Access control based on program properties
Abstract
A pattern matching access control system determines whether a principal should be granted access to a resource based on properties of the applications that make up the principal. The principal name may be created when an application is loaded, invokes other applications (or programs), and/or assumes a new role context. Access is granted based on whether, for each application, the publisher is authorized by system policy to grant the privilege the application asserts. When a principal requests a resource that requires the privilege, the access control list (ACL) for the resource is expanded with the list of applications that have been authorized, through their publisher, to assert the privilege. The expanded ACL is compared to the principal name to determine resource access.
20 Claims
1. A computer implemented method, comprising:
- generating privilege access lists based on manifests associated with one or more applications and a publisher for each of the one or more applications, said generating including accessing a manifest associated with a first of the applications, identifying one or more privileges in the manifest that the first application is asserted to have, and confirming that a publisher of the first application may grant the privileges in the manifest to the first application;
- receiving a request for a resource from a principal associated with a requesting application;
- retrieving an access control pattern associated with the resource;
- identifying a privilege sub-expression in the access control pattern, the sub-expression defining a privilege;
- accessing the privilege access lists to determine which applications have the privilege in the sub-expression;
- expanding the privilege in the privilege sub-expression in the access control pattern to include the applications that have the privilege; and
- matching the expanded access control pattern to the name of the principal.
Dependent claims: 2-8.
9. One or more computer storage devices having processor readable code stored on said computer storage devices, said processor readable code for programming one or more processors to perform a method comprising:
- determining an application asserts at least one privilege, said determining the application asserts a privilege includes accessing a set of program properties from a manifest for the application, and determining if the program properties indicate the application asserts a privilege, the accessing a set of program properties includes either deriving the at least one privilege from annotations or deducing the at least one privilege from analysis of source code;
- determining the publisher of the application;
- accessing an access control pattern for the privilege;
- comparing the application publisher to the access control pattern for the privilege; and
- adding the application to an application list for the privilege based on said step of comparing.
Dependent claims: 10-16.
17. A computer system, comprising:
- a processor; and
- a computer storage media coupled to the processor, the storage media having processor readable code stored thereon for programming the processor to perform a method comprising:
  - generating application lists comprising a disjunction of application names, wherein said generating application lists includes: accessing manifests associated with respective applications; identifying one or more privileges in each of the manifests that the respective application is asserted to have; and confirming that a publisher of the respective application may grant the privileges in the manifest to the respective application;
  - receiving a request for a resource from a principal associated with a requesting application;
  - retrieving an access control pattern associated with the resource;
  - identifying a sub-expression in the access control pattern;
  - determining whether the sub-expression is set by system policy and, if so: retrieving sub-expression content defined by system policy; and expanding the sub-expression using the sub-expression content defined by system policy;
  - determining whether the sub-expression is set by privilege and, if so: accessing the privilege access lists to determine which applications have a privilege in the sub-expression; and expanding the sub-expression to include the applications that have the privilege; and
  - matching the expanded access control pattern to the name of the principal associated with the requesting application.
Dependent claims: 18-20.
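The mechanism described in the abstract and in claims 1, 9 and 17 (publisher-checked privilege lists, privilege and policy sub-expressions in an access control pattern, expansion into a disjunction of application names, and an anchored match against the principal name) as a worked example. This is illustrative code added for this page, not the patent's implementation. The manifest layout, the policy layout, the principal naming scheme (`user/app/invoked-app`), the pattern syntax (`[priv]`, `$name`, `*`) and all sample data are constructed assumptions.

```python
"""Pattern-matching access control driven by program properties.

Added worked example for this page; it is not the patent's own code.
Assumptions (not from the page): manifests map application ->
(publisher, asserted privileges); system policy lists the publishers
allowed to grant each privilege; principal names are
'<user>/<app>/<invoked app>/...'; in an access control pattern '[priv]'
is a privilege sub-expression, '$name' a policy-defined sub-expression
and '*' a wildcard.  All sample data is constructed.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed manifests: application -> (publisher, privileges it asserts).
MANIFESTS: Dict[str, Tuple[str, Set[str]]] = {
    "mailer.exe":  ("Contoso", {"net.send"}),
    "updater.exe": ("Contoso", {"net.send", "fs.write-system"}),
    # game.exe asserts a privilege its publisher is not allowed to grant.
    "game.exe":    ("Indie",   {"net.send", "fs.write-system"}),
}

# Constructed system policy: publishers allowed to grant each privilege.
PUBLISHER_POLICY: Dict[str, Set[str]] = {
    "net.send":        {"Contoso", "Indie"},
    "fs.write-system": {"Contoso"},
}

# Constructed policy-defined sub-expressions (claim 17: "set by system policy").
POLICY_SUBEXPRS: Dict[str, Set[str]] = {
    "$service_accounts": {"svc-update", "svc-backup"},
}


def build_privilege_lists(manifests: Dict[str, Tuple[str, Set[str]]],
                          policy: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Claim 9: privilege -> applications whose publisher may grant it.

    An asserted privilege that the publisher cannot grant is dropped;
    the application never enters that privilege's list."""
    lists: Dict[str, Set[str]] = {priv: set() for priv in policy}
    for app, (publisher, asserted) in manifests.items():
        for priv in asserted:
            if publisher in policy.get(priv, set()):
                lists[priv].add(app)
    return lists


def principal_name(user: str, *apps: str) -> str:
    """Principal name grown as applications are loaded or invoked, e.g.
    'Alice/updater.exe/game.exe' once updater.exe has invoked game.exe."""
    return "/".join((user,) + apps)


# '[privilege]' or '$policy_name' inside an access control pattern.
_SUBEXPR = re.compile(r"\[([^\]]+)\]|(\$[A-Za-z_][A-Za-z0-9_]*)")


def _literal(text: str) -> str:
    """Literal pattern text: '*' is a wildcard, all else is matched verbatim."""
    return re.escape(text).replace(r"\*", ".*")


def expand_pattern(pattern: str, privilege_lists: Dict[str, Set[str]],
                   policy_subexprs: Dict[str, Set[str]]) -> Optional[str]:
    """Expand each sub-expression into a disjunction of names (a regex).

    Returns None when a sub-expression expands to nothing (no application
    holds the privilege, or the policy name is unknown): nothing can match."""
    out, pos = [], 0
    for m in _SUBEXPR.finditer(pattern):
        out.append(_literal(pattern[pos:m.start()]))
        if m.group(1) is not None:          # [privilege] sub-expression
            members = privilege_lists.get(m.group(1), set())
        else:                               # $name set by system policy
            members = policy_subexprs.get(m.group(2), set())
        if not members:
            return None
        out.append("(?:" + "|".join(re.escape(x) for x in sorted(members)) + ")")
        pos = m.end()
    out.append(_literal(pattern[pos:]))
    return "".join(out)


def is_allowed(principal: str, pattern: str,
               privilege_lists: Dict[str, Set[str]],
               policy_subexprs: Dict[str, Set[str]]) -> bool:
    """Match the expanded pattern against the whole principal name.

    fullmatch is deliberate: a prefix match would let a pattern written for
    'Alice/updater.exe' also authorise 'Alice/updater.exe/game.exe'."""
    expanded = expand_pattern(pattern, privilege_lists, policy_subexprs)
    return expanded is not None and re.fullmatch(expanded, principal) is not None


if __name__ == "__main__":
    lists = build_privilege_lists(MANIFESTS, PUBLISHER_POLICY)
    resource_acl = "*/[fs.write-system]"   # any user, running an app allowed to write system files
    for p in (principal_name("Alice", "updater.exe"),
              principal_name("Alice", "game.exe"),
              principal_name("Alice", "updater.exe", "game.exe")):
        print(p, "->", is_allowed(p, resource_acl, lists, POLICY_SUBEXPRS))
```

Two points the code makes that the claims only imply: game.exe's manifest asserts `fs.write-system`, but because its publisher is not authorised by policy to grant that privilege it never enters the privilege list, so the assertion alone buys it nothing; and because the match is anchored over the entire principal name, a privileged application that later invokes an unprivileged one yields a longer principal name that no longer matches the pattern.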
Specification