Unified authorization for heterogeneous applications

US 8,365,254 B2
Filed: 10/28/2005
Issued: 01/29/2013
Est. Priority Date: 06/23/2005
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a data store service executing on a computing device, the method comprising:

receiving, from a first user device, a first user request for an application service of an application, and from a second user device, a second user request for the application service;

determining a first user identifier associated with the first user device, and a second user identifier associated with the second user device;

determining an access right for the first user device to access the application service, based on the first user identifier;

determining a different access right for the second user device to access the application service, based on the second user identifier;

authenticating with the application using a set of credentials associated with the data store service such that the data store service has both the access right for the first device and the different access right for the second user device;

accessing the application service for the first user device by the data store service, provided the first user request is consistent with the access right for the first user device; and

accessing the application service for the second user device by the data store service, provided the second user request is consistent with the access right for the second user device,wherein the credentials associated with the data store service are used by the data store service to access the application service for the first user device and the second user device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise system may separate the executable functionality existing in backend applications, and the separation may be at differing levels of granularity. The separated functions of the application may be registered in a catalog in the form of metadata objects. Once the executable functionality has been registered, the authorization information for each granular functional object may be associated with authorization information. In this manner, the authorization of a service of an application may be made on a feature by feature (or object by object) basis in a unified manner.

55 Citations

View as Search Results

22 Claims

1. A method implemented at least in part by a data store service executing on a computing device, the method comprising:
- receiving, from a first user device, a first user request for an application service of an application, and from a second user device, a second user request for the application service;
  
  determining a first user identifier associated with the first user device, and a second user identifier associated with the second user device;
  
  determining an access right for the first user device to access the application service, based on the first user identifier;
  
  determining a different access right for the second user device to access the application service, based on the second user identifier;
  
  authenticating with the application using a set of credentials associated with the data store service such that the data store service has both the access right for the first device and the different access right for the second user device;
  
  accessing the application service for the first user device by the data store service, provided the first user request is consistent with the access right for the first user device; and
  
  accessing the application service for the second user device by the data store service, provided the second user request is consistent with the access right for the second user device,wherein the credentials associated with the data store service are used by the data store service to access the application service for the first user device and the second user device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining the access right for the first user device includes accessing an object associated with the application service, the object being stored in a data store associated with the data store service.
  - 3. The method of claim 2, wherein accessing the object includes accessing an access control list associated with the object.
  - 4. The method of claim 3, wherein the access control list is owned by the object.
  - 5. The method of claim 3, wherein accessing the access control list includes accessing another object'"'"'s access control list.
  - 6. The method of claim 5, further comprising determining the another object by determining a nearest ancestor of the object owning the access control list or another access control list.
  - 7. The method of claim 6, wherein the object is selected from a group comprising a system object, a system instance object, an entity object, a method object, a parameter object, and a parameter type object.
  - 8. The method of claim 7, further comprising organizing the group as a hierarchy, and wherein determining the nearest ancestor of the object includes, based on the hierarchy, determining a higher level object associated with the object and owning the at least one access control list or at least one other access control list.
  - 9. The method of claim 3, wherein accessing the object includes accessing an access control entry associated with the access control list, the access control entry including at least the first user identifier and the second user identifier.
  - 10. The method of claim 9, wherein the access right for the first user device and the different access right for the second user device are selected from a group comprising a right to edit, a right to view, and a right to execute.

11. One or more computer readable storage media having stored thereon a data structure comprising:
- a) a first data field containing data representing an object identifier, the object identifier indicating an available service of an application and a security classification for accessing the available service, wherein the security classification identifies a required level of access rights to access the available service that is greater than a level of access rights of an authorized user of the application;
  
  b) a second data field, associated with the first data field, containing data representing an access control list identifier;
  
  c) a third data field, associated with the second data field, containing data representing an access control entry identifier;
  
  d) a fourth data field, associated with the third data field, containing data representing a user identifier associated with the authorized user of the application; and
  
  e) a fifth data field, associated with the third data field, containing data representing a right identifier indicating that the authorized user is permitted to access the available service via a data store service having the required level of access rights to access the available service.
- View Dependent Claims (12, 13, 14)
- - 12. The one or more computer readable storage media of claim 11, wherein the access control list identifier references an access control list application program interface for checking access rights of users requesting access to the available service or another service of the application.
  - 13. The one or more computer readable storage media of claim 11, wherein the access control entry identifier references an access control entry application program interface for verifying access rights based on the fourth and fifth data fields.
  - 14. The one or more computer readable storage media of claim 11, wherein the object identifier identifies an object having a type selected from a group comprising a system object, a system instance object, an entity object, a method object, a parameter object, and a parameter type object.

15. One or more computer readable storage media containing computer readable instructions that, when implemented, perform a method comprising:
- associating a service identifier with a first authorized user identifier and a first access right indicator of the first authorized user identifier, wherein the service identifier is associated with a service of an application;
  
  associating the service identifier with a second authorized user identifier and a second access right indicator of the second authorized user identifier, the first access right indicator and the second access right indicator indicating different access rights for the service;
  
  receiving a first request for the service from a first user device;
  
  verifying that a first user identifier associated with the first user device matches the first authorized user identifier;
  
  receiving a second request for the service from a second user device;
  
  verifying that a second user identifier associated with the second user device matches the second authorized user identifier;
  
  determining, based on the first access right indicator, whether accessing the service is permitted for the first user device;
  
  determining, based on the second access right indicator, whether accessing the service is permitted for the second user device;
  
  providing credentials to access an account associated with the application, wherein the credentials are associated with an entity other than the first user device and the second user device; and
  
  using the account to access the service for both the first user device and the second user device by the entity, provided both the first user device and the second user device are permitted to access the service.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The one or more computer readable storage media of claim 15, further comprising:
    - associating the service identifier with an access control list;
      
      associating the access control list with an access control entry; and
      
      associating the access control entry with the first authorized user identifier and the first access right indicator.
  - 17. The one or more computer readable storage media of claim 16, wherein associating the service identifier with the access control list includes creating a service object containing the access control list.
  - 18. The one or more computer readable storage media of claim 16, wherein associating the service identifier with the access control list includes associating the service identifier with an application program interface for discovering a nearest ancestor object of the service identifier that contains the access control list.
  - 19. The one or more computer readable storage media of claim 18, wherein discovering the nearest ancestor object includes walking up a predetermined object hierarchy associated with the service identifier and determining a nearest higher level object containing the access control list or another access control list.
  - 20. The one or more computer readable storage media of claim 15, further comprising associating the first authorized user identifier and the first access right indicator with a child service indicator associated with the service indicator in accordance with a service hierarchy.
  - 21. The one or more computer readable storage media according to claim 15, wherein the account used to access the service has at least one access right that is not indicated by the first access right indicator and the second access right indicator.
  - 22. The one or more computer readable storage media according to claim 15, wherein the entity comprises a data store service, the method further comprising:
    - receiving, by the data store service, results from the service for the first user device;
      
      redacting, by the data store service, the results in accordance with user permissions for the first user device; and
      
      providing the redacted results to the first user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Burke, Jonah S., Kapadia, Arshish C.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Ho, Virginia T

Application Number

US11/262,273
Publication Number

US 20060294578A1
Time in Patent Office

2,650 Days
Field of Search

726/2, 726 3- 7, 726/12, 726 17- 19, 713153-158, 713/189, 707781-785, 709/203, 709/219, 709/229
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/101   Access control lists [ACL]

Unified authorization for heterogeneous applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Unified authorization for heterogeneous applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links