Access control policy engine controlling access to resource based on any of multiple received types of security tokens

US 7,774,830 B2
Filed: 03/14/2005
Issued: 08/10/2010
Est. Priority Date: 03/14/2005
Status: Active Grant

First Claim

Patent Images

1. A processor implemented method in connection with a requestor submitting a request to access a digital resource, the request including at least one security token associated with the requestor, each security token of the request containing access decision information useful for determining whether to allow the request, each security token having one of a plurality of types, the method for an access control policy engine associated with the resource to determine whether to allow the request, the method comprising the access control policy engine:

receiving at the processor the request with each security token thereof;

retrieving each security token from the request;

processing by the processor each retrieved security token by;

determining the type of such retrieved security token;

mapping the access decision information in the retrieved security token to a common format, wherein the common format comprises at least one security claim setting forth a right of the requestor, and wherein the access control policy engine maps the access decision information in the retrieved security token to the common format as at least one security claim setting forth adequate information to determine a right of the requestor as;

P a principal identifier that identifies the requestor;

R a right possessed by P with respect to a target T and expressing a relationship between P and T;

T a target identifier that identifies the target of a right;

C any condition on R with respect to T that the access control policy engine is to evaluate; and

I an issuer identifier that identifies an entity that issued the security token and conferred R with respect to T on P,the access control policy engine having a set of security claims relating to the request after having processed the retrieved security tokens;

retrieving a set of rules for accessing the resource;

applying the retrieved set of rules for accessing the resource to the set of security claims to determine whether to allow the request from the requestor; and

if the request from the requestor is to be allowed, providing the requestor access to the resource in accordance with the request and the rights of the requestor as set forth within the set of security claims.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control policy engine associated with a resource determines whether to allow a request to access same. The engine receives the request with an security token, retrieves the token determines a type thereof, and maps access decision information in the token to a common format as at least one security claim setting forth adequate information to determine a right of the requestor. Thereafter, the engine retrieves a set of rules for accessing the resource, applies the rules to the security claims to determine whether to allow the request from the requestor, and if the request is to be allowed, provides the requestor access to the resource in accordance with the request and the rights of the requestor as determined based on the security claims.

Citations

16 Claims

1. A processor implemented method in connection with a requestor submitting a request to access a digital resource, the request including at least one security token associated with the requestor, each security token of the request containing access decision information useful for determining whether to allow the request, each security token having one of a plurality of types, the method for an access control policy engine associated with the resource to determine whether to allow the request, the method comprising the access control policy engine:
- receiving at the processor the request with each security token thereof;
  
  retrieving each security token from the request;
  
  processing by the processor each retrieved security token by;
  
  determining the type of such retrieved security token;
  
  mapping the access decision information in the retrieved security token to a common format, wherein the common format comprises at least one security claim setting forth a right of the requestor, and wherein the access control policy engine maps the access decision information in the retrieved security token to the common format as at least one security claim setting forth adequate information to determine a right of the requestor as;
  
  P a principal identifier that identifies the requestor;
  
  R a right possessed by P with respect to a target T and expressing a relationship between P and T;
  
  T a target identifier that identifies the target of a right;
  
  C any condition on R with respect to T that the access control policy engine is to evaluate; and
  
  I an issuer identifier that identifies an entity that issued the security token and conferred R with respect to T on P,the access control policy engine having a set of security claims relating to the request after having processed the retrieved security tokens;
  
  retrieving a set of rules for accessing the resource;
  
  applying the retrieved set of rules for accessing the resource to the set of security claims to determine whether to allow the request from the requestor; and
  
  if the request from the requestor is to be allowed, providing the requestor access to the resource in accordance with the request and the rights of the requestor as set forth within the set of security claims.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the access control policy engine is supplied with a plurality of mapping modules, each mapping module corresponding to one of the plurality of types and supplying mapping procedures for mapping the access decision information in a security token of such type to the common format, the method comprising the access control policy engine applying the retrieved security token based on the determined type thereof to the mapping module corresponding to such determined type to map the access decision information in the retrieved security token to the common format as at least one security claim setting forth sufficient information to determine a right of the requestor.
  - 3. The method of claim 2 wherein determining the type of the retrieved security token comprises determining the type based on extant characteristics as defined in the mapping module corresponding to the retrieved security token.
  - 4. The method of claim 2 comprising applying the retrieved security token based on the determined type thereof to a mapping module corresponding to such determined type and separate from but coupled to the access control policy engine.
  - 5. The method of claim 2 comprising applying the retrieved security token based on the determined type thereof to a mapping module corresponding to such determined type and integrated within the access control policy engine.
  - 6. The method of claim 1 wherein determining the type of the retrieved security token comprises reviewing a predefined type field of the security token.
  - 7. The method of claim 1 comprising retrieving and applying a set of rules for accessing the resource that are constructed according to the common format of the security claims.

8. A computer-based system comprising a digital resource to which a requestor requests access based on a request including at least one security token associated with the requestor, each security token of the request containing access decision information useful for determining whether to allow the request, each security token having one of a plurality of types, the system comprising:
- a processor that is programmed to implement an access control policy engine associated with the resource and controlling access thereto to determine whether to allow the request, the access control policy engine;
  
  receiving the request with each security token thereof;
  
  retrieving each security token from the request;
  
  processing each retrieved security token by determining the type of such retrieved security token;
  
  mapping the access decision information in the retrieved security token to the common format, wherein the common format comprises at least one security claim setting forth adequate information to determine a right of the requestor, and wherein the access control policy engine maps the access decision information in the retrieved security token to the common format as at least one security claim setting forth adequate information to determine a right of the requestor as;
  
  P a principal identifier that identifies the requestor;
  
  R a right possessed by P with respect to a target T and expressing a relationship between P and T;
  
  T a target identifier that identifies the target of a right;
  
  C any condition on R with respect to T that the access control policy engine is to evaluate; and
  
  I an issuer identifier that identifies an entity that issued the security token and conferred R with respect to T on P,the access control policy engine having a set of security claims relating to the request after having processed the retrieved tokens;
  
  retrieving a set of rules for accessing the resource;
  
  applying the retrieved set of rules for accessing the resource to the set of security claims to determine whether to allow the request from the requestor; and
  
  if the request from the requestor is to be allowed, the processor providing the requestor access to the resource in accordance with the request and the rights of the requestor as determined based on the set of security claims.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The system of claim 8 further comprising a plurality of mapping modules implemented by the processor, each mapping module corresponding to one of the plurality of types and supplying mapping procedures for mapping the access decision information in an security token of such type to the common format, the access control policy engine applying the retrieved security token based on the determined type thereof to the mapping module corresponding to such determined type to map the access decision information in the retrieved security token to the common format as at least one security claim setting forth adequate information to determine a right of the requestor.
  - 10. The system of claim 9 wherein the access control policy engine determines the type of the retrieved security token based on extant characteristics as defined in the mapping module corresponding to the retrieved security token.
  - 11. The system of claim 9 wherein at least one mapping module is separate from but coupled to the access control policy engine.
  - 12. The system of claim 9 wherein at least one mapping module is integrated within the access control policy engine.
  - 13. The system of claim 8 wherein the access control policy engine determines the type of the retrieved security token by reviewing a predefined type field of the security token.
  - 14. The system of claim 8 wherein the access control policy engine retrieves and applies a set of rules for accessing the resource that are constructed according to the common format of the security claims.
  - 15. The system of claim 8 wherein the resource includes the access control policy engine.
  - 16. The system of claim 8 wherein the access control policy engine is separate from the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Woods, Shawn Martin, Dillaway, Blair Brewster, Manferdelli, John L.
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/080,806
Publication Number

US 20060206931A1
Time in Patent Office

1,975 Days
Field of Search

713172-176, 726/2, 726/5, 726/9, 726/1, 726/17, 726 26- 30, 380/229
US Class Current

726/9
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

Access control policy engine controlling access to resource based on any of multiple received types of security tokens

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Access control policy engine controlling access to resource based on any of multiple received types of security tokens

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links