Integrated access authorization

US 7,506,364 B2
Filed: 10/01/2004
Issued: 03/17/2009
Est. Priority Date: 10/01/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-readable storage medium encoded with instructions that cause a computer to:

receive an authorization query regarding a request to access a resource;

identify a principal requesting to access the resource, wherein the principal is an application program;

perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and

responsive to determining to deny authorization to access the resource,identify a rule in the policy that caused the denial of authorization to access the resource; and

determine whether learning mode is enabled for the identified rule;

responsive to determining that learning mode is enabled for the identified rule,return an allow decision that would otherwise be denied, the allow decision granting authorization to access the resource, such that the effects of the principal accessing the resource may be evaluated; and

enter an entry into a report log, the entry recording an indication of the rule having the enabled learning mode,wherein the instructions are executed as an integral component of an operating system suitable for executing on the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log. The facility may additionally determine whether the authorization query is a request for authorization to perform an inherently dangerous operation, and record an indication of an authorization to perform the inherently dangerous operation in the audit log.

Citations

8 Claims

1. A computer-readable storage medium encoded with instructions that cause a computer to:
- receive an authorization query regarding a request to access a resource;
  
  identify a principal requesting to access the resource, wherein the principal is an application program;
  
  perform an access control check to determine whether to deny authorization to access the resource, the access control check being based on the principal and a policy applicable to the principal, wherein the policy is maintained as part of a centralized policy store and the policy comprises one or more rules; and
  
  responsive to determining to deny authorization to access the resource,identify a rule in the policy that caused the denial of authorization to access the resource; and
  
  determine whether learning mode is enabled for the identified rule;
  
  responsive to determining that learning mode is enabled for the identified rule,return an allow decision that would otherwise be denied, the allow decision granting authorization to access the resource, such that the effects of the principal accessing the resource may be evaluated; and
  
  enter an entry into a report log, the entry recording an indication of the rule having the enabled learning mode,wherein the instructions are executed as an integral component of an operating system suitable for executing on the computer.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-readable storage medium of claim 1 further comprising instructions that cause the computer to, responsive to determining that learning mode is not enabled for the identified rule, return a deny decision denying authorization to access the resource.
  - 3. The computer-readable storage medium of claim 1, wherein the entry identifies the principal.
  - 4. The computer-readable storage medium of claim 1 further comprising instructions that cause the computer to:
    - responsive to determining to allow authorization to access the resource, identify a rule in the policy that caused the allowance of authorization to access the resource and determine whether learning mode is enabled for the identified rule; and
      
      responsive to determining that learning mode is enabled for the identified rule, return an allow decision granting authorization to access the resource, and enter an entry into a report log, the entry recording an indication of the rule having the enabled learning mode.

5. A method in a computing system for fine-tuning a policy, the method comprising:
- receiving from an executing application program a request to access a resource of the computing system;
  
  providing a centralized policy store comprising a plurality of policies, each policy applicable to a different application program, at least one policy being applicable to the executing application program, the at least one policy comprising at least one rule having an indication of whether to activate learning mode for the ruleperforming an access control check to determine whether the executing application program is to be granted access to the resource as requested based on the at least one policy applicable to the executing application program, whereinif the at least one rule fails and causes a denial of authorization to access the resource and learning mode is activated;
  
  granting the executing application program authorization to access the resource; and
  
  recording the grant of the authorization and the failure of the at least one rule in a log;
  
  if the at least one rule fails and causes the denial of authorization to access the resource and learning mode is not activated;
  
  denying the executing application program authorization to access the resource;
  
  if the at least one rule allows authorization to access the resource and learning mode is activated;
  
  granting the executing application program authorization to access the resource; and
  
  recording the grant of the authorization and an indication of the at least one rule responsible for allowing authorization to access the resource in the log.
- View Dependent Claims (6)
- - 6. The method of claim 5 wherein the method is performed by an integral component of an operating system executing on the computing system.

7. A computing system for fine-tuning a policy comprising:
- processor;
  
  a centralized policy store having at least one policy, the policy comprising at least one rule having an indication of whether to activate learning mode for the rule;
  
  an authorization component operable to execute as a component of an operating system suitable for execution by a processor, the authorization component also operable to apply the rule to an authorization query to determine whether the rule fails and causes a denial of an authorization, the authorization component further operable to;
  
  responsive to determining that the rule fails, determine whether learning mode is activated for the failed rule;
  
  responsive to determining that learning mode is activated,grant the authorization that would otherwise be denied, such that the effects of granting authorization are assessable; and
  
  record the grant of the authorization and the failure of the rule in a log.
- View Dependent Claims (8)
- - 8. The computing system of claim 7 further comprising:
    - responsive to determining that the rule does not fail and learning mode is activated;
      
      grant the authorization;
      
      and record the grant of the authorization and an indication of the rule responsible for the grant of the authorization in the log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/957,509
Publication Number

US 20060075469A1
Time in Patent Office

1,628 Days
Field of Search

707/9, 713/168, 726/4
US Class Current

726/4
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

Integrated access authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated access authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links