Security authorization queries

US 8,060,931 B2
Filed: 09/08/2006
Issued: 11/15/2011
Est. Priority Date: 09/08/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A system comprising:

memory and a processor; and

a security scheme module, stored in the memory and executable on the processor, that includes an authorization query table and a syntactic validator that disallows an assertion having a negation element at a first level, wherein the authorization query table includes multiple fields with each field mapping a resource-specific operation to an associated authorization query, and wherein each authorization query is a logical English expression comprising a fact, a condition, and/or a logical operator.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.

111 Citations

View as Search Results

18 Claims

1. A system comprising:
- memory and a processor; and
  
  a security scheme module, stored in the memory and executable on the processor, that includes an authorization query table and a syntactic validator that disallows an assertion having a negation element at a first level, wherein the authorization query table includes multiple fields with each field mapping a resource-specific operation to an associated authorization query, and wherein each authorization query is a logical English expression comprising a fact, a condition, and/or a logical operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system as recited in claim 1, wherein the associated authorization query comprises an associated authorization query template having one or more predetermined empty slots.
  - 3. The system as recited in claim 2, wherein the security scheme converts the authorization query template into the authorization query by substituting a requesting principal or a requested resource that relates to the resource-specific operation into the one or more predetermined empty slots.
  - 4. The system as recited in claim 1, wherein the security scheme evaluates the associated authorization query in conjunction with an assertion context having multiple assertions, at least one assertion of the multiple assertions relating to the resource-specific operation.
  - 5. The system as recited in claim 4, wherein the authorization query table includes at least one field having an authorization query that includes a negation operator.
  - 6. The system as recited in claim 1, wherein the security scheme provides the associated authorization query and an assertion context having multiple assertions to an authorization engine, the assertion context including multiple assertions with at least one assertion relating to the resource-specific operation;
    - and wherein the authorization engine evaluates the associated authorization query in conjunction with the assertion context to make an authorization decision.
  - 7. The system as recited in claim 6, wherein the associated authorization query includes multiple asserted facts;
    - and wherein the authorization engine matches validated assertions deduced from the assertion context to the asserted facts of the associated authorization query.
  - 8. The system as recited in claim 7, wherein individual asserted facts of the associated authorization query are replaced by a “
    - TRUE”
      
      Boolean status if a validated matching assertion can be deduced from the assertion context and are replaced by a “
      
      FALSE”
      
      Boolean status if a validated matching assertion cannot be deduced from the assertion context.
  - 9. The system as recited in claim 8, wherein if an individual asserted fact is replaced by a “
    - TRUE”
      
      Boolean status, the authorization engine produces a set of variable substitutions that are configured to render the individual asserted fact TRUE.

10. A computer-implemented method with an authorization query table in a security scheme, the authorization query table stored in a memory, the method comprising:
- providing a resource-specific operation for a resource stored in a memory to the authorization query table stored in the memory;
  
  disallowing, by a syntactic validator, an assertion having a negation element at a first level;
  
  ascertaining an authorization query that is associated with the resource-specific operation using the authorization query table stored in the memory, wherein each authorization query is a logical English expression comprising a fact, a condition, and/or a logical operator, the ascertained authorization query comprising an authorization query template having one or more predetermined empty slots; and
  
  converting, at the resource guard module, the authorization query template into the ascertained authorization query by replacing the one or more predetermined empty slots with the identified resource and a principal requesting the identified resource.
- View Dependent Claims (11, 12)
- - 11. The method as recited in claim 10, further comprising:
    - receiving at a resource guard module a request to access an identified resource on behalf of a principal; and
      
      translating at the resource guard module the request into the resource-specific operation;
      
      wherein the providing and the ascertaining are effected by a security policy module.
  - 12. The method as recited in claim 10, further comprising:
    - applying (i) an assertion context derived from the resource-specific operation and (ii) the ascertained authorization query to an evaluation algorithm;
      
      matching validated assertions of the assertion context to asserted facts of the ascertained authorization query;
      
      performing a TRUE/FALSE replacement process on the ascertained authorization query responsive to the matching;
      
      logically evaluating the ascertained authorization query after the performing;
      
      if the ascertained authorization query logically evaluates to TRUE, authorizing the resource-specific operation; and
      
      if the ascertained authorization query logically evaluates to FALSE, denying the resource-specific operation.

13. One or more computer-readable storage media with computer-executable instructions that, when executed on a processor, configure the processor to perform acts comprising:
- implementing a bifurcated security scheme having a first level and a second level, wherein the first level includes a syntactic validator that disallows an assertion containing a negation and the second level permits usage of negations within an authorization query, and wherein each authorization query is a logical English expression comprising conditions, asserted facts, and/or logical operators.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The one or more computer-readable storage media as recited in claim 13, wherein the first level comprises an assertion level.
  - 15. The one or more computer-readable storage media as recited in claim 14, wherein the assertion level is populated by token assertions and policy assertions.
  - 16. The one or more computer-readable storage media as recited in claim 13, wherein the second level comprises a query level.
  - 17. The one or more computer-readable storage media as recited in claim 16, wherein the query level is populated by the authorization queries formed at least from the asserted facts and the logical operators, wherein the logical operators comprise AND, OR, and NOT, and wherein each authorization query is associated with a resource-specific operation.
  - 18. The one or more computer-readable storage media as recited in claim 13, wherein the first level comprises an assertion level that is populated by assertions, wherein the second level comprises a query level that is populated by the authorization queries formed at least from the asserted facts, and wherein the bifurcated security scheme evaluates a particular authorization query by attempting to match validated assertions from the assertion level to one or more asserted facts of the particular authorization query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gordon, Andrew D., Fournet, Cedric, Dillaway, Blair B., Becker, Moritz Y.
Primary Examiner(s)
Pearson; David J

Application Number

US11/530,438
Publication Number

US 20080066175A1
Time in Patent Office

1,894 Days
Field of Search

None
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Security authorization queries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security authorization queries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links