Web management authorization and delegation framework

US 8,667,578 B2
Filed: 01/16/2009
Issued: 03/04/2014
Est. Priority Date: 01/16/2009
Status: Expired due to Fees

First Claim

Patent Images

1. In a computing environment, a method comprising:

receiving a request to authorize a non-administrative user to perform an administrative action;

accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, wherein the authorization store provides a userscope variable that specifies a path for the non-administrative user, and wherein the path specified is automatically substituted for the non-administrative user based on a user login of the non-administrative user;

in response to a determination that the non-administrative user is allowed to perform the administrative action, providing credentials that allow the non-administrative user to perform the administrative action using impersonation, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user;

running the administrative action; and

upon completion of the administrative action, returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a technology in which a non-administrator computer/web user is allowed to perform an administrative-level task within a certain context and/or scope. An authorization store is queried based on information (e.g., a provider, a username, and a path) provided with an authorization request, e.g., from an application via an API. The information in the authorization store, set up by an administrator, determines the administrative action is allowed. If so, a credential store provides credentials that allow the action to be runs before reverting the user to the prior set of credentials. Also described is a pluggable provider model through which the authorization store and/or delegation store are accessed, whereby the data maintained therein can be any format and/or at any location known to the associated provider.

Citations

19 Claims

1. In a computing environment, a method comprising:
- receiving a request to authorize a non-administrative user to perform an administrative action;
  
  accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, wherein the authorization store provides a userscope variable that specifies a path for the non-administrative user, and wherein the path specified is automatically substituted for the non-administrative user based on a user login of the non-administrative user;
  
  in response to a determination that the non-administrative user is allowed to perform the administrative action, providing credentials that allow the non-administrative user to perform the administrative action using impersonation, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user;
  
  running the administrative action; and
  
  upon completion of the administrative action, returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein providing the credentials comprises accessing a delegation store.
  - 3. The method of claim 1 wherein the authorization store provides a userscope variable that infers information already known about a user from a user login.
  - 4. The method of claim 1 wherein accessing the authorization store comprises communicating through a provider associated with that authorization store.
  - 5. The method of claim 4 wherein the request identifies the provider, a username, and a path.
  - 6. The method of claim 4 wherein receiving the request comprises handling an API call.
  - 7. The method of claim 1 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises:
    - evaluating whether all users are denied;
      
      in response to a determination that all users are not denied, evaluating whether the non-administrative user is denied;
      
      in response to a determination that the non-administrative user is not denied, evaluating whether the non-administrative user is allowed;
      
      in response to a determination that the non-administrative user is not allowed, evaluating whether a role associated with the non-administrative user is denied;
      
      in response to a determination that the role associated with the non-administrative user is not denied, evaluating whether the role associated with the non-administrative user is allowed;
      
      in response to a determination that the role associated with the non-administrative user is not allowed, evaluating whether all users are allowed.
  - 8. The method of claim 1 further comprising:
    - defining an authorization scope for authorizing the user based on a regular expression, a database connection string or a file system path.

9. In a computing environment, a system comprising:
- a rules engine configured to receive a request to authorize a non-administrative user to perform an administrative action;
  
  an authorization store stored in memory coupled to the rules engine and configured to provide information that corresponds to users and specified actions associated with those users, the information including a userscope variable that specifies a path for the non-administrative user, the rules engine configured to automatically substitute the path specified for the non-administrative user based on a user login of the non-administrative user, the rules engine configured to determine whether the non-administrative user is allowed to perform the administrative action, and in response to a determination that the non-administrative user is allowed to perform the administrative action, the rules engine configured to obtain credentials from a credential store to enable the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the rule engine is coupled to the authorization store and the delegation store via a provider.
  - 11. The system of claim 9 wherein the provider comprises a pluggable provider that is associated with the authorization and delegation stores.
  - 12. The system of claim 9 wherein the delegation store provides credentials for running the action as a process, running the action as a current user, or running the action as a specific user.
  - 13. The system of claim 9 wherein rule engine receives the request from an application via an API call.
  - 14. The system of claim 9 further comprising an internet information service, wherein at least some user-related information is identified based upon a prior login to the internet information service.
  - 15. The system of claim 9 wherein the credential store securely stores credentials using encryption.

16. One or more computer-readable storage devices storing computer-executable instructions, which in response to execution by a computer, cause the computer to perform steps, comprising:
- receiving a request to authorize a non-administrative user to perform an administrative action, the request including a provider, a username, and a path;
  
  using the provider to access an authorization store;
  
  determining from information in the authorization store and from the request whether the non-administrative user is allowed to perform the administrative action, including identifying a userscope variable that specifies a path for the non-administrative user and automatically substituting the path specified for the non-administrative user based on a user login of the non-administrative user;
  
  in response to a determination that the non-administrative user is allowed to perform the administrative action, obtaining credentials that allow the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user;
  
  running the administrative action; and
  
  returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
- View Dependent Claims (17, 18, 19)
- - 17. The one or more computer-readable storage devices of claim 16 wherein obtaining the credentials comprises accessing a delegation store that provides the credentials.
  - 18. The one or more computer-readable storage devices of claim 16 wherein receiving the request comprises handling an API call.
  - 19. The one or more computer-readable storage devices of claim 16 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises matching provider, action and path information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ladki, Saad A., Joshi, Madhur, Lucero, Robert J., Aguilar Mares, Carlos, Verma, Nitasha, Alam, Bilal, Allington, Clea H., Sen, Vijay
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US12/354,790
Publication Number

US 20100186082A1
Time in Patent Office

1,873 Days
Field of Search

726/18, 726/19
US Class Current

726/19
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Web management authorization and delegation framework

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Web management authorization and delegation framework

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links