Delegation in logic-based access control

US 8,607,311 B2
Filed: 12/21/2007
Issued: 12/10/2013
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable memories having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:

abducing a first set of one or more assertions from information that comprises an access request for a first principal to access the resource, a system that performs said abducing not having in possession said first set of one or more assertions, said abducing being performed by acts comprising;

receiving a first answer set and a second answer set, said first answer set comprising said first set of one or more assertions, said second answer set comprising a second set of one or more assertions, said first set of said one or more assertions and said second set of said one or more assertions each satisfying a condition that either said first set of one or more assertions or said second set of one or more assertions will, when presented to a guard of the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and

determining that said first answer set is not subsumed by said second answer set;

receiving a template that specifies said first set of one or more assertions;

obtaining a first token that satisfies a first one of said first set of one or more assertions;

presenting, to said guard, (a) a set of one or more tokens that comprises said first token, and (b) said access request;

receiving access to said resource from said guard; and

accessing said resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.

33 Citations

View as Search Results

19 Claims

1. One or more computer-readable memories having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:
- abducing a first set of one or more assertions from information that comprises an access request for a first principal to access the resource, a system that performs said abducing not having in possession said first set of one or more assertions, said abducing being performed by acts comprising;
  
  receiving a first answer set and a second answer set, said first answer set comprising said first set of one or more assertions, said second answer set comprising a second set of one or more assertions, said first set of said one or more assertions and said second set of said one or more assertions each satisfying a condition that either said first set of one or more assertions or said second set of one or more assertions will, when presented to a guard of the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  
  determining that said first answer set is not subsumed by said second answer set;
  
  receiving a template that specifies said first set of one or more assertions;
  
  obtaining a first token that satisfies a first one of said first set of one or more assertions;
  
  presenting, to said guard, (a) a set of one or more tokens that comprises said first token, and (b) said access request;
  
  receiving access to said resource from said guard; and
  
  accessing said resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19)
- - 2. The one or more computer-readable memories of claim 1, wherein said obtaining comprises:
    - consulting a token store that contains said first token;
      
      determining that said first token satisfies said first one of said first set of one or more assertions; and
      
      retrieving said first token from said token store.
  - 3. The one or more computer-readable memories of claim 1, wherein said obtaining comprises:
    - generating said first token and signing said first token with a key of a second principal, or requesting the token from a token authority.
  - 4. The one or more computer-readable memories of claim 1, wherein said first one of said first set of one or more assertions involves a variable, wherein said template specifies a constraint on a value of said variable, and wherein the method further comprises:
    - determining that said first token comprises a constant that satisfies said constraint.
  - 5. The one or more computer-readable memories of claim 1, wherein said template specifies a constraint on a variable involved in said first one of said first set of one or more assertions, said constraint being satisfiable with a set or range of values, and wherein the method further comprises:
    - choosing one of said values to substitute in said variable based on a principle.
  - 6. The one or more computer-readable memories of claim 1, wherein said obtaining comprises:
    - determining, under a rule, that generating said first token on behalf of a second principal is acceptable;
      
      generating said first token; and
      
      signing said first token by, or on behalf of, said second principal.
  - 7. The one or more computer-readable memories of claim 1, wherein said first token is received at a second principal, wherein said first token partially instantiates said template which constitutes a partially-instantiated template, and wherein the method further comprises:
    - communicating the partially-instantiated template to said second principal.
  - 19. The one or more computer-readable memories of claim 1, said determining that said first answer set is not subsumed by said second answer set comprising:
    - determining whether the number of abduced assertions in the first answer set is greater than the number of abduced assertions in the second answer set; and
      
      determining whether a substitution exists such that;
      
      the first answer set is logically equivalent to the second answer set when variables in said first answer set and said second answer set are substituted according to the substitution; and
      
      the first set of one or more assertions is a superset of the second set of one or more assertions when variables in said first answer set and said second answer set are substituted according to the substitution.

8. A method of facilitating access to a resource, the method comprising:
- using a processor to perform acts comprising;
  
  abducing a first plurality of assertions from information that comprises an access request and a policy under which a guard controls access to the resource, a system that performs said abducing not having in possession said first plurality of assertions, said abducing being performed by acts comprising;
  
  receiving a first answer set and a second answer set, said first answer set comprising said first plurality of assertions, said second answer set comprising a second plurality of assertions, said first plurality of assertions and said second plurality of assertions each satisfying a condition that either said first plurality of assertions or said second plurality of assertions will, when presented to a guard of the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  
  determining that said first answer set is not subsumed by said second answer set;
  
  receiving, from a first principal, a template that specifies said first plurality of assertions and that further specifies a first token that satisfies a first one of said first plurality of assertions;
  
  determining from the template that a second one of said first plurality of assertions can be satisfied by a second token containing an assertion made by a second principal;
  
  retrieving or generating said second token;
  
  sending the guard of the resource said access request which includes a set of tokens which satisfy the template; and
  
  gaining access to the resource based on the request.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein said assertion involves a variable, wherein said template specifies a constraint on said variable, and wherein said determining comprisesdetermining a constant that, when substituted in place of said variable in said assertion, satisfies said constraint.
  - 10. The method of claim 8, wherein said acts further comprise:
    - using a key of said second principal to sign said second token.
  - 11. The method of claim 8, wherein said acts further comprise:
    - using a rule to determine that said second one of said first plurality of assertions may be made on behalf of said second principal.
  - 12. The method of claim 8, wherein said acts further comprise:
    - prior to said receiving, presenting said access request to a guard that controls access to the resource;
      
      receiving an indication of a failure to access the resource; and
      
      requesting that said template be generated.

13. A system comprising:
- one or more data remembrance components;
  
  one or more processors;
  
  a template stored in said one or more data remembrance components, said template specifying a first set of one or more assertions;
  
  one or more executable components that are stored in said one or more data remembrance components, and that execute on said one or more processors, and that retrieve or generate a first token that satisfies a first one of said first set of one or more assertions, and that create a first data structure that comprises one or more tokens that, together with an access request, allow a first principal to access a resource to be true under a policy, said one or more tokens comprising said first token;
  
  a guard that evaluates said first data structure and determines whether to allow said first principal access to said resource based on said access request and said one or more tokens; and
  
  an abduction component that abduces said first set of one or more assertions from information that comprises an access request for said first principal to access the resource, said abduction component not having in possession said first set of one or more assertions, said abduction component abducing said first said of one or more assertions by;
  
  receiving a first answer set and a second answer set, said first answer set comprising said first set of one or more assertions, said second answer set comprising a second set of one or more assertions, said first set of said one or more assertions and said second set of said one or more assertions each satisfying a condition that either said first set of one or more assertions or said second set of one or more assertions will, when presented to said guard, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  
  determining that said first answer set is not subsumed by said second answer set.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising:
    - a token store that stores a plurality of tokens, including said first token, wherein said one or more executable components comprise an assertion provider that makes a determination that said first token satisfies said first one of said first set of one or more assertions and retrieves said first token from said token store based on said determination.
  - 15. The system of claim 13, wherein said first one of said first set of one or more assertions involves a variable, wherein said template comprises a constraint on said variable, and wherein the system further comprises:
    - a constraint solver that finds a constant that satisfies said constraint to substitute in place of said variable.
  - 16. The system of claim 15, wherein there is a set or range of values that satisfy said constraint, and wherein said constraint solver chooses one or said values to substitute in place of said variable based on a principle.
  - 17. The system of claim 13, wherein said first token comprises an assertion made by a second principal, and wherein said one or more executable components provide said first data structure to a third principal that is able to provide, or has provided, a second token that satisfies a second one of said first set of one or more assertions.
  - 18. The system of claim 13, wherein said one or more executable components generate said first token by signing said first token with a key associated with a second principle by whom, or on whose behalf, an assertion contained in said first token is made.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Becker, Moritz Y., Dillaway, Blair B., Fee, Gregory D., Leen, John M., Mackay, Jason F.
Primary Examiner(s)
KIM, TAE K

Application Number

US11/962,761
Publication Number

US 20090165110A1
Time in Patent Office

2,181 Days
Field of Search

713/151, 713/201, 707/9, 707781-783, 707999001-99901, 726 1- 4, 726 16- 17, 726 26- 28
US Class Current

726/4
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Delegation in logic-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Delegation in logic-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links