriptor that follows the second security descriptor specification. This version is then compared to the second security descriptor. Any detected changes are then made to the second security descriptor. The conversion may be accomplished using mapping rules that map sets of one or more rights of the first security descriptor specification to sets of one or more rights of the second security descriptor specification.

36 Citations

View as Search Results

25 Claims

1. In a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the method comprising the following:
- a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
  
  a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
  
  an act of changing the second security descriptor to reflect at least one security permission change as represented in the converted version of the first security descriptor so that any changes to the second security descriptor are non-degenerative and reversible;
  
  an act of undoing the at least one security permission change in the second security descriptor;
  
  a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
  
  a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
  
  an act of changing the first security descriptor to reflect the undone permission change as represented in the converted version of the second security descriptor so that any change to the first security descriptor is non-degenerative and reversible.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method in accordance with claim 1, wherein the first security descriptor specification is the 4.0 specification.
  - 3. A method in accordance with claim 2, wherein the second security descriptor specification is the Active Directory specification.
  - 4. A method in accordance with claim 1, wherein the first security descriptor specification is the Active Directory specification.
  - 5. A method in accordance with claim 4, wherein the second security descriptor specification is the 4.0 specification.
  - 6. A method in accordance with claim 1, wherein the step for converting the first security descriptor that follows the first security descriptor specification into a version of the first security descriptor that follows the second security descriptor specification comprises the following:
    - an act of consulting mapping rules that define mappings of rights of the first security descriptor specification to rights of the second security descriptor specification;
      
      for each right for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification; and
      
      an act of assembling each corresponding right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification.
  - 7. A method in accordance with claim 1, wherein the step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor that also follows the second security descriptor specification comprises the following:
    - for each right for which there is a corresponding mapping rule, an act of comparing the right in the version of the first security descriptor that follows the second security descriptor specification to the right in the second security descriptor; and
      
      based on the act of comparing, an act of detecting changes in the first security descriptor that are not reflected in the second security descriptor.

8. In a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the method comprising the following:
- an act of consulting mapping rules that define mappings of rights between the first security descriptor specification and the second security descriptor specification;
  
  for each right of the first security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification;
  
  an act of assembling each converted right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification;
  
  an act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification to the corresponding right in the second security descriptor;
  
  based on the act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification, an act of detecting one or more changes in the converted first security descriptor that are not reflected in the second security descriptor;
  
  an act of changing the second security descriptor to reflect the detected one or more changes in the first security descriptor so that changes to the second security descriptor are non-degenerative and reversible;
  
  an act of changing one or more rights in the second security descriptor;
  
  for each right of the second security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the second security descriptor specification to a corresponding right that follows the first security descriptor specification;
  
  an act of assembling each converted right that follows the first security descriptor specification to form a version of the second security descriptor that follows the first security descriptor specification;
  
  an act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification to the corresponding right in the first security descriptor;
  
  based on the act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification, an act of detecting one or more changes in the converted second security descriptor that are not reflected in the first security descriptor; and
  
  an act of changing the first security descriptor to reflect the detected one or more changes in the second security descriptor so that changes to the first security descriptor are non-degenerative and reversible.
- View Dependent Claims (9, 10, 11, 12)
- - 9. A method in accordance with claim 8, wherein the first security descriptor specification is the 4.0 specification.
  - 10. A method in accordance with claim 9, wherein the second security descriptor specification is the Active Directory specification.
  - 11. A method in accordance with claim 8, wherein the first security descriptor specification is the Active Directory specification.
  - 12. A method in accordance with claim 11, wherein the second security descriptor specification is the 4.0 specification.

13. A computer program product for use in a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, the computer program product for implementing a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
- a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
  
  a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
  
  an act of changing the second security descriptor to reflect at least one security permission change as represented in the converted version of the first security descriptor so that change to the second security descriptor is non-degenerative and reversible;
  
  an act of changing the second security descriptor;
  
  a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
  
  a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
  
  an act of changing the first security descriptor to reflect the change to the second security descriptor so that change to the first security descriptor is non-degenerative and reversible.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. A computer program product in accordance with claim 13, wherein the first security descriptor specification is the 4.0 specification.
  - 15. A computer program product in accordance with claim 14, wherein the second security descriptor specification is the Active Directory specification.
  - 16. A computer program product in accordance with claim 14, wherein the first security descriptor specification is the Active Directory specification.
  - 17. A computer program product in accordance with claim 16, wherein the second security descriptor specification is the 4.0 specification.
  - 18. A computer program product in accordance with claim 13, wherein the computer-executable instructions for performing the step for converting the first security descriptor that follows the first security descriptor specification into a version of the first security descriptor that follows the second security descriptor specification comprise computer-executable instructions for performing the following:
    - an act of consulting mapping rules that define mappings of rights of the first security descriptor specification to rights of the second security descriptor specification;
      
      for each right for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification; and
      
      an act of assembling each corresponding right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification.
  - 19. A computer program product in accordance with claim 13, wherein the computer-executable instructions for performing the step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor that also follows the second security descriptor specification comprise computer-executable instructions for performing the following:
    - for each right for which there is a corresponding mapping rule, an act of comparing the right in the version of the first security descriptor that follows the second security descriptor specification to the right in the second security descriptor; and
      
      based on the act of comparing, an act of detecting changes in the first security descriptor that are not reflected in the second security descriptor.

20. A computer program product for use in a security heterogenic computer network supporting different security descriptor specifications, the computer network having one or more devices that use a first security descriptor that follows a first security descriptor specification to describe security permissions related to a particular object, the computer network also having one or more devices that use a second security descriptor that follows a second security descriptor specification to describe security permissions related to that same particular object, a computer program product for implementing a method of replicating in a non-degenerative fashion the first security descriptor with the second security descriptor specification, the method facilitating the synchronization of the first and second security descriptor specifications so that both security specifications may be used in the computer network, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
- an act of consulting mapping rules that define mappings of rights between the first security descriptor specification and the second security descriptor specification;
  
  for each right of the first security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the first security descriptor specification to a corresponding right that follows the second security descriptor specification;
  
  an act of assembling each converted right that follows the second security descriptor specification to form a version of the first security descriptor that follows the second security descriptor specification;
  
  an act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification to the corresponding right in the second security descriptor;
  
  based on the act of comparing each converted right in the version of the first security descriptor that follows the second security descriptor specification, an act of detecting one or more changes in the converted first security descriptor that are not reflected in the second security descriptor;
  
  an act of changing the second security descriptor to reflect the detected one or more changes in the first security descriptor so that any changes to the second security descriptor are non-degenerative and reversible;
  
  an act of undoing the change to the second security descriptor;
  
  for each right of the second security descriptor specification for which there is a corresponding mapping rule, converting the right that follows the second security descriptor specification to a corresponding right that follows the first security descriptor specification;
  
  an act of assembling each converted right that follows the first security descriptor specification to form a version of the second security descriptor that follows the first security descriptor specification;
  
  an act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification to the corresponding right in the first security descriptor;
  
  based on the act of comparing each converted right in the version of the second security descriptor that follows the first security descriptor specification, an act of detecting one or more changes in the converted second security descriptor that are not reflected in the first security descriptor; and
  
  an act of changing the first security descriptor to reflect the detected one or more changes in the second security descriptor so that any changes to the first security descriptor are non-degenerative and reversible.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A computer program product in accordance with claim 20, wherein the first security descriptor specification is the 4.0 specification.
  - 22. A computer program product in accordance with claim 21, wherein the second security descriptor specification is the Active Directory specification.
  - 23. A computer program product in accordance with claim 20, wherein the first security descriptor specification is the Active Directory specification.
  - 24. A computer program product in accordance with claim 23, wherein the second security descriptor specification is the 4.0 specification.

25. A computer system comprising the following:
- a processing device; and
  
  a combination of one or more computer-readable media which in combination have stored thereon the following;
  
  a first data structure that represents a first security descriptor that follows a first security descriptor specification and that represents an object;
  
  a second data structure that represents a second security descriptor that follows a second security descriptor specification and that also represents the object;
  
  a third data structure that represent mapping rules that correlate sets of one or more rights of the first security descriptor specification which sets of one or more rights of the second security descriptor specification; and
  
  computer-executable instruction that, when executed by the processor, perform the following;
  
  a step for converting the first security descriptor into a version of the first security descriptor that follows the second security descriptor specification;
  
  a step for comparing the converted version of the first security descriptor that follows the second security descriptor specification with the second security descriptor;
  
  an act of changing the second security descriptor to reflect at least one change as represented in the converted version of the first security descriptor so that change to the second security descriptor is non-degenerative and reversible;
  
  an act of changing the second security descriptor;
  
  a step for converting the second security descriptor into a version of the second security descriptor that follows the first security descriptor specification;
  
  a step for comparing the converted version of the second security descriptor that follows the first security descriptor specification with the first security descriptor; and
  
  an act of changing the first security descriptor to reflect the change to the second security descriptor so that change to the first security descriptor is non-degenerative and reversible.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Calbucci, Marcelo A. F.
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
Colin, Carl G.

Application Number

US09/609,197
Time in Patent Office

1,782 Days
Field of Search

713/201, 709/246, 709/249, 707/103, 707/201
US Class Current

726/3
CPC Class Codes

H04L 63/101   Access control lists [ACL]

Y10S 707/99943   Generating database or data...

Y10S 707/99952   Coherency, e.g. same view t...

Methods and systems for synchronizing security descriptors in systems that use multiple security descriptor specifications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for synchronizing security descriptors in systems that use multiple security descriptor specifications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others