Methods and systems for using derived user accounts

US 8,683,578 B2
Filed: 08/02/2012
Issued: 03/25/2014
Est. Priority Date: 11/01/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for accessing a resource in a computer system comprising an operating system, comprising:

receiving a request to access the resource from an application;

determining if the application is running in a derived user account (DUA) context, wherein the DUA context represents a security context of a DUA that is derived from an original user account (OUA) of a user, and wherein the determining comprises examining an access token associated with the request to determine if the request is associated with the DUA;

if the application is not running in the DUA context, creating the DUA and directing the application to run in the DUA context, wherein creating the DUA comprises applying a derivation transformation to an OUA state of the OUA to generate a corresponding DUA state of the DUA; and

granting the application access to the resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and articles of manufacture consistent with features of the present invention allow the generation and use of derived user accounts, or DUA, in a computer system comprising user accounts. In particular, derivation rules define how a DUA is linked to or created based on an existing original user account, or OUA. Derivation transformations may also update the state of a DUA based on its corresponding OUA or give feedback from the state of a DUA to the state of its corresponding OUA.

40 Citations

View as Search Results

20 Claims

1. A computer-implemented method for accessing a resource in a computer system comprising an operating system, comprising:
- receiving a request to access the resource from an application;
  
  determining if the application is running in a derived user account (DUA) context, wherein the DUA context represents a security context of a DUA that is derived from an original user account (OUA) of a user, and wherein the determining comprises examining an access token associated with the request to determine if the request is associated with the DUA;
  
  if the application is not running in the DUA context, creating the DUA and directing the application to run in the DUA context, wherein creating the DUA comprises applying a derivation transformation to an OUA state of the OUA to generate a corresponding DUA state of the DUA; and
  
  granting the application access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein creating the DUA further comprises creating a copy of the resource, and wherein granting the application access to the resource comprises granting the application access to the copy of the resource.
  - 3. The computer-implemented method of claim 1, wherein applying the derivation transformation comprises copying the OUA state to generate the DUA state.
  - 4. The computer-implemented method of claim 1, wherein applying the derivation transformation comprises modifying the OUA state to generate the DUA state.
  - 5. The computer-implemented method of claim 1, wherein applying the derivation transformation comprises setting a value of the DUA state irrespective of a value of the OUA state.
  - 6. The computer-implemented method of claim 1, wherein creating the DUA comprises generating the DUA using a user account creation mechanism of the operating system.
  - 7. The computer-implemented method of claim 1, wherein the DUA comprises different access rights than the OUA.
  - 8. The computer-implemented method of claim 1, wherein applying the derivation transformation comprises:
    - comparing a value of the OUA state against a range; and
      
      setting a value of the DUA state based on the comparison.
  - 9. The computer-implemented method of claim 8, wherein setting the value of the DUA state based on the comparison comprises:
    - setting the value of the DUA state as the closer of two end values of the range to the value of the OUA state, if the OUA state is outside the range; and
      
      setting the value of the DUA state as the value of the OUA state, if the value of the OUA state is within the range.

10. An apparatus, comprising:
- at least one memory having program instructions to execute an operating system; and
  
  at least one processor configured to execute the program instructions to perform the operations of;
  
  receiving a request to access a resource from an application;
  
  determining if the application is running in a derived user account (DUA) context, the DUA context represents a security context of a DUA that is derived from an original user account (OUA) of a user, and wherein the determining comprises examining an access token associated with the request to determine if the request is associated with the DUA;
  
  if the application is not running in the DUA context, creating the DUA and directing the application to run in the DUA context, wherein creating the DUA comprises applying a derivation transformation to an OUA state of the OUA to generate a corresponding DUA state of the DUA; and
  
  granting the application access to the resource.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, wherein applying the derivation transformation comprises copying the OUA state to generate the DUA state.
  - 12. The apparatus of claim 10, wherein applying the derivation transformation comprises modifying the OUA state to generate the DUA state.
  - 13. The apparatus of claim 10, wherein applying the derivation transformation comprises:
    - comparing a value of the OUA state against a range; and
      
      setting a value of the DUA state based on the comparison.
  - 14. The apparatus of claim 10, wherein the DUA comprises different access rights than the OUA.

15. A non-transitory computer-readable medium containing computer-readable instructions enabling a computer to perform a method, the method comprising:
- receiving a request to access a resource from an application;
  
  determining if the application is running in a derived user account (DUA) context, wherein the DUA context represents a security context of a DUA that is derived from an original user account (OUA) of a user, and wherein the determining comprises examining an access token associated with the request to determine if the request is associated with the DUA;
  
  if the application is not running in the DUA context, creating the DUA and directing the application to run in the DUA context, wherein creating the DUA comprises applying a derivation transformation to an OUA state of the OUA to generate a corresponding DUA state of the DUA; and
  
  granting the application access to the resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein applying the derivation transformation comprises copying the OUA state to generate the DUA state.
  - 17. The non-transitory computer-readable medium of claim 15, wherein applying the derivation transformation comprises modifying the OUA state to generate the DUA state.
  - 18. The non-transitory computer-readable medium of claim 15, wherein applying the derivation transformation comprises:
    - comparing a value of the OUA state against a range; and
      
      setting a value of the DUA state based on the comparison.
  - 19. The non-transitory computer-readable medium of claim 18, wherein setting the value of the DUA state based on the comparison comprises:
    - setting the value of the DUA state as the closer of two end values of the range to the value of the OUA state, if the OUA state is outside the range; and
      
      setting the value of the DUA state as the value of the OUA state, if the value of the OUA state is within the range.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the DUA comprises different access rights than the OUA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Erlingsson, Ulfar
Primary Examiner(s)
Lipman, Jacob

Application Number

US13/565,483
Publication Number

US 20120311698A1
Time in Patent Office

600 Days
Field of Search

713/193, 726/18
US Class Current

726/18
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

H04L 63/102   Entity profiles

Methods and systems for using derived user accounts

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for using derived user accounts

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links