Method and apparatus for extensible security authorization grouping

US 8,191,115 B2
Filed: 01/10/2005
Issued: 05/29/2012
Est. Priority Date: 01/10/2005
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:

a group service having a store of groups that does not include permission information, each group including at least one of the plurality of users; and

an authorization service, which is separate from the group service, that determines permission for one of the plurality of users to perform a first action using a first software product with respect to a first object based on group information for the one of the plurality of users obtained from the group service and based on corresponding permission information held by the authorization service and stored separately from the store of groups of the group service, and that determines permission for one of the plurality of users to perform a second action using a second software product with respect to a second object, the permission information indicating authorization for at least one group or user to perform at least one action with respect to an object for the plurality of software products;

wherein the permission information held by the authorization service comprises;

securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, wherein the securable object class information does not include user information or group information;

object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and

authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, wherein each authorization entry corresponds to an object identifier in the object registration information, and wherein the authorization entries do not determine group membership.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator.

17 Citations

View as Search Results

18 Claims

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups that does not include permission information, each group including at least one of the plurality of users; and
  
  an authorization service, which is separate from the group service, that determines permission for one of the plurality of users to perform a first action using a first software product with respect to a first object based on group information for the one of the plurality of users obtained from the group service and based on corresponding permission information held by the authorization service and stored separately from the store of groups of the group service, and that determines permission for one of the plurality of users to perform a second action using a second software product with respect to a second object, the permission information indicating authorization for at least one group or user to perform at least one action with respect to an object for the plurality of software products;
  
  wherein the permission information held by the authorization service comprises;
  
  securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, wherein the securable object class information does not include user information or group information;
  
  object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
  
  authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, wherein each authorization entry corresponds to an object identifier in the object registration information, and wherein the authorization entries do not determine group membership.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the permission information is created by a non-systems administrator.
  - 3. The apparatus of claim 1, wherein the permission information is stored in a single location.
  - 4. The apparatus of claim 1, wherein a non-systems administrator controls which users and/or groups correspond to each of the groups.
  - 5. The apparatus of claim 1, wherein the authorization service obtains securable object class (SOC) information from at least one of the plurality of software products.
  - 6. The apparatus of claim 1, wherein the computer system further comprising a store of operating system or directory groups (OS/D groups) that are used by at least one system administrator to control access to certain objects, and wherein at least one group in the store of groups includes at least one OS/D group.
  - 7. The apparatus of claim 1, wherein the authorization service includes inheritance information for two objects that is used to associate permission information for one of the objects in the other object.
  - 8. The apparatus of claim 7, wherein permission information for an object is determined based on permission information for a related object based on inheritance information.
  - 9. The apparatus of claim 1, wherein the authorization service includes:
    - a first authorization service that interacts with the first software product and is not configured to interact with the second software product; and
      
      a second authorization service that interacts with the second software product and is not configured to interact with the first software product.

10. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups that does not include permission information, each group including at least one of the plurality of users; and
  
  an authorization service, which is separate from the group service, that determines permission for at least one user to perform an action with respect to an object based on group information for the at least one user obtained from the group service and based on permission information held by the authorization service and stored separately from the store of groups of the group service, the permission information corresponding to the obtained group information and indicating at least one action that may be performed with respect to an object by at least one group or user;
  
  wherein the permission information held by the authorization service comprises;
  
  securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, wherein the securable object class information does not include user information or group information;
  
  object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
  
  authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, wherein each authorization entry corresponds to an object identifier in the object registration information, and wherein the authorization entries do not determine group membership; and
  
  wherein at least one non-system administrator defines at least some of the permission information to assign authorization to one or more groups or users to perform a first action with respect to a first object using a first software product, and wherein at least one non-system administrator assigns authorization to one or more groups or users to perform a second action with respect to a second object using second software product.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, wherein the store of groups includes at least two different group types, a first group type being controlled by a system administrator, a second group type being controlled by a non-system administrator, each group in the second group type including a first type group, a second type group, or a user.
  - 12. The apparatus of claim 10, wherein each of the plurality of software products is arranged to send a request to the authorization service including an identity of a user requesting to perform an identified action with respect to an identified object, and is arranged to perform the identified action upon receiving authorization from the authorization service.
  - 13. The apparatus of claim 10, wherein each of the plurality of software products is arranged to provide permission information to the authorization service including at least one object type and a set of actions that are performable with respect to the object type.
  - 14. The apparatus of claim 10, wherein the authorization service includes a plurality of authorization service modules each operating with a corresponding one of the plurality of software products.

15. A computer-implemented method for operating a computer system, comprising:
- receiving a first request regarding a first action requested to be performed by a first user with respect to a first object using a first software product, access to the first object being unrestricted by permissions established by a systems administrator;
  
  obtaining first group information from a group service having a store of groups that does not include permission information, the information indicating that the first user is associated with at least one group;
  
  determining authorization, using a processor of the computer system, for the first user to perform the first action using the first software product based on the first group information obtained from the group service and permission information, which is stored separately from store of groups of the group service, the permission information defining authorization for at least one group to perform at least one action with respect to at least one object;
  
  wherein the permission information comprises;
  
  securable object class information for a plurality of object types that includes a complete set of actions performable with respect to each object type, and wherein the securable object class information does not include user information or group information;
  
  object registration information for a plurality of objects that includes an object identifier and an object type for each object, wherein each object type in the object registration information corresponds to an object type in the securable object class information, and wherein the object registration information does not include user information or group information; and
  
  authorization entries (ACEs) for the plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users to perform with respect to the object, and wherein each authorization entry corresponds to an object identifier in the object registration information;
  
  receiving a second request regarding a second action requested to be performed by a second user with respect to a second object using a second software product, access to the second object being unrestricted by permissions established by a systems administrator;
  
  obtaining second group information from the group service indicating that the second user is associated with at least one group; and
  
  determining authorization, using the processor of the computer system, for the second user to perform the second action using the second software product based on the obtained second group information and the permission information.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the first and second requests are sent by the first and second software products, respectively.
  - 17. The method of claim 15, wherein a set of users or groups that correspond to at least one group is controlled by a user with less than system administrator privileges.
  - 18. The method of claim 15, wherein the at least one group includes a group that is controlled by a system administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Minium, Dennis W., Shelepov, Bulat Y., Fu, Xiongjian
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US11/032,527
Publication Number

US 20060156384A1
Time in Patent Office

2,696 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Method and apparatus for extensible security authorization grouping

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for extensible security authorization grouping

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others