Multiple entity authorization model

US 8,327,456 B2
Filed: 09/14/2007
Issued: 12/04/2012
Est. Priority Date: 04/13/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of securing data records in a service-based web platform, the computer-implemented method comprising:

storing, by the service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records;

exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context;

receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user;

verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and

denying, by the service-based web platform, access of the application to the stored data record associated with the owner entity upon verifying authorization of the application to call the exposed web method unless;

the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record;

the application is registered with the service-based web platform;

the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and

the stored data record is within the minimum required data record set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authorization framework is provided that protects data records in a platform, such as a service-based platform, by requiring multiple level entities to be authorized with respect to the data records. For example, the data records can have an associated owner user that can grant access to other users with respect to the data. Additionally, however, the user can also grant access to certain applications that access the platform such that the data records can be initially closed for a user requiring the user to explicitly grant desired access to applications and/or users. In this regard, applications can be forbidden from accessing the data, even on behalf of the user, unless expressly authorized to do so by the user. Thus, the user can make informed decisions regarding who is to have access to its data.

85 Citations

View as Search Results

20 Claims

1. A computer-implemented method of securing data records in a service-based web platform, the computer-implemented method comprising:
- storing, by the service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records;
  
  exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context;
  
  receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user;
  
  verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and
  
  denying, by the service-based web platform, access of the application to the stored data record associated with the owner entity upon verifying authorization of the application to call the exposed web method unless;
  
  the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record;
  
  the application is registered with the service-based web platform;
  
  the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and
  
  the stored data record is within the minimum required data record set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, by the service-based web platform, a registration request and the minimum required data record set from the application.
  - 3. The computer-implemented method of claim 1, wherein the minimum required data record set is specified for proper functioning of the application.
  - 4. The computer-implemented method of claim 3, wherein the minimum required data record set is defined by a developer of the application.
  - 5. The computer-implemented method of claim 1, further comprising:
    - presenting, by the service-based web platform, the minimum required data record set to the owner entity; and
      
      obtaining, by the service-based web platform, consent from the owner entity to authorize the application to access the minimum required data record set.
  - 6. The computer-implemented method of claim 1, further comprising:
    - creating, by the service-based web platform, one or more sets of data records associated with the owner entity; and
      
      storing, by the service-based web platform, authorization rules desired by the owner entity for the one or more sets of data records as a whole.
  - 7. The computer-implemented method of claim 6, further comprising:
    - superseding, by the service-based web platform, the authorization rules desired by the owner entity for the one or more sets of data records with system set authorization rules for individual data records in the one or more sets of data records that contain sensitive data.
  - 8. The computer-implemented method of claim 7, further comprising:
    - restricting, by the service-based web platform, access to the stored data record according to the system set authorization rules if the stored data record contains sensitive data, wherein the system set authorization rules satisfy a standard that governs access to the sensitive data contained in the stored data record.
  - 9. The computer-implemented method of claim 1, further comprising:
    - verifying, by the service-based web platform, authorization of a device utilizing the application to request access to the stored data record associated with the owner entity, wherein the service-based web platform further denies access of the application to the stored data record associated with the owner entity unless the owner entity has explicitly granted access to the device.

10. A computer-readable storage medium that does not consist of a signal, the computer-readable storage medium having instructions stored thereon that, when executed by a computing device, cause the computing device to perform operations comprising:
- storing, by a service-based web platform, one or more data records associated with an owner entity that is authorized to access the service based web platform and the one or more data records;
  
  exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context;
  
  receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user;
  
  verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and
  
  denying, by the service-based web platform, access of the application to the stored data record associated with owner entity upon verifying authorization of the application to call the exposed web method unless;
  
  the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record;
  
  the application is registered with the service-based web platform;
  
  the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and
  
  the stored data record is within the minimum required data record set.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable storage medium of claim 10, wherein the operations further comprise:
    - registering, by the service-based web platform, the application in response to receiving a registration request and the minimum required data record set from the application;
      
      presenting, by the service-based web platform, the minimum required data record set to the owner entity; and
      
      obtaining, by the service-based web platform, consent from the owner entity to authorize the application to access the minimum required data record set.
  - 12. The computer-readable storage medium of claim 10, wherein the minimum required data record set is defined by a developer of the application for proper functioning of the application.
  - 13. The computer-readable storage medium of claim 10, wherein the operations further comprise:
    - creating, by the service-based web platform, one or more sets of data records associated with the owner entity; and
      
      storing, by the service-based web platform, authorization rules desired by the owner entity for the one or more sets of data records as a whole.
  - 14. The computer-readable storage medium of claim 13, wherein the operations further comprise:
    - superseding, by the service-based web platform, the authorization rules desired by the owner entity for the one or more sets of data records with system set authorization rules for individual data records in the one or more sets of data records that contain sensitive data; and
      
      restricting, by the service-based web platform, access to the stored data record according to the system set authorization rules if the stored data record contains sensitive data, wherein the system set authorization rules satisfy a standard that governs access to the sensitive data contained in the stored data record.
  - 15. The computer-readable storage medium of claim 10, wherein the operations further comprise:
    - verifying, by the service-based web platform, authorization of a device utilizing the application to request access to the stored data record associated with the owner entity, wherein the service-based web platform further denies access of the application to the stored data record associated with the owner entity unless the owner entity has explicitly granted access to the device.

16. A computer system comprising:
- a processor configured to execute computer-executable instructions; and
  
  memory storing computer-executable instructions for;
  
  storing, by a service-based web platform, one or more data records associated with an owner entity that is authorized to access the service-based web platform and the one or more data records;
  
  exposing, by the service-based web platform, web methods for accessing data records stored by the service-based web platform, wherein authorization to call certain web methods is granted by the service-based web platform to authorized users of the service-based web platform according to user context;
  
  receiving, by the service-based web platform, a call to an exposed web method from an application requesting access to a stored data record associated with the owner entity on behalf of a user;
  
  verifying, by the service-based web platform, authorization of the application to call the exposed web method based at least on whether the user is authorized to access the service-based web platform and has been granted authorization to call the exposed web method by the service-based web platform; and
  
  denying, by the service-based web platform, access of the application to the stored data record associated with owner entity upon verifying authorization of the application to call the exposed web method unless;
  
  the user is at least one of the owner entity or a user that has been explicitly granted access by the owner entity to the stored data record or a set of data records that includes the stored data record;
  
  the application is registered with the service-based web platform;
  
  the owner entity has explicitly granted the application access to a minimum required data record set that was specified by the application during registration; and
  
  the stored data record is within the minimum required data record set.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer system of claim 16, wherein the memory further stores computer-executable instructions for:
    - registering, by the service-based web platform, the application in response to receiving a registration request and the minimum required data record set from the application;
      
      presenting, by the service-based web platform, the minimum required data record set to the owner entity; and
      
      obtaining, by the service-based web platform, consent from the owner entity to authorize the application to access the minimum required data record set.
  - 18. The computer system of claim 16, wherein the memory further stores computer-executable instructions for:
    - creating, by the service-based web platform, one or more sets of data records associated with the owner entity; and
      
      storing, by the service-based web platform, authorization rules desired by the owner entity for the one or more sets of data records as a whole.
  - 19. The computer system of claim 18, wherein the memory further stores computer-executable instructions for:
    - superseding, by the service-based web platform, the authorization rules desired by the owner entity for the one or more sets of data records with system set authorization rules for individual data records in the one or more sets of data records that contain sensitive data; and
      
      restricting, by the service-based web platform, access to the stored data record according to the system set authorization rules if the stored data record contains sensitive data, wherein the system set authorization rules satisfy a standard that governs access to the sensitive data contained in the stored data record.
  - 20. The computer system of claim 16, wherein the memory further stores computer-executable instructions for:
    - verifying, by the service-based web platform, authorization of a device utilizing the application to request access to the stored data record associated with the owner entity, wherein the service-based web platform further denies access of the application to the stored data record associated with the owner entity unless the owner entity has explicitly granted access to the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jones, Jeffrey Dick, Nolan, Sean Patrick, Apacible, Johnson T., Varadan, Vijay, Guarraci, Brian J., White, Christopher C.
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US11/855,251
Publication Number

US 20080256643A1
Time in Patent Office

1,908 Days
Field of Search

726 27- 30, 705 2- 3
US Class Current

726/27
CPC Class Codes

G06F 21/629 to features or functions of...

Multiple entity authorization model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple entity authorization model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links