Access authorization having a centralized policy

US 7,685,632 B2
Filed: 10/01/2004
Issued: 03/23/2010
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium encoded with instructions that cause a computer to:

provide a centralized policy store having policies for application programs, a policy for an application program specifying access rights of the application program to resources, wherein at least some application programs have different policies;

receive a first request to load an application program into memory of the computer;

responsive to receiving the first request, determining if there is a policy in the centralized policy store for the application program,when it is determined that there is no such policy, denying the first request to load the application program; and

when it is determined that there is such policy,loading the application program into memory of the computer;

subsequent to loading the application program, receiving a second request to access a resource of the computer, wherein the second request is received from a principal selected from the group consisting of the application program and a combination of a user identity and the application program; and

performing an access control check based on the policy for the application program to determine whether to allow the requested access to the requested resource, wherein the policy for the application program is composed of one or more rules, the one or more rules having at least one dependency on a dynamically configurable environment parameter.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.

63 Citations

View as Search Results

26 Claims

1. A computer-readable storage medium encoded with instructions that cause a computer to:
- provide a centralized policy store having policies for application programs, a policy for an application program specifying access rights of the application program to resources, wherein at least some application programs have different policies;
  
  receive a first request to load an application program into memory of the computer;
  
  responsive to receiving the first request, determining if there is a policy in the centralized policy store for the application program,when it is determined that there is no such policy, denying the first request to load the application program; and
  
  when it is determined that there is such policy,loading the application program into memory of the computer;
  
  subsequent to loading the application program, receiving a second request to access a resource of the computer, wherein the second request is received from a principal selected from the group consisting of the application program and a combination of a user identity and the application program; and
  
  performing an access control check based on the policy for the application program to determine whether to allow the requested access to the requested resource, wherein the policy for the application program is composed of one or more rules, the one or more rules having at least one dependency on a dynamically configurable environment parameter.
- View Dependent Claims (2)
- - 2. The computer-readable storage medium of claim 1, wherein the instructions are integrated into and execute as part of an operating system suitable for executing on the computer.

3. One or more computer memories collectively containing a centralized policy data structure, the centralized policy data structure comprising policies specifying access rights for application programs to resources, at least one policy comprising at least one rule having at least one dependency on a dynamically configurable environment parameter, wherein at least some application programs have different policies,such that the centralized policy data structure is used to determine whether to load an application program based on whether there is a policy for the application program,when it is determined that there is no such policy, the application program is not loaded;
- andwhen it is determined that there is such policy, the application program is loaded, and the policy is used to determine whether access to a resource is authorized based on an identity of the application program and the rules in the policy that are applicable to the application program.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 4. The computer memories of claim 3, wherein the environment parameter is set by an administrator who is different from an administrator of the policy.
  - 5. The computer memories of claim 3, wherein the environment parameter is a specified path.
  - 6. The computer memories of claim 3, wherein the environment parameter is a specification of a collection of filename extensions.
  - 7. The computer memories of claim 3, wherein the environment parameter is a specification of one or more directories.
  - 8. The computer memories of claim 3, wherein the environment parameter is an indication of a protocol.
  - 9. The computer memories of claim 3, wherein the at least one rule defines privileges for an object within an operating system.
  - 10. The computer memories of claim 3, wherein the at least one rule defines privileges for an object outside an operating system.
  - 11. The computer memories of claim 3, wherein the at least one rule supports the inclusion of conditions.
  - 12. The computer memories of claim 3, wherein the at least one rule defines privileges applicable to both present objects and later instantiated objects.

13. A computer-readable storage medium whose contents cause a computer to:
- provide a centralized policy store comprising policies for application programs, wherein the policies specify access rights of at least one application program, and wherein at least some application programs have different policies;
  
  receive a request to load an application program into memory;
  
  responsive to receiving the request, determining whether there is a policy for the application program;
  
  responsive to determining that there is such policy, loading the application program into memory; and
  
  responsive to determining that there is no such policy, denying the request to load the application program.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-readable storage medium of claim 13 further comprising contents that cause the computer to, responsive to determining that there is such policy, determining a potential security risk associated with loading the application program.
  - 15. The computer-readable storage medium of claim 14, wherein the potential security risk is based on an extent of authorization granted by the policy.
  - 16. The computer-readable storage medium of claim 13, wherein the determination of the existence of the policy is made prior to executing the application program.

17. A computer-readable storage medium whose contents cause a computer to:
- provide a centralized policy store comprising policies for application programs, wherein at least some application programs have different policies;
  
  receive a request to load an application program into memory;
  
  determine whether there is a policy in the centralized policy store for the application, such thatwhen it is determined that there is no such policy, denying the request to load the application program; and
  
  when it is determined that there is such policy, determining whether the application program intends to access a predetermined resource; and
  
  responsive to determining that the application program intends to access the predetermined resource, denying the request to load the application program, wherein the determination of the intent to access the predetermined resource is based upon an analysis of a policy for the application program.

18. A system for performing an access control check comprising:
- a centralized policy store comprising policies specifying access rights for application programs, wherein at least some application programs have different policies;
  
  a load component operable to receive a request to load an application program into memory and, in response to receiving a request, determine whether there is a policy in the centralized policy store for the application program, such that when it is determined that there is no such policy, the request to load the application program is denied, and when it is determined that there is such policy, loading the application program into memory;
  
  an authorization query component operable to receive an authorization query regarding access to a resource;
  
  a principal identification component operable to identify a principal requesting access to the resource, wherein the principal is a combination of the application program and a user; and
  
  an access control check component operable to perform an access control check as a function of the principal, the policy in the centralized policy store for the application program, and the resource.

19. A method in a computing system for querying the security risk of an application program, the method comprising:
- determining whether there is a policy applicable to an application program image;
  
  responsive to determining that there is an applicable policy, processing the application program image; and
  
  responsive to determining that an applicable policy does not exist, not processing the application program image.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19 further comprising, responsive to determining that there is an applicable policy, determining a potential security risk associated with the application program image.
  - 21. The method of claim 19 further comprising analyzing the applicable policy to determine the intent of the application program image, such that further processing of the application program image is based on the intent of the application program image.
  - 22. The method of claim 19, wherein processing the application program image includes loading the application program image.
  - 23. The method of claim 19, wherein processing the application program image includes executing the application program image.

24. A system for processing an application program based on the existence of an applicable policy, the system comprising:
- a means for providing a centralized policy store comprising policies specifying access rights for application programs to resources, wherein at least some application programs have different policies;
  
  a means for receiving a request to perform an operation on an application program image;
  
  a means for determining whether a policy exists for the application program image; and
  
  a means for performing the operation based on the determination of whether an applicable policy exists, wherein when an applicable policy does not exist, the received request is denied and the operation is not performed.
- View Dependent Claims (25, 26)
- - 25. The system of claim 24, wherein the operation is loading the application program image.
  - 26. The system of claim 24, wherein the operation is executing the application program image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/956,215
Publication Number

US 20060075461A1
Time in Patent Office

1,999 Days
Field of Search

709/226, 713/156, 726/17, 726/10, 707/9, 345/506
US Class Current

726/10
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/102   Entity profiles

Access authorization having a centralized policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization having a centralized policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links