Unified management policy

US 8,353,005 B2
Filed: 06/27/2008
Issued: 01/08/2013
Est. Priority Date: 02/29/2008
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method of defining a unified management policy expression for expressing an access control policy controlling operations on resources and execution of events or workflows, the method comprising:

storing access control information that defines permissions for access to resources based on one or more entities and one or more operations requested by the one or more entities;

storing events or workflows that are executed in response to the one or more operations being allowed on resources by one or more entities and one or more operations requested by the one or more entities, wherein storing events or workflows comprises storing the events or workflows in a same definition as the access control information in unified management policy rules;

receiving a request to execute the one or more operations on one or more objects;

calculating one or more of the unified management policy rules that apply for a given request and verifying the access control information against the request, wherein verifying comprises performing a single retrieval, retrieving both the access control information and the events or workflows, and wherein the unified management policy rules includes one or more rules that are reflexive such that calculating the one or more of the applicable unified management policy rules comprises determining that a particular requestor is defined in a rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object of the one or more objects; and

executing the workflows defined in the definition.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute the one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed.

Citations

19 Claims

1. In a computing environment, a method of defining a unified management policy expression for expressing an access control policy controlling operations on resources and execution of events or workflows, the method comprising:
- storing access control information that defines permissions for access to resources based on one or more entities and one or more operations requested by the one or more entities;
  
  storing events or workflows that are executed in response to the one or more operations being allowed on resources by one or more entities and one or more operations requested by the one or more entities, wherein storing events or workflows comprises storing the events or workflows in a same definition as the access control information in unified management policy rules;
  
  receiving a request to execute the one or more operations on one or more objects;
  
  calculating one or more of the unified management policy rules that apply for a given request and verifying the access control information against the request, wherein verifying comprises performing a single retrieval, retrieving both the access control information and the events or workflows, and wherein the unified management policy rules includes one or more rules that are reflexive such that calculating the one or more of the applicable unified management policy rules comprises determining that a particular requestor is defined in a rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object of the one or more objects; and
  
  executing the workflows defined in the definition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein calculating one or more of the unified management policy rules and verifying the access control information against the request comprises performing a single calculation to determine both the access control information and the events or workflows through a consistent definition in the system.
  - 3. The method of claim 1, wherein calculating one or more of the unified management policy rules and verifying the access control information against the request comprises:
    - determining the states of the one or more objects when the operation is requested;
      
      determining the states of the one or more objects if the operation were allowed to succeed;
      
      generating a comparison between the states of the one or more objects when the operation is requested and the states of the one or more objects if the operation were allowed to succeed; and
      
      referencing one or more unified management policy rules, the unified management policy rules controlling access to resources based on current and post operation state, and determining that a rule exists that allows the operation to succeed based on the comparison.
  - 4. The method of claim 3, wherein allowing the operation to proceed comprises granting permission to a request to perform the operation, where after the operation is performed resulting in a change to the one or more objects stored on the computer readable media.
  - 5. The method of claim 3, wherein allowing the operation to succeed comprises committing the operation, such that one or more changes to the one or more objects are ratified such that subsequent requests for operations on the one or more objects are based on the operation after the one or more changes have been performed on the one or more objects.
  - 6. The method of claim 3, wherein determining the states of the one or more objects if the operation were allowed to succeed comprises calculating one or more post-operation states.
  - 7. The method of claim 3, wherein determining the states of the one or more objects if the operation were allowed to succeed comprises examining the one or more objects after the operation has been performed on the one or more objects.
  - 8. The method of claim 1, wherein storing access control information comprises storing information about operations including one or more of create, delete, read, modify, modify insert, or modify remove operations.
  - 9. The method of claim 1, wherein storing access control information comprises storing information about principal entities by specifying the principal entities as a group of principals.
  - 10. The method of claim 1, wherein storing access control information comprises storing information about principal entities by specifying the principal entities as attributes of a resource object.
  - 11. The method of claim 1, wherein storing access control information comprises storing information about attributes of a resource, wherein the attributes of a resource are the attributes which operations can be performed on by the one or more entities.
  - 12. The method of claim 1, wherein storing access control information comprises storing information about pre-operation state and post-operation state of resource objects.

13. In a computing environment, a tangible computer readable storage device having stored thereon a data structure including a definition of unified management policy, the unified management policy including provisions for unified management policy controlling access to resources and resultant actions, the tangible computer readable storage device comprising:
- a condition definition, wherein the condition definition defines when the unified management policy is applicable, and wherein the condition definition comprises;
  
  a first field comprising data stored on the computer readable storage device, the first field comprising a definition of one or more principals to whom the a rule applies when performing one or more requested actions, wherein the definition of one or more principals to whom a rule applied when performing one or more actions is part of a definition of the unified management policy;
  
  a second field comprising data stored on the computer readable storage device, the second field comprising a definition of the one or more requested actions, wherein the definition of the one or more requested actions is part of the definition of the unified management policy;
  
  a third field comprising data stored on the computer readable storage device, the third field including attribute information defining the attributes on which the one or more principals perform the one or more actions on;
  
  a fourth field comprising data stored on the computer readable storage device, the fourth field including resource information defining the resources on which the one or more principals perform the one or more actions on; and
  
  a fifth field comprising data stored on the computer readable storage device, the fifth field including Grant right Boolean information indicating that permission will be granted to the principles to perform the actions; and
  
  an event definition, wherein the event definition comprises a definition of what occurs when conditions in the condition definition are met, and wherein the event definition comprises;
  
  a sixth field, comprising data stored on the computer readable storage device, the sixth field comprising a definition of an action workflow that that is executed when the conditions in the conditions definition are met, wherein the definition of the action workflow is part of the definition of the unified management policy,wherein the unified management policy includes one or more rules that are reflexive such that calculating one or more unified management policy rules that apply for a given request comprises determining that a particular requestor is defined in a rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The tangible computer readable storage device of claim 13, wherein the event definition further comprises a seventh field, comprising data stored on the computer readable storage device, the seventh field comprising an authentication workflow definition, the authentication workflow definition including one or more references to one or more process objects, wherein if conditions of authentication workflow definition are met, then any processes specified in authentication workflow definition are run prior to any authorization processes, instantiation of a user request for actions, and action processes.
  - 15. The tangible computer readable storage device of claim 13, wherein the event definition further comprises an eighth field, comprising data stored on the computer readable storage device, the eighth field comprising an authorization workflow definition, the authorization workflow definition defining one or more references to one or more process objects, and wherein if conditions of authorization workflow definition are met, then any processes specified in authorization workflow definition is run prior to instantiation of a user request for actions, and action processes.
  - 16. The tangible computer readable storage device of claim 13, wherein the event definition further comprises a ninth field including resource current set definition including a reference to a set, wherein the resource current set definition is a match if and only if a resource targeted by a request for an action is in the set specified by a reference or keyword before the action has been performed.
  - 17. The tangible computer readable storage device of claim 13, wherein the event definition further comprises a tenth field including a resource final set definition, including a reference to a set, wherein the resource final set definition is a match if and only if a resource targeted by request for an action is in the set specified by a reference or keyword after the action has been performed.

18. In a computing environment, a method of defining a unified management policy expression for access control and events or workflows, the method comprising:
- receiving user input at a computer implemented user interface selecting one or more principals;
  
  receiving user input at a computer implemented user interface selecting one or more operation to be performed on one or more objects by the one or more principals;
  
  receiving user input at a computer implemented user interface selecting one or more attributes of the one or more resources, the attributes being attributes that the one or more principals perform the one or more operations on;
  
  receiving user input at a computer implemented user interface defining one or more workflows that are performed if conditions of the unified management policy rule are met;
  
  defining one or more unified policy rules for the one or more operations, the unified policy rules controlling access to resources, wherein defining unified policy rules comprises defining access control rules including workflows that are executed; and
  
  storing the one or more unified management policy rules, including the workflows that are executed in response to the one or more operations being requested, wherein storing events or workflows comprises storing the events or workflows in a same definition as the unified management policy information a computer readable medium among a collection of unified management policy rules, wherein the one or more unified management policy includes at least one rule that is reflexive such that calculating a unified management policy rule that applies for a given request comprises determining that a particular requestor is defined in the rule based on a dynamic definition of the requestor based on a relationship of the requestor and a target resource object.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the one or more workflows comprise at least one of an authorization workflow, an authentication workflow, or an action workflow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kabat, Jack, Meleshuk, Vadim, Gill, Jasjeet, Weinert, Alexander T.
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/163,791
Publication Number

US 20090222882A1
Time in Patent Office

1,656 Days
Field of Search

726 1- 2
US Class Current

726/2
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

Unified management policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Unified management policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links