Access control policy in a weakly-coherent distributed collection

US 8,505,065 B2
Filed: 06/20/2007
Issued: 08/06/2013
Est. Priority Date: 06/20/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium not consisting of a modulated data signal for programming a processor to perform a method of implementing an access control policy on a weakly-coherent distributed collection, the method comprising the steps of:

(a) generating one or more certificates creating one or more access control rights with respect to one or more replicas and items in the weakly-coherent distributed collection, said step (a) of generating one or more certificates including the step of creating one or more namespaces to subdivide the rights associated with different replicas;

(b) revoking a certificate of the one or more certificates by a collection manager and/or one or more replicas granted authority to revoke the one or more certificates;

(c) preventing conflicting policies within the weakly-coherent distributed collection by preventing modification of the one or more certificates by the collection manager and one or more replicas granted authority to revoke the one or more certificates; and

(d) creating a new replica upon revocation of the certificate in said step (b), and recreating the certificate revoked in said step (b) in the new replica, the new replica implementing policy to replace the policy of the revoked certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed for creating and implementing an access control policy framework in a weakly coherent distributed collection. A collection manager may sign certificates forming equivalence classes of replicas that share a specific authority. The collection manager and/or certain privileged replicas may issue certificates that delegate authority for control of item policy and replica policy. Further certificates may be signed that create one or more items, set policy for these one or more items, and define a set of operations authorized on the one or more items. The certificates issued according to the present system for creating and implementing a control policy framework cannot be modified or simply overridden. Once a policy certificate is issued, it may only be revoked by the collection manager or by a replica having revocation authority.

Citations

10 Claims

1. A computer-readable storage medium not consisting of a modulated data signal for programming a processor to perform a method of implementing an access control policy on a weakly-coherent distributed collection, the method comprising the steps of:
- (a) generating one or more certificates creating one or more access control rights with respect to one or more replicas and items in the weakly-coherent distributed collection, said step (a) of generating one or more certificates including the step of creating one or more namespaces to subdivide the rights associated with different replicas;
  
  (b) revoking a certificate of the one or more certificates by a collection manager and/or one or more replicas granted authority to revoke the one or more certificates;
  
  (c) preventing conflicting policies within the weakly-coherent distributed collection by preventing modification of the one or more certificates by the collection manager and one or more replicas granted authority to revoke the one or more certificates; and
  
  (d) creating a new replica upon revocation of the certificate in said step (b), and recreating the certificate revoked in said step (b) in the new replica, the new replica implementing policy to replace the policy of the revoked certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A computer-readable storage medium as recited in claim 1, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of generating one or more equivalence classes of replicas, each class of the one or more equivalence classes having a different authority.
  - 3. A computer-readable storage medium as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of privileged replicas having the authority to define access control policy for one or more replicas and items.
  - 4. A computer-readable storage medium as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of modifier replicas having the authority to update versions of items.
  - 5. A computer-readable storage medium as recited in claim 4, wherein the class of modifier replicas do not have authority to define access control policy for replicas or items.
  - 6. A computer-readable storage medium as recited in claim 2, wherein said step of generating one or more equivalence classes of replicas comprises the step of generating a class of synchronization replicas having the authority to synchronize with other replicas.
  - 7. A computer-readable storage medium as recited in claim 6, wherein the class of synchronization replicas do not have authority to update versions of items and do not have the authority to define access control policy for replicas or items.
  - 8. A computer-readable storage medium as recited in claim 1, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of generating one or more items and assigning responsibility for setting policy for the one or more items to the collection manager or replica creating the item.
  - 9. A computer-readable storage medium as recited in claim 8, wherein said step (a) of generating one or more certificates creating one or more access control rights comprises the step of defining one or more operations which may be performed on the one or more items.
  - 10. A computer-readable storage medium as recited in claim 9, wherein said step (a) of generating one or more operations which may be performed on the one or more items comprises the step of generating at least one of a right to modify the one or more items and a right to read the one or more items.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wobber, Edward P., Abadi, Martin, Rodeheffer, Thomas L.
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ELMORE, JOHN E

Application Number

US11/765,886
Publication Number

US 20080320299A1
Time in Patent Office

2,239 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 16/273   Asynchronous replication or...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 9/12   Transmitting and receiving ...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

Access control policy in a weakly-coherent distributed collection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Access control policy in a weakly-coherent distributed collection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links