Systems and methods for integrating access control with a namespace

US 7,065,784 B2
Filed: 02/13/2004
Issued: 06/20/2006
Est. Priority Date: 07/26/1999
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a method for enforcing access control to a resource of a computer system at the security system as opposed to enforcing access control at the server, the method comprising the steps of:

the server processing a logon request from a remote user;

the server producing a security context of the remote user based on the logon request;

assigning the security context of the remote user to the server, wherein assigning the security context of the remote user to the server includes changing a previous security context of the server and by replacing the previous security context of the server with the security context of the remote user; and

the server accessing the resource on behalf of the remote user with the assigned security context of the remote user, which replaced the previous security context of the server, so that the security system can enforce access control against the remote security context, thereby relieving the server from enforcing access control against the remote user if the server instead were to access the resource with the server'"'"'s security context.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and systems for integrating the access controls of computer resources into a namespace or domain. For a remote user, a computer network or system is a namespace represented by a URL. In order to enforce the access controls of the computer network being accesses, a remote user is impersonated by a server of the computer system such that access requests to the resources of a system are made by the server in the security context of the remote user. By impersonating the remote user, the actual rights of the remote user are being presented to the access controls rather than the rights of the server. In this manner, the access control of the system can be enforced directly on the remote user and the access control is effectively extended to the namespace.

82 Citations

View as Search Results

20 Claims

1. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a method for enforcing access control to a resource of a computer system at the security system as opposed to enforcing access control at the server, the method comprising the steps of:
- the server processing a logon request from a remote user;
  
  the server producing a security context of the remote user based on the logon request;
  
  assigning the security context of the remote user to the server, wherein assigning the security context of the remote user to the server includes changing a previous security context of the server and by replacing the previous security context of the server with the security context of the remote user; and
  
  the server accessing the resource on behalf of the remote user with the assigned security context of the remote user, which replaced the previous security context of the server, so that the security system can enforce access control against the remote security context, thereby relieving the server from enforcing access control against the remote user if the server instead were to access the resource with the server'"'"'s security context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 20)
- - 2. A method as defined in claim 1, wherein the step of processing a logon request further comprises the step of receiving a user name and a user password from the remote user.
  - 3. A method as defined in claim 1, wherein the step of processing a logon request further comprises the step of authenticating the identity of the remote user.
  - 4. A method as defined in claim 1, wherein the step of assigning to the server the security context of the remote user further comprises the step of receiving the security context of the remote user from the system.
  - 5. A method as defined in claim 1, wherein the security context of the remote user is stored by the system.
  - 6. A method as defined in claim 1, wherein the step of accessing the resource further comprises evaluating the security context of the remote user that is assigned to the server with the security system.
  - 7. A method as defined in claim 1, further comprising a step of the security system enforcing the access control by determining rights of the server to the resource based on the security context of the remote user.
  - 8. A method as defined in claim 1, wherein the security context is a security ID.
  - 20. A method as recited in claim 1, wherein the method further includes the server impersonating the remote user at different security levels, and by changing a security context assigned to the server to various different security contexts, based on different tasks.

9. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a method of enforcing access control, by the security system, on a remote user accessing a resource, as opposed to enforcing access control at the server, the method comprising the steps of:
- the server receiving from the remote user a request to access the resource;
  
  the server authenticating the identity of the remote user to produce a remote security context for the remote user;
  
  the server creating a process for executing the access request of the remote user, wherein the process initially has a security context of the server;
  
  changing the security context of the process to match the remote security context of the remote user;
  
  the server using the process with the remote security context to access the resource on behalf of the remote user; and
  
  the security system enforcing access control on the remote security context thereby relieving the server from having to enforce access control against the remote user, had the server instead accessed the resource with the server'"'"'s security context.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A method as defined in claim 9, wherein the remote security context comprises a security ID of the remote user.
  - 11. A method as defined in claim 9, wherein the step of changing the security context of the process further comprises the step of assigning a level of impersonation.
  - 12. A method as defined in claim 11, wherein the level of impersonation indicates the use of the remote security context by the server.
  - 13. A method as defined in claim 9, wherein the step of enforcing access control further comprises the steps of evaluating, by the security system, rights to the resource which are granted by the remote security context.
  - 14. A method as defined in claim 9, wherein the step of enforcing access control further comprises the step of restricting access to the resources by the server to rights of the remote user.

15. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a computer program product for a method of enforcing access controls at the security system against remote users as opposed to enforcing access controls against remote users at the server, the computer program product comprising:
- a computer-readable medium carrying computer-executable instructions for implementing the method wherein the computer-executable instructions comprise;
  
  program code means for receiving from a remote user a request to access a resource;
  
  program code means for authenticating the identity of the remote user at the server to produce a remote security context of the remote user;
  
  program code means for altering and replacing a previous security context of the server to match the remote security context for the remote user to allow the server to perform the access request on behalf of the remote user with the remote security context of the remote user; and
  
  program code means for accessing the resource with the server using the remote security context of the remote user, which was used to alter and replace the previous security context, so tat the security system can enforce access control against the remote security context in order to relieve the server from enforcing access control against the remote user if the server instead had accessed the resource with the server'"'"'s security context.
- View Dependent Claims (16)
- - 16. A computer program product as in claim 15, wherein the computer executable instructions further comprise program code means for evaluating rights of the remote user granted by the access controls.

17. In a computer system comprising a server that provides remote access to one or more resources and a security system for controlling access to the one or more resources, a computer program product for a method of enforcing access controls on a remote user of the computer system at the server system as opposed to enforcing access control against the remote user at the server, the computer program product comprising:
- a computer readable medium carrying computer-executable instructions for implementing the method wherein the computer executable instructions comprise;
  
  program code means for authenticating the identity of the remote user at a server;
  
  program code means for producing a remote security context for the remote user;
  
  program code means for changing a security context of the server to match the remote security context of the remote user for access requests of the remote user executed by the server; and
  
  program code means for executing access requests from the server with the remote security context of the remote user so that the security system enforces access control against the remote security context, thereby relieving the server from enforcing access control against the remote user if the server instead had accessed the resource with a security context of the server.
- View Dependent Claims (18, 19)
- - 18. A computer program product as in claim 17, wherein the computer executable instructions further comprise program code means for assigning a level of impersonation indicating the scope of use of the remote security context by the server.
  - 19. A computer program product as in claim 17, wherein the computer executable instructions further comprise program code means for evaluating, by the security system, the remote security context assigned to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Deen, Brian J., Hopmann, Alexander I., Van, Van C.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Baum, Ronald

Application Number

US10/779,221
Publication Number

US 20040162997A1
Time in Patent Office

858 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

Systems and methods for integrating access control with a namespace

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

82 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for integrating access control with a namespace

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others