Rights-context elevator

US 7,945,951 B2
Filed: 01/30/2006
Issued: 05/17/2011
Est. Priority Date: 01/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a computer, comprising:

intercepting, by one of a controlled-access application or operating system security, a first task comprising a non-user initiated attempt to install an application downloaded over the internet prior to the first task being performed, in order to check the first task against rights of a user;

identifying a second task;

calling, by one of the controlled-access application or the operating system security, a rights elevator to begin a process of user rights elevation;

receiving, from the user currently logged on to a computer operating system with a single user account having both a limited-rights context and a higher-rights context and while the single user account is operating within the limited-rights context that has rights insufficient to permit the first task and the second task, the user'"'"'s assent to perform a task not permitted by the limited-rights context, wherein the user'"'"'s assent is indicated by user entry of a secure access sequence comprising a simultaneous keystroke activation of more than one key to elevate the rights of the single user account to the higher rights context of the single user account;

following entry of the secure access sequence and prior to an act of elevating the context of the single user account, enabling the assent via receiving a user entry in addition to the secure access sequence;

responsive to the entry of the secure access sequence, initiating a process to minimally elevate rights of the single user account to the higher-rights context of the single user account, wherein the higher-rights context of the single user account minimally permits the first task without elevating the rights to another higher-rights context that would minimally permit the second task; and

elevating the context of the single user account from the limited-rights context to the higher-rights context effective to permit the first task, following entry of the secure access sequence and completion of the process to minimally elevate rights.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System(s), techniques, and/or method(s) (“tools”) are described that enable a user to elevate his or her rights. The tools may do so by switching a user to an account having higher rights or a different, higher-rights context of a same account. The tools may elevate a user'"'"'s rights after a user enters a secure access sequence, such as Control+Alt+Delete, clicks on a button, or enters credentials. The tools may also enable a user to identify tasks that need higher rights to be performed by visually correlating graphic indicia with these tasks.

Citations

20 Claims

1. A method implemented at least in part by a computer, comprising:
- intercepting, by one of a controlled-access application or operating system security, a first task comprising a non-user initiated attempt to install an application downloaded over the internet prior to the first task being performed, in order to check the first task against rights of a user;
  
  identifying a second task;
  
  calling, by one of the controlled-access application or the operating system security, a rights elevator to begin a process of user rights elevation;
  
  receiving, from the user currently logged on to a computer operating system with a single user account having both a limited-rights context and a higher-rights context and while the single user account is operating within the limited-rights context that has rights insufficient to permit the first task and the second task, the user'"'"'s assent to perform a task not permitted by the limited-rights context, wherein the user'"'"'s assent is indicated by user entry of a secure access sequence comprising a simultaneous keystroke activation of more than one key to elevate the rights of the single user account to the higher rights context of the single user account;
  
  following entry of the secure access sequence and prior to an act of elevating the context of the single user account, enabling the assent via receiving a user entry in addition to the secure access sequence;
  
  responsive to the entry of the secure access sequence, initiating a process to minimally elevate rights of the single user account to the higher-rights context of the single user account, wherein the higher-rights context of the single user account minimally permits the first task without elevating the rights to another higher-rights context that would minimally permit the second task; and
  
  elevating the context of the single user account from the limited-rights context to the higher-rights context effective to permit the first task, following entry of the secure access sequence and completion of the process to minimally elevate rights.
- View Dependent Claims (2, 3, 4, 5, 6, 19)
- - 2. The method of claim 1, wherein the single user account comprises a second higher-rights context capable of permitting more tasks than a first higher-rights context, and further comprising determining which of the first or second higher-rights contexts is minimally sufficient to permit the first task effective to provide a minimally sufficient rights context, the enabling assent elevates the single user account context to the minimally sufficient rights context.
  - 3. The method of claim 1, wherein the act of receiving receives the assent without a credential.
  - 4. The method of claim 1, wherein the act of receiving comprises:
    - receiving the assent with a credential; and
      
      authenticating the higher-rights context with the credential prior to elevating the single user account context.
  - 5. The method of claim 1, further comprising lowering, responsive to performance of the first task, the single user account context from the higher-rights context to the limited-rights context.
  - 6. The method of claim 1, further comprising enabling performance of the first task responsive to the act of elevating the single user account context.
  - 19. A computer-readable storage medium, wherein the computer-readable storage medium excludes propagating carrier waves, the computer-readable storage medium having computer-executable instructions embodied thereon, the computer executable instructions encoded to program a computer, upon execution, to perform the method of claim 1.

7. A method implemented at least in part by a computer, comprising:
- on a display device, presenting a user interface for a currently logged on user account, the user interface simultaneously representing;
  
  a first task comprising a non-user initiated attempt to execute instructions from the internet;
  
  a second task; and
  
  an icon that indicates that the first task is not being permitted without elevation of rights associated with the user account;
  
  determining whether the user account is a multi-rights account; and
  
  in an event that the user account is a multi-rights account, presenting, if the currently logged on user account is currently logged on to a computer'"'"'s operating system in a limited-rights context of the multi-rights account, a selectable graphic enabling assent to elevate the currently logged on user account context to a minimally higher-rights context of the multi-rights account, the minimally higher-rights context of the multi-rights account being effective to permit the first task and not sufficient to permit the second task, orin an event that the user account is not a multi-rights account, presenting, if the currently logged on user account is currently logged on to a computer'"'"'s operating system with a limited-rights account, a higher-rights account that has rights minimally sufficient to permit the first task and not the second task and a region for entry of credentials for authenticating a user for the higher-rights account.
- View Dependent Claims (8, 9, 10, 11, 12, 20)
- - 8. The method of claim 7, wherein the user interface simultaneously represents a visual indication that the second task is permitted without elevation of the rights.
  - 9. The method of claim 7, further comprising, responsive to entry of credentials, authenticating the user if the credentials authenticate the user for the higher-rights account, and temporarily elevating the user account rights to that of the higher-rights account effective to permit the task.
  - 10. The method of claim 7, wherein the user interface simultaneously represents:
    - a lack of correlation between one or more other tasks and the first and second tasks; and
      
      enabling performance of the first task and the second task but not the one or more other tasks.
  - 11. The method of claim 7, further comprising elevating the user account context effective to enable performance of the first task and the second task responsive to receiving assent or receiving credentials and authenticating the credentials.
  - 12. The method of claim 7, further comprising elevating the user account context effective to enable the first task and the second task responsive to receiving a secure access sequence comprising an indication of a simultaneous activation of more than one key.
  - 20. A computer-readable storage medium wherein the computer-readable storage medium excludes propagating carrier waves, the computer-readable storage medium having computer-executable instructions embodied thereon, the computer executable instructions encoded to program a computer, upon execution, to perform the method of claim 7.

13. A system comprising:
- a processor;
  
  a computer-readable storage media operatively coupled to the processor, the memory having computer-executable instructions encoded thereon, such that execution of the computer-executable instructions by the processor configures the system to perform operations comprising;
  
  intercepting, by operating system security, a first task comprising a non-user initiated attempt to execute instructions from the internet prior to the first task being performed, in order to check the first task against the rights of a currently active user account;
  
  determining the first task is not permitted by a limited-rights context of the currently active user account;
  
  calling, by the operating system security, a rights elevator to begin a process of user account rights elevation;
  
  receiving, from the currently active user account logged on to a computer operating system, the currently active user account having the limited-rights context and a higher-rights context and while the currently active user account is operating within the limited-rights context, assent for the currently active user account to perform the first task not permitted by the limited-rights context, wherein the assent for the currently active user account is achieved by receiving entry of a secure access sequence comprising a simultaneous activation of more than one key of an input device;
  
  following entry of the secure access sequence and prior to an act of elevating the context of the user account, enabling the assent via an entry in addition to the secure access sequence;
  
  responsive to the entry of the secure access sequence, initiating a process to elevate rights of the currently active user account currently logged on to the computer'"'"'s operating system to the higher-rights context of the currently active user account, wherein the higher-rights context of the currently active user account minimally permits the first task without elevating the rights to another higher-rights context that would minimally permit a second task; and
  
  elevating, responsive to receiving the assent, the currently active user account context from the limited-rights context to the higher-rights context effective to permit the first task, wherein the higher-rights context of the currently active user account effective to permit the first task is not sufficient to permit the second task.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the higher-rights context is a first higher-rights context and the account comprises a second higher-rights context capable of permitting more tasks than the first higher-rights context, and further comprising determining which of the first higher-rights context or second higher-rights context is minimally sufficient to permit the first task effective to provide a minimally sufficient rights context, and where the act of permitting elevates the currently active user account context to the minimally sufficient rights context.
  - 15. The system of claim 13, wherein the operation of receiving comprises receiving the assent without a credential.
  - 16. The system of claim 13, wherein the operation of receiving comprises:
    - receiving the assent with a credential; and
      
      authenticating the higher-rights context with the credential prior to elevating the currently active user account context.
  - 17. The system of claim 13, wherein the operations further comprise lowering, responsive to performance of the first task, the currently active user account context from the higher-rights context to the limited-rights context.
  - 18. The system of claim 13, wherein the operations further comprise enabling performance of the first task responsive to the act of elevating the currently active user account context.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Scallen, Steve, Koh, Jerry K, Yadav, Anil K
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Durham; Imhotep

Application Number

US11/275,818
Publication Number

US 20070180502A1
Time in Patent Office

1,933 Days
Field of Search

726/17, 726/21, 726/26, 726/28, 705/8, 705/9
US Class Current

726/21
CPC Class Codes

G06F 21/31   User authentication

G06F 21/629   to features or functions of...

G06F 2221/2105   Dual mode as a secondary as...

G06F 9/45512   Command shells

Rights-context elevator

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rights-context elevator

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links