System and methods for providing dynamic authorization in a computer system

US 7,434,257 B2
Filed: 05/04/2001
Issued: 10/07/2008
Est. Priority Date: 06/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:

initializing a client authorization context for the client using one or more client context initialization routines;

determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;

invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries;

identifying an access control entry as a callback access control entry; and

in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.

Citations

20 Claims

1. A method for dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:
- initializing a client authorization context for the client using one or more client context initialization routines;
  
  determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;
  
  invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries;
  
  identifying an access control entry as a callback access control entry; and
  
  in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein said first dynamic policy defines flexible rules for determining the client authorization context and wherein said second dynamic policy defines flexible rules for purposes of determining access privileges.
  - 3. A method according to claim 1, further comprising computing the client authorization context after a request for a resource is received from the client and updating said client authorization context according to said determining.
  - 4. A method according to claim 1, further comprising:
    - comparing the client authorization context of the client to at least one access control entry of an access control list.
  - 5. A method according to claim 1, further comprising registering with a resource manager, an application-defined routine for determining dynamic groups.
  - 6. A method according to claim 1, further comprising registering with a resource manager, an application-defined routine for determining dynamic access checks.
  - 7. A method according to claim 1, wherein said application-defined dynamic access check routine supplements a determination of access rights based upon static data and policy.

8. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to carry out a method for dynamically updating a client authorization context in a computer system having a client thereof requesting access to a resource from an application, the method comprising:
- computing a client authorization context after the request for the resource is received from the client;
  
  determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;
  
  invoking an access check routine to determine if the client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier in the client authorization context to the access check routine for comparison against access control entries;
  
  identifying an access control entry as a callback access control entry; and
  
  in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A computer readable storage medium according to claim 8, the method further comprising:
    - comparing the client authorization context to at least one access control entry of an access control list.
  - 10. A computer readable storage medium according to claim 8, the method further comprising registering with a resource manager, an application-defined routine for determining dynamic groups.
  - 11. A computer readable storage medium according to claim 8, the method further comprising registering with a resource manager, an application-defined routine for determining dynamic access checks.
  - 12. A computer readable storage medium according to claim 8, the method further comprising comparing data to a client authorization context determined based upon static data and policy before said step of determining based upon dynamic data whether the client authorization context is to be updated.
  - 13. A computer readable storage medium according to claim 8, wherein said application-defined dynamic access check routine supplements a determination of access rights based upon static data and policy.

14. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to perform a method of dynamically managing access to a resource in a computer system, the system having a client thereof requesting access to the resource from an application, the method comprising:
- computing a client authorization context after the access request for the resource is received from the client;
  
  determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;
  
  providing said dynamic data and the client authorization context to an access check routine;
  
  comparing the client authorization context to at least one access control entry of an access control list to determine if the client represented by the client authorization context is allowed access to the resource;
  
  identifying an access control entry having an identifier that matches an identifier in the client authorization context as a callback access control entry; and
  
  in response to identifying the access control entry as a callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application.
- View Dependent Claims (15, 16)
- - 15. A computer readable storage medium according to claim 14, wherein said access check routine is invoked automatically when there is a match between an identifier in the client authorization context and an identifier in the callback access control entry.
  - 16. A computer readable storage medium according to claim 14, wherein said application-defined dynamic access check routine supplements a determination of access rights based upon static data and policy.

17. For an application in a computer system having a resource manager that manages and controls access to a resource and a client thereof requesting access to a resource from an application, a computer readable storage medium having computer executable instructions stored thereon that when executed by the computer system causes the computer system to carry out a method for carrying out a dynamic authorization callback mechanism that provides extensible support for application-defined business rules via a set of APIs and DACLs including a dynamic groups routine and a dynamic access routine customized to the application, the method comprising:
- initializing a client authorization context for the client;
  
  carrying out said dynamic groups routine to update said client authorization context based upon dynamic data possessed by the application and a first dynamic policy tailored to said application through which the resource is accessed; and
  
  carrying out said dynamic access routine to determine if the client represented by the updated client authorization context is allowed access to the resource, said dynamic access routine using said dynamic data and a second dynamic policy in a callback access control entry when an identifier in the client authorization context matches an identifier in the callback access control entry, wherein said dynamic data includes run-time data managed by the application.
- View Dependent Claims (18)
- - 18. A computer readable storage medium according to claim 17, further comprising registering said dynamic groups routine and said dynamic access routine with the resource manager upon initializing the resource manager and storing said second dynamic policy in said callback access control entry.

19. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer causes the computer to provide dynamic authorization of an application in a computer system based upon application-specific or business rules that incorporate dynamic data, the dynamic data including an identifier for identifying whether a dynamic access check callback function should be invoked for conducting said dynamic authorization of said application, data from client operation parameters, authorization policy data stored in a callback access control entry, and any other authorization policy data managed, computed or retrieved by the application, the computer executing said computer executable instructions to perform the steps of:
- the application using an initialization routine to register with a resource manager dynamic group functions that enable the application to assign temporary group membership based upon said dynamic data to a client for the purpose of checking access rights to a resource protected by the resource manager and to register with said resource manager dynamic access check callback functions that enable the application to perform customized procedures for checking access rights to said resource based on said dynamic data;
  
  adding said dynamic access check callback functions to the resource manager'"'"'s registered callback list;
  
  when a user attempts to connect to the application to request the resource, automatically invoking a registered dynamic group function to augment said client authorization context with client contextual data computed using said dynamic data; and
  
  invoking a registered dynamic access check callback function to provide said customized procedures for checking access rights to the resource based on said dynamic data and said augmented client authorization context.
- View Dependent Claims (20)
- - 20. A computer readable storage medium according to claim 19, wherein a user'"'"'s security identifier is used for an access privilege check of said application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, Ward, Richard B., Reichel, Robert P., Hamblin, Jeffrey B., Dubhashi, Kedarnath A., Hopkins, Anne C.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Dinh; Minh

Application Number

US09/849,093
Publication Number

US 20020002577A1
Time in Patent Office

2,713 Days
Field of Search

713182-183, 713/185, 713/200, 709/225, 709/229, 707/9, 726/4, 726/17, 726/21
US Class Current

726/21
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/4488   Object-oriented

Y10S 707/99939   Privileged access

System and methods for providing dynamic authorization in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for providing dynamic authorization in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links