Relational lockdown for an item store

US 8,250,094 B2
Filed: 07/19/2006
Issued: 08/21/2012
Est. Priority Date: 07/19/2006
Status: Active Grant

First Claim

Patent Images

1. A system for relational lockdown of an item store, the system comprising:

a processing unit;

a relational object item store comprising data items persisted as relational objects;

a relational engine;

a filing system configured to;

manipulate, utilizing said relational engine, data items written in application specific format in the item store; and

manage, store and retrieve the data items in accordance with a respective type of each data item; and

a memory system storing;

a first program module comprising instructions that are executable by the processing unit for initiating a lockdown of said item store by disabling all access to said item store by all users associated with said filing system, each user having an assigned set of privileges indicative of operations that the user is allowed to perform on the item store; and

a second program module comprising instructions that are executable by the processing unit for;

determining a sequence of caller and callee modules invoking executable code;

determining, by combining privileges associated with the sequence of caller and callee modules, a privilege level associated with the executable code, the privilege level indicative of operations that the executable code can perform on the item store;

determining a set of privileges assigned to a user associated with the executable code;

determining a combined set of privileges, based on the privilege level associated with the executable code and the set of privileges assigned to a user associated with the executable code; and

after the first program module has disabled all access to said item store, allowing limited access to said item store, based on said combined set of privileges.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various mechanisms are provided for the lockdown of an item store. For example, a method is provided that comprises of disabling access to a relational engine for a set of users associated with a filing system utilizing the relational engine to manipulate data in an item store. Following such disabling of access, an exception is created by allowing access to the relational engine for users of the filing system based on a set of privileges the users have been assigned. The disabling of access can be accomplished by removing system users from ownership roles, and the allowing of access can be accomplished by providing certificates to users that have associated set of privileges granted to the users.

33 Citations

View as Search Results

29 Claims

1. A system for relational lockdown of an item store, the system comprising:
- a processing unit;
  
  a relational object item store comprising data items persisted as relational objects;
  
  a relational engine;
  
  a filing system configured to;
  
  manipulate, utilizing said relational engine, data items written in application specific format in the item store; and
  
  manage, store and retrieve the data items in accordance with a respective type of each data item; and
  
  a memory system storing;
  
  a first program module comprising instructions that are executable by the processing unit for initiating a lockdown of said item store by disabling all access to said item store by all users associated with said filing system, each user having an assigned set of privileges indicative of operations that the user is allowed to perform on the item store; and
  
  a second program module comprising instructions that are executable by the processing unit for;
  
  determining a sequence of caller and callee modules invoking executable code;
  
  determining, by combining privileges associated with the sequence of caller and callee modules, a privilege level associated with the executable code, the privilege level indicative of operations that the executable code can perform on the item store;
  
  determining a set of privileges assigned to a user associated with the executable code;
  
  determining a combined set of privileges, based on the privilege level associated with the executable code and the set of privileges assigned to a user associated with the executable code; and
  
  after the first program module has disabled all access to said item store, allowing limited access to said item store, based on said combined set of privileges.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system according to claim 1, wherein the first program module comprises instructions that are executable by the processing unit to disable access to said item store by removing all users from a role that specifies ownership of items in the item store.
  - 3. The system according to claim 1, wherein the second program module comprises instructions that are executable by the processing unit to allow limited access to said relational engine by using security certificates.
  - 4. The system according to claim 3, wherein the security certificates are associated with corresponding certificate users and wherein said certificate users have said set of privileges.
  - 5. The system according to claim 3, wherein said security certificates sign a command resulting in the command being marked with a marker, wherein the marker either allows or disallows access to the relational engine depending on said set of privileges.
  - 6. The system according to claim 1, wherein the memory system further stores instructions that are executable by the processing unit to implement an entry point for access to said relational engine, wherein said entry point allows separate access from the limited access provided by said second program module.
  - 7. The system according to claim 1, wherein said filing system is WinFS and said relational engine is associated with SQL Server.
  - 8. The system according to claim 1, wherein no user of an operating system in which the filing system executes can own any object on which any item in the item store is based.

9. A method for relational lockdown of an item store comprising data items persisted as relational objects and a relational engine, the method comprising:
- initiating a lockdown of a relational object item store by disabling all access to said item store by all identities associated with a filing system utilizing said relational engine to manipulate data items written in application specific format in the item store and managing, storing and retrieving the data items in accordance with a respective type of each data item, each identity having an assigned set of privileges to access the item store;
  
  determining a sequence of caller and callee modules invoking executable code;
  
  determining, by combining privileges associated with the sequence of caller and callee modules, a privilege level associated with the executable code; and
  
  after said disabling all access, allowing limited access to said item store by one or more identities associated with the executable code, based on the set of privileges assigned to the one or more identities and the privilege level associated with the executable code.
- View Dependent Claims (10, 11, 12, 13, 14, 21, 22, 23, 24, 25, 26)
- - 10. The method according to claim 9, wherein said disabling access to said item store removes all identities from a role that specifies ownership of items in the item store.
  - 11. The method according to claim 9, wherein said allowing comprises providing access to said relational engine by using security certificates.
  - 12. The method according to claim 11, further comprising associating said security certificates with corresponding certificate identities, said certificate identities having said set of privileges.
  - 13. The method according to claim 9, further comprising using said security certificates to sign a command resulting in the command being marked with a marker, wherein the marker either allows or disallows access to the relational engine depending on said set of privileges.
  - 14. The method according to claim 9, further comprising providing an application programming interface (API) for signing a command for said relational engine.
  - 21. The method according to claim 9, wherein the set of privileges assigned to the one or more identities are indicative of operations that the one or more identities are allowed to perform on the item store.
  - 22. The method according to claim 21, wherein the privilege level associated with the executable code is indicative of operations that the executable code is allowed to perform on the item store.
  - 23. The method according to claim 22, further comprising determining a combined set of privileges based on the privilege level associated with the executable code and the set of privileges assigned to the one or more identities associated with the executable code, wherein said allowing limited access is further based on the combined set of privileges.
  - 24. The method according to claim 9, wherein said limit access comprises a subset of data and schema operations on said item store.
  - 25. The method according to claim 9, wherein the privilege level is indicative of operations that the executable code can perform on the item store.
  - 26. The method according to claim 25, further comprising determining a set of privileges assigned to one or more identities associated with the executable code.

15. A computer readable storage medium not consisting of communication media, the computer readable storage medium comprising computer executable instructions executable by a computer to perform acts for relational lockdown of an item store, the acts comprising:
- initiating a lockdown of a relational object item store by disabling all access to a relational engine by all identities associated with a filing system utilizing said relational engine to manipulate data items written in application specific format in the item store and managing, storing and retrieving the data items in accordance with a respective type of each data item, each identity having an assigned set of privileges to access the item store;
  
  determining a sequence of caller and callee modules invoking executable code;
  
  determining, by combining privileges associated with the sequence of caller and callee modules, a privilege level associated with the executable code; and
  
  allowing limited access to said relational engine by one or more identities, after said disabling all access, based on the set of privileges assigned to the one or more identities and the combined privileges associated with the sequence of caller and callee modules invoking the executable code.
- View Dependent Claims (16, 17, 18, 19, 20, 27, 28, 29)
- - 16. The computer readable storage medium according to claim 15, wherein access to said item store is disabled by removing all identities from a role that specifies ownership of items in the item store.
  - 17. The computer readable medium according to claim 15, wherein access to said relational engine is allowed by using security certificates.
  - 18. The computer readable medium according to claim 17, wherein access is allowed by associating said security certificates with corresponding certificate identities, said certificate identities having said set of privileges.
  - 19. The computer readable storage medium according to claim 18, further comprising computer executable instructions tangibly embodied on the computer readable storage medium, which are executable by a computer for providing an application programming interface (API) for signing code with a marker by using said security certificates.
  - 20. The computer readable storage medium according to claim 15, further comprising computer executable instructions tangibly embodied on the computer readable storage medium, which are executable by a computer for providing an entry point to the relational engine separate from providing access to said relational engine.
  - 27. The computer readable medium according to claim 15, further comprising determining a sequence of caller and callee modules invoking executable code.
  - 28. The computer readable medium according to claim 27, further comprising determining, by combining privileges associated with the sequence of caller and callee modules, a privilege level associated with the executable code, the privilege level indicative of operations that the executable code can perform on the item store.
  - 29. The computer readable medium according to claim 28, further comprising determining a set of privileges assigned to one or more identities associated with the executable code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Skaria, Simon, Hunter, Jason T., Dubhashi, Kedarnath A.
Primary Examiner(s)
Pulliam, Christyann
Assistant Examiner(s)
Mahmood, Rezwanul

Application Number

US11/490,410
Publication Number

US 20080021901A1
Time in Patent Office

2,225 Days
Field of Search

707/10, 707/100, 707/102, 707/200, 707/8, 707/694, 707/704, 707/757, 707/781, 707/783, 707/784, 707/785
US Class Current

707/783
CPC Class Codes

G06F 16/188   Virtual file systems

G06F 21/6227   where protection concerns t...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2147   Locking files

Relational lockdown for an item store

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Relational lockdown for an item store

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links