Security authorization queries

US 8,584,230 B2
Filed: 09/27/2011
Issued: 11/12/2013
Est. Priority Date: 09/08/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

under control of one or more processors;

receiving a request for access to a resource;

applying, by the one or more processors, a multi-level security scheme to the request for access, the multi-level security scheme including an assertion level and a query level, wherein the assertion level disallows an assertion containing a negation, and wherein the query level permits an authorization query containing at least one negation; and

determining, by the one or more processors, an authorization result for the request, based at least on the application of the multi-level security scheme.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.

Citations

20 Claims

1. A method comprising:
- under control of one or more processors;
  
  receiving a request for access to a resource;
  
  applying, by the one or more processors, a multi-level security scheme to the request for access, the multi-level security scheme including an assertion level and a query level, wherein the assertion level disallows an assertion containing a negation, and wherein the query level permits an authorization query containing at least one negation; and
  
  determining, by the one or more processors, an authorization result for the request, based at least on the application of the multi-level security scheme.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising ascertaining the authorization query by applying an authorization query table to the request.
  - 3. The method of claim 1, wherein the authorization query is an English-language expression.
  - 4. The method of claim 1, further comprising:
    - translating the request for access to an operation to be performed on the resource; and
      
      ascertaining the authorization query associated with the operation, based on an authorization query table included in the multi-level security scheme.
  - 5. The method of claim 4, wherein the authorization query table maps one or more resource-specific operations to one or more associated authorization queries.
  - 6. The method of claim 1, further comprising auditing the determination of the authorization result, based on an audit policy.
  - 7. The method of claim 1, wherein the assertion level includes a syntactic validator for disallowing the assertion containing the negation.
  - 8. The method of claim 1, wherein the authorization query is a logical operation.

9. A system comprising:
- one or more processors; and
  
  one or more security components executed by the one or more processors to implement a multi-level security scheme that includes an assertion level and a query level, wherein the one or more security components perform actions including;
  
  receiving a request to access a resource;
  
  forming an assertion context at the assertion level, including disallowing an assertion containing a negation;
  
  ascertaining an authorization query at the query level, based at least on an authorization query table; and
  
  employing the authorization query and the assertion context to produce an authorization decision for the request to access the resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the one or more security components include an audit component that audits the operation of at least one of the other security components.
  - 11. The system of claim 9, wherein the actions further include permitting at least one negation within the authorization query, at the query level.
  - 12. The system of claim 9, wherein the request includes a security token that includes one or more token assertions, and wherein the actions further include combining the one or more token assertions with one or more policy assertions to form the assertion context at the assertion level.
  - 13. The system of claim 9, wherein disallowing the assertion containing the negation is performed using syntactic validation at the assertion level.
  - 14. The system of claim 9, wherein the authorization query is a logical operation that includes at least one asserted fact and at least one logical operator.
  - 15. The system of claim 9, wherein the actions further include:
    - translating the request into an operation to be performed on the resource;
      
      providing the operation to the authorization query table that maps one or more resource-specific operations to one or more associated authorization queries; and
      
      retrieving the authorization query associated with the operation, based on the mapping included in the authorization query table.

16. One or more computer-readable storage devices storing instructions that, when executed, configure one or more processors to perform actions comprising:
- receiving a request to access a resource, wherein the request includes a security token with one or more token assertions;
  
  applying a multi-level security scheme to the request for access, the multi-level security scheme including a first level and a second level;
  
  determining an assertion context at the first level, based on the one or more token assertions;
  
  employing syntactic validation to disallow an assertion containing a negation, at the first level;
  
  ascertaining an authorization query at the second level; and
  
  employing the authorization query and the assertion context to produce an authorization decision for the request to access the resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer-readable storage devices of claim 16, wherein the actions further comprise auditing one or more of the actions based on an audit policy.
  - 18. The one or more computer-readable storage devices of claim 16, wherein determining the assertion context includes combining the one or more token assertions with one or more policy assertions to form the assertion context.
  - 19. The one or more computer-readable storage devices of claim 18, wherein the one or more policy assertions include at least one of a trust-related assertion and an authorization-related assertion.
  - 20. The one or more computer readable storage devices of claim 16, wherein the second level permits at least one negation within the authorization query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., Becker, Moritz Y., Gordon, Andrew D., Fournet, Cedric
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US13/246,537
Publication Number

US 20120017263A1
Time in Patent Office

777 Days
Field of Search

None
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Security authorization queries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security authorization queries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links