Securing resource stores with claims-based security
First Claim
1. At a computer system where, during a session, one or more applications are running and the one or more applications require access to resources from a resource store, a method for securing the resources maintained at the resource store with claims-based security, the method comprising the following acts:
- in response to a claims request submitted to a policy store from one or more applications running during the session, receiving from the policy store policy information for the resource store;
deriving permissions for accessing secured resources in the resource store from the received policy information, the permissions being derived from;
a secured resources table defining the resources secured within the resource store, each secured resource being of a specified resource type, from among a plurality of different resource types, and each of the plurality of different resource types in turn being defined in a secured resource types table; and
a secured operations table defining secured operations that are possible for the resources defined in the secured resources table;
receiving identity information for the session, wherein the identity information is accumulated in a claims list compiled from one or more claims obtained for the session from an identity store and/or the policy store in response to requests submitted by the one or more applications running in the session;
determining the resource types that any of the one or more applications of the session can access based on the derived permissions and the received identity information as defined by the compiled claims list for the session;
accessing a metadata table that maps secured resource identifiers to corresponding resource types;
filtering the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types; and
during the session, providing access to the subset of metadata that includes resource identifiers for secured resources of the resource types by any of the one or more applications of the session.
2 Assignments
0 Petitions
Accused Products
Abstract
The present invention extends to methods, systems, and computer program products for securing resource stores with claims-based security. From policy information, a resource store populates a security table of permissions. The permissions authorize resource access based on received claims. Sessions submit claims to the resource store. The resource store accumulates claims for a session into a claims list. From the claims list and the security table, the resource store filters out a subset of metadata including resource IDs for resources the session is authorized to access. Since the metadata corresponds to the session, any application using the session is given similar access to resources at the resource store.
69 Citations
12 Claims
-
1. At a computer system where, during a session, one or more applications are running and the one or more applications require access to resources from a resource store, a method for securing the resources maintained at the resource store with claims-based security, the method comprising the following acts:
-
in response to a claims request submitted to a policy store from one or more applications running during the session, receiving from the policy store policy information for the resource store; deriving permissions for accessing secured resources in the resource store from the received policy information, the permissions being derived from; a secured resources table defining the resources secured within the resource store, each secured resource being of a specified resource type, from among a plurality of different resource types, and each of the plurality of different resource types in turn being defined in a secured resource types table; and a secured operations table defining secured operations that are possible for the resources defined in the secured resources table; receiving identity information for the session, wherein the identity information is accumulated in a claims list compiled from one or more claims obtained for the session from an identity store and/or the policy store in response to requests submitted by the one or more applications running in the session; determining the resource types that any of the one or more applications of the session can access based on the derived permissions and the received identity information as defined by the compiled claims list for the session; accessing a metadata table that maps secured resource identifiers to corresponding resource types; filtering the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types; and during the session, providing access to the subset of metadata that includes resource identifiers for secured resources of the resource types by any of the one or more applications of the session. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. At a computer system where, during a session, one or more applications are running and the one or more applications require access to resources from a resource store, a computer program product for implementing a method for securing the resources maintained at the resource store with claims-based security,
the computer program product comprising computer usable memory containing computer-executable instructions for executing the method, and wherein the method is comprised of the following acts: -
in response to a claims request submitted to a policy store from one or more applications running during the session, receiving from the policy store policy information for the resource store; deriving permissions for accessing secured resources in the resource store from the received policy information, the permissions being derived from; a secured resources table defining the resources secured within the resource store, each secured resource being of a specified resource type, from among a plurality of different resource types, and each of the plurality of different resource types in turn being defined in a secured resource types table; and a secured operations table defining secured operations that are possible for the resources defined in the secured resources table; receiving identity information for the session, wherein the identity information is accumulated in a claims list compiled from claims included with security tokens, one such token indicating a claim for a domain for an operating system ID claim, another token indicating a claim for a group membership in response to requests submitted by the one or more applications running in the session, and the identity information being obtained for the session from an identity store and/or the policy store in response to requests submitted by the one or more applications running in the session; determining the resource types that any of the one or more applications of the session can access based on the derived permissions and the received identity information as defined by the compiled claims list for the session; accessing a metadata table that maps secured resource identifiers to corresponding resource types; filtering the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types that one of the one or more applications of the session can access; and during the session, providing access to the subset of metadata that includes resource identifiers for secured resources of the resource types by any of the one or more applications of the session. - View Dependent Claims (10, 11, 12)
-
Specification