Controlling transactions in accordance with role based security

US 7,730,095 B2
Filed: 03/01/2006
Issued: 06/01/2010
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. At a computer system, the computer system including a transaction manager, the transaction manager configured to interoperate with one or more other transaction related components to perform transaction related operations within distributed transactions in accordance with a two-phase commit protocol, the one or more other transaction related components selected from among:

applications, resource managers, databases, message queues, and other transaction managers, a method for controlling a distributed transaction based on role based transaction control information listing transaction related operations the one or more other transaction related components are permitted to assume relative to the transaction manager, the method comprising;

an act of the transaction manager receiving a transaction related message, including a request from a transaction related component to perform a requested transaction related operation within the distributed transaction in accordance with the two-phase commit protocol on behalf of the transaction related component, the requested transaction related operation instructing the transaction manager to communicate with at least one other transaction related component on behalf of the transaction related component, the requested transaction related operation selected from among;

beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager, the corresponding transaction to include the transaction manager, the transaction related component, and the at least one other transaction related component as participants;

in response to receiving the transaction related message;

an act of the transaction manager authenticating that the transaction related message originated from the transaction related component;

an act of the transaction manager referring to the role based transaction control information in response to receiving authentication that the transaction related message originated from the transaction related component, the role based transaction control information having been previously configured by a user and expressly listing transaction related operations the transaction related component is permitted to perform relative to the transaction manager for transactions in which the transaction manager and the transaction related component are participants, the listing permitting the transaction manager to perform transaction related operations on behalf of the transaction related component including one or more of;

beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager;

an act of comparing the requested transaction related operation to the role based transaction control information to determine if the transaction related component is permitted to assume a role of the requested transaction related operation relative to the transaction manager that allows the transaction manager to perform the requested transaction related operation on behalf of the transaction related component; and

an act of implementing the requested transaction related operation in accordance with the results of the comparison.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for controlling transactions in accordance with role based security. A first transaction related component receives a transaction related message from a second transaction related component. The transaction related message indicates a request by the second transaction related component to perform a transaction related operation that is to involve the first transaction related component. The first transaction related component authenticates the second transaction related component. The first transaction related component refers to transaction control information indicating roles the second transaction component is permitted to assume relative to the first transaction related component. The transaction related operation indicated in the request is compared to the permitted roles for the second transaction related component. The transaction related operation is implemented in accordance with the results of the comparison.

Citations

20 Claims

1. At a computer system, the computer system including a transaction manager, the transaction manager configured to interoperate with one or more other transaction related components to perform transaction related operations within distributed transactions in accordance with a two-phase commit protocol, the one or more other transaction related components selected from among:
- applications, resource managers, databases, message queues, and other transaction managers, a method for controlling a distributed transaction based on role based transaction control information listing transaction related operations the one or more other transaction related components are permitted to assume relative to the transaction manager, the method comprising;
  
  an act of the transaction manager receiving a transaction related message, including a request from a transaction related component to perform a requested transaction related operation within the distributed transaction in accordance with the two-phase commit protocol on behalf of the transaction related component, the requested transaction related operation instructing the transaction manager to communicate with at least one other transaction related component on behalf of the transaction related component, the requested transaction related operation selected from among;
  
  beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager, the corresponding transaction to include the transaction manager, the transaction related component, and the at least one other transaction related component as participants;
  
  in response to receiving the transaction related message;
  
  an act of the transaction manager authenticating that the transaction related message originated from the transaction related component;
  
  an act of the transaction manager referring to the role based transaction control information in response to receiving authentication that the transaction related message originated from the transaction related component, the role based transaction control information having been previously configured by a user and expressly listing transaction related operations the transaction related component is permitted to perform relative to the transaction manager for transactions in which the transaction manager and the transaction related component are participants, the listing permitting the transaction manager to perform transaction related operations on behalf of the transaction related component including one or more of;
  
  beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager;
  
  an act of comparing the requested transaction related operation to the role based transaction control information to determine if the transaction related component is permitted to assume a role of the requested transaction related operation relative to the transaction manager that allows the transaction manager to perform the requested transaction related operation on behalf of the transaction related component; and
  
  an act of implementing the requested transaction related operation in accordance with the results of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein the act of the transaction manager authenticating that the transaction related message originated from the transaction related component comprises an act of authenticating using at least one of X.509 certificate thumbprints and Kerberos tickets.
  - 3. The method as recited in claim 1, wherein the act of referring to the role based transaction control information comprises an act of referring to transaction control information that indicates the transaction manager is permitted to perform the requested transaction related operation on behalf of the transaction related component.
  - 4. The method as recited in claim 1, wherein the act of referring to the role based transaction control information comprises an act of referring to transaction control information that indicates the transaction manager is not permitted to perform the requested transaction related operation on behalf of the transaction related component.
  - 5. The method as recited in claim 1, wherein the act of referring to the role based transaction control information comprises an act of referring to transaction control information maintained by an operating system.
  - 6. The method as recited in claim 1, wherein the act of referring to the role based transaction control information comprises an act of referring to transaction control information received from a second transaction manager using a transaction manager to transaction manager protocol.
  - 7. The method as recited in claim 1, wherein the act of implementing the requested transaction related operation in accordance with the results of the comparison comprises an act of the transaction manager performing the requested transaction related operation on behalf of the transaction related component to communicate with the at least one other transaction related component on behalf of the transaction related component.
  - 8. The method as recited in claim 1, wherein the act of implementing the requested transaction related operation in accordance with the results of the comparison comprises an act of the transaction manager preventing the requested transaction related operation from occurring when the transaction related operation is not a permitted transaction related operation for the transaction related component.
  - 9. The method as recited in claim 1, wherein the act of referring to the role based transaction control information comprises referring to expressly defined entries for transaction related components, including the transaction related component, each expressly defined entry listing:
    - a transaction related component; and
      
      one or more permitted transaction related operations the transaction manager is permitted to perform on behalf of the transaction related component, the transaction related operations selected from among;
      
      initiating a transaction, marshalling a transaction, unmarshalling a transaction, propagating a transaction, receiving a propagated transaction, enlisting in a transaction, becoming a subordinate transaction manager, and becoming a superior transaction manager.
  - 10. The method as recited in claim 9, wherein the act of comparing the requested transaction related operation to the role based transaction control information comprises an act of comparing the transaction related operation to expressly permitted transaction related operations listed in the expressly defined entry for the transaction related component.
  - 11. The method as recited in claim 1, further comprising:
    - an act of the transaction manager receiving a second transaction related message from the at least one other transaction related component to perform a second requested transaction related operation on behalf of the at least one other transaction related component, the second requested transaction related operation responsive to the transaction related operation; and
      
      in response to receiving the second transaction related message;
      
      an act of the transaction manager authenticating that the second transaction related message originated from the at least one other transaction related component;
      
      an act of the transaction manager referring to role based transaction control information in response to receiving authentication that the second transaction related message originated from the at least one other transaction related component, the role based transaction control information expressly listing roles the at least one other transaction related component is permitted to assume relative to the transaction manager for transactions in which the transaction manager and the at least one other transaction related component are participants, the roles permitting the transaction manager to perform transaction related operations on behalf of the at least one other transaction related component;
      
      an act of comparing the second requested transaction related operation to the role based transaction control information to determine if the at least one other transaction related component is permitted to assume a role relative to the transaction manager that allows the transaction manager to perform the second requested transaction related operation on behalf of the at least one other transaction related component; and
      
      an act of implementing the second requested transaction related operation in accordance with the results of the comparison.
  - 12. The method as recited in claim 11, wherein the at least one other transaction related component comprises a resource manager, and wherein the second requested transaction related operation comprises enlisting in the transaction.
  - 13. The method as recited in claim 11, wherein the at least one other transaction related component comprises a message queue, and wherein the second requested transaction related operation comprises storing a message.

14. A computer program product for use at a computer system, the computer system including a transaction manager, the transaction manager configured to interoperate with one or more other transaction related components to perform transaction related operations within distributed transactions in accordance with a two-phase commit protocol, the one or more other transaction related components selected from among:
- applications, resource managers, databases, message queues, and other transaction managers, the computer program product for implementing a method controlling a distributed transaction based on role based transaction control information listing transaction related operations the one or more other transaction related components are permitted to assume relative to the transaction manager, the computer program product comprising one or more computer storage media having stored thereon computer-executable instructions that, when executed by a processor, cause the transaction manager to perform the following;
  
  receive a transaction related message, including a request from a transaction related component to perform a requested transaction related operation within the distributed transaction in accordance with the two-phase commit protocol on behalf of the transaction related component, the requested transaction related operation instructing the transaction manager to communicate with at least one other transaction related component on behalf of the transaction related component, the requested transaction related operation selected from among;
  
  beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager, the corresponding transaction to include the transaction manager, the transaction related component, and the at least one other transaction related component as participants;
  
  in response to receiving the transaction related message;
  
  authenticate that the transaction related message originated from the transaction related component;
  
  refer to the role based transaction control information in response to receiving authentication that the transaction related message originated from the transaction related component, the role based transaction control information having been previously configured by a user and expressly listing transaction related operations the transaction related component is permitted to perform relative to the transaction manager for transactions in which the transaction manager and the transaction related component are participants, the listing permitting the transaction manager to perform transaction related operations on behalf of the transaction related component including one or more of;
  
  beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, and propagating data to the transaction manager;
  
  compare the requested transaction related operation to the role based transaction control information to determine if the transaction related component is permitted to assume a role of the requested transaction related operation relative to the transaction manager that allows the transaction manager to perform the requested transaction related operation on behalf of the transaction related component; and
  
  implement the requested transaction related operation in accordance with the results of the comparison.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the transaction manager to implement the requested transaction related operation in accordance with the results of the comparison comprise computer-executable instructions that, when executed, cause the transaction manager to prevent the requested transaction related operation from occurring.
  - 16. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the transaction manager to refer to the role based transaction control information comprise computer-executable instructions that, when executed, cause the transaction manager to refer to expressly defined entries for transaction related components, including the transaction related component, each expressly defined entry listing:
    - a transaction related component; and
      
      one or more permitted transaction related operations the transaction manager is permitted to perform on behalf of the transaction related component, the transaction related operations selected from among;
      
      initiating a transaction, marshalling a transaction, unmarshalling a transaction, propagating a transaction, receiving a propagated transaction, enlisting in a transaction, becoming a subordinate transaction manager, and becoming a superior transaction manager.
  - 17. The computer program product as recited in claim 16, wherein computer-executable instructions that, when executed, cause the transaction manager to compare the requested transaction related operation to the role based transaction control information comprise computer-executable instructions that, when executed, cause the transaction manager to compare the requested transaction related operation to permitted transaction related operations listed in the expressly defined entry for the transaction related component.
  - 18. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, when executed by a processor, cause the transaction manager to further perform the following:
    - receive a second transaction related message from the at least one other transaction related component to perform a second requested transaction related operation on behalf of the at least one other transaction related component, the second requested transaction related operation responsive to the transaction related operation; and
      
      in response to receiving the second transaction related message;
      
      authenticate that the second transaction related message originated from the at least one other transaction related component;
      
      refer to role based transaction control information in response to receiving authentication that the second transaction related message originated from the at least one other transaction related component, the role based transaction control information expressly listing roles the at least one other transaction related component is permitted to assume relative to the transaction manager for transactions in which the transaction manager and the at least one other transaction related component are participants, the roles permitting the transaction manager to perform transaction related operations on behalf of the at least one other transaction related component;
      
      compare the second requested transaction related operation to the role based transaction control information to determine if the at least one other transaction related component is permitted to assume a role relative to the transaction manager that allows the transaction manager to perform the second requested transaction related operation on behalf of the at least one other transaction related component; and
      
      implement the second requested transaction related operation in accordance with the results of the comparison.
  - 19. The computer program product as recited in claim 18, wherein the at least one other transaction related component comprises a resource manager, and wherein the second requested transaction related operation comprises enlisting in the transaction.

20. A computer system, comprising:
- one or more processors;
  
  a system memory; and
  
  one or more computer-readable media having stored thereon a transaction manager, the transaction manger configured to perform operations related to distributed transactions in accordance with a two-phase commit protocol based on role based transaction control information listing transaction related operations the one or more other transaction related components are permitted to assume relative to the transaction manager, wherein the distributed transactions are to include the transaction manager and one or more additional other components, the one or more additional other components selected from among;
  
  applications, resource managers, databases, message queues, and other transaction managers, including being configured to;
  
  receive a transaction related message from an application, the transaction related message indicating a request by the application for the transaction manager to perform a begin transaction operation within a distributed transaction in accordance with the two-phase commit protocol, the transaction related message indicating that the transaction is to include at least the transaction manager, the application, and a second transaction manager, wherein the second transaction manager is separated from the first transaction manager by a network boundary;
  
  authenticate that the transaction related message originated from the application;
  
  refer to the role based transaction control information in response to receiving authentication that the transaction related message originated from the application, the role based transaction control information having been previously configured by a user and expressly listing transaction related operations the application and the second transaction manager are permitted to perform relative to the transaction manager for transactions in which the transaction manager, the application, and the second transaction manager are participants, the role based transaction control information including an entry for each of the application and the second transaction manager, the listing permitting the transaction manager to perform one or more transaction related operations on behalf of the application and the second transaction manager, the one or more transaction related operations selected from among;
  
  beginning a transaction, marshalling data for a transaction, unmarshalling data for a transaction, enlisting in a transaction, propagating data from the transaction manager, propagating data to the transaction manager, become a subordinate transaction manager to the transaction manager, and become a superior transaction manager to the transaction manager;
  
  compare the begin transaction operation to the role based transaction control information in the entry for the application to determine if the application is permitted to perform a first transaction related operation relative to the transaction manager that allows the transaction manager to begin a transaction in response to a request from the application;
  
  determine that the transaction manager is permitted to begin transactions in response to a request from the application based on the results of the comparison;
  
  initiate a transaction that is to include the transaction manager, the application, and the second transaction manager in response to the application request;
  
  receive a transaction manager request from the second transaction manager to perform a second transaction related operation of becoming either superior or subordinate transaction manager to the second transaction manager;
  
  authenticate that the transaction manager request originated from the second transaction manager;
  
  refer to the role based transaction control information in response to receiving authentication that the transaction related message originated from the second transaction manager;
  
  compare the transaction related operation to the role based transaction control information in the entry for the second transaction manger to determine if the second transaction manager is permitted to perform the second transaction related operation relative to the transaction manager that allows the transaction manager to become either superior or subordinate to the second transaction manager;
  
  determine that the second transaction manager is permitted to perform the second transaction related operation relative to the transaction manager that allows the transaction manager to become either superior or subordinate to the second transaction manager;
  
  cause the transaction manager to become either superior or subordinate to the second transaction manger in response to receiving the transaction manager request; and
  
  simultaneously participate in the transaction, along with the application and the second transaction manager, to transfer data from the application to the second transaction manager in accordance with the two-phase commit protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vishwanath, Tirunelveli, Johnson, James E., Feingold, Max A.
Primary Examiner(s)
Robinson; Greta L
Assistant Examiner(s)
Weinrich; Brian E

Application Number

US11/365,419
Publication Number

US 20070208741A1
Time in Patent Office

1,553 Days
Field of Search

707/9
US Class Current

707/785
CPC Class Codes

G06Q 20/10 specially adapted for elect...

G06Q 20/3823 combining multiple encrypti...

Controlling transactions in accordance with role based security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling transactions in accordance with role based security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links