System and method for user-centric authorization to access user-specific information

US 8,185,932 B2
Filed: 01/25/2011
Issued: 05/22/2012
Est. Priority Date: 02/27/2002
Status: Active Grant

First Claim

Patent Images

1. A system for controlling access to a data store of user-specific information in a network computing environment being accessed by a client and a user, the system comprising:

a web-services system providing a software service to the user, said web-services system maintaining the data store of user-specific information in connection with the software service;

a data store of default access preferences, said default access preferences defining a list of predetermined access permissions allowed by the user with respect to the data store of user-specific information, the client desiring access to the data store of user-specific information and transmitting an access request message having a parameter indicative of a desired form of access to the data store of user-specific information;

an access control interface associated with the web-services system, said access control interface receiving the access request message and comparing the desired form of access to an access control list associated with the software service, said access control list identifying whether the user has been granted the desired form of access requested by the client;

an access control engine determining an intended use by the client of the user-specific information in the data store of user-specific information, said access control engine also determining a default access preference defining a list of default access permissions to the data store of user-specific information that the user has allowed, the access control engine comparing the determined intended use and the default access permissions and dynamically creating an access control rule granting the desired form of access of the client if the intended use is permitted by the default access permissions; and

a consent engine generating an option list in response to the access request having at least one entry in the option list based on the intended use by the client of the user-specific information in the data store, said consent engine displaying on the access control interface an option menu reflecting the generated option list, said option menu prompting the user to accept or reject at least one option displayed on the option menu using a selection interface of a network communication device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a network computing environment, a user-centric system and method for controlling access to user-specific information maintained in association with a web-services service. When a web-services client desires access to the user-specific information, the client sends a request. The request identifies the reasons/intentions for accessing the desired information. The request is compared to the user'"'"'s existing access permissions. If there is no existing access permission, the request is compared to the user'"'"'s default preferences. If the default preferences permit the requested access, an access rule is created dynamically and the client'"'"'s request is filled, without interrupting the user. If the default preferences do not permit the request to be filled, a consent user interface may be invoked. The consent user interface presents the user with one or more consent options, thereby permitting the user to control whether the client will be given access to the user-specific information.

63 Citations

View as Search Results

17 Claims

1. A system for controlling access to a data store of user-specific information in a network computing environment being accessed by a client and a user, the system comprising:
- a web-services system providing a software service to the user, said web-services system maintaining the data store of user-specific information in connection with the software service;
  
  a data store of default access preferences, said default access preferences defining a list of predetermined access permissions allowed by the user with respect to the data store of user-specific information, the client desiring access to the data store of user-specific information and transmitting an access request message having a parameter indicative of a desired form of access to the data store of user-specific information;
  
  an access control interface associated with the web-services system, said access control interface receiving the access request message and comparing the desired form of access to an access control list associated with the software service, said access control list identifying whether the user has been granted the desired form of access requested by the client;
  
  an access control engine determining an intended use by the client of the user-specific information in the data store of user-specific information, said access control engine also determining a default access preference defining a list of default access permissions to the data store of user-specific information that the user has allowed, the access control engine comparing the determined intended use and the default access permissions and dynamically creating an access control rule granting the desired form of access of the client if the intended use is permitted by the default access permissions; and
  
  a consent engine generating an option list in response to the access request having at least one entry in the option list based on the intended use by the client of the user-specific information in the data store, said consent engine displaying on the access control interface an option menu reflecting the generated option list, said option menu prompting the user to accept or reject at least one option displayed on the option menu using a selection interface of a network communication device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1 wherein the access control interface comprises a service-side fabric associated with the software service provided by the web-services system.
  - 3. The system of claim 1 wherein the access control engine comprises:
    - schema for receiving and parsing the access request message, said schema identifying an intended use by the client of the user-specific information in the data store;
      
      a validation engine, said validation engine determining if the existing default access permissions identified in the access control list permit the client to access the data store of user-specific information for said identified intended use; and
      
      a policy engine being invoked if the existing default access permissions identified in the access control list do not permit the client to access the data store of user-specific information for the identified intended use, said policy engine dynamically determining an access control rule by comparing the user-specific default access preferences with said identified intended use, said validation engine writing said access control rule to the access control list.
  - 4. The system of claim 3 wherein the schema for receiving and parsing the access request message further identifies a method by which the client desires to access the user-specific information in the data store.
  - 5. The system of claim 4 wherein the validation engine determines if the existing default access permissions identified in the access control list permit the client to access the data store of user-specific information using the identified method by which the client desires to access the user-specific information in the data store.
  - 6. One or more non-transitory computer-readable storage medium having computer-executable instructions for performing the system recited in claim 1.

7. A method of controlling access to user specific information by a third party in a network computing environment, said network computing environment including a web-services provider, a user of a service provided by the web-services provider, the web-services provider maintaining a data store of user-specific information associated with the user, the third party in digital communication with the web-services provider, the third party desiring access to the user-specific information in the data store, and the user communicating with the web-services provider via a network communication device having a display interface and a selection interface, said method of controlling access to user-specific information by the third party comprising:
- obtaining at the web-services provider a digital request message from the third party desiring access to the user-specific information in the data store;
  
  determining an intended purpose of the third party for accessing the user-specific information in the data store;
  
  generating an option list in response to the third party'"'"'s request message for user-specific information having at least one entry based on the determined intended purpose of the third party for accessing the user-specific information in the data store;
  
  displaying to the user on the display interface of the network communication device an option menu reflecting the generated option list, said option menu prompting the user to accept or reject at least one option using the selection interface of the network communication device;
  
  receiving from the network communication device a selection signal indicative of whether the user accepted or rejected the at least one option; and
  
  creating an access control rule based on the received selection signal, said access control rule defining an extent of access to the user-specific information in the data store granted to the third party.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7 wherein determining an intended use comprises executing computer-executable instructions comprising:
    - an access control engine determining an intended use by a client of the user-specific information in the data store of user-specific information, said access control engine also determining a default access preference defining a list of default access permissions to the data store of user-specific information that the user has allowed, the access control engine comparing the determined intended use and the default access permissions and dynamically creating an access control rule granting a desired access of the client if the intended use is permitted by the default access permissions.
  - 9. The method of claim 8 wherein the access control engine comprises:
    - schema for receiving and parsing the request message, said schema identifying an intended use by the client of the user-specific information in the data store;
      
      a validation engine, said validation engine determining if the existing default access permissions identified in the access control list permit the client to access the data store of user-specific information for said identified intended use; and
      
      a policy engine being invoked if the existing default access permissions identified in the access control list do not permit the client to access the data store of user-specific information for the identified intended use, said policy engine dynamically determining an access control rule by comparing the user-specific default access preferences with said identified intended use, said validation engine writing said access control rule to the access control list.
  - 10. The method of claim 9 wherein the schema for receiving and parsing the request message further identifies a method by which the client desires to access the user-specific information in the data store.
  - 11. One or more non-transitory computer-readable storage medium having computer-executable instructions for performing the method recited in claim 7.

12. A method of providing and selecting from a menu displayed on a display interface in a network computing environment, said network computing environment including a web-services provider, a user of a service provided by the web-services provider, the web-services provider maintaining a data store of user-specific information associated with the user, a third party in digital communication with the web-services provider, and the third party desiring access to the user-specific information in the data store, the user communicating with the web-services provider via a network communication device having the display interface and a user selection interface, said method comprising:
- retrieving an intentions document associated with the third party desiring access to the user-specific information in the data store, said intentions document identifying;
  
  a purpose for which the third party desires access to the user-specific information in the data store;
  
  a value proposition associated with the purpose for which the third party desires access to the user-specific information in the data store; and
  
  a method by which the third party proposes to access the user-specific information in the data store;
  
  generating a set of menu entries in response to the third party'"'"'s intentions document, said menu entries identifying;
  
  an identity of the third party;
  
  the user-specific information in the data store to which the third party desires access;
  
  the purpose for which the third party desires access to the user-specific information in the data store;
  
  the value proposition associated with the purpose for which the third party desires access to the user-specific information in the data store; and
  
  the method by which the third party proposes to access the user-specific information in the data store;
  
  displaying the menu entries on the menu on the display interface of the network communication device;
  
  prompting the user to authorize or deny the third party to access the user-specific information in the data store;
  
  operatively receiving a selection signal being indicative of whether the user authorized or denied the third party to access the user-specific information in the data store; and
  
  creating an access control rule indicative of whether the user authorized the third party to access the user-specific information in the data store.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12 further comprising:
    - generating an option list in response to a third party'"'"'s request message for user-specific information having at least one entry based on the identified purpose of the third party for accessing the user-specific information in the data store;
      
      displaying to the user on the display interface of the network communication device an option menu reflecting the generated option list, said option menu prompting the user to accept or reject at least one option using the selection interface of the network communication device;
      
      receiving from the network communication device a selection signal indicative of whether the user accepted or rejected the at least one option; and
      
      creating an access control rule based on the received selection signal, said access control rule defining an extent of access to the user-specific information in the data store granted to the third party.
  - 14. The method of claim 13 wherein determining an intended use comprises executing computer-executable instructions comprising:
    - an access control engine determining an intended use by a client of the user-specific information in the data store of user-specific information, said access control engine also determining a default access preference defining a list of default access permissions to the data store of user-specific information that the user has allowed, the access control engine comparing the determined intended use and the default access permissions and dynamically creating an access control rule granting the desired access of the client if the intended use is permitted by the default access permissions.
  - 15. The method of claim 14 wherein the access control engine comprises:
    - schema for receiving and parsing the request message, said schema identifying an intended use by the client of the user-specific information in the data store;
      
      a validation engine, said validation engine determining if the existing default access permissions identified in the access control list permit the client to access the data store of user-specific information for said identified intended use; and
      
      a policy engine being invoked if the existing default access permissions identified in the access control list do not permit the client to access the data store of user-specific information for the identified intended use, said policy engine dynamically determining an access control rule by comparing the user-specific default access preferences with said identified intended use, said validation engine writing said access control rule to the access control list.
  - 16. The method of claim 15 wherein the schema for receiving and parsing the request message further identifies a method by which the client desires to access the user-specific information in the data store.
  - 17. One or more non-transitory computer-readable storage medium having computer-executable instructions for performing the method recited in claim 12.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dunn, Melissa W.
Primary Examiner(s)
Joo, Joshua

Application Number

US13/013,036
Publication Number

US 20110119732A1
Time in Patent Office

483 Days
Field of Search

709/203, 709217-219, 709223-226, 726 1- 2
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

System and method for user-centric authorization to access user-specific information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for user-centric authorization to access user-specific information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links