Access authorization having a centralized policy
Abstract
A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.
26 Claims
1. A computer-readable storage medium encoded with instructions that cause a computer to:
provide a centralized policy store having policies for application programs, a policy for an application program specifying access rights of the application program to resources, wherein at least some application programs have different policies;
receive a first request to load an application program into memory of the computer;
responsive to receiving the first request, determining if there is a policy in the centralized policy store for the application program, when it is determined that there is no such policy, denying the first request to load the application program; and
when it is determined that there is such policy, loading the application program into memory of the computer;
subsequent to loading the application program, receiving a second request to access a resource of the computer, wherein the second request is received from a principal selected from the group consisting of the application program and a combination of a user identity and the application program; and
performing an access control check based on the policy for the application program to determine whether to allow the requested access to the requested resource, wherein the policy for the application program is composed of one or more rules, the one or more rules having at least one dependency on a dynamically configurable environment parameter.
(Dependent claims: 2)
3. One or more computer memories collectively containing a centralized policy data structure, the centralized policy data structure comprising policies specifying access rights for application programs to resources, at least one policy comprising at least one rule having at least one dependency on a dynamically configurable environment parameter, wherein at least some application programs have different policies,
such that the centralized policy data structure is used to determine whether to load an application program based on whether there is a policy for the application program, when it is determined that there is no such policy, the application program is not loaded; and
when it is determined that there is such policy, the application program is loaded, and the policy is used to determine whether access to a resource is authorized based on an identity of the application program and the rules in the policy that are applicable to the application program.
(Dependent claims: 4 to 12)
13. A computer-readable storage medium whose contents cause a computer to:
provide a centralized policy store comprising policies for application programs, wherein the policies specify access rights of at least one application program, and wherein at least some application programs have different policies;
receive a request to load an application program into memory;
responsive to receiving the request, determining whether there is a policy for the application program;
responsive to determining that there is such policy, loading the application program into memory; and
responsive to determining that there is no such policy, denying the request to load the application program.
(Dependent claims: 14 to 16)
17. A computer-readable storage medium whose contents cause a computer to:
provide a centralized policy store comprising policies for application programs, wherein at least some application programs have different policies;
receive a request to load an application program into memory;
determine whether there is a policy in the centralized policy store for the application, such that when it is determined that there is no such policy, denying the request to load the application program; and
when it is determined that there is such policy, determining whether the application program intends to access a predetermined resource; and
responsive to determining that the application program intends to access the predetermined resource, denying the request to load the application program, wherein the determination of the intent to access the predetermined resource is based upon an analysis of a policy for the application program.
18. A system for performing an access control check comprising:
a centralized policy store comprising policies specifying access rights for application programs, wherein at least some application programs have different policies;
a load component operable to receive a request to load an application program into memory and, in response to receiving a request, determine whether there is a policy in the centralized policy store for the application program, such that when it is determined that there is no such policy, the request to load the application program is denied, and when it is determined that there is such policy, loading the application program into memory;
an authorization query component operable to receive an authorization query regarding access to a resource;
a principal identification component operable to identify a principal requesting access to the resource, wherein the principal is a combination of the application program and a user; and
an access control check component operable to perform an access control check as a function of the principal, the policy in the centralized policy store for the application program, and the resource.
19. A method in a computing system for querying the security risk of an application program, the method comprising:
determining whether there is a policy applicable to an application program image;
responsive to determining that there is an applicable policy, processing the application program image; and
responsive to determining that an applicable policy does not exist, not processing the application program image.
(Dependent claims: 20 to 23)
24. A system for processing an application program based on the existence of an applicable policy, the system comprising:
a means for providing a centralized policy store comprising policies specifying access rights for application programs to resources, wherein at least some application programs have different policies;
a means for receiving a request to perform an operation on an application program image;
a means for determining whether a policy exists for the application program image; and
a means for performing the operation based on the determination of whether an applicable policy exists, wherein when an applicable policy does not exist, the received request is denied and the operation is not performed.
(Dependent claims: 25 and 26)
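The abstract and claims 1, 13, 17 and 18 describe one mechanism from two angles: a load gate (a program with no policy in the centralized store is never loaded; under claim 17 a program whose policy shows intent to reach a predetermined resource is refused before it runs) and a post-load access control check evaluated against the principal (the program alone, or the program combined with the user it runs for), the program's policy, and the requested resource, with rules that can depend on a dynamically configurable environment parameter. The following is an added illustration written for this page, not code from the patent or its assignee; the `Rule`/`Policy`/`PolicyStore` shapes, the `threat_level` environment parameter, the prefix-matching of resources, the deny-overrides evaluation order and the two sample policies are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional

@dataclass(frozen=True)
class Rule:
    """One policy rule (hypothetical shape); `condition` is the rule's
    dependency on a dynamically configurable environment parameter."""
    resource: str                  # resource prefix, e.g. "file:/home/"
    rights: frozenset              # rights covered, e.g. {"read", "write"}
    effect: str = "allow"          # "allow" or "deny"
    user: Optional[str] = None     # if set, only for the principal (app, user)
    condition: Optional[Callable[[Mapping[str, str]], bool]] = None

@dataclass
class Policy:
    app: str                       # identity of the application program
    rules: list = field(default_factory=list)

class PolicyStore:
    """Centralized policy store; `env` holds the dynamically configurable
    environment parameters that rule conditions read when evaluated."""
    def __init__(self) -> None:
        self._policies: dict = {}
        self.env: dict = {}

    def add(self, policy: Policy) -> None:
        self._policies[policy.app] = policy

    def get(self, app: str) -> Optional[Policy]:
        return self._policies.get(app)

class LoadDenied(PermissionError):
    pass

def _covers(rule_prefix: str, resource: str) -> bool:
    # Prefix match in either direction: an allow on "file:/" reaches
    # "file:/etc/", and an allow on "file:/etc/hosts" lies inside "file:/etc/".
    return resource.startswith(rule_prefix) or rule_prefix.startswith(resource)

def request_load(store: PolicyStore, app: str, forbidden=()) -> Policy:
    """Load gate. Claims 1 and 13: no policy in the store, no load.
    Claim 17: deny the load when the policy shows the program intends
    to access a predetermined resource (any prefix in `forbidden`)."""
    policy = store.get(app)
    if policy is None:
        raise LoadDenied(f"{app}: no policy in centralized store")
    for rule in policy.rules:
        if rule.effect == "allow" and any(_covers(rule.resource, f) for f in forbidden):
            raise LoadDenied(f"{app}: policy grants access to forbidden {rule.resource}")
    return policy

def check_access(store: PolicyStore, app: str, user: Optional[str],
                 resource: str, right: str) -> bool:
    """Access control check (abstract, claim 18). The principal is the app
    alone (user=None) or the app combined with the user it runs for.
    An applicable explicit deny wins; otherwise a satisfied allow is needed."""
    policy = store.get(app)
    if policy is None:
        return False               # a program with no policy was never loaded
    allowed = False
    for rule in policy.rules:
        if not resource.startswith(rule.resource) or right not in rule.rights:
            continue
        if rule.user is not None and rule.user != user:
            continue
        if rule.condition is not None and not rule.condition(store.env):
            continue
        if rule.effect == "deny":
            return False
        allowed = True
    return allowed

def build_store(threat_level: str = "low") -> PolicyStore:
    """Constructed sample data: two programs with different policies."""
    store = PolicyStore()
    store.env["threat_level"] = threat_level
    store.add(Policy("editor", [
        Rule("file:/home/", frozenset({"read", "write"})),
        Rule("file:/etc/", frozenset({"write"}), user="admin"),
        Rule("net:", frozenset({"read"}),
             condition=lambda env: env.get("threat_level") == "low"),
    ]))
    store.add(Policy("browser", [
        Rule("net:", frozenset({"read"})),
        Rule("file:/", frozenset({"write"}), effect="deny"),
    ]))
    return store

def loads(store: PolicyStore, app: str, forbidden=()) -> bool:
    """True if the load gate admits `app`, False if it raises LoadDenied."""
    try:
        request_load(store, app, forbidden)
        return True
    except LoadDenied:
        return False

if __name__ == "__main__":
    s = build_store()
    print("unknown loads:", loads(s, "unknown"))                               # False
    print("editor loads with /etc forbidden:", loads(s, "editor", ("file:/etc/",)))  # False
    print("alice writes /etc via editor:", check_access(s, "editor", "alice", "file:/etc/passwd", "write"))  # False
    s.env["threat_level"] = "high"   # reconfigure the environment parameter at run time
    print("editor reads net at high threat:", check_access(s, "editor", "alice", "net:example.com", "read"))  # False
```

Two points the code makes that the claims only imply: the claim 17 intent analysis looks at the policy's allow rules, so a program with an explicit deny on the predetermined resource still loads, and the environment parameter is read at evaluation time, so changing `store.env` flips the outcome of an already-loaded program's access check without touching the policy.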
Specification